6.2.27 Ensure the 'LOGON' AND 'LOGOFF' Actions Audit Is Enabled

Information

Oracle database users log on to the database to perform their work. Enabling this unified audit causes logging of all LOGON actions, whether successful or unsuccessful, issued by the users regardless of the privileges held by the users to log into the database. In addition, LOGOFF action audit captures logoff activities. This audit action also captures logon/logoff to the open database by SYSDBA and SYSOPER

Logging and monitoring of all attempts to logon to the database, whether successful or unsuccessful, may provide forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving LOGON and LOGOFF

Solution

Execute the following SQL statement to remediate this setting.

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
ADD
ACTIONS
LOGON,
LOGOFF;

Note: If you do not have CIS_UNIFIED_AUDIT_POLICY please create one using the CREATE AUDIT POLICY statement.

See Also

https://workbench.cisecurity.org/benchmarks/11760