Auditing IT components using CAATs

Auditing Oracle Users using CAATs

Typically, application access to an Oracle database is via one of two methods.

Either all users access the same database using a single (proxy) user, which is defined in an initialisation (.INI) file, the registry, etc.

Or the users access the database individually using a named user profile. When access is via this second method, the users will be stored in DBA_USERS (see Auditing Oracle Passwords using CAATs, http://www.isaca.org/Blogs/273340/Lists/Posts/ViewPost.aspx?ID=1).

It is therefore possible to import a “primary” source of users, for example, the payroll or company/department telephone directory into your CAATs tool.  These user names can be manipulated to produce a user profile to match the profiles on the Oracle database (for example, John Smith can be manipulated to produce SMITHF).

There may be a couple of things to note here. If the password for the user is “EXTERNAL”, then the user is being authenticated externally (most likely via your operating system). The Oracle parameter “os_authent_prefix” then becomes important: if it has a value (“OPS$” is the default), then “OPS$<domain name>\” should be concatenated to the start of your username.

It is then a matter of comparing your Oracle usernames with those you have built. Any mismatch where the account status is open (or even expired) should be investigated. These users may still be able to access the database although they are no longer part of your company/department.

Note that users whose passwords are “EXTERNAL” and whose operating system account is disabled will not be able to access the database.
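
The comparison described above can be sketched in Python as follows. This is an added example, not part of the original post: the extracts are constructed sample data, and the naming convention (surname plus first initial), the domain name CORP, the HR column names and the set of "usable" statuses are assumptions to adapt to your environment.

```python
import csv
import io

OS_AUTHENT_PREFIX = "OPS$"  # value of os_authent_prefix (Oracle default)
DOMAIN = "CORP"             # assumed operating system domain name
USABLE = {"OPEN", "EXPIRED", "EXPIRED(GRACE)"}  # assumed: statuses that are not locked

# Constructed sample extracts (not real data); password values are made up.
HR_EXTRACT = """first_name,last_name
John,Smith
Mary,Jones
Ann,O'Neil
"""
DBA_USERS_EXTRACT = r"""USERNAME,PASSWORD,ACCOUNT_STATUS
SMITHJ,0F1E2D3C4B5A6978,OPEN
OPS$CORP\JONESM,EXTERNAL,OPEN
ONEILA,1122334455667788,EXPIRED
BROWNT,99AABBCCDDEEFF00,OPEN
OPS$CORP\GREENP,EXTERNAL,EXPIRED
WHITEK,A1B2C3D4E5F60718,LOCKED
"""

def derive_username(first, last):
    """Surname + first initial, upper-cased, letters and digits only (assumed convention)."""
    surname = "".join(c for c in last if c.isalnum())
    return (surname + first.strip()[:1]).upper()

def expected_names(hr_csv):
    """Return (plain names, externally authenticated names) built from the HR list."""
    plain = {derive_username(r["first_name"], r["last_name"])
             for r in csv.DictReader(io.StringIO(hr_csv))}
    external = {f"{OS_AUTHENT_PREFIX}{DOMAIN}\\{u}" for u in plain}
    return plain, external

def unmatched_accounts(hr_csv, dba_csv):
    """List (username, status) for usable Oracle accounts with no match in the HR list."""
    plain, external = expected_names(hr_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(dba_csv)):
        name = row["USERNAME"].strip().upper()
        status = row["ACCOUNT_STATUS"].strip().upper()
        # Externally authenticated users are compared against the prefixed names.
        expected = external if row["PASSWORD"].strip().upper() == "EXTERNAL" else plain
        if name not in expected and status in USABLE:
            findings.append((name, status))
    return findings

if __name__ == "__main__":
    for name, status in unmatched_accounts(HR_EXTRACT, DBA_USERS_EXTRACT):
        print(f"INVESTIGATE {name} ({status})")
```

Built-in and service accounts that have no entry in the primary source will also surface as mismatches, so expect to review those separately.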


Comments

RE: Auditing Oracle Users using CAATs

Good content in this post.  Useful & practical reference guide for what to look for from an audit perspective relating to Oracle Users. 
Martin554 at 3/15/2012 5:57 AM