Re: Auditing DBA privs

  • From: mkb <mkb125@xxxxxxxxx>
  • To: Smith.Steven@xxxxxxx, oracle-l <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 3 Oct 2007 10:34:30 -0700 (PDT)

Steve,

I would start by looking at the database-stig-v7r2.pdf which is available for 
download from iase.disa.mil/stigs/stig/database-stig-v7r2.pdf.

Specifically, section 4 titled Database Auditing and B.14 Auditing in Oracle 
should get you started.

This document outlines the Security Technical Implementation Guide (STIG) 
process that many systems in federal agencies and the DOD have to go through 
before a system can get accredited and be put on a live network.  The 
recommendations in the database STIG should be sufficient to keep the IG off of 
your backs.

In our setup, we have audit_sys_operations = true and set audit_trail=db.  I 
don't have access to the system otherwise I would have attached a file listing 
of the audit options that we have turned on (see section B.14 in the STIG 
guide).

hth

--
mohammed



----- Original Message ----
From: "Smith, Steven K - MSHA" <Smith.Steven@xxxxxxx>
To: oracle-l <oracle-l@xxxxxxxxxxxxx>
Sent: Wednesday, October 3, 2007 11:15:18 AM
Subject: Auditing DBA privs


The Inspector General office is breathing down our necks here and is requesting 
that we audit all activities performed by anyone with DBAish role privs.  We 
are currently on version 9i and are currently using the ‘soon to be 
discontinued’ DBA role.
 
At first glance, it appears that this would be simple.  I’ve started looking 
into this and have found that ‘audit DBA on session’ isn’t going to do the 
trick because of the limitations/bugs in the execution of that statement.  I 
guess that auditing DBA really isn’t auditing everything that someone with the 
DBA role does.  This is turning into the 300 lb gorilla.
 
Anyway – I’m looking into setting up auditing for everything defined in the 
dba_sys_privs view that is granted to DBA.  That should get a large majority of 
the specific DBAish commands, but it will also get ‘create sequence’, ‘create 
view’, etc.  Those are not DBA specific roles and those are not commands that 
can only be executed by someone with DBA privileges.  HHmm…
 
Does anyone have experience in 9i auditing the commands of userids with DBA 
role assigned to them?  Has anyone gone through this exercise before and is 
willing to share their experiences and pitfalls?
 
I know that I’m potentially looking at a lot of data in the AUD$ table – 
managing it and reporting it is going to be a fun project in itself, but first 
things first.
 
Thanks
 
Steve Smith
Desk: 303-231-5499
Fax: 303-231-5696
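As an added example that is not part of either post: the SQL below ties together mohammed's parameter settings and Steve's plan to audit every privilege in dba_sys_privs that is granted to DBA, for each user who holds the role. It assumes SYSDBA access on Oracle 9i or later with audit_trail=db already in effect; the list of excluded everyday privileges is a constructed illustration, not something from the thread.

```sql
-- Added example, not from either poster. Assumes SYSDBA on Oracle 9i or later
-- with audit_trail=db already in effect, as in mohammed's reply.

-- 1. Confirm the two parameters the reply relies on. Note that
--    audit_sys_operations only takes effect after a restart and writes to the
--    OS audit trail, not to AUD$, so SYS activity never shows in DBA_AUDIT_TRAIL.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations');

-- 2. Generate one AUDIT statement per (system privilege granted to DBA,
--    user holding DBA). Joining STMT_AUDIT_OPTION_MAP keeps only privileges
--    that can actually be audited; the NOT IN list drops privileges that
--    ordinary developers also hold (constructed illustration, extend as needed).
SELECT 'AUDIT ' || sp.privilege || ' BY ' || rp.grantee || ' BY ACCESS;' AS audit_stmt
  FROM dba_sys_privs sp
  JOIN stmt_audit_option_map m ON m.name = sp.privilege
  JOIN dba_role_privs rp       ON rp.granted_role = 'DBA'
 WHERE sp.grantee = 'DBA'
   AND sp.privilege NOT IN ('CREATE SEQUENCE', 'CREATE VIEW', 'CREATE TABLE',
                            'CREATE PROCEDURE', 'CREATE TRIGGER')
 ORDER BY rp.grantee, sp.privilege;
-- Spool the output to a script, review it, then run it as SYSDBA.

-- 3. Verify which privilege audits are now active for the DBA-role holders.
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 WHERE user_name IN (SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA')
 ORDER BY user_name, privilege;

-- 4. Report. PRIV_USED records the system privilege that let the statement
--    run, so CREATE ANY TABLE (DBA-style) can be told apart from CREATE TABLE
--    in the user's own schema without auditing less.
SELECT username, timestamp, action_name, owner, obj_name, priv_used, returncode
  FROM dba_audit_trail
 WHERE username IN (SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA')
   AND timestamp >= SYSDATE - 1
 ORDER BY timestamp;
```

Because the generated statements are per user rather than per role, the script has to be re-run whenever DBA is granted to a new account.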

