DO3610-ORACLE11 - Required object auditing should be configured - 'Auditing for update and delete is enabled'

Information

Database object definitions and configurations require similar oversight as application libraries to detect unauthorized changes. Unauthorized changes may indicate attempts to compromise data or application object integrity or confidentiality. Any access to audit data objects stored in the database must be audited to detect any attempts to compromise the audit trail. A compromise to audit data could jeopardize accountability for unauthorized actions.

Solution

The only application-object auditing required is auditing of the RENAME privilege on database objects.

Configure auditing on RENAME privilege use by default for newly created objects.

From SQL*Plus:

audit rename on default by access;

If application objects have already been created, the default setting does not cover them; issue an audit rename on statement for each existing application object.

From SQL*Plus:

audit rename on [application object name] by access;

Enable auditing of access and activity on audit trail data stored in the database.

From SQL*Plus:

audit update, delete on AUD$ by access;

NOTE: The audit table is by default in the SYSTEM schema, but may have been moved to another schema.
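The following SQL*Plus script is an added verification example, not part of the STIG or the Tenable audit: it checks the three settings above against the Oracle data dictionary and flags existing application objects that still lack RENAME auditing. The &app_schema substitution variable (the owner of the application objects) is an assumption you supply when the script prompts for it.

```sql
-- Added verification script (not from the STIG). Run in SQL*Plus as a DBA.
-- Assumption: &app_schema is the owner of the application objects to check.

-- 0. Object auditing only lands in a trail when AUDIT_TRAIL is not NONE.
SELECT name, value FROM v$parameter WHERE name = 'audit_trail';

-- 1. Default RENAME auditing for objects created from now on
--    (the effect of "audit rename on default by access").
--    Expect REN = 'A/A': audited by access, on success and on failure.
SELECT ren AS default_rename_audit FROM all_def_audit_opts;

-- 2. Existing application tables and views that are NOT yet audited for
--    RENAME by access. An empty result means compliant. RENAME is an
--    object audit option only for tables and views, so other types are
--    skipped. DBA_OBJ_AUDIT_OPTS may have no row for an object with no
--    options set, hence the outer join and the '-/-' default.
SELECT o.owner, o.object_name, o.object_type, NVL(a.ren, '-/-') AS ren
  FROM dba_objects o
  LEFT JOIN dba_obj_audit_opts a
    ON a.owner = o.owner AND a.object_name = o.object_name
 WHERE o.owner = UPPER('&app_schema')
   AND o.object_type IN ('TABLE', 'VIEW')
   AND NVL(a.ren, '-/-') <> 'A/A'
 ORDER BY o.object_type, o.object_name;

-- 3. UPDATE and DELETE auditing on the audit table. The table is matched
--    by name only, so a relocated AUD$ is still found; the OWNER column
--    tells you which schema to qualify in the AUDIT statement.
--    Expect one row with UPD = 'A/A' and DEL = 'A/A'.
SELECT owner, object_name, upd, del
  FROM dba_obj_audit_opts
 WHERE object_name = 'AUD$';

-- Remediation for one object reported by query 2, schema-qualified so it
-- does not depend on the current schema (the double dot is SQL*Plus
-- substitution syntax for "&app_schema" followed by a period):
-- AUDIT RENAME ON &app_schema..&object_name BY ACCESS;
```

Query 2 returns rows to fix rather than a pass/fail flag, so it can be re-run after remediation until it comes back empty.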

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|II, Rule-ID|SV-24928r2_rule, STIG-ID|DO3610-ORACLE11, Vuln-ID|V-2562

Plugin: OracleDB

Control ID: c16e10c78e2ee992c1729903414fdd237f44e4090372f89ea4b4989f3eb26a73