Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Welcome, Guest. Please Login.
Nov 20th, 2017, 1:40am
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Auditing
(Moderator: Pete Finnigan)
   Auditing/Reporting DBA Actions
« No topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Auditing/Reporting DBA Actions  (Read 5325 times)
phildevall
PeteFinnigan.com Newbie
*



I love YaBB 1G - SP1!

   
View Profile |

Posts: 1
Auditing/Reporting DBA Actions
« on: Nov 28th, 2014, 3:53pm »
Quote | Modify

Hi, I wonder if anyone can give me some advice here.
Apologies as this is quite long.
 
This is on Windows platform 2008 R2 64 bit and 10g/11g databases running Enterprise Edition 64bit
 
I have set up auditing on one of our databases as per compliance requirement.
 
I am auditing sys operations which are written to the Event Log on the Windows server.
 
I have a filter log set up filtering on Event ID 34 in Windows
 
Unfortunately there appears to be a lot of messages regarding backups.  I'm trying to create a process so that it would be easy to spot sysdba logins and actions.
 
Loads of messages about internal commands relating to what Datapump is doing does not seem helpful to me.
 
I just ran an rman crosscheck, report obsolete, delete obsolete and a few other clean up commands.
 
This has caused around 100 records to be written to the event log.
 
I have set up a test database to audit out to XML to see if this is any better.
 
Trying to filter out results, everything done by SYSDBA comes in with an ACTION of 0  (UNKNOWN)
 
Why is this?
 
 
Code:
Alter database backup controlfile to trace as normal user is recorded as Action 35 (ALTER DATABASE)

 
Code:
Alter database backup controlfile to trace as SYSDBA is recorded as Action 0 (UNKNOWN)

 
I presume something like Audit Vault would give some nice clear reports about what is going on but there is no appetite to spend any more money on tools at the moment.  
 
Does anyone know how to make auditing SYSDBA events manageable?
 
Thanks
 
Phil
IP Logged
Pages: 1  Reply | Notify of replies | Send Topic | Print

« No topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board