HomeOracle Page 3 - Auditing to Secure Oracle Database XE
Protecting the Audit Trail - Oracle
In this conclusion to a ten-part article series on securing Oracle Database XE, you will learn about statement auditing, privilege auditing, and more. This article is excerpted from chapter 31 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).
The audit trail itself needs to be protected, especially if nonsystem users must access the table SYS.AUD$. The built-in role DELETE_ANY_CATALOG is one of the ways that non-SYS users can have access to the audit trail (e.g., to archive and truncate the audit trail to ensure that it does not impact the space requirements for other objects in the SYStablespace).
To set up auditing on the audit trail itself, connect asSYSDBAand run the following command:
SQL> audit all on sys.aud$ by access; Audit succeeded.
Now all actions against the tableSYS.AUD$, includingSELECT,INSERT,UPDATE, andDELETE, will be recorded inSYS.AUD$itself. But, you may ask, what if someone deletes the audit records identifying access to the tableSYS.AUD$? The rows in the table are deleted, but then another row is inserted, recording the deletion of the rows. Therefore, there will always be some evidence of activity, intentional or accidental, against theSYS.AUD$table. In addition, ifAUDIT_SYS_OPERATIONSis set toTRUE, any sessions usingAS SYSDBAorAS SYSOPER, or connecting asSYS itself will be logged into the operating system audit location, which presumably even the Oracle DBAs would not have access to. As a result, you have many safeguards in place to ensure that you record all privileged activity in the database, along with any attempts to hide this activity.
As a DBA, you want to make sure that your application environment is secure. This chapter provided you with the tools to enhance and refine the security options available in Oracle Database XE. While you can protect your enterprise data using Oracle’s built-in security, you are free to add another layer of protection in your Web-based PHP applications as well. Any robust security policy implements more than one layer of security to ensure that users are who they say they are (authentication), and that they are allowed to access various resources in your environment (authorization).
In the next chapter, we tie together your PHP applications with Oracle and show you how easy it is to connect to Oracle Database XE, query and modify database tables, retrieve database metadata, and format your database’s data to look good in a PHP application.