Monitor Databases
Databases can be critical sources of security events, especially on systems that store sensitive data. To ensure that they keep a continuous flow of messages, monitor the processes that record events in the database, and monitor the storage locations for the events, to make sure new messages are showing up. This section explores techniques for monitoring database settings for auditing and logging.
Monitor Oracle
You can configure Oracle to record a wide variety of events. To make certain Oracle is properly capturing an audit trail, you must ensure that events are being logged properly and that audit settings are properly set. As an additional precaution, configure the database to capture administrative events to audit DBA activity.
Maintain Oracle systemwide audit settings
To enable event logging in Oracle (Oracle calls it “auditing”),
you must set the audit_trail
parameter in the init.ora file.
The database references this core configuration file at startup, and
specifies whether to log events to the Oracle database (audit_trail = db
or audit_trail = true
) or to a logfile
(audit_trail = os
) on the host file
system.
As an added step, routinely check the configuration files to be
sure the Oracle database remains properly configured for logging. From
the database, you can ensure that systemwide auditing is turned on by
checking the v$parameter
table:
select NAME, VALUE from V$PARAMETER where NAME like 'audit%'; NAME VALUE ------------------------------ audit_trail DB audit_file_dest ...
Get Security Monitoring now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.