on 08-21-2014 9:24 AM
Hello,
The auditor complained about the settings of audit parameters in Oracle 11, especially audit_sys_operations=FALSE and audit_syslog_level=' '.
I found notes 1551504, 700548, 1963700, 1128663 etc. with information about technical configuration.
But I didn't find notes or links about the recommended setting by SAP and by advisors. Sometimes these recommendations differ, so that advisors recommend stronger security settings.
What are recommended settings for these audit parameters? Is it better to log audit files in the database? Do logs have to be reported to the UNIX syslog? And what is a good way to secure audit files in a folder, so that dbauser can still access for reading or creating?
Regards,
Julia
Hi,
"But I didn't find notes or links about the recommended setting by SAP and by advisors. Sometimes these recommendations differ, so that advisors recommend stronger security settings."
There are lots of things that are considered and then recommended.
You should understand this.
From your side, you start by considering your environment and standard recommendations.
Once you have the audit done, you have the results and scope for improvements.
For your other queries, you have notes supporting them and already my counterparts have stated on the same.
So, Cheers,
Divyanshu
Hi Julia,
The auditing requirement is different for each company and its auditors.
Now, to give your question a generic reply:
1. You need to set the parameters suggested by Oracle with regard to your company in the initsid.ora file and generate the spfile from it.
2. Get it verified against the standard provided by the auditor for your company; then phase 1 is OK.
3. Now, in phase 2, with regard to the security of the files,
you can make groups in your UNIX / AIX flavor.
Let's say you made a group called DBA
and you have assigned users to that group,
and now the file system is most probably
/oracle/SID/saptrace/audit /.....
You give the permission as follows:
chown userid:dba <dir name>. That will make your files secure, and nobody who is not in the DBA group is able to change it.
regards
Dishant Pathak
[REDACTED BY MODERATOR PER SCN RULES OF ENGAGEMENT]
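A way to apply and then verify the group-based restriction described in the reply above, as an added example that is not part of the original post: the group owner is set, the mode bits are set alongside it, and a check confirms that users outside the group have no access. The function names, the 750 default mode and the temporary demo directory are assumptions; on a real system the directory would be the audit path named in the reply.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not from the original thread.

# harden_audit_dir DIR GROUP [MODE]
# Sets the group owner and the mode bits. 750 gives the group read access;
# use 770 if group members must also create files in the directory.
harden_audit_dir() {
    chgrp "$2" "$1" && chmod "${3:-750}" "$1"
}

# check_audit_dir DIR GROUP
# Returns 0 only if DIR belongs to GROUP and "other" has no permission bits.
check_audit_dir() {
    line=$(ls -ld "$1") || return 2
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    grp=$(printf '%s\n' "$line" | awk '{print $4}')
    other=$(printf '%s' "$mode" | cut -c8-10)   # characters 8-10 = "other" bits
    rc=0
    if [ "$other" != "---" ]; then
        echo "FAIL: others have '$other' on $1"
        rc=1
    fi
    if [ "$grp" != "$2" ]; then
        echo "FAIL: group is '$grp', expected '$2' on $1"
        rc=1
    fi
    return $rc
}

# Demo on a constructed temporary directory, using the caller's own primary
# group so that it runs without root and without a real "dba" group.
demo_dir=$(mktemp -d)
demo_grp=$(id -gn)
harden_audit_dir "$demo_dir" "$demo_grp" 750
if check_audit_dir "$demo_dir" "$demo_grp"; then
    echo "OK: $demo_dir is restricted to group $demo_grp"
fi
rm -rf "$demo_dir"
```
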
Hi Julia,
Please have a look into composite note 1868094 - Overview: Oracle Security SAP Notes.
It has a list of other SAP notes based on different sections.
As per your requirement, you may look into the respective SAP notes and take the suggested action.
Detailed information on Oracle level security can be found in the link
http://docs.oracle.com/cd/E11882_01/network.112/e36292/auditing.htm#DBSEG30002
SAP notes
700548 - FAQ: Oracle authorizations
1710997 - Using Personalized Database Administrator Accounts
Hope this helps.
Regards,
Deepak Kori
Hello Kori,
thank you for your hints.
Note 1868094 does contain one reference to an audit relevant note -> 832662, which is configuration of brtools.
Note 700548 contains points to configuration of AUDIT_SYS_OPERATIONS and AUDIT_TRAIL. But there are only answers to "can I activate...".
Personalization of database administrator accounts should be kept in mind too, of course.
Oracle parameter check (Note 1171650) says parameters are ok like this.
Auditor says it is not ok.
So how is this set in other companies? Where can I find recommendations from auditors?
Regards,
Julia
Hi Julia,
Oracle has published standard auditing guidelines, as in the link below:
Keeping Your Oracle Database Secure
Also refer to the link shared earlier for guidelines from Oracle.
From my experience, these auditors have some checklist of such recommendations (probably from the database vendor) and they follow the suggestions mentioned in that.
We followed the approach below:
1) Discussed all the suggestions from the auditors with the DBA
2) Performed those changes in one of the non-Production systems and a copy of Production
3) User testing was performed to double check whether these parameters had any impact on day-to-day operations.
4) Rolled out the changes on Production.
Regards,
Deepak Kori
Hi Deepak,
Now we got some recommendations from our auditor.
I now have a technical question concerning the setting of parameter audit_syslog_level:
we are recommended to audit events err, crit, alert and emerg.
But in parameter audit_syslog_level I can only define one combination, for example:
audit_syslog_level=local6.err
This I define in /etc/syslog.conf too:
local6.err /var/log/oraclaudit.log
Will this adjustment log critical, alert and emergency events too or just errors?
Syntax: AUDIT_SYSLOG_LEVEL = 'facility_clause.priority_clause'
facility_clause::=
{ USER | LOCAL[0 | 1 | 2 | 3 | 4 | 5 | 6 | 7] | SYSLOG | DAEMON | KERN | MAIL | AUTH | LPR | NEWS | UUCP | CRON }
priority_clause::=
{ NOTICE | INFO | DEBUG | WARNING | ERR | CRIT | ALERT | EMERG }
Regards,
Julia
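How a classic syslog.conf selector such as the `local6.err` rule in the post above is evaluated, as an added example that is not part of the original thread: a plain priority in a selector matches that severity and every more severe one. The function names are hypothetical, and the `=` exact-match form is a sysklogd/rsyslog extension that not every UNIX syslogd supports.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not from the original thread.

# Map a priority name from the priority_clause above to its numeric
# syslog severity (0 = most severe, 7 = least severe).
sev_num() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# selector_matches SELECTOR MESSAGE
# Returns 0 if a message tagged MESSAGE (facility.priority) is selected by
# a syslog.conf rule whose selector is SELECTOR, 1 if not, 2 on a bad name.
selector_matches() {
    sel_fac=$(printf '%s' "${1%%.*}" | tr 'A-Z' 'a-z')
    sel_pri=${1#*.}
    msg_fac=$(printf '%s' "${2%%.*}" | tr 'A-Z' 'a-z')
    msg_pri=${2#*.}
    if [ "$sel_fac" != "*" ] && [ "$sel_fac" != "$msg_fac" ]; then return 1; fi
    if [ "$sel_pri" = "none" ]; then return 1; fi
    m=$(sev_num "$msg_pri") || return 2
    case "$sel_pri" in
        '*') return 0 ;;
        =*)  s=$(sev_num "${sel_pri#=}") || return 2
             [ "$m" -eq "$s" ] ;;      # extension: exactly this priority
        *)   s=$(sev_num "$sel_pri") || return 2
             [ "$m" -le "$s" ] ;;      # this priority or more severe
    esac
}

# routed_levels SELECTOR FACILITY
# Prints every priority of FACILITY that SELECTOR would write to its log file.
routed_levels() {
    out=""
    for p in emerg alert crit err warning notice info debug; do
        if selector_matches "$1" "$2.$p"; then out="$out $p"; fi
    done
    echo "${out# }"
}

routed_levels local6.err local6
```

The selector only filters on the syslogd side; the priority each record carries is whatever the sender tags it with.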