Re: Auditing DBAs
Daniel Morgan <damorgan_at_x.washington.edu> wrote in message news:<1097891910.724221_at_yasure>...
> Jan van Mourik wrote:
>
> > We have this problem too, brought on by the Sarbanes-Oxley
> > legislation. Our auditors are pressing for individual accountability
> > for all the Oracle DBAs. So Sybrand's solution isn't applicable to our
> > situation... One small step we're taking is creating individual Unix
> > accounts for all DBAs, then have them su to oracle when necessary. But
> > what then? In 9i we can set that nice parameter "audit_sys_operations"
> > which is probably enough. But I'm not sure yet what to do in 8i.
> >
> > Any suggestions (and no, we can't fire the auditors Sybrand!)
> >
> > jan
>
> Use database level triggers. Basic auditing may not catch SYS ... but
> you can do anything without an entry in v_$session from which you can
> be tracked.
I presumably missed the bit where everyone posted the fact that in 9i Release 2, auditing SYS operations is a piece of cake, and requires the setting of one init.ora/spfile parameter.
Audit_sys_operations=true is your friend.
It requires that you set the directory where the SYS audit trail is written to, and that requires in turn that you set appropriate O/S permissions on that directory so that Mr. DBA doesn't just waltz into the directory and delete the audit trail. But nothing a moderately competent Unix administrator couldn't cope with, I suspect.
Regards
HJR
Received on Sat Oct 16 2004 - 05:12:14 CDT
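
A check for the two settings named in the reply above, as an added example that is not part of the original thread: it reads a text init.ora, confirms `audit_sys_operations` is true and `audit_file_dest` is set, then inspects the mode of that directory. The function names, the constructed sample pfile and the permission policy (no group write, no access for other) are assumptions of this example.

```shell
#!/bin/sh
# Added example: the functions, sample pfile and policy are illustrative only.

# Print the value of parameter $2 from text pfile $1. Names are matched
# case-insensitively, a "*." or "SID." prefix is ignored, '#' starts a
# comment, and the last assignment wins.
pfile_param() {
    sed 's/#.*//' "$1" | awk -F= -v want="$2" '
        index($0, "=") > 0 {
            name = tolower($1); gsub(/[ \t]/, "", name); sub(/^.*\./, "", name)
            if (name == tolower(want)) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = val
            }
        }
        END { print found }' | tr -d "\"'"
}

# Return 0 only if SYS auditing is enabled and the audit directory exists,
# is not group-writable and grants nothing to "other" (assumed policy).
check_sys_audit() {
    pfile=$1 rc=0
    ops=$(pfile_param "$pfile" audit_sys_operations | tr 'A-Z' 'a-z')
    dest=$(pfile_param "$pfile" audit_file_dest)
    if [ "$ops" != "true" ]; then
        echo "FAIL audit_sys_operations is '${ops:-unset}'"; rc=1
    fi
    if [ -z "$dest" ]; then
        echo "FAIL audit_file_dest is not set explicitly"; rc=1
    elif [ ! -d "$dest" ]; then
        echo "FAIL audit_file_dest '$dest' is not a directory"; rc=1
    elif [ -n "$(find "$dest" -prune \( -perm -0020 -o -perm -0004 \
            -o -perm -0002 -o -perm -0001 \) -print)" ]; then
        echo "FAIL '$dest' is group-writable or open to other:"
        ls -ld "$dest"; rc=1
    fi
    return $rc
}

# Demo on a constructed pfile and a scratch directory (not a real instance).
demo_dir=$(mktemp -d) && chmod 750 "$demo_dir"
demo_pfile=$(mktemp)
printf '%s\n' '*.audit_sys_operations=TRUE   # constructed sample' \
    "*.audit_file_dest='$demo_dir'" > "$demo_pfile"
check_sys_audit "$demo_pfile" && echo "OK SYS audit settings pass the check"
rm -rf "$demo_dir" "$demo_pfile"
```

A mode check only covers other OS accounts: anyone who can become the account that owns the directory can still remove files from it.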