Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Auditing >> Audit alerts to EM?
(Message started by: Pete Finnigan on Jan 6th, 2009, 12:20pm)

Title: Audit alerts to EM?
Post by Pete Finnigan on Jan 6th, 2009, 12:20pm
The last few days I've been looking into auditing.

It's quite easy to audit certain statements, like "audit alter any procedure" for example. Having audit data as forensic option is nice, but I'd prefer to get an alert in Enterprise Manager, that would warn DBAs (by mail) that somebody is trying to alter a procedure (or create a directory of something else).

I've been looking into EM's compliance features, but that kind of functionality does not seem to be included by default.

Probably I have to create a job of some sort, that checks sys.aud$ for new rows and raises an alert in EM somehow.

Has anyone done this before?

Title: Re: Audit alerts to EM?
Post by Pete Finnigan on Jan 21st, 2009, 7:32pm
Marcel-Jan,

I've not done it before but I've written user defined metrics for Oracle Grid and I think what you want can be easily implemented with a UDM. See the Oracle documentation on how to write UDM. It is easy.
Also, if you write Oracle 's audit trail to an OS file other tools can be used to generate alerts.

regards,

Ivan

Title: Re: Audit alerts to EM?
Post by Pete Finnigan on Jan 22nd, 2009, 3:21pm
Another option Marcel-Jan would be to use a system trigger and to send message from the trigger to EM. This could be fired on ALTER and the trigger code can filter on the specific target of the ALTER.

cheers

Pete

Title: Re: Audit alerts to EM?
Post by Pete Finnigan on Jan 23rd, 2009, 9:08am
Lets say it was right in front of my nose in OEM, but I didn't notice the Create button completely on the right on the User Defined Metrics page.

It wasn't until I studied this article that I noticed it:
http://dba-brent.blogspot.com/2007/08/howto-setup-user-defined-metrics-in-oem.html

I consider UDM before trying system triggers.

Title: Re: Audit alerts to EM?
Post by Pete Finnigan on Jan 23rd, 2009, 9:35am
sounds like a better plan Marcel-Jan :)



Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board