Solved

oracle database auditing

Posted on 2014-03-27
Last Modified: 2014-04-11
I appreciate this falls into the realms of "it depends on company policy" etc. But when it comes to enabling auditing on Oracle databases that process PII data, are there any best practices on what exactly you should be auditing, or what specific events you should monitor for access abuse/misuse, data theft etc.? I didn't know whether there are any best practices in this area, or any examples of what you log and monitor in your databases.
0
Question by:pma111
2 Comments
 
LVL 12

Accepted Solution

by:
praveencpk earned 250 total points
ID: 39959683
0
 
LVL 23

Assisted Solution

by:David
David earned 250 total points
ID: 39960726
Perhaps my best practice approach is to identify risk, and mitigate it -- not particularly an audit issue.  Or rather, one may turn on, and might even have the personnel to track, all manner of audit -- but that's not the target -- data integrity is, or should be.

Another view, auditing reports what happened, but doesn't do a blessed thing to prevent the attack from happening.

The sfisaca paper had a lot of marketing fluff but did mention some good points.  For example, data that is encrypted at rest, and encrypted in transit, is going to address the major part of your risk.  Hardening the system, and the network, to least access, follows next.  The U.S. federal government publishes their security technical implementation guides (STIG) at http://iase.disa.mil/stigs/ (unclassified).  Before a new server can be staged in production, for example, it is tested for federal best practices -- one of which, for example, is that the Oracle installation user and o/s group must exclude the Oracle DBAs.  The DBAs can read logs, etc., but don't need to modify nor execute the binaries.

Another good point about the DISA checklist is that they provide gradients:  a category one violation is a showstopper to us; twos require a formal, management approved exception, and threes are more likely to be documented if they can't be resolved.  Under this approach one may focus upon covering (auditing) the risk of known weaknesses.

In some shops, developers may want a copy of production data in test and QA environments, so that they "can work with current conditions".  Non-production environments may relax security requirements -- no one willingly maintains a 16-character password every 30 days...  As a former developer, I am aware of how easily Oracle can provide profiles and execution plans from production, and workload playback, to simulate those conditions.  In Oracle 12c, PII data can be (should be) masked and/or redacted to change PII data into simple random strings.
0
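The STIG item mentioned in the answer above (the Oracle installation user and o/s group must exclude the DBAs) can be checked mechanically. This is an added example, not part of the original post or of the DISA checklist; the group names `oinstall` and `dba`, the `oracle` account and the sample passwd/group content are assumptions constructed for illustration.

```python
# Added example. All names below are assumptions, not values from the post.
INSTALL_GROUP = "oinstall"   # assumed installation (software owner) group
DBA_GROUP = "dba"            # assumed o/s group that holds the DBAs
INSTALL_USER = "oracle"      # assumed installation (software owner) account

# Constructed sample data in /etc/passwd and /etc/group format.
SAMPLE_PASSWD = """\
oracle:x:54321:54321:Oracle software owner:/home/oracle:/bin/bash
alice:x:1001:1001:DBA:/home/alice:/bin/bash
bob:x:1002:54321:DBA:/home/bob:/bin/bash
carol:x:1003:1003:DBA:/home/carol:/bin/bash
"""
SAMPLE_GROUP = """\
oinstall:x:54321:oracle,alice
dba:x:54322:oracle,alice,bob,carol
alice:x:1001:
carol:x:1003:
"""

def group_members(passwd_text, group_text, group_name):
    """Return every account in group_name: listed members plus primary-GID members."""
    gid, members = None, set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group_name:
            gid = fields[2]
            members.update(m for m in fields[3].split(",") if m)
    if gid is None:
        return members  # group does not exist
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # Primary group membership is recorded only in passwd, not in the group file,
        # so an account like bob would be missed by reading the group file alone.
        if len(fields) >= 4 and fields[3] == gid:
            members.add(fields[0])
    return members

def dba_accounts_in_install_group(passwd_text, group_text):
    """Return DBA accounts that also belong to the installation group (findings)."""
    install = group_members(passwd_text, group_text, INSTALL_GROUP)
    dbas = group_members(passwd_text, group_text, DBA_GROUP) - {INSTALL_USER}
    return sorted(install & dbas)

if __name__ == "__main__":
    for account in dba_accounts_in_install_group(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"FINDING: DBA account {account} is a member of {INSTALL_GROUP}")
```

On a real host the two text arguments can be the output of `getent passwd` and `getent group` instead of the constructed samples.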
