How to keep an audit trail when data is stolen using the DBA password.
How to keep an audit trail when a hacker can delete the audit data from the database.
How to keep an audit trail when a hacker removes audit data from the operating system using the Oracle software owner's password.
When the default auditing of the Oracle database is enabled, the audit data is stored in the AUD$ table of the database. Anyone with the SYSDBA privilege can delete from and update the AUD$ table. The audit data for SYS operations is written instead to operating system files owned by the Oracle software owner; that audit trail is enabled with the AUDIT_SYS_OPERATIONS parameter.
But a hacker who can decrypt the database password can steal data from the database and then delete rows from the AUD$ table to erase the audit records as well. If the hacker is also able to decrypt (or knows) the password of the Oracle software owner, he can then remove the audit files of the SYS operations from the operating system.
Oracle 11g introduces a new security auditing feature: a parameter named AUDIT_SYSLOG_LEVEL.
It audits the activities of the Oracle software owner: it tracks every event and command executed with the SYSDBA or SYSOPER privilege, and by their users. Normally the SYS.AUD$ table holds the audit records, but the Oracle software owner (who holds SYSDBA) can easily delete audit data from this SYS.AUD$ table.
This parameter also preserves a record of the hacker's activity even if he has stolen the Oracle software owner's password. When both AUDIT_SYSLOG_LEVEL and AUDIT_SYS_OPERATIONS are set in the database, every SQL and PL/SQL statement executed as the SYS user is tracked by the operating system through the syslog utility. The syslog facility and its log files on the operating system are owned by ROOT, and a database administrator has neither access to nor the privileges of the root user account. Database administrators are therefore unable to delete the audit data or files that record their activity from the operating system. This means that even if a hacker deciphers the Oracle software owner's password and tries to do harm, he cannot remove the audit data of the Oracle superuser (SYSDBA or SYSOPER) activity, even though he has the password of the Oracle account owner.
AUDIT_SYSLOG_LEVEL writes the operating system audit records to the system log through the syslog utility when the AUDIT_TRAIL parameter is set to OS. The parameter takes a facility and a level. The facility can be one of USER, LOCAL0-LOCAL7, SYSLOG, DAEMON, KERN, MAIL, AUTH, LPR, NEWS, UUCP, or CRON. The level can be one of NOTICE, INFO, DEBUG, WARNING, ERR, CRIT, ALERT, or EMERG.
In short, once AUDIT_SYSLOG_LEVEL is set as described above, AUDIT_FILE_DEST is ignored and the audit records are written by the operating system utility (syslog) into files owned by ROOT on the server.
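As an added example (not code from the original post), the following Python reads syslog lines of the kind this configuration produces and flags privileged statements aimed at the audit trail itself, which is exactly what a DBA can no longer hide once the records live in root-owned syslog files. It assumes the 11g "Oracle Audit[pid]: KEY :[len] 'value'" record layout; the host, pids, DBID and the parameter value LOCAL1.WARNING in the sample lines are constructed, and another release may need the field regex adjusted.

```python
import re
from typing import Dict, List

# An OS/syslog audit record is a run of "KEY :[len] 'value'" fields after
# "Oracle Audit[pid]:" (11g layout assumed; LENGTH has no [len] and is skipped).
FIELD_RE = re.compile(r"([A-Z ]+?)\s*:\[\d+\]\s*'((?:[^']|'')*)'")

# Statements that destroy the database audit trail or switch auditing off.
TAMPER_RE = re.compile(
    r"\b(?:DELETE|TRUNCATE|UPDATE|DROP)\b[^;]*\b(?:SYS\.)?AUD\$"
    r"|\bNOAUDIT\b"
    r"|\bALTER\s+SYSTEM\b.*\bAUDIT_(?:TRAIL|SYS_OPERATIONS|SYSLOG_LEVEL)\b",
    re.IGNORECASE,
)

def parse_audit_record(line: str) -> Dict[str, str]:
    """Return the KEY -> value fields of one 'Oracle Audit' syslog line, {} otherwise."""
    if "Oracle Audit[" not in line:
        return {}
    return {key.strip(): val.replace("''", "'") for key, val in FIELD_RE.findall(line)}

def is_audit_tampering(rec: Dict[str, str]) -> bool:
    """True when a SYSDBA/SYSOPER session ran a statement against the audit trail."""
    privileged = rec.get("PRIVILEGE", "").upper() in ("SYSDBA", "SYSOPER")
    return privileged and TAMPER_RE.search(rec.get("ACTION", "")) is not None

def find_audit_tampering(lines: List[str]) -> List[Dict[str, str]]:
    """Reduce a syslog stream to the privileged audit-trail tampering records."""
    return [r for r in map(parse_audit_record, lines) if r and is_audit_tampering(r)]

# Constructed sample of what the syslog daemon receives with AUDIT_SYS_OPERATIONS=TRUE,
# AUDIT_TRAIL=OS and AUDIT_SYSLOG_LEVEL='LOCAL1.WARNING' (host, pids and DBID made up).
SAMPLE_SYSLOG = [
    "Apr 12 10:31:02 dbhost Oracle Audit[6009]: LENGTH : '155' ACTION :[7] 'CONNECT' "
    "DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' "
    "CLIENT TERMINAL:[5] 'pts/0' STATUS:[1] '0' DBID:[10] '2781386306'",
    "Apr 12 10:31:40 dbhost Oracle Audit[6009]: LENGTH : '168' ACTION :[20] "
    "'delete from sys.aud$' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] "
    "'oracle' CLIENT TERMINAL:[5] 'pts/0' STATUS:[1] '0' DBID:[10] '2781386306'",
    "Apr 12 10:32:15 dbhost Oracle Audit[6010]: LENGTH : '172' ACTION :[24] "
    "'select count(*) from emp' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] "
    "'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '2781386306'",
    "Apr 12 10:33:00 dbhost sshd[4410]: Accepted publickey for oracle from 10.0.0.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for rec in find_audit_tampering(SAMPLE_SYSLOG):
        print(f"ALERT {rec['CLIENT USER']}@{rec['CLIENT TERMINAL']} as {rec['PRIVILEGE']}: {rec['ACTION']}")
```

Run it against the syslog file that the facility and level you chose are routed to; the one hit in the sample is the SYSDBA "delete from sys.aud$".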
Of course, this parameter is only partially documented and not publicized by Oracle. But it is indeed the best audit option for the database. This is a new security feature of Oracle 11g. Thank you very much to the Oracle people.
SQL> show parameter audit_syslog_level

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_syslog_level                   string      USER