Hi, Michael
I am (obviously) dreadfully behind on e-mails.
I was disappointed that I did not see a response to your e-mail on the list. Here's my .02
IMHO, there's a significant difference between what auditors will ask
for, and what a good DBA deems necessary to secure his/her
database. SoX seems rather intent on "watching the dba". If
you have audit_sys_operations = true along with some mechanism for
protecting the associated output files, and you're auditing the audit
tables (for example audit all on sys.aud$ by access), the SoX droids
seem to be pretty happy. (And you're using the SYS account only
when absolutely necessary.)
By contrast, I really like to watch several other things on my
production databases. In production, no one should be
adding/modifying tables, procedures, triggers, etc. If they are,
I want to know about it. I'm auditing for creation or
modification of these objects, as well as unsuccessful 'create session'
activity. I have not noticed any performance impact with enabling
these kinds of audits.
I really don't know of a white paper regards impact of enabling
auditing. Tim Gorman has a nice paper on his web site
(
www.evdbt.com) titled "Unraveling the Sweater - Oracle Database
Security" that I like.
The 20% load you experienced seems awfully high. I'd suggest the
"just try it" approach, but enabling only those things absolutely
necessary. Watch performance for awhile and see what is really
impacted. Hopefully you'll find a nice balance.
Good luck!
Barb
On 3/17/06, Kline.Michael <Michael.Kline@suntrust.com> wrote:
Is there a white paper out there that discusses what
the load is for turning on auditing?
In the past when we had short occurrences to just "try
it", it seemed to put almost a 20% load which is unacceptable. Then
again, you don't have to audit EVERYTHING.
Is there a good paper and/or book on the fine
details on the subject?
What, if anything, have you done to sort of satisfy
Sorbanes, etc?
