12 February 2013

Oracle Database Security Auditing Baseline


After spending some time on the security of auditing in Oracle Database, I decided to share some important "must do" short notes with you.

The first step is to enable auditing of the operations performed by the SYS user and by users connecting AS SYSDBA or AS SYSOPER. To enable it, set the "audit_sys_operations" initialization parameter to TRUE. It is a static parameter, so the database must be restarted before it takes effect.

Database-level SERVERERROR triggers that fire on ORA-01756 (quoted string not properly terminated) and ORA-01789 (query block has incorrect number of result columns) should also be created for SQL injection detection: a single quote breaking out of a string literal and a UNION with a mismatched column count are the classic errors an attacker produces while probing. I suggest these triggers log the failing statement together with the database user, OS user and client host for detective purposes. ORA-01756 is the more important of the two. Expect some noise from legitimate users mistyping quotes, so a burst of these errors from one client is a stronger signal than a single occurrence.
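The trigger described above, written out as an added example (this is not code from the original post). It is an AFTER SERVERERROR trigger on the database that keeps only ORA-01756 and ORA-01789, captures the statement text and the session context, and writes the row in an autonomous transaction so the log survives the rollback of the failing statement. The logging schema "secaudit" and the table and trigger names are assumptions; create them from a DBA account holding ADMINISTER DATABASE TRIGGER.

```sql
-- Added example, not code from the original post. Schema "secaudit" and
-- the object names are assumed; adjust to your environment.

CREATE TABLE secaudit.sqli_error_log (
  logged_at   TIMESTAMP      DEFAULT SYSTIMESTAMP NOT NULL,
  error_code  NUMBER         NOT NULL,
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(256),
  client_host VARCHAR2(256),
  client_ip   VARCHAR2(64),
  module      VARCHAR2(64),
  sql_text    CLOB
);

CREATE OR REPLACE TRIGGER secaudit.trg_sqli_errors
  AFTER SERVERERROR ON DATABASE
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;   -- keep the log row even though the
                                   -- failing statement itself is rolled back
  l_pieces ora_name_list_t;        -- ora_sql_txt returns the text in chunks
  l_count  PLS_INTEGER;
  l_text   CLOB;
BEGIN
  -- Only the two "probe" errors are of interest; every other error leaves
  -- immediately, so the trigger adds no cost to normal error handling.
  IF ora_is_servererror(1756) OR ora_is_servererror(1789) THEN
    l_count := NVL(ora_sql_txt(l_pieces), 0);   -- NULL when no text is available
    FOR i IN 1 .. l_count LOOP
      l_text := l_text || l_pieces(i);
    END LOOP;

    INSERT INTO secaudit.sqli_error_log
      (error_code, db_user, os_user, client_host, client_ip, module, sql_text)
    VALUES
      (ora_server_error(1),                      -- top error on the error stack
       SYS_CONTEXT('USERENV', 'SESSION_USER'),
       SYS_CONTEXT('USERENV', 'OS_USER'),
       SYS_CONTEXT('USERENV', 'HOST'),
       SYS_CONTEXT('USERENV', 'IP_ADDRESS'),     -- NULL for local (bequeath) connections
       SYS_CONTEXT('USERENV', 'MODULE'),
       l_text);
    COMMIT;
  END IF;
EXCEPTION
  WHEN OTHERS THEN
    ROLLBACK;   -- the logger must never raise an error of its own
END;
/

-- Self-test from an ordinary session (constructed input): the first statement
-- has an unterminated quote (ORA-01756), the second a UNION whose branches
-- return 1 and 2 columns (ORA-01789). Both should then show up in the log.
--   SELECT * FROM dual WHERE dummy = 'X' OR '1'='1;
--   SELECT dummy FROM dual UNION SELECT 1, 2 FROM dual;
SELECT logged_at, error_code, db_user, client_ip, sql_text
  FROM secaudit.sqli_error_log
 ORDER BY logged_at DESC;
```

Grant nothing on secaudit.sqli_error_log to application accounts; the trigger runs with its owner's privileges, so the log stays readable only by the auditors. If you later want to widen the net, extend the IF with further ora_is_servererror() checks rather than creating a second trigger.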

The "audit_trail" parameter must be set to OS so that standard audit records are written to files in the directory given by "audit_file_dest" (or to syslog, if "audit_syslog_level" is also set) rather than to the SYS.AUD$ table inside the database, where a privileged database user could alter or delete them. This parameter is also static and requires a restart.

Once enabled, the audit trail for SYS and for users connecting with the SYSDBA or SYSOPER privilege is always written externally, to operating system files in the location given by "audit_file_dest" (or to the Windows event log), regardless of the "audit_trail" setting. Restrict that directory so that only the Oracle software owner can read or write it, and ship the files off the host so a compromised DBA account cannot remove its own traces.
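The two parameter changes from the steps above, as an added SQL*Plus example (not a script from the original post): it shows the current values first, applies the baseline to the SPFILE, and verifies after the restart. The optional syslog line is an assumption about your facility and level and is left commented out.

```sql
-- Added example, not from the original post. Run as SYSDBA.
-- Both parameters are static: they are written to the SPFILE and take
-- effect only after the instance is restarted.

-- 1. Current state. On a DBCA-created 11g database audit_trail is usually DB
--    (records land in SYS.AUD$); audit_sys_operations defaults to FALSE.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations',
                'audit_file_dest', 'audit_syslog_level')
 ORDER BY name;

-- 2. Baseline values: SYS/SYSDBA/SYSOPER activity audited, standard audit
--    records to OS files instead of the database.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;

-- Optional on Unix/Linux: route the records to syslog as well, so that a
-- user with OS access as the Oracle owner cannot quietly delete them.
-- Facility and level are assumptions; choose ones your syslog forwards.
-- ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;

-- 3. Restart so the static parameters take effect.
SHUTDOWN IMMEDIATE
STARTUP

-- 4. Verify after the restart; audit_file_dest is the directory to lock down.
SHOW PARAMETER audit
```

After the restart, a quick connection "AS SYSDBA" followed by any statement should produce a new file in audit_file_dest; if none appears, the SPFILE was not the one the instance started from.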

Oracle offers four kinds of auditing: object-based, fine-grained auditing (FGA), system-privilege and statement-based auditing. I did not go with object-based or fine-grained auditing (if you have time to look inside the tables you can use those too), so to keep it short I used privilege and statement auditing. Keep in mind that if a privilege option and a statement option cover the same event, Oracle writes only one audit record. Both privilege and statement auditing can be set BY SESSION or BY ACCESS, and limited to WHENEVER SUCCESSFUL or WHENEVER NOT SUCCESSFUL; omitting the WHENEVER clause audits both successful and failed attempts. My choice was BY SESSION with both success and failure. Note that from Oracle 11g Release 2 onwards BY SESSION no longer collapses repeated statements of the same session into a single record; both modes write one record per audited statement, so BY SESSION now changes what the record contains rather than how many records are written.


Statements to be Audit Enabled:

The statement shortcut definitions can be found at http://bit.ly/UU6sXM
Be careful when enabling the options marked in yellow in my table: they generate a very large volume of audit records. The ones marked in blue I discarded.

System Privileges to be Audit Enabled: 

All system privileges are listed at http://bit.ly/127c7y2. The list was too long to paste the table here, but I followed the same approach as in the statement example.

Exceptions:

Internal Oracle accounts such as DBSNMP should be disabled (locked) when they are not in use, otherwise they generate a large volume of audit records. You may also make an exception for interface accounts, unless they use, create or modify sensitive data.

Finally, you can check the enabled audit options from the following data dictionary views (DBA_OBJ_AUDIT_OPTS as well, if you did enable object auditing):

"DBA_STMT_AUDIT_OPTS" and "DBA_PRIV_AUDIT_OPTS"
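The statement and privilege baseline, the exceptions and the final check above, combined into one added SQL*Plus example. This is not the author's list from the post (the colour-marked table is not reproduced here); the options chosen are an illustrative low-volume subset, and the high-volume ones are shown only as commented-out lines so you can see what to avoid. It requires the AUDIT SYSTEM privilege.

```sql
-- Added example, not from the original post. Run as a DBA.
-- BY SESSION without a WHENEVER clause audits both successful and failed
-- attempts, which is the mode chosen in the post.

-- Statement shortcuts: logon activity and security-relevant DDL.
AUDIT CREATE SESSION BY SESSION;     -- every logon, including failed ones
AUDIT USER BY SESSION;               -- CREATE / ALTER / DROP USER
AUDIT ROLE BY SESSION;               -- CREATE / ALTER / DROP / SET ROLE
AUDIT PROFILE BY SESSION;
AUDIT SYSTEM GRANT BY SESSION;       -- GRANT / REVOKE of privileges and roles
AUDIT SYSTEM AUDIT BY SESSION;       -- AUDIT / NOAUDIT statements themselves
AUDIT DATABASE LINK BY SESSION;
AUDIT PUBLIC SYNONYM BY SESSION;
AUDIT TRIGGER BY SESSION;
AUDIT PROCEDURE BY SESSION;

-- System privileges: the ones that let a user become more powerful.
AUDIT ALTER SYSTEM BY SESSION;
AUDIT ALTER DATABASE BY SESSION;
AUDIT AUDIT SYSTEM BY SESSION;
AUDIT GRANT ANY PRIVILEGE BY SESSION;
AUDIT GRANT ANY ROLE BY SESSION;
AUDIT GRANT ANY OBJECT PRIVILEGE BY SESSION;
AUDIT ALTER USER BY SESSION;
AUDIT BECOME USER BY SESSION;
AUDIT EXEMPT ACCESS POLICY BY SESSION;
AUDIT CREATE ANY PROCEDURE, ALTER ANY PROCEDURE, DROP ANY PROCEDURE BY SESSION;
AUDIT CREATE ANY TRIGGER, ALTER ANY TRIGGER, DROP ANY TRIGGER BY SESSION;
AUDIT CREATE ANY LIBRARY BY SESSION;
AUDIT CREATE ANY JOB BY SESSION;
AUDIT DROP ANY TABLE BY SESSION;

-- High-volume options: every SELECT/INSERT/UPDATE/DELETE on every table.
-- Enable only per named user, or not at all, on a busy system.
-- AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE BY SESSION;
-- AUDIT SELECT ANY TABLE BY SESSION;
-- Restricting an option to named accounts keeps the volume bounded:
-- AUDIT SELECT TABLE BY app_batch_user BY SESSION;   -- "app_batch_user" is assumed

-- Exceptions: a noisy internal account that is not needed is locked rather
-- than left to fill the trail.
ALTER USER dbsnmp ACCOUNT LOCK;

-- Rolling back an option that turned out to be too noisy:
-- NOAUDIT SELECT TABLE;

-- Final check: SUCCESS/FAILURE show BY SESSION, BY ACCESS or NOT SET;
-- a NULL user_name means the option applies to all users.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 ORDER BY user_name NULLS FIRST, audit_option;

SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 ORDER BY user_name NULLS FIRST, privilege;
```

Audit options take effect for new sessions only, so re-connect before testing. Because the post sets "audit_trail" to OS, the resulting records are in the files under audit_file_dest (or in syslog), not in DBA_AUDIT_TRAIL; check there to confirm that a test logon and a test GRANT were recorded.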
