Audit login anomalies detector
Job details

| Field | Value |
|---|---|
| Name | Audit login anomalies detector |
| Platform | Oracle |
| Category | Audit |
| Description | Check that looks for anomalies in new sessions logging on to the database |
| Long description | |
| Version | 3.9 |
| Default schedule | `* * * *` |
| Requires engine install | Yes |
| Compatibility tag | `.[type='instance' & databasetype='oracle']/.[hasengine='YES']` |
Parameters

| Name | Default value | Description |
|---|---|---|
| Match database keep time (days) | 60 | The number of days a record of an action is kept before it is removed from the normal-behavior table. |
| Gathering baseline | YES | YES means the job accepts all new behavior as normal and gathers information to build up an anomalies database. |
Job Summary
- Purpose: The purpose of this job is to monitor for anomalies in login activities on Oracle databases. It primarily focuses on detecting unusual behaviors and login patterns, helping in the identification of potential security breaches or unauthorized access attempts.
- Why: This job is important because it assists in ensuring database security by:
  - Identifying unexpected and possibly malicious login behaviors.
  - Helping database administrators react quickly to potential security threats.
  - Providing a mechanism to keep logs of login activities for audit purposes.
- Manual checking: To manually check for anomalies, one could analyze the login patterns directly from the database logs. However, this task relies on sophisticated algorithms that would be hard to replicate manually without a similar setup.
Technical Description
Specific Jobs and Functions:
Data Tables and Schema Creation
- Creates various tables such as `dbw_anomalies_login_rowsets` and `dbw_anomalies_login_db`, which store row sets of data and login actions respectively.
- Uses MD5 hashing via the function `dbw_anomalies_get_md5` to compute a compact checksum of each login action; the hash serves as an efficient lookup key for matching actions against known behavior, not as a security control.
Procedures
- Procedures such as `dbw_anomalies_login_read`, `dbw_anomalies_login_make_cs`, and the main procedure `dbw_anomalies_login` serve to read, process, and analyze the data, determining the presence of anomalies based on the gathered and computed checksums.
Dependencies and Cleanup Handling
- Several dependencies are marked with cleanup-on-fail set to true, ensuring a clean state upon job failure so that partial runs do not corrupt or misrepresent the data.
Scheduled Operations
- Scheduled to run continuously every minute as specified in `default-schedule`, ensuring constant monitoring and immediate detection of anomalies.
Overall Workflow and Process:
- The job consists of creating necessary tables, computing hash values for actions, checking these actions against expected behaviors, and logging any deviations or anomalies.
- It operates on gathered data to identify irregular patterns and maintains a history of login activities that can be useful for audits and forensic analysis.
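The workflow above, as an added example that is not part of the dbWatch job's own code: a Python stand-in for the normal-behavior table that fingerprints each login action with MD5, accepts new actions while the baseline is being gathered, expires entries after the keep time, and flags unknown actions afterwards. The session attributes (username, OS user, machine, program) and the sample sessions are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta

KEEP_DAYS = 60  # default of the "Match database keep time (days)" parameter


def action_md5(username, osuser, machine, program):
    """Checksum of one login action; MD5 is a lookup key here, not a security control."""
    key = "|".join(s.strip().upper() for s in (username, osuser, machine, program))
    return hashlib.md5(key.encode()).hexdigest()


class LoginBaseline:
    """In-memory stand-in for the normal-behavior table (assumed schema: md5 -> last seen)."""

    def __init__(self, gathering=True, keep_days=KEEP_DAYS):
        self.gathering = gathering
        self.keep_days = keep_days
        self.known = {}

    def purge(self, now):
        """Drop actions not seen within the keep window, as the keep-time parameter describes."""
        cutoff = now - timedelta(days=self.keep_days)
        self.known = {h: t for h, t in self.known.items() if t >= cutoff}

    def check(self, session, now):
        """Return True when the session is an anomaly (unknown action outside gathering mode)."""
        self.purge(now)
        h = action_md5(session["username"], session["osuser"], session["machine"], session["program"])
        if h in self.known or self.gathering:
            self.known[h] = now  # refresh the record; new behavior is accepted while gathering
            return False
        return True


def run_detector(sessions, gathering_until, keep_days=KEEP_DAYS):
    """Replay sessions in order: gather a baseline until the given date, then detect."""
    baseline = LoginBaseline(gathering=True, keep_days=keep_days)
    anomalies = []
    for s in sessions:
        baseline.gathering = s["logon_time"] < gathering_until
        if baseline.check(s, s["logon_time"]):
            anomalies.append(s)
    return anomalies


SESSIONS = [  # constructed sample sessions, not real audit data
    {"username": "APP", "osuser": "appsvc", "machine": "app01", "program": "JDBC Thin Client", "logon_time": datetime(2024, 1, 1)},
    {"username": "DBA", "osuser": "jdoe", "machine": "ws-17", "program": "sqlplus", "logon_time": datetime(2024, 1, 2)},
    {"username": "APP", "osuser": "appsvc", "machine": "app01", "program": "JDBC Thin Client", "logon_time": datetime(2024, 2, 10)},
    {"username": "APP", "osuser": "appsvc", "machine": "unknown-host", "program": "JDBC Thin Client", "logon_time": datetime(2024, 2, 11)},
    {"username": "DBA", "osuser": "jdoe", "machine": "ws-17", "program": "sqlplus", "logon_time": datetime(2024, 4, 15)},
]
```

Replaying `SESSIONS` with a baseline gathered until 2024-02-01 flags the login from `unknown-host` and, because its record has aged out of the 60-day window, the DBA login in April as well.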
Additional Features and Reporting
- Acknowledgements are enabled for this job, highlighting its importance to operational integrity and security.
- Utilizes a robust reporting template (`dbwatch-report-template`) that categorizes and presents findings comprehensively, aiding in review and decision-making processes.
In conclusion, the described dbWatch Control Center job is essential for maintaining the security posture of Oracle database systems by monitoring and analyzing login behaviors, ensuring that any unusual activities are promptly highlighted and addressed.