Required object auditing should be configured.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2562	DO3610-ORACLE11	SV-24928r2_rule	ECAR-1	Medium

Description
Database object definitions and configurations require similar oversight as application libraries to detect unauthorized changes. Unauthorized changes may indicate attempts to compromise data or application object integrity or confidentiality. Any access to audit data objects stored in the database must be audited to detect any attempts to compromise the audit trail. A compromise to audit data could jeopardize accountability for unauthorized actions.

Description

Database object definitions and configurations require similar oversight as application libraries to detect unauthorized changes. Unauthorized changes may indicate attempts to compromise data or application object integrity or confidentiality. Any access to audit data objects stored in the database must be audited to detect any attempts to compromise the audit trail. A compromise to audit data could jeopardize accountability for unauthorized actions.

STIG	Date
Oracle Database 11g Instance STIG	2015-06-23

Details

Check Text ( C-29477r2_chk )
From SQLPlus: select count() from all_def_audit_opts where ren = 'A/A'; If the count of 0 is returned, this is a Finding. Check for required auditing of the audit table as follows: From SQLPlus: select upd, del, object_type from dba_obj_audit_opts where object_name = 'AUD$'; If the record returned is of object type TABLE and upd(ate) and del(ete) are not = 'A/A', this is a Finding. If the record type VIEW is returned and upd and del are = ‘A/A’, this is NOT a Finding. Otherwise, if the record type VIEW is returned and upd and del are NOT = 'A/A', then the underlying table must be checked for update and delete auditing as follows: From SQLPlus: set long 1000 set wrap on select text from dba_views where view_name = 'AUD$'; Review the text returned and locate the “from table_owner.table_name”. This should be located at the end of the text returned. Replace table_owner and table_name in the select statement below with the values returned above. From SQL*Plus: select upd, del from dba_obj_audit_opts where owner = 'table_owner' and object_name = 'table_name'; If the value of upd(ate) and del(ete) returned above is NOT equal to 'A/A', this is a Finding.

Check Text ( C-29477r2_chk )

From SQL*Plus:

select count(*) from all_def_audit_opts where ren = 'A/A';

If the count of 0 is returned, this is a Finding.

Check for required auditing of the audit table as follows:

From SQL*Plus:

select upd, del, object_type from dba_obj_audit_opts
where object_name = 'AUD$';

If the record returned is of object type TABLE and upd(ate) and del(ete) are not = 'A/A', this is a Finding.

If the record type VIEW is returned and upd and del are = ‘A/A’, this is NOT a Finding.

Otherwise, if the record type VIEW is returned and upd and del are NOT = 'A/A', then the underlying table must be checked for update and delete auditing as follows:

From SQL*Plus:

set long 1000
set wrap on
select text from dba_views where view_name = 'AUD$';

Review the text returned and locate the “from table_owner.table_name”. This should be located at the end of the text returned.

Replace table_owner and table_name in the select statement below with the values returned above.

From SQL*Plus:

select upd, del from dba_obj_audit_opts
where owner = 'table_owner' and object_name = 'table_name';

If the value of upd(ate) and del(ete) returned above is NOT equal to 'A/A', this is a Finding.

Fix Text (F-26541r1_fix)
The only application objects auditing required is for use of the RENAME privilege on database objects. Configure auditing on RENAME privilege use by default for newly created objects. From SQLPlus: audit rename on default by access; If application objects have already been created, the audit rename on object statement should be issued for all application objects. From SQLPlus: audit rename on [application object name] by access; Enable auditing of access and activity on audit trail data stored in the database. From SQL*Plus: audit update, delete on AUD$ by access; NOTE: The audit table is by default in the SYSTEM schema, but may have been moved to another schema.

Fix Text (F-26541r1_fix)

The only application objects auditing required is for use of the RENAME privilege on database objects.

Configure auditing on RENAME privilege use by default for newly created objects.

From SQL*Plus:

audit rename on default by access;

If application objects have already been created, the audit rename on object statement should be issued for all application objects.

From SQL*Plus:

audit rename on [application object name] by access;

Enable auditing of access and activity on audit trail data stored in the database.

From SQL*Plus:

audit update, delete on AUD$ by access;

NOTE: The audit table is by default in the SYSTEM schema, but may have been moved to another schema.