 | | | Subject: Auditing DBA privs | Subject: Auditing DBA privs 2007-10-03 - By Smith, Steven K - MSHA
Back
The Inspector General office is breathing down our necks here and is
requesting that we audit all activities performed by anyone with DBAish
role privs. We are currently on version 9i and are currently using the
'soon to be discontinued' DBA role.
At first glance, it appears that this would be simple. I've started
looking into this and have found that 'audit DBA on session' isn't going
to do the trick because of the limitations/bugs in the execution of that
statement. I guess that auditing DBA really isn't auditing everything
that someone with the DBA role does. This is turning into the 300 lb
gorilla.
Anyway - I'm looking into setting up auditing for everything defined in
the dba_sys_privs view that is granted to DBA. That should get a large
majority of the specific DBAish commands, but it will also get 'create
sequence', 'create view', etc. Those are not DBA specific roles and
those are not commands that can only be executed by someone with DBA
privileges. HHmm...
Does anyone have experience in 9i auditing the commands of userids with
DBA role assigned to them? Has anyone gone through this exercise before
and is willing to share their experiences and pitfalls?
I know that I'm potentially looking at a lot of data in the AUD$ table -
managing it and reporting it is going to be a fun project in itself, but
first things first.
Thanks
Steve Smith
Desk: 303-231-5499
Fax: 303-231-5696
<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas
-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Font Definitions */
@(protected)
{font-family:"Book Antiqua";
panose-1 (See http://ose-1.ora-code.com):2 4 6 2 5 3 5 3 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Book Antiqua";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:#606420;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
@(protected) Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink="#606420">
<div class=Section1>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'>The Inspector General office is breathing down our necks
here and is requesting that we audit all activities performed by anyone with
DBAish role privs. We are currently on version 9i and are currently using
the ‘soon to be discontinued’ DBA role.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'>At first glance, it appears that this would be simple.
I’ve started looking into this and have found that ‘audit DBA on
session’ isn’t going to do the trick because of the
limitations/bugs in the execution of that statement. I guess that
auditing DBA really isn’t auditing everything that someone with the DBA
role does. This is turning into the 300 lb gorilla.<o:p></o:p></span><
/font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'>Anyway – I’m looking into setting up auditing
for everything defined in the dba_sys_privs view that is granted to DBA.
That should get a large majority of the specific DBAish commands, but it will
also get ‘create sequence’, ‘create view’, etc.
Those
are not DBA specific roles and those are not commands that can only be executed
by someone with DBA privileges. HHmm…<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'>Does anyone have experience in 9i auditing the commands of
userids with DBA role assigned to them? Has anyone gone through this
exercise before and is willing to share their experiences and pitfalls?<o:p></o
:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'>I know that I’m potentially looking at a lot of data in
the AUD$ table – managing it and reporting it is going to be a fun
project in itself, but first things first.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'>Thanks<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'>Steve Smith</span></font><o:p></o:p></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'>Desk: 303-231-5499</span></font><o:p></o:p></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'>Fax: 303-231-5696</span></font><o:p></o:p></p>
<p class=MsoNormal><font size=3 face="Book Antiqua"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</body>
</html>
|
|
|