Auditing DBA privs

  • From: "Smith, Steven K - MSHA" <Smith.Steven@xxxxxxx>
  • To: "oracle-l" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 3 Oct 2007 09:15:18 -0600

The Inspector General office is breathing down our necks here and is
requesting that we audit all activities performed by anyone with DBAish
role privs.  We are currently on version 9i and are currently using the
'soon to be discontinued' DBA role.

At first glance, it appears that this would be simple.  I've started
looking into this and have found that 'audit DBA on session' isn't going
to do the trick because of the limitations/bugs in the execution of that
statement.  I guess that auditing DBA really isn't auditing everything
that someone with the DBA role does.  This is turning into the 300 lb
gorilla.

Anyway - I'm looking into setting up auditing for everything defined in
the dba_sys_privs view that is granted to DBA.  That should get a large
majority of the specific DBAish commands, but it will also get 'create
sequence', 'create view', etc.  Those are not DBA specific roles and
those are not commands that can only be executed by someone with DBA
privileges.  Hmm...

Does anyone have experience in 9i auditing the commands of userids with
DBA role assigned to them?  Has anyone gone through this exercise before
and is willing to share their experiences and pitfalls?

I know that I'm potentially looking at a lot of data in the AUD$ table -
managing it and reporting it is going to be a fun project in itself, but
first things first.

Thanks

Steve Smith

Desk: 303-231-5499

Fax: 303-231-5696
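
One way to keep the privilege auditing described in the message from recording 'create view' and similar commands run by ordinary users is to scope each AUDIT option to the accounts that hold DBA. This is an added example, not part of the original post; it assumes the standard dictionary views DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, STMT_AUDIT_OPTION_MAP, DBA_PRIV_AUDIT_OPTS and DBA_AUDIT_TRAIL, and covers only system privileges granted directly to the DBA role.

```sql
-- Added example, not from the original post. Run as a privileged user.
-- Audit records are only written when the AUDIT_TRAIL init parameter is
-- enabled. Connections AS SYSDBA are outside these options.

-- 1. Generate one AUDIT statement per (DBA system privilege, DBA holder).
--    The CONNECT BY walks role grants upward, so users who receive DBA
--    through an intermediate role are included as well.
SELECT 'AUDIT ' || p.privilege || ' BY "' || u.username || '" BY ACCESS;'
         AS audit_stmt
FROM   dba_sys_privs p,
       stmt_audit_option_map m,          -- keep only valid audit options
       (SELECT DISTINCT grantee
        FROM   dba_role_privs
        START  WITH granted_role = 'DBA'
        CONNECT BY PRIOR grantee = granted_role) g,
       dba_users u                       -- drop roles, keep real accounts
WHERE  p.grantee  = 'DBA'
AND    m.name     = p.privilege
AND    u.username = g.grantee
ORDER  BY u.username, p.privilege;

-- 2. After running the generated statements, confirm what is in force.
--    Rows with a non-null USER_NAME are the per-user options set above.
SELECT user_name, privilege, success, failure
FROM   dba_priv_audit_opts
WHERE  user_name IS NOT NULL
ORDER  BY user_name, privilege;

-- 3. Summarise captured activity by account and by the privilege that
--    authorised it (PRIV_USED), to see which options produce the volume.
SELECT username, priv_used, action_name, COUNT(*) AS events
FROM   dba_audit_trail
WHERE  priv_used IS NOT NULL
GROUP  BY username, priv_used, action_name
ORDER  BY events DESC;
```

The generator has to be re-run whenever DBA is granted to a new account, because per-user audit options do not follow role membership.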
