Attacks on Databases are old news
– July 19, 2006: “Hackers are striking databases in record numbers, trying to pilfer a rich trove of personal and financial data…”
http://www.computerworld.com/s/article/9001878/SQL_injection_attacks_against_databases_rise_sharply
Trend continues but with more sophistication
– February 9, 2010: “SQL injections have evolved in their purpose and sophistication. Originally meant as a tool to attack a merchant’s database and steal data. The attack was reconfigured last summer to install viruses on users’ computers that contain a remote control component.”
http://information-security-resources.com/2010/02/09/targeted-sequel-injection-attacks-on-the-rise/
Knowledge is POWER!
– You’ll be surprised by what you find…
• I recommend DB,extended, but OS is also an option (writes data to OS file)
    ALTER SYSTEM SET audit_trail=db,extended SCOPE=SPFILE;
• Requires restart of DB
• DB,extended logs all activity to sys.aud$ table in the database
Audit SYS operations
– Audits DBA user activity
• I recommend enabling SYS auditing
    ALTER SYSTEM SET audit_sys_operations=true SCOPE=SPFILE;
• Requires restart of DB
• SYS operations are logged to OS audit log
• Assumes DBA does not have control over OS audit log
Show parameter audit
– Shows status of Oracle audit configuration
– Retrieves audit logs from Oracle database remotely via JDBC connection
Oracle audit Syslog SmartConnector
– Collects audit logs written to Syslog when audit_trail is set to OS
– Syslog Daemon, Syslog File and Syslog Pipe SmartConnectors can be
Single Oracle instance
– Use Oracle SYSDBA Audit DB to process audit logs
– ArcSight SmartConnector must be installed on same server as Oracle
Multiple Oracle instances
– Use Oracle SYSDBA Multiple Folder Audit DB to process audit logs
– ArcSight SmartConnector can be installed on separate server from Oracle
– Processes events in “batch” mode or “realtime” mode
– Batch mode requires an external script to move complete audit files to a new folder for processing
– Realtime mode requires a database user for querying remote databases to
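
Batch mode depends on an external script that moves complete audit files into the folder the connector processes. The script below is an added example, not part of the original slides and not ArcSight or Oracle code. It assumes OS audit files end in .aud and treats a file as complete when it has not been written for a quiet period and no process holds it open; the function name, directory arguments and quiet period are hypothetical.

```shell
#!/bin/sh
# Added example (not ArcSight or Oracle code). Assumptions: OS audit files end
# in .aud, a file untouched for QUIET minutes and not open by any process is
# complete, and the connector reads only *.aud files in DEST.

# Usage: move_complete_audit_files SRC DEST [QUIET_MINUTES]
# Prints the number of files moved.
move_complete_audit_files() {
    src=$1
    dest=$2
    quiet=${3:-5}
    if [ ! -d "$src" ]; then
        echo "audit directory not found: $src" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    list=$(mktemp) || return 1
    # Candidates: regular *.aud files last written more than $quiet minutes ago.
    find "$src" -maxdepth 1 -type f -name '*.aud' -mmin +"$quiet" > "$list"
    moved=0
    while IFS= read -r f; do
        name=$(basename "$f")
        # Skip files a database process still holds open (when fuser exists).
        if command -v fuser >/dev/null 2>&1 && fuser "$f" >/dev/null 2>&1; then
            continue
        fi
        # Never overwrite a file that is already waiting to be processed.
        if [ -e "$dest/$name" ]; then
            echo "skipped, already in $dest: $name" >&2
            continue
        fi
        # Move under a temporary name, then rename, so the file appears in
        # DEST whole even when SRC and DEST are on different filesystems.
        if mv "$f" "$dest/$name.part" && mv "$dest/$name.part" "$dest/$name"; then
            moved=$((moved + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "$moved"
}

# Run directly: sh move_audit.sh SRC_DIR DEST_DIR [QUIET_MINUTES]
if [ "$#" -ge 2 ]; then
    move_complete_audit_files "$@"
fi
```

Run it from cron under an account that can read the audit directory but is separate from the DBA account, in line with the assumption above that the DBA does not control the OS audit log.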