
auditing direct database access

Former Member
0 Kudos

I'm a database security engineer and quite unfamiliar with SAP.

From the viewpoint of SOX/IT control, I just wonder whether there is any necessity to audit the Oracle database using Oracle's auditing features (audit_trail=db/os).

Privileged Oracle users can log in to the database, bypassing the SAP application. In addition, they may be able to change any financial data by executing DML commands directly.

Is such a scenario realistic?

I'd like your opinions.

Thanks in advance,

ebi

Accepted Solutions (1)

Former Member
0 Kudos

The administrative user connections are always audited regardless of the init.ora parameter audit_trail. Oracle 9i onwards, there is a new parameter, AUDIT_SYS_OPERATIONS which controls SYS auditing...

Vinod

Answers (1)

lbreddemann
Active Contributor
0 Kudos

Hi Ebi,

In my opinion, all that auditing is only interesting to watch your administrators' hands...

What do you need to access the oracle database?

- client-software ... at least a jdbc driver

(May be available on many computers)

- the hostname, the listener port, a network connection that works and the DB SID

(that should not be so easy... the DB server should be in a separate network zone... at best only reachable via the application servers)

- OR: physical access to the database

(if that is possible... don't think of auditing anymore... there is no security then)

- a valid user account that has access to the SAP<sid> schema

(Ok, that should only be the SYSDBA/SYSTEM account, nothing else. Access to these accounts has to be highly secured. Not so much technically but much more on the "human side". It just has to be a real secret. Period.)

- you have to know at least a bit about the data model of SAP databases. Not that easy in a system with more than 40000 tables...

Really problematic (in my opinion) are the approaches to "connect" the SAP database to the other systems in the company. People make up export and import interfaces (sometimes also direct table access) on database level.

Let's face it: business-wise, security is gone in these cases.

SAP systems rely on the access "from above", that is through the interfaces and APIs.

Direct database access is like taking money out of the bank's safe instead of withdrawing it.

To come back to your question: if you want to check the DBA actions, yes, auditing is a nice thing. But it is just a way to prove later on who did something wrong. It's a finger-pointing tool.

I would put more effort into trying to avoid such things from happening - limit the access to the database. Double-check changes to the database - via procedures (e.g. no interactive sqlplus access to the productive database) and four-eyes checks.

Best regards,

Lars
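Both answers come down to the same two questions for a monitor like the one ebi describes: what the Oracle trail can and cannot show (Vinod's point about AUDIT_SYS_OPERATIONS) and which connections to the SAP&lt;sid&gt; schema are legitimate at all (Lars's list of what direct access needs). This added example, not from the thread, sketches that check in Python over constructed DBA_AUDIT_TRAIL-style rows; the schema name SAPR3, the hostnames APPSRV01/APPSRV02 and the sample rows are assumptions, not values from the discussion.

```python
"""Flag direct (non-application) access to the SAP schema in Oracle audit rows.
Added example, not from the thread. Rows mimic DBA_AUDIT_TRAIL columns (USERNAME,
USERHOST, ACTION_NAME, OWNER, RETURNCODE). Assumed: schema SAP<sid> is SAPR3 and
the work processes connect only from the hosts APPSRV01 and APPSRV02."""
SAP_SCHEMA = "SAPR3"                  # placeholder for the SAP<sid> schema
APP_USERS = {"SAPR3"}                 # account the SAP work processes log on with
APP_HOSTS = {"APPSRV01", "APPSRV02"}  # assumed application-server hostnames
DML_ACTIONS = {"INSERT", "UPDATE", "DELETE", "MERGE"}


def audit_blind_spots(params):
    """What the trail cannot show, from the init.ora audit parameters."""
    gaps = []
    if params.get("audit_trail", "NONE").upper() == "NONE":
        gaps.append("audit_trail=NONE: statements by ordinary users are not recorded")
    if params.get("audit_sys_operations", "FALSE").upper() != "TRUE":
        gaps.append("audit_sys_operations=FALSE: SYSDBA statements are not recorded")
    return gaps


def classify(row):
    """Reasons why one audit row looks like direct access that bypassed SAP."""
    reasons = []
    user, host = row["USERNAME"].upper(), row["USERHOST"].upper()
    touches_sap = row.get("OWNER", "").upper() == SAP_SCHEMA
    if row["ACTION_NAME"] == "LOGON" and user in APP_USERS and host not in APP_HOSTS:
        reasons.append("application account used from a non-application host")
    if touches_sap and user not in APP_USERS:
        reasons.append(f"{user} touched {SAP_SCHEMA} objects directly")
    if touches_sap and row["ACTION_NAME"] in DML_ACTIONS and row["RETURNCODE"] == 0:
        reasons.append(f"successful {row['ACTION_NAME']} on the SAP schema outside the application")
    return reasons


def scan(rows):
    """Return [(row, reasons)] for every row that raised at least one reason."""
    return [(r, classify(r)) for r in rows if classify(r)]


# Constructed sample rows, not real audit data.
SAMPLE_ROWS = [
    {"USERNAME": "SAPR3", "USERHOST": "APPSRV01", "ACTION_NAME": "LOGON", "OWNER": "", "RETURNCODE": 0},
    {"USERNAME": "SAPR3", "USERHOST": "LAPTOP-17", "ACTION_NAME": "LOGON", "OWNER": "", "RETURNCODE": 0},
    {"USERNAME": "SYSTEM", "USERHOST": "LAPTOP-17", "ACTION_NAME": "UPDATE", "OWNER": "SAPR3", "RETURNCODE": 0},
    {"USERNAME": "SYSTEM", "USERHOST": "DBSRV01", "ACTION_NAME": "SELECT", "OWNER": "SYS", "RETURNCODE": 0},
    {"USERNAME": "SYSTEM", "USERHOST": "LAPTOP-17", "ACTION_NAME": "DELETE", "OWNER": "SAPR3", "RETURNCODE": 1031},
]

if __name__ == "__main__":
    for gap in audit_blind_spots({"audit_trail": "DB", "audit_sys_operations": "FALSE"}):
        print("blind spot:", gap)
    for row, reasons in scan(SAMPLE_ROWS):
        print(row["USERNAME"], "@", row["USERHOST"], row["ACTION_NAME"], "->", "; ".join(reasons))
```

The blind-spot check matters because, as Vinod notes, SYSDBA connections are always recorded but SYSDBA statements only are when AUDIT_SYS_OPERATIONS is set, so a monitor reading only DBA_AUDIT_TRAIL never sees what SYS actually ran.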

Former Member
0 Kudos

Lars,

Thank you for your quick response.

I totally agree with your thought.

But, actually, I am developing a software that monitors and alerts suspicious accesses to databases by DBAs and wonder whether we should have additional features specific to SAP.

Anyway, your answer provided some important insights to me.

I'd like to say thank you again.

ebi