
Enabling Oracle Audit Configuration for Security Audit Trails

June 22, 2013

Make sure you have enough disk space to support the storage of the event logs and make sure you have a process or strategy for log rotation / retention.

The purpose of this document is to define the specific Oracle parameters required to capture the desired Oracle database events in the SYS.AUD$ table of the test database residing on host “Host-Name”.

The audit parameters specified below are recommended in general to enable auditing of the following events:

  • Modification of users accounts on Oracle (create and delete accounts)
  • Access granted and denied for Oracle database and its tables
  • Configuration changes on the Oracle database objects
  • Users accessing database directly rather than through an application

Oracle User Permissions

When the Oracle Recorder was installed on “Host-Name”, an Oracle user account was specified. This is the account that the Oracle Recorder uses to access the records in the SYS.AUD$ table. The account must have the required permissions to access this table.

The following role and privileges must be granted to that Oracle user ID:

  • Role: CONNECT
  • Sys Priv: SELECT ANY TABLE
    • (and for Oracle 9.x – 11g, SELECT ANY DICTIONARY)
  • Obj Priv: SELECT ON SYS.AUD$

Activate Oracle Audit Trail

To activate the audit trail, add the following line to the initialization parameter file, $ORACLE_HOME/dbs/init"Database-Name".ora, and restart the Oracle instance:

audit_trail = DB

To restart the Oracle instance, enter:

SVRMGR> shutdown abort;

SVRMGR> startup;

Configure Oracle to Audit Connections

In order to generate the Oracle audit events that identify users connecting to the database directly rather than through an authorized application, it is necessary to audit both successful and unsuccessful connections and disconnections.

To audit successful and unsuccessful connections and disconnections, enter:

SVRMGR> AUDIT SESSION;

Configure Oracle to Audit Database Object Access and Modification

In order to generate Oracle audit events for database objects, enter the following command to set the relevant audit parameters.

SVRMGR> AUDIT ALTER, GRANT, INSERT, UPDATE, DELETE ON DEFAULT;

These Oracle audit parameters will generate the events to support the following test cases:

  • Access granted and denied for Oracle database and its tables
  • Configuration changes on the Oracle database objects
  • Modification of users accounts on Oracle (create and delete accounts)
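The following SQL*Plus session, added here as an example and not part of the original document or the Oracle Recorder product, ties the steps above together: it checks the audit_trail parameter after the restart, grants the recorder account the role and privileges listed earlier, enables the two audit options, verifies that they took effect, and reviews the resulting session records. The account name AUDIT_RECORDER, the host name APP-SERVER-1 and the 90-day retention period are assumed placeholders.

```sql
-- Run as SYS (connect / as sysdba). All names below are example placeholders.

-- 1. Confirm the instance came back up with auditing enabled (expect VALUE = DB).
SELECT name, value FROM v$parameter WHERE name = 'audit_trail';

-- 2. Grant the recorder account exactly the access listed in this document.
GRANT CONNECT TO audit_recorder;
GRANT SELECT ANY TABLE TO audit_recorder;
GRANT SELECT ANY DICTIONARY TO audit_recorder;   -- Oracle 9i through 11g
GRANT SELECT ON sys.aud$ TO audit_recorder;

-- 3. Enable the audit options from this document.
AUDIT SESSION;
AUDIT ALTER, GRANT, INSERT, UPDATE, DELETE ON DEFAULT;

-- 4. Verify the options are active instead of assuming the statements succeeded.
SELECT audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name IS NULL;            -- system-wide options; SESSION should appear
SELECT alt, gra, ins, upd, del
  FROM all_def_audit_opts;           -- 'A/A' = audited by access on success/failure

-- 5. Review logons and logoffs from the last day.
--    RETURNCODE 1017 is ORA-01017 (invalid username/password), i.e. a failed logon.
SELECT username, os_username, userhost, terminal, timestamp, action_name, returncode
  FROM dba_audit_session
 WHERE timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- 6. Surface direct connections: logons that did not come from the application host.
SELECT username, userhost, COUNT(*) AS logons
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND userhost <> 'APP-SERVER-1'    -- placeholder for the authorized application host
 GROUP BY username, userhost
 ORDER BY logons DESC;

-- 7. Retention: after the recorder has archived the rows, purge entries older than
--    the retention period so SYS.AUD$ cannot fill the SYSTEM tablespace.
--    (NTIMESTAMP# exists from 10g; on 9i the column is TIMESTAMP#.)
DELETE FROM sys.aud$
 WHERE ntimestamp# < SYSTIMESTAMP - INTERVAL '90' DAY;
COMMIT;
```

Step 6 only identifies the originating host; combine it with the USERNAME column to separate application service accounts from interactive users before treating a connection as direct access.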