O19C-00-005800 - Oracle Database must off-load audit data to a separate log management facility; this must be continuous and in near-real-time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems.

Information

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

The database management system (DBMS) may write audit records to database tables, files in the file system, other kinds of local repositories, or a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the DBMS or deploy and configure software tools to transfer audit records to a centralized log management system, continuously and in near-real-time where a continuous network connection to the log management system exists, or at least weekly in the absence of such a connection.

Consider deploying Oracle Audit Vault, which is Oracle's centralized audit log management system. Oracle Audit Vault is a powerful enterprise-wide audit solution that provides a centralized location and configuration for audit information. It captures audit records generated by all databases, including Oracle and other databases (SQL Server, MySQL, etc.), and by various components of the DBMS, as well as operating systems, file systems, directory services, or custom audit data in either database tables or XML files.

Oracle Audit Vault consumes audit data from databases, which may be automatically purged from the target database after it has been moved to the Oracle Audit Vault Server, freeing up valuable space for business data. Oracle Audit Vault Server supports data retention policies on a per-source basis, making it possible to meet internal or external compliance requirements. To prevent unauthorized access or tampering, Oracle Audit Vault encrypts audit and event data at every stage, in transmission and at rest. For Oracle Databases, Oracle Audit Vault can track changes to data, user entitlements, and stored procedures. Historical tracking of important data attributes allows users to quickly report on the lifecycle of a data attribute. User entitlements tracking enables easy reporting on which users have what privileges, along with differential reporting on what has changed since the last report. Maliciously modified stored procedures are a frequent vector for data theft; stored procedure tracking helps users quickly spot changes. With support for Oracle's unified audit, it is easy to implement best practices for auditing using preseeded audit policies.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_19c_V1R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CAT|II, CCI|CCI-001851, Rule-ID|SV-270507r1065200_rule, STIG-ID|O19C-00-005800, Vuln-ID|V-270507

Plugin: OracleDB

Control ID: 979cfc53d7bcd7f7f9cefcd3cc81ba7473ff37a1122c55238324b5b7db9da22a