This section describes two methods to analyze database
server audit records:
- The first method is simply to display audit data as it appears in
the audit trail, which you can subject to your own audit-analysis
tools. This method guarantees accuracy because no processing is done
on the raw audit records.
- The second method converts the audit records into a form that
can be uploaded into a table that the database server manages. You
can then use SQL to generate reports based on this data. With the
SQL-based method, you can create and use customized forms and reports
to manipulate and selectively view audit data, which provides a
flexible and powerful audit-analysis procedure. Be sure, however,
that records are not deleted from, or modified in, either the
intermediate file or the database prior to analysis.
Important:
The SQL-based procedure is more
convenient but remains untrusted because users can use SQL data-manipulation
statements to tamper with the records that are copied into a table.
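One way to act on the caution above about the intermediate file, as an added example that is not part of the original documentation: record a digest and a record count when the file is written, then check both before loading and compare the table's row count after loading. The function names, the `.manifest` suffix and the sample records are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not vendor code. seal_extract, verify_extract, rows_match and
# the ".manifest" suffix are hypothetical names chosen for this sketch.

sha256_of() {   # print the SHA-256 digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{print $1}'
}
count_records() { wc -l < "$1" | tr -d ' '; }

# Run as soon as the intermediate file is written. Assumption: the manifest is
# kept where database users cannot write, or it proves nothing.
seal_extract() {
    printf '%s %s\n' "$(sha256_of "$1")" "$(count_records "$1")" > "$1.manifest"
}

# Run before loading or analysis.
# Returns 0 = unchanged, 1 = content modified, 2 = record count changed, 3 = no manifest.
verify_extract() {
    [ -r "$1.manifest" ] || return 3
    read -r want_sum want_n < "$1.manifest"
    [ "$(count_records "$1")" = "$want_n" ] || return 2
    [ "$(sha256_of "$1")" = "$want_sum" ] || return 1
    return 0
}

# After the load: $2 is the row count the table reports (for example COUNT(*)).
# Detects deleted or injected rows only; edits made inside a row go unnoticed.
rows_match() {
    read -r skip want_n < "$1.manifest"
    [ "$2" = "$want_n" ]
}

# Constructed stand-in for an intermediate file. The field layout is
# illustrative and is not the utility's actual output format.
make_sample() {
    printf '%s\n' 'alice|srv1|OPDB|0' 'bob|srv1|DLRW|0' 'alice|srv1|CLDB|0' > "$1"
}

demo() {
    d=$(mktemp -d) && f=$d/extract.unl
    make_sample "$f"; seal_extract "$f"
    verify_extract "$f" && echo "sealed copy: intact"
    sed 's/bob/eve/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    verify_extract "$f" || echo "after edit: verify_extract returned $?"
    rm -rf "$d"
}
demo
```

Because the row-count comparison cannot see an UPDATE that rewrites a loaded row, the sealed intermediate file remains the reference copy for any finding that matters.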
Both methods rely on a utility called onshowaudit, which Audit
Analysis and Utility Syntax describe. For either method, you can
extract audit events for specific users, database servers, or both.
Figure 4 shows the preparation
process for both analysis methods. Audit Analysis explains
each step in detail.
Figure 4. Preparing for Audit Analysis
To perform audit analysis, you must first have audit records in your
database server or operating-system audit trail. The onshowaudit
utility does not remove data from the audit trail. It only reads
records from the audit trail and allows them to be viewed or
manipulated with standard SQL utilities.
UNIX Only
When all of the following conditions are present on UNIX,
records are in the operating-system audit trail:
- The operating system supports auditing.
- The database server supports operating-system auditing on this
platform.
- For records in the operating-system audit trail, your database
server must be registered as a protected subsystem with your
operating system, as the UNIX machine notes file describes. (See
Additional Documentation of the Introduction.)
- Database server users have performed activities that generated
audit records.
- Operating-system auditing is on.
End of UNIX Only
Windows Only
To clear or remove audit logs on Windows, delete the files
that contain the audit trail.
End of Windows Only