Which feature/option could be used for a specific database event?

Question and Answer

Connor McDonald

Thanks for the question, Dejan.

Asked: December 13, 2016 - 10:50 am UTC

Last updated: December 15, 2016 - 4:21 am UTC

Version: 12.1.0.2

Viewed 1000+ times

You Asked

Hi,

the system shall log database security events in accordance with the Australian Government Information Security Manual (ISM:2015) Control 0987 event list:
Database logging requirement
Access to particularly sensitive information
Addition of new users, especially privileged users
Any query containing comments
Any query containing multiple embedded queries
Any query or database alerts or failures
Attempts to elevate privileges
Attempted access that is successful or unsuccessful
Changes to the database structure
Changes to user roles or database permissions
Database administrator actions
Database logons and logoffs
Modifications to data
Use of executable commands e.g. xp_cmdshell

I know I could use Unified Auditing and/or FGA, but I am not sure how to deal with for example these two:
Any query containing comments
Any query containing multiple embedded queries

Please, could you specify for each event from the list:
- which Oracle feature/technology is needed
- what license is needed
- is it supported also in the Standard Edition or only in the Enterprise Edition

Thanks in advance & kind regards
Dejan

and Connor said...

"Modifications to data" - well, that's an interesting one. That is pretty much what databases are designed for :-)

You can see what facilities are available in each of the editions here

https://docs.oracle.com/cd/E11882_01/license.112/e47877/editions.htm#DBLIC109


Access to particularly sensitive information
=> business defined

Addition of new users, especially privileged users
=> auditing

Any query containing comments
=> auditing - you would have to capture all queries and filter from there

Any query containing multiple embedded queries
=> auditing - you would have to capture all queries and filter from there

Any query or database alerts or failures
=> alert log

Attempts to elevate privileges
=> business defined, auditing of errored command

Attempted access that is successful or unsuccessful
=> auditing

Changes to the database structure
=> auditing

Changes to user roles or database permissions
=> auditing

Database administrator actions
=> auditing, or you might need to consider database vault

Database logons and logoffs
=> auditing

Modifications to data
=> auditing, triggers or flashback data archive

Use of executable commands e.g. xp_cmdshell
=> business defined as to what constitutes 'external'

By the way, I've worked in several Australian government agencies over the years - none of them come close to meeting this "standard". There is always a compromise to what is achievable given the overheads (both resource and financial).
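As an added worked example (not part of Connor's answer or of Oracle's documentation), the following Oracle 12.1 SQL shows the "capture all queries and filter from there" approach for the two events Dejan was unsure about, plus the policy definitions for the user, privilege and logon events. It uses Unified Auditing, which ships with both editions and needs no separate licence. HR.EMPLOYEES stands in for a "particularly sensitive" table, the ism_* policy names are hypothetical, and the statements must be run by a user holding the AUDIT_ADMIN role.

```sql
-- Added example, not from the original answer. Assumes Oracle 12.1 with
-- Unified Auditing available (mixed mode is enough), HR.EMPLOYEES as the
-- sensitive table, and hypothetical policy names ism_*.

-- Access to particularly sensitive information: every action on the table.
CREATE AUDIT POLICY ism_sensitive_pol
  ACTIONS ALL ON hr.employees;

-- New users, role/permission changes, structure changes, logons/logoffs.
CREATE AUDIT POLICY ism_account_pol
  ACTIONS CREATE USER, ALTER USER, DROP USER,
          CREATE ROLE, ALTER ROLE, DROP ROLE,
          GRANT, REVOKE,
          CREATE TABLE, ALTER TABLE, DROP TABLE,
          LOGON, LOGOFF;

-- Attempts to elevate privileges: audit use of the relevant system
-- privileges, enabled below only for failed attempts (the "auditing of
-- errored command" in the answer).
CREATE AUDIT POLICY ism_priv_pol
  PRIVILEGES GRANT ANY PRIVILEGE, GRANT ANY ROLE, ALTER USER, BECOME USER;

AUDIT POLICY ism_sensitive_pol;
AUDIT POLICY ism_account_pol;
AUDIT POLICY ism_priv_pol WHENEVER NOT SUCCESSFUL;

-- 12.1 buffers unified audit records in memory; flush before reporting
-- so that recent statements are visible in UNIFIED_AUDIT_TRAIL.
BEGIN
  DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
END;
/

-- "Any query containing comments": filter the captured statement text.
-- Heuristic only: a string literal containing -- or /* also matches,
-- so hits need review rather than automatic action.
SELECT event_timestamp, dbusername, action_name, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%ISM_SENSITIVE_POL%'
AND    REGEXP_LIKE(sql_text, '--|/\*')
ORDER  BY event_timestamp;

-- "Any query containing multiple embedded queries": more than one SELECT
-- keyword in a single statement (subquery, inline view, UNION).
SELECT event_timestamp, dbusername, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%ISM_SENSITIVE_POL%'
AND    REGEXP_COUNT(sql_text, '(^|\W)SELECT(\W|$)', 1, 'i') > 1
ORDER  BY event_timestamp;

-- "Attempts to elevate privileges": privileged statements that failed.
SELECT event_timestamp, dbusername, action_name, return_code, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%ISM_PRIV_POL%'
AND    return_code <> 0
ORDER  BY event_timestamp;
```

The two regular expressions are deliberately simple: they catch the common cases but are not a SQL parser, so the reports are a triage feed for a reviewer rather than a precise count. Auditing every action on a busy table also carries the overhead Connor mentions, so scope ACTIONS ALL to the tables the business has actually classed as sensitive.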

