Subject: RE: Auditing DBA privs
2007-10-03 - By Johnson, William L (TEIS)
Have you considered or investigated auditing each individual account granted DBA privs with something like...
AUDIT ALL BY <userid>;
AUDIT ALL PRIVILEGES BY <userid>;
________________________________
From: oracle-l-bounce@(protected) [mailto:oracle-l-bounce@(protected)] On Behalf Of Smith, Steven K - MSHA
Sent: Wednesday, October 03, 2007 11:15 AM
To: oracle-l
Subject: Auditing DBA privs
The Inspector General office is breathing down our necks here and is requesting that we audit all activities performed by anyone with DBAish role privs. We are currently on version 9i and are currently using the 'soon to be discontinued' DBA role.
At first glance, it appears that this would be simple. I've started looking into this and have found that 'audit DBA on session' isn't going to do the trick because of the limitations/bugs in the execution of that statement. I guess that auditing DBA really isn't auditing everything that someone with the DBA role does. This is turning into the 300 lb gorilla.
Anyway - I'm looking into setting up auditing for everything defined in the dba_sys_privs view that is granted to DBA. That should get a large majority of the specific DBAish commands, but it will also get 'create sequence', 'create view', etc. Those are not DBA specific roles and those are not commands that can only be executed by someone with DBA privileges. Hmm...
Does anyone have experience in 9i auditing the commands of userids with DBA role assigned to them? Has anyone gone through this exercise before and is willing to share their experiences and pitfalls?
I know that I'm potentially looking at a lot of data in the AUD$ table - managing it and reporting it is going to be a fun project in itself, but first things first.
Thanks
Steve Smith
Desk: 303-231-5499
Fax: 303-231-5696
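The per-account approach William suggests, turned into a repeatable SQL*Plus script (an added example, not code from either poster). It assumes you run it as SYS on 9i with audit_trail=DB already set in init.ora; the spool file name audit_dba_accounts.sql is an arbitrary choice.

```sql
-- Generate per-account audit settings for every DBA-role holder (SQL*Plus, as SYS).
-- Assumes audit_trail=DB is set in init.ora and the instance has been restarted.
SET PAGESIZE 0 FEEDBACK OFF HEADING OFF LINESIZE 200 TRIMSPOOL ON
SPOOL audit_dba_accounts.sql

-- Walk role grants downward from DBA so accounts that hold it only through a
-- nested role are included; a plain granted_role = 'DBA' filter would miss them.
-- Per-user scope answers the "create sequence is not a DBA command" worry:
-- everything these particular accounts do is in scope, whatever the command.
SELECT 'AUDIT ' || k.opt || ' BY ' || u.grantee || ' BY ACCESS;'
FROM   (SELECT DISTINCT grantee
        FROM   dba_role_privs
        START WITH granted_role = 'DBA'
        CONNECT BY PRIOR grantee = granted_role) u,
       (SELECT 'ALL' opt FROM dual
        UNION ALL
        SELECT 'ALL PRIVILEGES' opt FROM dual) k
WHERE  u.grantee IN (SELECT username FROM dba_users)   -- users, not roles
ORDER  BY u.grantee, k.opt;

SPOOL OFF
@audit_dba_accounts.sql

-- Anyone with DBA can delete their own trail from SYS.AUD$, so audit that too.
AUDIT DELETE ON sys.aud$ BY ACCESS;

-- Verify what is now in force (user-specific rows have a non-null user_name).
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts WHERE user_name IS NOT NULL ORDER BY 1, 2;
SELECT user_name, privilege, success, failure
FROM   dba_priv_audit_opts WHERE user_name IS NOT NULL ORDER BY 1, 2;

-- Daily report for the auditors; returncode <> 0 marks failed attempts.
SELECT timestamp, username, os_username, userhost, action_name,
       owner, obj_name, returncode
FROM   dba_audit_trail
WHERE  username IN (SELECT grantee FROM dba_role_privs
                    START WITH granted_role = 'DBA'
                    CONNECT BY PRIOR grantee = granted_role)
AND    timestamp >= TRUNC(SYSDATE) - 1
ORDER  BY timestamp;
-- Caveat: statements run AS SYSDBA are not written to AUD$; from 9.2 onward
-- audit_sys_operations=TRUE sends those to the OS audit file instead.
```

BY ACCESS writes one AUD$ row per statement rather than one per session, which is what an auditor asking for "all activities" will expect, so plan the AUD$ purge job before enabling it.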