Re: Securing sys.aud$

It's an interesting feature, logging directly to syslog from Oracle. However, it's a shame Oracle forgot to include the SID in the audit entry. Therefore, if you've got more than one instance on a server, there's no way to figure out which one any given entry originated from.

Stefan

On 4/26/07, Paul Drake <bdbafh_at_gmail.com> wrote:
>
> On 4/26/07, Peter Dixon <peterdixon001_at_hotmail.com> wrote:
> > I have an issue where i am unable to stop dbas updating/deleting
> information
> > from sys.aud$ table has anybody got any ideas/methods of protecting the
> > audit trial, as sending the information to a log file on the o/s is not
> an
> > option at our site.
>
> Peter,
>
> Since you don't mention a version, I'll assume that 10g R2 is in use.
>
>
> http://download-east.oracle.com/docs/cd/B19306_01/network.102/b14266/whatsnew.htm#i970212
>
> #
>
> Syslog audit records
>
> Audit records can now be written to the operating system using a
> syslog audit trail. A potential security vulnerability to an operating
> system audit trail is that a privileged user such as a DBA can modify
> or delete audit records. In order to minimize this risk, you can use
> syslog, which is a standard protocol on UNIX-based systems for logging
> information from different components of a network.
>
> See Also:
> "Syslog Audit Trail" for more information about this new view
>
>
> http://download-east.oracle.com/docs/cd/B19306_01/network.102/b14266/auditing.htm#CEGJJHJH
>
> Paul
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
=========================

Stefan P Knecht
Consultant
Infrastructure Managed Services

Trivadis AG
Europa-Strasse 5
CH-8152 Glattbrugg

Phone +41-44-808 70 20
Fax +41-808 70 12
Mobile +41-79-571 36 27
stefan.knecht_at_trivadis.com
http://www.trivadis.com

=========================

--
http://www.freelists.org/webpage/oracle-l