Application Security Testing: An Integral Part of DevOps
Auditing the data of business applications is a common requirement. In this article, I'll demonstrate one way to audit an Oracle database that is both simple and flexible. The code is written in Oracle PL/SQL and can be applied to any modern Oracle database. It does not rely on any Oracle-supplied package. More importantly perhaps, the process demonstrated can be duplicated on many other databases using their native procedural language.
There are several different ways to audit database activity. Oracle's standard auditing (the AUDIT command) can record events such as logins, logoffs and the use of system privileges, writing the results to the data dictionary audit trail (SYS.AUD$, exposed through the DBA_AUDIT_TRAIL view).
This type of auditing is valuable, but what about creating an audit trail for the data itself? The focus of this article is auditing application data.
A common, yet simplistic, approach to auditing data is to add columns such as created_by/created_on and updated_by/updated_on to every targeted table. When a row is inserted or updated, these fields are set to the current user and the system date, either by the application code or by a trigger. The problem with this approach is that it is often not enough. It records who made the last change and when, but keeps no snapshot of the data as it existed before that change, and no history of any change but the last one.
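To make the shortcoming concrete, here is an added example (not the article's own scripts, which follow later) that puts the who/when columns side by side with a row-level trigger that records the before and after image of every change. The table names accounts, accounts_aud and the sequence accounts_aud_seq are assumptions for illustration.

```sql
-- Added example, not the article's own scripts.
-- Assumed names: base table ACCOUNTS, audit table ACCOUNTS_AUD, sequence ACCOUNTS_AUD_SEQ.

-- The simplistic approach: who/when columns on the business table itself.
-- After an UPDATE there is no way to tell what BALANCE or STATUS used to be.
CREATE TABLE accounts (
  account_id  NUMBER        PRIMARY KEY,
  balance     NUMBER(12,2)  NOT NULL,
  status      VARCHAR2(10)  NOT NULL,
  created_by  VARCHAR2(30),
  created_on  DATE,
  updated_by  VARCHAR2(30),
  updated_on  DATE
);

-- Audit table: one row per change, holding both the old and the new values.
CREATE TABLE accounts_aud (
  aud_id      NUMBER        PRIMARY KEY,
  account_id  NUMBER        NOT NULL,
  action      CHAR(1)       NOT NULL,   -- I (insert), U (update) or D (delete)
  changed_by  VARCHAR2(30)  NOT NULL,   -- database session user
  changed_on  DATE          NOT NULL,
  os_user     VARCHAR2(100),            -- operating-system user of the client
  old_balance NUMBER(12,2),
  new_balance NUMBER(12,2),
  old_status  VARCHAR2(10),
  new_status  VARCHAR2(10)
);

CREATE SEQUENCE accounts_aud_seq;

-- Row-level trigger: fires once per affected row for any DML on ACCOUNTS.
-- :OLD is NULL on INSERT and :NEW is NULL on DELETE, so both images are
-- captured without special-casing the column list.
CREATE OR REPLACE TRIGGER accounts_aud_trg
  AFTER INSERT OR UPDATE OR DELETE ON accounts
  FOR EACH ROW
DECLARE
  v_action CHAR(1);
BEGIN
  IF INSERTING THEN
    v_action := 'I';
  ELSIF UPDATING THEN
    v_action := 'U';
  ELSE
    v_action := 'D';
  END IF;

  INSERT INTO accounts_aud (aud_id, account_id, action, changed_by, changed_on, os_user,
                            old_balance, new_balance, old_status, new_status)
  VALUES (accounts_aud_seq.NEXTVAL,
          NVL(:NEW.account_id, :OLD.account_id),
          v_action,
          USER,
          SYSDATE,
          SYS_CONTEXT('USERENV', 'OS_USER'),
          :OLD.balance, :NEW.balance,
          :OLD.status,  :NEW.status);
END;
/

-- Constructed sample activity: create, change and remove one account.
INSERT INTO accounts (account_id, balance, status, created_by, created_on)
VALUES (1, 100, 'OPEN', USER, SYSDATE);

UPDATE accounts
   SET balance = 250, updated_by = USER, updated_on = SYSDATE
 WHERE account_id = 1;

DELETE FROM accounts WHERE account_id = 1;
COMMIT;

-- ACCOUNTS no longer holds the row at all; ACCOUNTS_AUD still shows every state it went through.
SELECT action, changed_by, changed_on, old_balance, new_balance, old_status, new_status
  FROM accounts_aud
 WHERE account_id = 1
 ORDER BY aud_id;
```

The final query returns three rows (I, U, D), each carrying the values before and after the change. Two practical points: the audit table should live in a schema the application account cannot update or delete from (the trigger runs with its owner's privileges, so only the owner needs INSERT on it), and USER is the database session user, which with a pooled connection is usually the application's service account; the real end user has to be supplied separately, for instance through SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') after the application sets it with DBMS_SESSION.SET_IDENTIFIER. Row triggers also do not fire for SQL*Loader direct-path loads, so bulk loads need their own audit path.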
Oracle also allows you to audit data by using the AUDIT command. For example, AUDIT DELETE ON my_table; will audit deletes on the table my_table. Several options can be supplied with this command, such as BY SESSION or BY ACCESS and WHENEVER SUCCESSFUL or WHENEVER NOT SUCCESSFUL, but they control when a record is written, not which rows or values qualify. The record goes to the central Oracle audit trail and says that a DELETE occurred, not what was deleted.
Oracle 9i introduces "fine-grained auditing" through the Oracle-supplied DBMS_FGA package, which writes an audit record only when a policy condition you define is true for the data touched, and can optionally call a handler procedure you supply. For example, you can use this API to audit access to financial transactions only when the posted amount exceeds $1,000. Note that in 9i fine-grained auditing applies to SELECT statements only; auditing of INSERT, UPDATE and DELETE through DBMS_FGA arrived in Oracle 10g.
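The $1,000 rule above as an added example of the DBMS_FGA API (not code from the article). The schema FIN, the table TRANSACTIONS and the policy name AUDIT_BIG_TRANS are assumptions; the parameter names are those of DBMS_FGA.ADD_POLICY.

```sql
-- Added example, not the article's own code.
-- Assumed names: schema FIN, table TRANSACTIONS, policy AUDIT_BIG_TRANS.
-- Requires EXECUTE on DBMS_FGA and, for the final query, access to DBA_FGA_AUDIT_TRAIL.
CREATE TABLE fin.transactions (
  trans_id    NUMBER        PRIMARY KEY,
  account_id  NUMBER        NOT NULL,
  amount      NUMBER(12,2)  NOT NULL,
  posted_on   DATE          DEFAULT SYSDATE NOT NULL
);

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'FIN',
    object_name     => 'TRANSACTIONS',
    policy_name     => 'AUDIT_BIG_TRANS',
    -- Business rule: rows with a posted amount of $1,000 or less are ignored.
    audit_condition => 'AMOUNT > 1000',
    -- Only statements that touch this column trigger the policy.
    audit_column    => 'AMOUNT',
    enable          => TRUE,
    -- 10g and later: audit DML as well as queries.
    -- On 9i omit this parameter; only SELECT statements are audited there.
    statement_types => 'SELECT,INSERT,UPDATE,DELETE');
END;
/

-- Constructed sample data: one small and one large transaction.
INSERT INTO fin.transactions (trans_id, account_id, amount) VALUES (1, 10, 500);
INSERT INTO fin.transactions (trans_id, account_id, amount) VALUES (2, 10, 2500);
COMMIT;

-- Returns only the $500 row: no row satisfies AMOUNT > 1000, so nothing is audited.
SELECT trans_id, amount FROM fin.transactions WHERE amount < 1000;

-- Returns the $2,500 row: the condition holds for a returned row, so an audit record is written.
SELECT trans_id, amount FROM fin.transactions WHERE account_id = 10;

-- The fine-grained audit trail, including the full statement text.
SELECT db_user, os_user, timestamp, policy_name, sql_text
  FROM dba_fga_audit_trail
 WHERE object_schema = 'FIN'
   AND object_name   = 'TRANSACTIONS'
 ORDER BY timestamp;

-- Remove the policy when it is no longer wanted.
BEGIN
  DBMS_FGA.DROP_POLICY(object_schema => 'FIN',
                       object_name   => 'TRANSACTIONS',
                       policy_name   => 'AUDIT_BIG_TRANS');
END;
/
```

Unlike the hand-written trigger approach, DBMS_FGA records who ran which statement against qualifying rows rather than the row values themselves; if you need the before and after image of the data, a trigger-based audit table is still required alongside it.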
Finally, many off-the-shelf applications provide their own auditing tables and procedures.
If you're fortunate enough to have such capabilities in a purchased application, or you are committed to using Oracle 9i or higher, then by all means use them. Otherwise, the two scripts below can be modified as needed to provide a rich audit trail.