Pete Finnigan's Oracle Security Forum
        (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
      

        Oracle Security >> Oracle Auditing >> WHAT LEVEL OF AUDITING TO SET
        
(Message started by: Pete Finnigan on Sep 14th, 2009, 1:38pm)
Title: WHAT LEVEL OF AUDITING TO SET
Post by Pete Finnigan on Sep 14th, 2009, 1:38pm
Hi all

I have been tasked with reviewing the fact that we have auditing switched off here, and selecting an "appropriate" level of auditing.  

We are not a bank, but we would like to use a "best practice" approach to security.  How should I start this analysis process - and what are the Oracle defaults once the AUDIT feature has been switched on?  Should I just turn AUDIT_TRAIL to ON and see what happens  :o   Is FGA a bolt-on, or is it something that comes with Oracle (we have 10g)?

Keep up the great work, Pete.

Chris  
Title: Re: WHAT LEVEL OF AUDITING TO SET
Post by Pete Finnigan on Sep 14th, 2009, 8:04pm
Hi Chris,

Thanks for your question. No simply turning on audit doesnt make it do anything. You also need to enable specific audit settings. The simplest first apporach is to set audit to the database, audit_trail=db. This is not the most secure setting BUT as a first step its fine and is in fact what Oracle recommend and set by default in 11gR1. More secure options are available such as writing to the operating system or to syslog. Also options are available to include SQL and to write XML. Using db is a good first step as audit is not just about turning it on as you also need to do something with it. i.e. manage, purge, archive, have reports, act on them, escalation procedures.....

The settings enabled in 11g are fine. These can be found by querying an 11g database. Alternately drop me an email and I will send you a list i have (The Oracle 11g ones and around 50 more that i recommend). There is also a package DBMS_AUDIT_MGMT that is used to manage the audit trail. See http://download.oracle.com/docs/cd/E11062_01/admin.1023/e11059/avadm_mng_admin_tasks.htm#insertedID4. Also as you suggest FGA is a feature of Enterprise edition.

I have a paper on Oracle auditing - quite old now, 2003 but still relevant, you can find a link at http://www.petefinnigan.com/orasec.htm

hope this helps

cheers

pete
Title: Re: WHAT LEVEL OF AUDITING TO SET
Post by Pete Finnigan on Sep 14th, 2009, 9:15pm
Hi Pete

Thanks for your reply - much appreciated.

I'll definitely follow the links you've suggested - I may have already read your orasec paper but I'll go and have another look anyway.

By the way, we are on 10g - are the default settings good n that version?  my email is chrisuk@internet.lu - I'd like your list please.

Thanks again!
Chris
Title: Re: WHAT LEVEL OF AUDITING TO SET
Post by Pete Finnigan on Sep 15th, 2009, 8:06pm
Hi Chris,

I emailed it to you.

cheers

pete


Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board