Home » RDBMS Server » Security » problem with auditing (9iR2,win2k3)
problem with auditing [message #384914] Thu, 05 February 2009 13:55 Go to next message
abdulaziz
Messages: 102
Registered: May 2008
Location: Douala
Senior Member
Hello,

Management wants to perform an audit on one of our databases. Here's the situation:

1- Auditing has never been activated on that database.
2- That database has been running in noarchivelog for over 3 years now. The former team that was there before us has never found the need to turn archiving on.
3- That database is 9iR2
4- 3 persons had the password of the SYS account, and they could as well log in as sysdba.

Now fraudulous activities had just been discovered on that database and management wants an audit report to be produced.

Do you think we can operate a reliable audit on that database given the state I described above? I personaly don't think it's possible, but please if there is a way, let me now. I thought of using logminer but we turned archiving mode on that database only on January 31st, and unless I mistake, logminer works better when arching is turned on, which means, informations from the past 3 years have never been archived. Some people suggest "exploiting" the content of the redo log files. It's an idea I don't like-I don't want to temper with those-, but if it's possible, how can we do that?

Please this is urgent.

Thanks in advance.

[Updated on: Thu, 05 February 2009 14:00]

Report message to a moderator

Re: problem with auditing [message #384915 is a reply to message #384914] Thu, 05 February 2009 14:12 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Quote:
Now fraudulous activities had just been discovered on that database and management wants an audit report to be produce.

This is a bit conflicting, "audit" means you planned it before, if not it is mining.

Quote:
this is urgent

Posting this in a forum is also inconsistent.
A forum means someone read it when he/she has time and answer when he/she has time.

In addition, as the offending actions have already be done there is nothing urgent now but YOU to activate a real audit and adopt a real security policy.

Regards
Michel

[Updated on: Thu, 05 February 2009 14:12]

Report message to a moderator

Re: problem with auditing [message #385007 is a reply to message #384915] Fri, 06 February 2009 02:37 Go to previous messageGo to next message
abdulaziz
Messages: 102
Registered: May 2008
Location: Douala
Senior Member
Thanks for the explanation in the terms I used. It was very helpful. The audit is now activated. Is it possible to mine that database, given the situation described before?

[Updated on: Fri, 06 February 2009 02:41]

Report message to a moderator

Re: problem with auditing [message #385008 is a reply to message #385007] Fri, 06 February 2009 02:42 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Then you can only mine, as you are in NOARCHIVEDLOG, online redo logs which may have been overwritten.

Regards
Michel

[Edit: correct typos]

[Updated on: Fri, 06 February 2009 04:05]

Report message to a moderator

Re: problem with auditing [message #385021 is a reply to message #385008] Fri, 06 February 2009 03:43 Go to previous messageGo to next message
abdulaziz
Messages: 102
Registered: May 2008
Location: Douala
Senior Member
Thanks again Michel for your swift reply.

Indeed for the past 3 years, the database was running in NOARCHIVELOG. The ARCHIVELOG mode has been turned on only on January 31, the day we started working on that database.I guess it means that, we cannot efficiently exploit the current content of the redo logs for the mining operation we want to perform, is that so? I am asking because I would like to have sufficient arguments to present.

Thanks in advance.
Re: problem with auditing [message #385027 is a reply to message #385021] Fri, 06 February 2009 04:04 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Quote:
we cannot efficiently exploit the current content of the redo logs for the mining operation we want to perform,

Efficiently in which way? performances or likelyhood to retrieve the information?
For the former there is no sensitive difference with archived logs. I already answered to the latter.

Regards
Michel
Re: problem with auditing [message #385043 is a reply to message #385027] Fri, 06 February 2009 05:06 Go to previous message
abdulaziz
Messages: 102
Registered: May 2008
Location: Douala
Senior Member
Thanks alot Michel.
Previous Topic: ORA-01017: invalid username/password, depending on db
Next Topic: User roles and grants(indirect) (merged)
Goto Forum:
  


Current Time: Thu Mar 28 18:52:39 CDT 2024