6.1.14 Ensure the 'ALL' Audit Option on 'SYS.AUD$' Is Enabled

Information

The logging of attempts to alter the audit trail in the SYS.AUD$ table (open for read/update/delete/view) will provide a record of any activities that may indicate unauthorized attempts to access the audit trail. Enabling the audit option will cause these activities to be audited.

Rationale:

As the logging of attempts to alter the SYS.AUD$ table can provide forensic evidence of the initiation of a pattern of unauthorized activities, this logging capability should be enabled.

Solution

To remediate this setting, execute the following SQL statement in either the non multi-tenant or container database, it does NOT need run in the pluggable.

AUDIT ALL ON SYS.AUD$ BY ACCESS;

See Also

https://workbench.cisecurity.org/files/2741