Oracle 12c Real Application Security and Standard Database Auditing - Warning Database Logins Not Logged
Oracle 12c introduces several major new security features. Data redaction is one new feature and Real Application Security (RAS) is another. Per Oracle, RAS is the next generation Virtual Private Database (VPD) and is installed with Oracle Enterprise Edition – no additional license required. RAS is a new declarative and granular authorization model and is designed to be an application security platform for end-to-end application security. For those developing APEX applications (also installed with Enterprise Edition), RAS will certainly become an integral tool.
With RAS, developers define security policies declaratively instead of writing and maintaining PL/SQL code. Most notably, RAS extends the security model to define application users and roles that are separate from database users and roles.
RAS allows for the creation of users, complete with user names and passwords, and stores them in the database. RAS users are not stored in DBA_USERS. RAS users are defined in DBA_XS_USERS, and their password verifiers are stored in SYS.XS$VERIFIERS.
With 18.104.22.168, RAS users can also directly connect to the database. It appears that with 22.214.171.124, RAS users can be defined with a flag to allow or disallow direct database logons. As any database security monitoring and logging solution should be monitoring database logon activity, it should be known that RAS users will NOT show up in standard Oracle database auditing. Standard database auditing instead picks up login activity by the generic user XS$NULL. Because it is designed to be part of an application, RAS has its own logging and auditing solution.
Basic logon activity for RAS users is, however, logged in SYS.UNIFIED_AUDIT_TRAIL. Even if you have NOT enabled Unified Auditing in 12c, SYS.UNIFIED_AUDIT_TRAIL is being populated. Why this is the case will be the topic of another blog post. If you have compliance requirements to log and audit database logons, you will need to monitor SYS.UNIFIED_AUDIT_TRAIL for RAS user logons and for the creation of RAS users, and potentially configure RAS auditing as well. The example below should get you started.
With the below you can test for yourself how standard database auditing logs RAS user logons:
- Ensure auditing for CREATE SESSION is enabled; if not, run: audit create session by access;
- Create a Real Application Security user
- Set a password for the Real Application Security user
- Review both dba_users and dba_xs_users to see for yourself where RAS users are defined.
- Log into the database with: INTEGRIGY_RAS_USER/oracle
- Look at your auditing and see a logon from XS$NULL instead of INTEGRIGY_RAS_USER
select * from sys.aud$ order by 1 desc
- Now look at SYS.UNIFIED_AUDIT_TRAIL. You will see XS$NULL for the DBUSERNAME but you will see 'INTEGRIGY_RAS_USER' in XS_USER_NAME.
select dbusername, xs_user_name, event_timestamp
from sys.unified_audit_trail
where xs_user_name = 'INTEGRIGY_RAS_USER'
order by event_timestamp
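The steps above, worked through end to end as an added example (this is not code from the original post or from Oracle; it is an editor's walkthrough). It assumes a 12c database with RAS installed, a DBA session in SQL*Plus, and that the RAS user is created with the SYS.XS_PRINCIPAL package; the user name and password are the ones the post uses, and the TNS alias in the comment is a placeholder.

```sql
-- Added walkthrough (not from the original post): the checklist above as
-- runnable SQL*Plus commands, run from a DBA session.

-- 1. Make sure traditional auditing records logons.
AUDIT CREATE SESSION BY ACCESS;

-- 2. Create the RAS (application) user. It will appear in DBA_XS_USERS,
--    not in DBA_USERS (SYS.XS_PRINCIPAL is the 12c RAS principal API).
BEGIN
  SYS.XS_PRINCIPAL.CREATE_USER(name => 'INTEGRIGY_RAS_USER');
  -- 3. Set the password; the verifier lands in SYS.XS$VERIFIERS.
  SYS.XS_PRINCIPAL.SET_PASSWORD(name     => 'INTEGRIGY_RAS_USER',
                                password => 'oracle');
END;
/

-- 4. Where is the account defined?
SELECT username FROM dba_users    WHERE username = 'INTEGRIGY_RAS_USER';  -- no rows
SELECT name     FROM dba_xs_users WHERE name     = 'INTEGRIGY_RAS_USER';  -- one row

-- 5. From an OS shell, connect as the RAS user in a second session:
--    sqlplus INTEGRIGY_RAS_USER/oracle@<tns_alias>   (placeholder alias)

-- 6. Traditional audit trail: the logon is attributed to XS$NULL, and the
--    RAS identity is not recorded anywhere in this view.
SELECT username, os_username, timestamp, action_name
  FROM dba_audit_session
 WHERE username = 'XS$NULL'
 ORDER BY timestamp DESC;

-- 7. Unified audit trail: DBUSERNAME is still XS$NULL, but XS_USER_NAME
--    carries the real RAS identity.
SELECT dbusername, xs_user_name, event_timestamp, action_name
  FROM sys.unified_audit_trail
 WHERE xs_user_name = 'INTEGRIGY_RAS_USER'
 ORDER BY event_timestamp;

-- Monitoring query for a logon report: every session attributed to XS$NULL
-- that carries a RAS identity in the last day. Pair it with a periodic
-- snapshot of DBA_XS_USERS to catch newly created RAS accounts.
SELECT event_timestamp, xs_user_name, action_name, client_program_name
  FROM sys.unified_audit_trail
 WHERE dbusername = 'XS$NULL'
   AND xs_user_name IS NOT NULL
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp DESC;
```

The point of the two audit queries side by side is that a logon report built only on SYS.AUD$ or DBA_AUDIT_SESSION cannot tell one RAS user from another, since every direct RAS logon shows up as XS$NULL; the XS_USER_NAME column of SYS.UNIFIED_AUDIT_TRAIL is the only place the identity is preserved, so that is the view a compliance report has to read.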
If you are not familiar with XS$NULL, XS$NULL is created when the database component Oracle XML Database (XDB) is installed. XDB is now a mandatory component of 12c and as such, XS$NULL must exist in the database. Per Oracle, XS$NULL is an internal account that represents the absence of a user in a session. It is used by the lightweight session infrastructure for APEX, RAS and XDB and the name of this user is hard coded in those modules. Because XS$NULL is not really a user, this account can only be accessed by the Oracle Database instance. XS$NULL has no privileges, and no one can authenticate as XS$NULL, nor can authentication credentials ever be assigned to XS$NULL.
If you have questions, please contact us at firstname.lastname@example.org
Summary of Real Application Security http://www.oracle.com/technetwork/database/security/real-application-security/real-application-security-1964775.html
Oracle Documentation for Real Application Security http://docs.oracle.com/database/121/DBFSG/intro.htm#DBFSG10000
Is the XS$NULL user a required account? (Doc ID 1556725.1) https://support.oracle.com/rs?type=doc&id=1556725.1