Oracle Security is easier if you design for it
View Profile | WWW | Email
Auditing/Reporting DBA Actions
« on: Nov 28th, 2014, 3:53pm »
Quote | Modify
Hi, I wonder if anyone can give me some advice here.
Apologies as this is quite long.
This is on Windows platform 2008 R2 64 bit and 10g/11g databases running Enterprise Edition 64bit
I have set up auditing on one of our databases as per compliance requirement.
I am auditing sys operations which are written to the Event Log on the Windows server.
I have a filter log set up filtering on Event ID 34 in Windows
Unfortunately there appears to be a lot of messages regarding backups. I'm trying to create a process so that it would be easy to spot sysdba logins and actions.
Loads of messages about internal commands relating to what Datapump is doing does not seem helpful to me.
I just ran an rman crosscheck, report obsolete, delete obsolete and a few other clean up commands.
This has caused around 100 records to be written to the event log.
I have set up a test database to audit out to XML to see if this is any better.
Trying to filter out results, everything done by SYSDBA comes in with an ACTION of 0 (UNKNOWN)
Why is this?
|Alter database backup controlfile to trace as normal user is recorded as Action 35 (ALTER DATABASE) |
|Alter database backup controlfile to trace as SYSDBA is recorded as Action 0 (UNKNOWN) |
I presume something like Audit Vault would give some nice clear reports about what is going on but there is no appetite to spend any more money on tools at the moment.
Does anyone know how to make auditing SYSDBA events manageable?