Oracle Database


Privacy regulations often lead to additional business privacy policies. Most privacy laws require businesses to monitor access to personally identifiable information (PII), and monitoring is implemented by auditing. A business-level privacy policy should address all relevant aspects of data access and user accountability, including technical, legal, and company policy concerns.

Auditing Suspicious Database Activity

When you audit to monitor suspicious database activity, use the following guidelines:

1. First audit generally, and then specifically. When you start to audit for suspicious database activity, often not much information is available to target specific users or schema objects. Therefore, set audit options more generally at first, that is, by using the standard audit options. Chapter 6, "Configuring Auditing" explains how you can use the standard audit options to audit SQL statements, schema objects, privileges, and so on. After you have recorded and analyzed the preliminary audit information, disable general auditing, and then audit specific actions. You can use fine-grained auditing, which is described in "Using Fine-Grained Auditing to Monitor Specific Activities" on page 6-38, to audit specific actions. Continue this process until you have gathered enough evidence to draw conclusions about the origin of the suspicious database activity.

2. Protect the audit trail. When auditing for suspicious database activity, protect the audit trail so that audit information cannot be added, changed, or deleted without being audited. You can audit the standard audit trail by using the AUDIT SQL statement. For example:

    sqlplus "sys/as sysdba"
    Enter password: password
    SQL> AUDIT SELECT ON SYS.AUD$ BY ACCESS;

   See also "Auditing the Standard Audit Trail" on page 6-19. To audit the fine-grained audit trail, as user SYS, you would enter the following statement:

    AUDIT SELECT ON SYS.FGA_LOG$ BY ACCESS;
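The general-then-specific sequence from guideline 1, written out as an added example that is not part of the Oracle documentation. It assumes traditional (non-unified) auditing with the AUDIT_TRAIL parameter set to DB; the HR.EMPLOYEES table, the SALARY column, the policy name AUD_EMP_SALARY and the seven-day window are illustrative choices.

```sql
-- Added example. Assumptions: traditional auditing with AUDIT_TRAIL=DB;
-- HR.EMPLOYEES, SALARY and AUD_EMP_SALARY are illustrative names.

-- Phase 1: broad standard auditing of table access, one record per statement.
-- Statement audit options apply to sessions that connect after this point.
AUDIT SELECT TABLE, UPDATE TABLE, DELETE TABLE BY ACCESS;

-- Phase 1 analysis: who touched which objects, and how often.
-- A non-zero RETURNCODE marks a statement that failed (for example,
-- because the user lacked the required privilege).
SELECT username, owner, obj_name, action_name,
       COUNT(*) AS events,
       SUM(CASE WHEN returncode <> 0 THEN 1 ELSE 0 END) AS failures
FROM   dba_audit_trail
WHERE  timestamp >= SYSDATE - 7
GROUP  BY username, owner, obj_name, action_name
ORDER  BY failures DESC, events DESC;

-- Phase 2: disable general auditing once the analysis has narrowed
-- the investigation to a specific object.
NOAUDIT SELECT TABLE, UPDATE TABLE, DELETE TABLE;

-- Phase 2: fine-grained policy that records only statements touching
-- the sensitive column, and keeps the SQL text for later review.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'AUD_EMP_SALARY',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    enable          => TRUE);
END;
/

-- Review what the targeted policy captured.
SELECT db_user, os_user, userhost, timestamp, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'AUD_EMP_SALARY'
ORDER  BY timestamp;
```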

Addressing the CONNECT Role Change

The CONNECT role was introduced with Oracle Database version 7, which added new and robust support for database roles. The CONNECT role is used in sample code, applications, documentation, and technical papers. This section discusses the effects of changed CONNECT privileges in the following sections:

■ Why Was the CONNECT Role Changed?

■ How the CONNECT Role Change Affects Applications

■ How the CONNECT Role Change Affects Users

■ Approaches to Addressing the CONNECT Role Change

Keeping Your Oracle Database Secure
