Oracle Database


Using Standard Auditing to Monitor General Activities

Only the user SYS, a user who has the DELETE ANY TABLE privilege, or a user to whom SYS granted the DELETE privilege on SYS.AUD$ can delete records from the database audit trail.

Note: If the audit trail is full and connections are being audited (that is, if the SESSION option is set), then typical users cannot connect to the database because the associated audit record for the connection cannot be inserted into the audit trail. In this case, the security administrator must connect as SYS (operations by SYS are not audited), and make space available in the audit trail.

As with any database table, after records are deleted from the database audit trail, the extents allocated for this table still exist. If the database audit trail has many extents allocated for it, but many of them are not being used, then you can reduce the space allocated to the database audit trail by following these steps:

1. If you want to save information currently in the audit trail, then copy it to another database table, or export it by using the Oracle Data Pump Export. See "Archiving the Standard and Fine-Grained Audit Trails" on page 6-47 for an example of using Oracle Data Pump Export.

2. Connect as a user with administrator privileges.

3. Truncate SYS.AUD$ using the TRUNCATE TABLE statement.

4. Reload archived audit trail records generated in Step 1.

The new version of SYS.AUD$ is allocated only as many extents as are necessary to maintain current audit trail records.

Note: SYS.AUD$ is the only SYS object that should ever be directly modified.
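
The four steps above written out as a SQL*Plus session, with a row-count check before the truncate and an extent count before and after. This is an added example, not part of the Oracle documentation; the archive table SEC_ADMIN.AUD_ARCHIVE and the tablespace AUDIT_ARCHIVE_TS are hypothetical names.

```sql
-- Added example. SEC_ADMIN.AUD_ARCHIVE and AUDIT_ARCHIVE_TS are hypothetical
-- names; substitute your own archive schema and tablespace.
-- Step 2: run this session connected as a user with administrator privileges.

-- Space allocated to the audit trail before the cleanup.
SELECT COUNT(*) AS extents, SUM(bytes) AS bytes
  FROM dba_extents
 WHERE owner = 'SYS'
   AND segment_name = 'AUD$';

-- Step 1: copy the current audit records to another table,
-- stored outside the tablespace that holds SYS.AUD$.
CREATE TABLE sec_admin.aud_archive
  TABLESPACE audit_archive_ts
  AS SELECT * FROM sys.aud$;

-- Confirm the copy is complete before removing anything. Records written
-- to SYS.AUD$ after the copy are not in the archive, so run this check
-- immediately before the TRUNCATE and stop if the two counts differ.
SELECT (SELECT COUNT(*) FROM sys.aud$)              AS trail_rows,
       (SELECT COUNT(*) FROM sec_admin.aud_archive) AS archived_rows
  FROM dual;

-- Step 3: truncate the audit trail. TRUNCATE TABLE deallocates the
-- table's extents by default (DROP STORAGE), which DELETE does not do.
TRUNCATE TABLE sys.aud$;

-- Step 4: reload the archived records. The column order matches because
-- the archive was created with SELECT * from SYS.AUD$.
INSERT INTO sys.aud$
  SELECT * FROM sec_admin.aud_archive;
COMMIT;

-- Space allocated after the reload: only the extents needed for the
-- current records should remain.
SELECT COUNT(*) AS extents, SUM(bytes) AS bytes
  FROM dba_extents
 WHERE owner = 'SYS'
   AND segment_name = 'AUD$';
```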

Protecting the Standard Audit Trail

When auditing for suspicious database activity, you should protect the integrity of the audit trail records to guarantee the accuracy and completeness of the auditing information. Audit records generated as a result of object audit options set for the SYS.AUD$ table can only be deleted from the audit trail by someone who has connected with administrator privileges. Remember that administrators are also audited for unauthorized use. See "Auditing Administrative Users" on page 6-33 for more information.

Auditing the Standard Audit Trail

If an application needs to give SYS.AUD$ access to regular users (non-SYSDBA users), remember that DML statements such as INSERT, UPDATE, MERGE, and DELETE are always audited and recorded in the SYS.AUD$ table. You can check these activities by querying the DBA_AUDIT_TRAIL and DBA_COMMON_AUDIT_TRAIL views. If a typical user has SELECT, UPDATE, INSERT, and DELETE privileges on SYS.AUD$ and executes a SELECT operation, then the audit trail will have a record of that
