Monday, August 5, 2013

Auditing DBAs - Steps to be followed

Does each DBA have their own account, or do they share the same one(s)?
This is the first question, and the mandatory answer is "they must have their own account". With a shared account an audit record can tell you what was done but never who did it, so nothing below is worth much until this is fixed.

Then you can use standard Oracle auditing on the named account (AUDIT ALL BY <dba account>; AUDIT ALL PRIVILEGES BY <dba account>;), but with audit_trail set to OS so the records are written outside the database, and with DBA access to the OS audit directory and files forbidden. Note that with AUDIT_TRAIL=OS the records land in AUDIT_FILE_DEST, which is owned by the oracle OS user, so the "forbidden" part only becomes real once the records leave that directory (see AUDIT_SYSLOG_LEVEL below).
And of course AUDIT_SYS_OPERATIONS must be TRUE, otherwise sessions connected AS SYSDBA or AS SYSOPER are not audited at all, and standard auditing can be switched off by anyone holding AUDIT SYSTEM. Also have a look at the options for the AUDIT_SYSLOG_LEVEL parameter: it takes a facility.priority pair, and when it is set together with AUDIT_TRAIL=OS the audit records go to syslog instead of AUDIT_FILE_DEST. All three parameters are static, so they must be set with SCOPE=SPFILE and the instance restarted before they take effect.

Otherwise, there are many third party tools (including Oracle Audit Vault), but they are expensive.

But Audit Vault is not advisable, as it creates problems for applications as well as for databases.

This type of activity needs to be handled together with the system administrators, security administrators, database administrators and managers. There are things that will be required, and you need to make sure that everyone agrees on them.

But the O/S account (i.e. the oracle user) is shared among the DBAs... and everyone does su - oracle.

This requirement is not for the DBAs to find a way to audit, but for the system administrators. I understand that there are logging capabilities for the su command. Our system administrators set up auditing using pbrun. You need to work with them to find the best way to handle this requirement.

How am I going to restrict DBA access to the OS logging directory and files?
*You will need to work with your system administrators to set this up.

http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm#DBSEG66112

Set
AUDIT_TRAIL=OS
AUDIT_SYS_OPERATIONS=TRUE
AUDIT_SYSLOG_LEVEL=????????

syslog is used, and the audit records go to directories that should not be accessible by DBAs. Local syslog files are normally root-owned, so the oracle OS user cannot edit them, and forwarding syslog to a separate log host takes them out of the DBAs' reach entirely, which is the check you actually want: a DBA with SYSDBA can still run NOAUDIT or change the parameters, but that action itself is recorded where they cannot remove it.
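The complete procedure from the two passages above (audit the named account, set the three parameters, then verify) as a SQL*Plus script. This is an added example, not code from the original post; the DBA account name JSMITH_DBA and the syslog value LOCAL1.WARNING are assumptions chosen for illustration.

```sql
-- Added example (not from the original post): audit a named DBA account
-- and route the audit trail to syslog. Run as SYSDBA in SQL*Plus.
-- Assumptions: the DBA account is JSMITH_DBA; the syslog facility.priority
-- is LOCAL1.WARNING. Both are placeholders for illustration.

-- 1. The three parameters are static: they can only be written to the
--    SPFILE and take effect after the instance is restarted.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;

-- 2. Restart so the new values are active.
SHUTDOWN IMMEDIATE
STARTUP

-- 3. Audit every statement type and every system privilege used by the
--    named DBA account. BY ACCESS writes one record per statement rather
--    than one per session, which is what you want for a forensic trail.
AUDIT ALL BY jsmith_dba BY ACCESS;
AUDIT ALL PRIVILEGES BY jsmith_dba BY ACCESS;

-- 4. Check that the parameters really took effect after the restart
--    (expect OS / TRUE / LOCAL1.WARNING).
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'audit_syslog_level');

-- 5. Check that the audit options are in place for that account.
--    Both queries should return rows; an empty result means the AUDIT
--    statements were never run or were later undone with NOAUDIT.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name = 'JSMITH_DBA';

SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 WHERE user_name = 'JSMITH_DBA';
```

The verification queries in steps 4 and 5 are the part worth scheduling: a DBA with SYSDBA can run NOAUDIT or reset the parameters at any time, so re-run these checks periodically and compare against the expected values. Because AUDIT_SYS_OPERATIONS is TRUE and the records go to syslog, the NOAUDIT or ALTER SYSTEM that turned auditing off is itself written somewhere the DBA cannot reach.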