Oracle Database must off-load audit data to a separate log management facility; this must be continuous and in near-real-time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-270507 | SRG-APP-000515-DB-000318 | O19C-00-005800 | SV-270507r1065200_rule | 2025-02-14 | 1 |
Description |
---|
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. The database management system (DBMS) may write audit records to database tables, files in the file system, other kinds of local repositories, or a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system. |
ℹ️ Check |
---|
Review the system documentation for a description of how audit records are off-loaded. If there is no centralized audit log management system for the audit data to be written to, this is a finding. If the DBMS has a continuous network connection to the centralized log management system but the DBMS audit records are not written directly to the centralized log management system or transferred in near-real-time, this is a finding. If the DBMS does not have a continuous network connection to the centralized log management system and the DBMS audit records are not transferred to the centralized log management system weekly or more often, this is a finding. |
✔️ Fix |
---|
Configure the DBMS, or deploy and configure software tools, to transfer audit records to a centralized log management system: continuously and in near-real-time where a continuous network connection to the log management system exists, or at least weekly in the absence of such a connection. Consider deploying Oracle Audit Vault, Oracle's centralized audit log management system. Oracle Audit Vault is an enterprise-wide audit solution that provides a centralized location for, and centralized configuration of, audit information captured in audit records generated by Oracle and other databases (SQL Server, MySQL, etc.) and by various components of the DBMS, as well as by operating systems, file systems, directory services, or custom audit data held in database tables or XML files. Oracle Audit Vault consumes audit data from databases; that data may be automatically purged from the target database after it has been moved to the Oracle Audit Vault Server, freeing up space for business data. Oracle Audit Vault Server supports data retention policies on a per-source basis, making it possible to meet internal or external compliance requirements. To prevent unauthorized access or tampering, Oracle Audit Vault encrypts audit and event data at every stage, in transmission and at rest. For Oracle Databases, Oracle Audit Vault can track changes to data, user entitlements, and stored procedures. Historical tracking of important data attributes allows users to quickly report on the lifecycle of a data attribute. User entitlement tracking enables easy reporting on which users have which privileges, along with differential reporting on what has changed since the last report. Maliciously modified stored procedures are a frequent vector for data theft; stored procedure tracking helps users quickly spot changes. With support for Oracle's unified audit, best practices for auditing can be implemented using preseeded audit policies. |
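As an added example that is not part of the STIG text, the following SQL and PL/SQL shows one way a DBA can produce evidence for the Check's weekly bound and enforce the off-load-then-purge ordering described in the Fix. It assumes unified auditing is in use and that the off-load job (an Audit Vault agent or any other collector, whose own configuration is not shown on this page) records each completed transfer with DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP.

```sql
-- Added example, not part of the STIG text or of Oracle Audit Vault. Assumes unified
-- auditing and that the off-load job (Audit Vault agent or another collector) records
-- each completed transfer with DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP. The 7-day
-- threshold is the rule's "weekly or more often" bound for stand-alone systems.

-- 1. Evidence check: when were unified audit records last marked as archived (off-loaded)?
SELECT last_archive_ts,
       CASE
         WHEN last_archive_ts IS NULL
           THEN 'FINDING: no archive timestamp recorded'
         WHEN last_archive_ts < SYSTIMESTAMP - INTERVAL '7' DAY
           THEN 'FINDING: last off-load older than 7 days'
         ELSE 'OK'
       END AS status
  FROM (SELECT (SELECT MAX(last_archive_ts)
                  FROM dba_audit_mgmt_last_arch_ts
                 WHERE audit_trail = 'UNIFIED AUDIT TRAIL') AS last_archive_ts
          FROM dual);

-- 2. Backlog: records newer than the archive point have not yet left the database.
SELECT COUNT(*)             AS unarchived_records,
       MIN(event_timestamp) AS oldest_unarchived
  FROM unified_audit_trail
 WHERE event_timestamp > (SELECT NVL(MAX(last_archive_ts),
                                     TIMESTAMP '1970-01-01 00:00:00')
                            FROM dba_audit_mgmt_last_arch_ts
                           WHERE audit_trail = 'UNIFIED AUDIT TRAIL');

-- 3. What the off-load job runs once a transfer is confirmed in the central store:
--    set the archive point to the newest transferred record, then purge only records
--    at or before that point, so nothing is deleted before it exists centrally.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => SYSTIMESTAMP);  -- placeholder: use the last transferred record's time

  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    use_last_arch_timestamp => TRUE);
END;
/
```

For a system with a continuous connection, the same evidence query applies with a much tighter threshold than 7 days, since the rule requires near-real-time transfer there.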