Re: audit insert, delete, update on sys.aud$
Anurag Varma wrote:
> DA Morgan wrote:
> > Anurag Varma wrote:
> >
> >> :) Not that funny though. It's common to audit delete on sys.aud$ ....
> >>
> >> Anurag
> >
> >
> > Assuming the person that had access to sys.aud$ doesn't have access
> > to the table used to audit the delete from sys.aud$?
> >
> > If this is about Sarbanes-Oxley a far more robust solution is required
> > to comply with the law.
>
> Daniel,
>
> If you audit delete on aud$, then the record is placed in sys.aud$ itself.
> Now you might think that the user with delete privs on aud$ can delete that record ..
> well the user does, the attempt to delete will be logged.
>
> Now he can then log in as sysdba and turn off auditing and delete all records
> from sys.aud$ .. then in that case the statements will be logged to the filesystem.
> And in the rare chance that you don't trust the sysdba, you can prevent him
> from deleting the audit files created in audit file destination.
>
> In the FM:
>
> http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/audit.htm#1875
>
>
> To Prem:
> I do see the FM suggesting audit insert/update/delete on sys.aud$, so it's
> possible that attempts to insert using non-administrative account might
> still be logged (I have not done testing regarding this)....
>
> Anurag
Anurag:
Yes, when I did insert on sys.aud$ from a non dba login, first I got error
insert into sys.aud$ (SESSIONID, ENTRYID , STATEMENT, TIMESTAMP#,
ACTION#, RETURNCODE) values (99999, 99999, 1, sysdate, 1, -200)
*
But it does generate a record in audit trail:
MDBAUDARCH SYS AUD$ SESSION REC 0 ------F--------- 04/02/2005 09:59:25
So infinite recursion argument for not creating an audit trail on insert does
not seem to hold.
Prem
Received on Sat Apr 02 2005 - 09:23:24 CST
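
Added example, not part of the original thread: a decoder for the 16-character field in the audit record posted above, used to pick out DML recorded against SYS.AUD$. It assumes that field is the SES_ACTIONS column of DBA_AUDIT_OBJECT; the function names are hypothetical, and every sample row except the first is constructed.

```python
# Added example (not from the thread). Assumption: the 16-character field in
# the posted audit row is the SES_ACTIONS column of DBA_AUDIT_OBJECT.

# Position order Oracle documents for SES_ACTIONS; positions 14-16 are reserved.
ACTIONS = ["ALTER", "AUDIT", "COMMENT", "DELETE", "GRANT", "INDEX", "INSERT",
           "LOCK", "RENAME", "SELECT", "UPDATE", "REFERENCES", "EXECUTE"]
OUTCOMES = {"S": "success", "F": "failure", "B": "both"}
DML = {"INSERT", "UPDATE", "DELETE"}


def decode_ses_actions(field):
    """Return {action: outcome} for each position that is not '-'."""
    if len(field) != 16:
        raise ValueError("SES_ACTIONS must be 16 characters, got %d" % len(field))
    decoded = {}
    for pos, flag in enumerate(field):
        if flag == "-":
            continue
        if flag not in OUTCOMES or pos >= len(ACTIONS):
            raise ValueError("unexpected %r at position %d" % (flag, pos + 1))
        decoded[ACTIONS[pos]] = OUTCOMES[flag]
    return decoded


def audit_trail_dml(rows):
    """List (user, timestamp, action, outcome) for DML recorded on SYS.AUD$."""
    hits = []
    for user, owner, obj, ses_actions, ts in rows:
        if (owner.upper(), obj.upper()) != ("SYS", "AUD$"):
            continue
        for action, outcome in decode_ses_actions(ses_actions).items():
            if action in DML:
                hits.append((user, ts, action, outcome))
    return hits


# First row is the record posted in the thread; the other two are constructed.
SAMPLE_ROWS = [
    ("MDBAUDARCH", "SYS", "AUD$", "------F---------", "04/02/2005 09:59:25"),
    ("APPUSER", "HR", "EMP", "---------S------", "04/02/2005 10:01:00"),
    ("OPS1", "SYS", "AUD$", "---S-----S------", "04/02/2005 10:05:12"),
]

if __name__ == "__main__":
    for hit in audit_trail_dml(SAMPLE_ROWS):
        print(hit)
```

Read this way, the posted record is a failed INSERT on SYS.AUD$, which matches the error reported for the non-DBA login.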