Re: Auditing DBA privs

From: mkb <>
Date: Wed, 3 Oct 2007 10:34:30 -0700 (PDT)
Message-ID: <>


I would start by looking at the database-stig-v7r2.pdf which is available for download from .  

Specifically, section 4 titled Database Auditing and B.14 Auditing in Oracle should get you started.

This document outlines the Security Technical Implementation Guide (STIG) process that many systems in federal agencies and the DOD have to go through before a system can get accredited and be put on a live network.  The recommendations in the database STIG should be sufficient to keep the IG off of your backs.

In our setup, we have audit_sys_operations = true and set audit_trail=db.  I don't have access to the system; otherwise I would have attached a file listing of the audit options that we have turned on (see section B.14 in the STIG guide).



----- Original Message ----
From: "Smith, Steven K - MSHA" <Smith.Steven@DOL.GOV>
To: oracle-l <>
Sent: Wednesday, October 3, 2007 11:15:18 AM
Subject: Auditing DBA privs

The Inspector General office is breathing down our necks here and is requesting that we audit all activities performed by anyone with DBAish role privs.  We are currently on version 9i and are currently using the ‘soon to be discontinued’ DBA role.
At first glance, it appears that this would be simple.  I’ve started looking into this and have found that ‘audit DBA on session’ isn’t going to do the trick because of the limitations/bugs in the execution of that statement.  I guess that auditing DBA really isn’t auditing everything that someone with the DBA role does.  This is turning into the 300 lb gorilla.
Anyway – I’m looking into setting up auditing for everything defined in the dba_sys_privs view that is granted to DBA.  That should get a large majority of the specific DBAish commands, but it will also get ‘create sequence’, ‘create view’, etc.  Those are not DBA specific roles and those are not commands that can only be executed by someone with DBA privileges.  Hmm…
Does anyone have experience in 9i auditing the commands of userids with DBA role assigned to them?  Has anyone gone through this exercise before and is willing to share their experiences and pitfalls?
I know that I’m potentially looking at a lot of data in the AUD$ table – managing it and reporting it is going to be a fun project in itself, but first things first.
Steve Smith
Desk: 303-231-5499
Fax: 303-231-5696

Received on Wed Oct 03 2007 - 12:34:30 CDT
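
The approach discussed in this thread, sketched as an added example (not code from either poster or from the STIG): it sets the two parameters named in the reply, then generates privilege-audit statements limited to direct grantees of the DBA role with the AUDIT ... BY user clause, so that common privileges such as CREATE VIEW are not audited for every account. An spfile, direct (non-nested) role grants and unquoted usernames are assumptions.

```sql
-- Added example. Assumes the instance uses an spfile; both parameters are
-- static, so the instance must be restarted before they take effect.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- Generate one AUDIT statement per (direct DBA grantee, privilege held by DBA).
-- Restricting with BY <user> keeps CREATE SEQUENCE, CREATE VIEW, etc. from
-- being audited for accounts that do not hold the DBA role.
-- SYS is left out: its actions are covered by audit_sys_operations, which
-- writes to the operating system audit trail rather than to AUD$.
-- Users who receive DBA through another role are NOT found by this query.
SELECT 'AUDIT ' || sp.privilege || ' BY ' || rp.grantee || ' BY ACCESS;'
         AS audit_stmt
FROM   dba_sys_privs  sp,
       dba_role_privs rp
WHERE  sp.grantee      = 'DBA'
AND    rp.granted_role = 'DBA'
AND    rp.grantee IN (SELECT username FROM dba_users)
AND    rp.grantee <> 'SYS'
ORDER  BY rp.grantee, sp.privilege;

-- Review the generated statements, then run them as a script. Any line the
-- server rejects as an audit option should be dropped and noted.

-- Confirm which privilege audit options are now active, per user.
SELECT user_name, privilege, success, failure
FROM   dba_priv_audit_opts
ORDER  BY user_name, privilege;

-- Simple report over the database audit trail for the audited accounts.
SELECT username, timestamp, action_name, priv_used, owner, obj_name
FROM   dba_audit_trail
WHERE  username IN (SELECT grantee
                    FROM   dba_role_privs
                    WHERE  granted_role = 'DBA')
ORDER  BY timestamp;
```

Re-run the generator whenever the DBA role is granted to or revoked from a user, since the BY user clause binds the audit option to the accounts that existed when the statements were issued.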