October 15, 2010 at 9:38 am
Can anyone please point me towards server & DB audit spec scripts that will let me cover off a requirement I've been set by my Auditor to audit all DBA actions and not anyone else's actions? Just the DBA.
Thanks
October 15, 2010 at 10:36 am
Will a trace do what you need? You can capture all commands issued to the server, filtered by account/connection.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
October 15, 2010 at 11:03 am
Tracing is not bad and of course has been used by DBAs for many years but the layout of the new audit tables is much more Auditor-friendly.
The other thing is I want to audit Windows Admins while they patch my instances. It's easier to do this with the new Audit tools than with tracing
October 15, 2010 at 11:09 am
Honestly, if I really needed to audit what a DBA does, I'd probably set up some sort of 3rd party auditing tool outside the scope of the database/RDBMS. DBAs usually have access to do things like turning a trace off, or impersonating other credentials. Anything inside the database probably won't pass the "beyond a reasonable doubt" test, if this is for legal/compliance purposes.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
October 15, 2010 at 11:58 am
Traces can work, but I'd agree with Gus. Third party tool. Log to a folder that the tool and the DBAs can not read from. Only write to.
Follow me on Twitter: http://www.twitter.com/way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply