Oracle Auditing Overview
The Oracle Knowledge Pack expands the auditing and reporting capabilities of InTrust to Oracle. It lets you collect and report on the audit data from your Oracle database system. Featuring a fully automated workflow, InTrust helps you:
- Gather and consolidate a variety of data from the Oracle hosts running on different platforms
- Consolidate, store, and analyze this information
- Generate the reports on various aspects of your Oracle system operation
The following Oracle database system versions are supported:
- 11g
- 10g (R1 and R2)
- 9i (R1 and R2)
Data can be collected from the Oracle hosts running on the following platforms:
- Microsoft Windows 2000 and higher
- Solaris versions 11.1, 10, 9 and 8
- Redhat Enterprise Linux version 3 or 4
- SUSE Linux Enterprise Server 9
Other platforms are also supported; however, reports on administrative users’ activity will not be generated for them (all other reports will be created).
Reports on your Oracle database system cover the following areas:
- Activity of users with administrative privileges (logged on as SYSOPER or SYSDBA)
- Other users’ activity, in particular, logons and logoffs
- User and role management activity
- Rights management
- Data retrieval and modification activity
- Data structure modification activity
Installing the Oracle Knowledge Pack
Support for Oracle auditing is provided by the Oracle Knowledge Pack. The Knowledge Pack must be installed on top of an existing InTrust installation.
Auditing Administrative User Activity
Gathering from Windows-Based Computers
Gathering from Unix-Based Computers
Gathering from Windows-Based Computers
Events from Oracle administrative users (users logged on to Oracle as SYSOPER or SYSDBA) are written into the Windows Application log of the Windows-based computers hosting Oracle database. This data is collected by InTrust in the traditional way, by retrieving events from the event logs on the specified computers.
In particular, to gather this data, you need to do the following:
- On the target machine, turn auditing on by setting the AUDIT_SYS_OPERATIONS parameter in the SPFILE file to TRUE. To do that, either use Oracle Enterprise Manager or run an SQL query. For example, you can take following steps:
- Connect to the necessary database as SYSDBA and run the following query:
select name, value from v$parameter where name like ‘audit%’
- Then check whether the AUDIT_SYS_OPERATIONS parameter value is set to TRUE. If not, run the following query:
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE=SPFILE;
- Wait for the system to report that the value has been altered, and restart Oracle database.
- Check whether administrative user events appear in the log.
- Populate the ‘Oracle for Windows servers in the domain’ site with the machines you want to collect data from.
- In the Oracle daily collection task, make sure that the ‘Oracle administrative users audit collection’ job involves the ‘Oracle administrative user events from Application log’ gathering policy, and that the job processes the ‘Oracle for Windows servers in the domain’ site.
