Oracle Audit Configuration for Security Audit Trails
May 14, 2020
The purpose of this article is to define the specific Oracle parameters required to capture the desired Oracle database events to the SYS.AUD$ table on the test database residing on host “Host-Name”.
The audit parameters specified below are recommended in general to enable auditing of the following events:
- Modification of users accounts on Oracle (create and delete accounts)
- Access granted and denied for Oracle database and its tables
- Configuration changes on the Oracle database objects
- Users accessing database directly rather than through an application
Oracle User Permissions
When the Oracle Recorder was installed on “Host-Name”, an Oracle user account was specified. This is the account that the Oracle Recorder uses to access the records in the SYS.AUD$ table. The account must have the required permissions to access this table.
The Oracle user ID used by the Oracle Recorder requires the following role and privileges:
- ROLE CONNECT
- Sys Priv: SELECT ANY TABLE
- (and, for Oracle 9.x – 11g, Sys Priv: SELECT ANY DICTIONARY)
- Obj Priv: SELECT FROM SYS.AUD$
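The grants listed above, written out as an added SQL example that is not part of the original article. The account name AUDIT_RECORDER and the password placeholder are assumptions; the queries against the DBA_* views at the end are the check to run before the recorder is pointed at the account.

```sql
-- Added example (not from the original article): create the Oracle Recorder
-- account and grant exactly the permissions listed above.
-- AUDIT_RECORDER and the password placeholder are assumed values.
CREATE USER audit_recorder IDENTIFIED BY "<choose-a-strong-password>";

-- ROLE CONNECT: lets the account establish a session.
GRANT CONNECT TO audit_recorder;

-- Sys Priv: SELECT ANY TABLE. With the default O7_DICTIONARY_ACCESSIBILITY=FALSE
-- (Oracle 9i onward) this privilege does NOT reach SYS-owned objects such as
-- SYS.AUD$, which is why SELECT ANY DICTIONARY is also listed for 9.x - 11g.
GRANT SELECT ANY TABLE TO audit_recorder;
GRANT SELECT ANY DICTIONARY TO audit_recorder;

-- Obj Priv: direct object grant on the audit trail table itself.
GRANT SELECT ON sys.aud$ TO audit_recorder;

-- Verification: confirm the role, system privileges and object privilege
-- actually landed on the account (grantee names are stored in upper case).
SELECT granted_role FROM dba_role_privs WHERE grantee = 'AUDIT_RECORDER';
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'AUDIT_RECORDER';
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'AUDIT_RECORDER';

-- Smoke test from the recorder account itself (reconnect as audit_recorder
-- first): a row count rather than ORA-00942 means the collector can read
-- the trail.
SELECT COUNT(*) FROM sys.aud$;
```

Expect one row for CONNECT, one row each for SELECT ANY TABLE and SELECT ANY DICTIONARY, and one row for SYS.AUD$ with privilege SELECT; anything missing from those three result sets is a grant that did not apply.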
Activate Oracle Audit Trail
The audit_trail initialization parameter is set in the instance parameter file (init.ora) and takes effect only after the instance is restarted:
audit_trail = DB
SVRMGR> shutdown abort;
SVRMGR> startup;
Configure Oracle to Audit Connections
In order to generate the Oracle audit events that identify users connecting to the database directly rather than through an authorized application, it is necessary to audit both successful and unsuccessful connections and disconnections:
SVRMGR> AUDIT SESSION;
Configure Oracle to Audit Database Object Access and Modification
SVRMGR> AUDIT ALTER, GRANT, INSERT, UPDATE, DELETE ON DEFAULT;
These Oracle audit parameters will generate the events to support the following test cases:
- Access granted and denied for Oracle database and its tables
- Configuration changes on the Oracle database objects
- Modification of users accounts on Oracle (create and delete accounts)
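The steps from the sections above collected into one SQL*Plus script, as an added example that is not part of the original article. It assumes the instance starts from an spfile and that the script is run as SYSDBA; APPSRV01 and hr.employees are assumed names. It goes slightly beyond the article in two places: it adds AUDIT USER so that account creation and deletion are recorded as statement audits, and it shows the dictionary queries that confirm the options took effect plus the queries a reviewer would run over the resulting SYS.AUD$ records.

```sql
-- Added example (not from the original article): full audit enablement
-- from the sections above, followed by verification and review queries.
-- Run as SYSDBA. Assumes an spfile; with a plain init.ora, put
-- "audit_trail = DB" in that file instead of using ALTER SYSTEM.

-- 1. Activate the audit trail. audit_trail is a static parameter, so the
--    instance must be restarted. The article uses SHUTDOWN ABORT; a clean
--    SHUTDOWN IMMEDIATE is used here.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
SHUTDOWN IMMEDIATE
STARTUP
-- Expect VALUE = DB in the output of the next line.
SHOW PARAMETER audit_trail

-- 2. Audit connections (success and failure) so direct logons are recorded.
AUDIT SESSION;

-- 3. Default object auditing. ON DEFAULT applies only to objects created
--    AFTER this statement runs; pre-existing tables need an explicit
--    AUDIT ... ON <owner>.<table> (hr.employees below is an assumed name).
AUDIT ALTER, GRANT, INSERT, UPDATE, DELETE ON DEFAULT;
AUDIT ALTER, GRANT, INSERT, UPDATE, DELETE ON hr.employees;

-- 4. Beyond the article: statement auditing for account lifecycle events
--    (CREATE USER, ALTER USER, DROP USER).
AUDIT USER;

-- Verification: which statement options and default object options are active.
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT alt, gra, ins, upd, del FROM all_def_audit_opts;

-- Review: failed logons. DBA_AUDIT_SESSION is the view over SYS.AUD$ for
-- logon/logoff records; RETURNCODE <> 0 is a failure (1017 = invalid
-- username/password).
SELECT os_username, username, userhost, terminal, timestamp, returncode
  FROM dba_audit_session
 WHERE returncode <> 0
 ORDER BY timestamp DESC;

-- Review: successful sessions from hosts other than the application server,
-- i.e. candidates for direct access. APPSRV01 is an assumed host name.
SELECT username, userhost, os_username, COUNT(*) AS sessions
  FROM dba_audit_session
 WHERE returncode = 0
   AND userhost NOT IN ('APPSRV01')
 GROUP BY username, userhost, os_username
 ORDER BY sessions DESC;

-- Review: object changes captured by the object auditing options.
SELECT timestamp, username, owner, obj_name, action_name, returncode
  FROM dba_audit_object
 ORDER BY timestamp DESC;
```

The second review query is the practical test for the "users accessing the database directly" case: any USERHOST outside the application tier, or an OS_USERNAME that is not the application service account, is a session that did not come through the application. Because the options are written to the data dictionary, the two verification queries are also the quickest way to confirm on a later visit that nobody has run NOAUDIT in the meantime.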