Hiding database activities from auditing (stealth mode)

Let’s suppose that we have enabled database auditing as recommended and put a centralized auditing solution in place, so that the audit data is sent to a remote server and protected there (as in my previous blog post). Now let’s think like an attacker: can we hide our database activity, or at least part of it?

So here we have SYSDBA access to a 19c Oracle database running in pure unified auditing mode, and we want to hide our SYSDBA activity, i.e. disable auditing for our current session only. Everything that follows is done with oradebug, which itself requires a SYSDBA connection.

The first step is to change the protection of the memory region that holds the target function. Code pages are mapped read-only and executable, so we use oradebug to call mprotect and make the region writable as well:

(Capture 01, Capture 02, Capture 03: screenshots of the oradebug session changing the memory protection)

Now the write flag is set on that region. It has to be, because the next step is to patch the Oracle kernel function “sopts_IsUnifiedAuditOn” in memory so that it reports auditing as off for our target session.

Unfortunately the oradebug poke command does not seem to work as expected in recent Oracle releases:

(Capture 04: screenshot of the failing oradebug poke)

But don’t worry, there is always another way 🙂 Instead we call the C library function “memset” through oradebug to modify a few bytes of the function (here I only changed the immediate value that the function loads into the EAX register, its return register on x86):

(Capture 05: screenshot of the oradebug memset call)

And that’s it, we are in stealth mode: all auditing for our current session has been disabled. One trace remains, though. The last oradebug command was executed while auditing was still active, so we will still find its execution in the “unified_audit_trail” view, and that record is exactly what a defender should be looking for:

(Capture 06: screenshot of the unified_audit_trail record for the oradebug command)
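The two steps above, mprotect on the page holding the check and then a byte patch of the function body, are shown here against a stand-in function in a standalone Linux process. This is an added example and not the post’s oradebug session or any Oracle code: the function name is_unified_audit_on is an assumption standing in for the kernel function the post patches, and instead of editing the single immediate byte the post modifies, the example writes an x86 “xor eax,eax; ret” stub so the result does not depend on how the compiler encoded the original body.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in for the audit check patched in the post (assumed name, not
 * Oracle's code): it always reports that unified auditing is on. */
__attribute__((noinline)) int is_unified_audit_on(void)
{
    return 1;
}

/* Call the check through a volatile function pointer so the compiler cannot
 * constant-fold the answer; it must execute whatever bytes sit at the
 * function address, patched or not. */
int audit_check_value(void)
{
    int (*volatile check)(void) = is_unified_audit_on;
    return check();
}

/* Step 1 of the post: make the page(s) holding the target bytes writable.
 * Code pages are mapped r-x, so they must become rwx before the patch. */
static int make_writable(const void *addr, size_t len)
{
    uintptr_t pagesz = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(pagesz - 1);
    uintptr_t end = ((uintptr_t)addr + len + pagesz - 1) & ~(pagesz - 1);
    return mprotect((void *)start, (size_t)(end - start),
                    PROT_READ | PROT_WRITE | PROT_EXEC);
}

/* Step 2: overwrite the function body so it returns 0 ("auditing off").
 * Returns 0 on success, -1 if mprotect() was refused (for example by a
 * W^X policy), -2 on an architecture this example does not handle. */
int patch_audit_check(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned char *code = (unsigned char *)(uintptr_t)is_unified_audit_on;
    /* xor eax,eax ; ret  -- the function now returns 0 unconditionally. */
    static const unsigned char stub[] = { 0x31, 0xC0, 0xC3 };
    /* Keep an endbr64/endbr32 landing pad if the compiler emitted one, so an
     * indirect call still works if CET/IBT is enforced. */
    static const unsigned char endbr64[] = { 0xF3, 0x0F, 0x1E, 0xFA };
    static const unsigned char endbr32[] = { 0xF3, 0x0F, 0x1E, 0xFB };
    size_t off = 0;
    if (memcmp(code, endbr64, 4) == 0 || memcmp(code, endbr32, 4) == 0)
        off = 4;

    if (make_writable(code + off, sizeof stub) != 0)
        return -1;
    memcpy(code + off, stub, sizeof stub);
    return 0;
#else
    (void)make_writable;
    return -2;
#endif
}

int main(void)
{
    printf("before patch: is_unified_audit_on() = %d\n", audit_check_value());
    int rc = patch_audit_check();
    printf("patch rc = %d, after patch: is_unified_audit_on() = %d\n",
           rc, audit_check_value());
    return 0;
}
```

In the post the same two calls are issued from SQL*Plus with oradebug against the server process rather than from inside the process, but the mechanism is identical: no memory page is written until mprotect has added the write bit. That is also why a -1 from patch_audit_check() is the interesting outcome for a defender, since it means the platform refused to make code pages writable.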

PS: oradebug can be disabled altogether by setting the hidden parameter “_disable_oradebug_commands” to all. Keep in mind, though, that oradebug already requires a SYSDBA connection: anyone who can run it can tamper with the process that produces the audit records, so restricting SYSDBA access and shipping audit data off the host promptly (as in the centralized setup above) matters more than any single switch.

That’s it 😀


2 thoughts on “Hiding database activities from auditing (stealth mode)”

  1. Hi Mahmoud,

    Thanks for this nice security article !

    So audit logs generated for the SYS account within the session will not get generated?

    If the parameter audit_sys_operations=TRUE,

    *.aud files get generated… have you checked that?

    Regards,
    Emad Al-Mousa
