Documentation - V-270502

Title

Oracle Database must provide audit record generation capability for organization-defined auditable events within the database.

Description

<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the database management system (DBMS) (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of eve...

Fix Text (Documentation Requirement)

Configure the DBMS's auditing to audit organization-defined auditable events. If preferred, use a third-party tool. The tool must provide the minimum capability to audit the required events. If using a third-party product, proceed in accordance with the product documentation. If using Oracle's capabilities, proceed as follows. If Standard Auditing is used: Use this process to ensure auditable events are captured: ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SID='*' SCOPE=SPFILE; Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'. After executing this statement, it may be necessary to shut down and restart the Oracle database. If the site-specific audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For...