Audit records should contain required information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15646	DG0145-ORACLE11	SV-30881r1_rule		Medium

Description
Complete forensically valuable data may be unavailable or accountability may be jeopardized when audit records do not contain sufficient information.

STIG	Date
Oracle Database 11g Instance STIG	2017-06-29

Details

Check Text ( C-31301r1_chk )
Review samples of the DBMS audit logs. Compare to the required elements listed below: - User ID. - Successful and unsuccessful attempts to access security files - Date and time of the event. - Type of event. - Success or failure of event. - Successful and unsuccessful logons. - Denial of access resulting from excessive number of logon attempts. - Blocking or blacklisting a user ID, terminal or access port, and the reason for the action. - Activities that might modify, bypass, or negate safeguards controlled by the system. - Data required to audit the possible use of covert channel mechanisms. - Privileged activities and other system-level access. - Starting and ending time for access to the system. - Security relevant actions associated with periods processing or the changing of security labels or categories of information. If the elements listed above are not included in the audit logs at at minimum, this is a Finding.

Check Text ( C-31301r1_chk )

Review samples of the DBMS audit logs.

Compare to the required elements listed below:
- User ID.
- Successful and unsuccessful attempts to access security files
- Date and time of the event.
- Type of event.
- Success or failure of event.
- Successful and unsuccessful logons.
- Denial of access resulting from excessive number of logon attempts.
- Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.
- Activities that might modify, bypass, or negate safeguards controlled by the system.
- Data required to audit the possible use of covert channel mechanisms.
- Privileged activities and other system-level access.
- Starting and ending time for access to the system.
- Security relevant actions associated with periods processing or the changing of security labels or categories of information.

If the elements listed above are not included in the audit logs at at minimum, this is a Finding.

Fix Text (F-27769r1_fix)
Configure audit settings to include the following list of elements in the audit logs at a minimum: - User ID. - Successful and unsuccessful attempts to access security files - Date and time of the event. - Type of event. - Success or failure of event. - Successful and unsuccessful logons. - Denial of access resulting from excessive number of logon attempts. - Blocking or blacklisting a user ID, terminal or access port, and the reason for the action. - Activities that might modify, bypass, or negate safeguards controlled by the system. - Data required to audit the possible use of covert channel mechanisms. - Privileged activities and other system-level access. - Starting and ending time for access to the system. - Security relevant actions associated with periods processing or the changing of security labels or categories of information.

Fix Text (F-27769r1_fix)

Configure audit settings to include the following list of elements in the audit logs at a minimum:
- User ID.
- Successful and unsuccessful attempts to access security files
- Date and time of the event.
- Type of event.
- Success or failure of event.
- Successful and unsuccessful logons.
- Denial of access resulting from excessive number of logon attempts.
- Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.
- Activities that might modify, bypass, or negate safeguards controlled by the system.
- Data required to audit the possible use of covert channel mechanisms.
- Privileged activities and other system-level access.
- Starting and ending time for access to the system.
- Security relevant actions associated with periods processing or the changing of security labels or categories of information.