
Oracle audit parameter

j_bayrhammer
Participant
0 Kudos

Hello,

The auditor complained about the settings of the audit parameters in Oracle 11, especially audit_sys_operations=FALSE and audit_syslog_level=' '.

I found notes 1551504, 700548, 1963700, 1128663 etc. with information about the technical configuration.

But I didn't find notes or links about the settings recommended by SAP and by advisors. Sometimes these recommendations differ, so that advisors recommend stronger security settings.

What are the recommended settings for these audit parameters? Is it better to log audit files in the database? Do logs have to be reported to the UNIX syslog? And what is a good way to secure audit files in a folder, so that dbauser can still access them for reading or creating?

Regards,

Julia

Accepted Solutions (0)

Answers (3)


divyanshu_srivastava3
Active Contributor
0 Kudos

Hi,

But I didn't find notes or links about the settings recommended by SAP and by advisors. Sometimes these recommendations differ, so that advisors recommend stronger security settings

There are lots of things that are considered and then recommended.

You should understand this.

From your side, you start by considering your environment and standard recommendations.

Once you have the audit done, you have the results and scope for improvements.

For your other queries, you have notes supporting them, and my counterparts have already stated the same.

So, Cheers,

Divyanshu

Former Member
0 Kudos

Hi Julia,

Auditing requirements are different for each company and auditor.

Now, to give your question a generic reply:

1. You need to set the parameters suggested by Oracle with regard to your company in the initsid.ora file and generate the spfile from it.

2. Get it verified against the standard provided by the auditor for your company; then phase 1 is OK.

3. Now, in phase 2, with regard to the security of files:

Then you can make groups in your UNIX / AIX flavor.

Let's say you made a group called DBA

and you have assigned users to that group,

and now the file system is most probably

/oracle/SID/saptrace/audit /.....

You give the permissions as follows:

chown userid:dba <dir name> that will make your files secure, and nobody who is not in the DBA group is able to change it.

regards

Dishant Pathak

[REDACTED BY MODERATOR PER SCN RULES OF ENGAGEMENT]
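
A way to verify the group-ownership approach from the post above, as an added example that is not part of the original thread: it lists entries under an audit directory that do not belong to the expected group or grant any access to other users, and then sets restrictive modes. It assumes the account that writes the audit files owns the directory and that group members only need read access; the function names, the modes and the scratch directory are illustrative.

```shell
#!/bin/sh
# Added example; function names and the modes chosen are illustrative.

# audit_dir_findings DIR GROUP
# Prints entries under DIR that do not belong to GROUP or that grant read,
# write or execute to "other". Returns 0 if clean, 1 on findings, 2 on error.
audit_dir_findings() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    findings=$(find "$1" \( ! -group "$2" \
        -o -perm -0004 -o -perm -0002 -o -perm -0001 \) -print)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# lock_down DIR GROUP
# Assumption: the account writing the audit files owns DIR, and members of
# GROUP only need to read. The setgid bit on directories makes new files
# inherit GROUP; "other" gets no access at all.
lock_down() {
    chgrp -R "$2" "$1" &&
    find "$1" -type d -exec chmod 2750 {} + &&
    find "$1" -type f -exec chmod 0640 {} +
}

# Constructed demo in a scratch directory standing in for the audit directory.
demo=$(mktemp -d)
: > "$demo/ora_1234.aud"
chmod 644 "$demo/ora_1234.aud"
audit_dir_findings "$demo" "$(id -g)" || echo "findings listed above"
lock_down "$demo" "$(id -g)"
audit_dir_findings "$demo" "$(id -g)" && echo "clean after lock_down"
rm -rf "$demo"
```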

former_member188883
Active Contributor
0 Kudos

Hi Julia,

Please have a look into composite note 1868094 - Overview: Oracle Security SAP Notes


It has a list of other SAP notes based on different sections.

As per your requirement you may look into the respective SAP notes and take the suggested action.


Detailed information on Oracle level security can be found in the link

http://docs.oracle.com/cd/E11882_01/network.112/e36292/auditing.htm#DBSEG30002


SAP notes

700548 - FAQ: Oracle authorizations

1710997 - Using Personalized Database Administrator Accounts


Hope this helps.


Regards,

Deepak Kori

j_bayrhammer
Participant
0 Kudos

Hello Kori,

thank you for your hints.

Note 1868094 does contain one reference to an audit-relevant note -> 832662, which is configuration of brtools.

Note 700548 contains points on the configuration of AUDIT_SYS_OPERATIONS and AUDIT_TRAIL. But there are only answers to "can I activate...".

Personalization of database administrator accounts should be kept in mind too, of course.

Oracle parameter check (Note 1171650) says parameters are ok like this.

Auditor says it is not ok.

So how is this set in other companies? Where can I find recommendations from auditors?

Regards,

Julia

former_member188883
Active Contributor
0 Kudos

Hi Julia,

Oracle has published standard auditing guidelines as in the link below

Keeping Your Oracle Database Secure

Also refer to the link shared earlier for guidelines from Oracle.

From my experience, these auditors have some checklist of such recommendations (probably from the database vendor) and they follow the suggestions mentioned in it.

We had followed the approach as below

1) Discussed all the suggestions from auditors with DBA

2) Performed those changes in one of the non-production systems and a copy of production

3) User testing was performed to double check whether these parameters had any impact on day-to-day operations.

4) Roll out the changes on Production.

Regards,

Deepak Kori

j_bayrhammer
Participant
0 Kudos

Hello Deepak,

and how did you set these parameters and why?

Regards,

Julia

former_member188883
Active Contributor
0 Kudos

Hi Julia,

These parameters can be set directly in the init<SID>.ora file, and then we create the spfile from the pfile.

Or

We can use the alter session command to set the parameter.

We had set those parameters as the customer's auditor had recommended setting them.

Regards,

Deepak Kori

j_bayrhammer
Participant
0 Kudos

Hello Deepak,

and which values did the auditor recommend to your customers?

Regards,

Julia

former_member188883
Active Contributor
0 Kudos

Hi Julia,

I could remember some of the suggestions from the audit as below

- Configure audit and storage

- Audit all SYS operations

- Secure listener.ora at the O/S level

- Change the standard listener ports 1521, 1526

I do not recollect the parameters associated with them.

Regards,

Deepak Kori

j_bayrhammer
Participant
0 Kudos

Hi Deepak,

Now we have got some recommendations from our auditor.

I now have a technical question concerning the setting of parameter audit_syslog_level:

We are recommended to audit events err, crit, alert and emerg.

But in parameter audit_syslog_level I can only define one combination, for example:

audit_syslog_level=local6.err

This I define in /etc/syslog.conf too:

local6.err /var/log/oraclaudit.log

Will this adjustment log critical, alert and emergency events too or just errors?

AUDIT_SYSLOG_LEVEL

Syntax: AUDIT_SYSLOG_LEVEL = 'facility_clause.priority_clause'

facility_clause::=

{ USER | LOCAL[0 | 1 | 2 | 3 | 4 | 5 | 6 | 7] | SYSLOG | DAEMON | KERN | MAIL | AUTH | LPR | NEWS | UUCP | CRON }

priority_clause::=

{ NOTICE | INFO | DEBUG | WARNING | ERR | CRIT | ALERT | EMERG }

Regards,

Julia

j_bayrhammer
Participant
0 Kudos

Hello Deepak,

Is it irrelevant which facility and priority are set in this parameter?

Will the same always be logged?

Regards,

Julia
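
The relationship between the two settings asked about above, as an added example that is not part of the original thread: it validates an AUDIT_SYSLOG_LEVEL value against the syntax quoted in the post and checks whether a classic syslog.conf selector would capture the audit records. It assumes the database sends every audit record tagged with the single facility.priority configured in the parameter, and that a selector matches the named priority and anything more severe; the function names are illustrative.

```shell
#!/bin/sh
# Added example; all values below are constructed.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Severity number for a priority_clause keyword (0 = most severe).
prio_num() {
    case $(lower "$1") in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# Accept only facility_clause keywords from the syntax quoted in the thread.
valid_facility() {
    case $(lower "$1") in
        user|local[0-7]|syslog|daemon|kern|mail|auth|lpr|news|uucp|cron) return 0 ;;
        *) return 1 ;;
    esac
}

# captured_by SELECTOR LEVEL
# LEVEL: an AUDIT_SYSLOG_LEVEL value. Assumption: every audit record is sent
# to syslog tagged with exactly this facility.priority.
# SELECTOR: a syslog.conf "facility.priority" selector, which matches the
# named priority and anything more severe ("*" means any facility).
# Returns 0 if captured, 1 if not, 2 if either argument is malformed.
captured_by() {
    sel_fac=$(lower "${1%%.*}"); msg_fac=$(lower "${2%%.*}")
    valid_facility "$msg_fac" || return 2
    [ "$sel_fac" = "*" ] || valid_facility "$sel_fac" || return 2
    sel_num=$(prio_num "${1#*.}") || return 2
    msg_num=$(prio_num "${2#*.}") || return 2
    [ "$sel_fac" = "*" ] || [ "$sel_fac" = "$msg_fac" ] || return 1
    [ "$msg_num" -le "$sel_num" ]
}

# Constructed demo: which selectors capture records sent as local6.err?
for sel in local6.err local6.warning local6.crit '*.info' local5.err; do
    if captured_by "$sel" local6.err; then r=captured; else r=missed; fi
    printf '%-16s %s\n' "$sel" "$r"
done
```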