\documentclass[11pt,twoside]{article}\makeatletter \IfFileExists{xcolor.sty}% {\RequirePackage{xcolor}}% {\RequirePackage{color}} \usepackage{colortbl} \usepackage{wrapfig} \usepackage{ifxetex} \ifxetex \usepackage{fontspec} \usepackage{xunicode} \catcode`⃥=\active \def⃥{\textbackslash} \catcode`❴=\active \def❴{\{} \catcode`❵=\active \def❵{\}} \def\textJapanese{\fontspec{Noto Sans CJK JP}} \def\textChinese{\fontspec{Noto Sans CJK SC}} \def\textKorean{\fontspec{Noto Sans CJK KR}} \setmonofont{DejaVu Sans Mono} \else \IfFileExists{utf8x.def}% {\usepackage[utf8x]{inputenc} \PrerenderUnicode{–} }% {\usepackage[utf8]{inputenc}} \usepackage[english]{babel} \usepackage[T1]{fontenc} \usepackage{float} \usepackage[]{ucs} \uc@dclc{8421}{default}{\textbackslash } \uc@dclc{10100}{default}{\{} \uc@dclc{10101}{default}{\}} \uc@dclc{8491}{default}{\AA{}} \uc@dclc{8239}{default}{\,} \uc@dclc{20154}{default}{ } \uc@dclc{10148}{default}{>} \def\textschwa{\rotatebox{-90}{e}} \def\textJapanese{} \def\textChinese{} \IfFileExists{tipa.sty}{\usepackage{tipa}}{} \fi \def\exampleFont{\ttfamily\small} \DeclareTextSymbol{\textpi}{OML}{25} \usepackage{relsize} \RequirePackage{array} \def\@testpach{\@chclass \ifnum \@lastchclass=6 \@ne \@chnum \@ne \else \ifnum \@lastchclass=7 5 \else \ifnum \@lastchclass=8 \tw@ \else \ifnum \@lastchclass=9 \thr@@ \else \z@ \ifnum \@lastchclass = 10 \else \edef\@nextchar{\expandafter\string\@nextchar}% \@chnum \if \@nextchar c\z@ \else \if \@nextchar l\@ne \else \if \@nextchar r\tw@ \else \z@ \@chclass \if\@nextchar |\@ne \else \if \@nextchar !6 \else \if \@nextchar @7 \else \if \@nextchar (8 \else \if \@nextchar )9 \else 10 \@chnum \if \@nextchar m\thr@@\else \if \@nextchar p4 \else \if \@nextchar b5 \else \z@ \@chclass \z@ \@preamerr \z@ \fi \fi \fi \fi \fi \fi \fi \fi \fi \fi \fi \fi \fi \fi \fi \fi} \gdef\arraybackslash{\let\\=\@arraycr} \def\@textsubscript#1{{\m@th\ensuremath{_{\mbox{\fontsize\sf@size\z@#1}}}}} \def\Panel#1#2#3#4{\multicolumn{#3}{){\columncolor{#2}}#4}{#1}} \def\abbr{} \def\corr{} \def\expan{} \def\gap{} \def\orig{} \def\reg{} \def\ref{} \def\sic{} \def\persName{}\def\name{} \def\placeName{} \def\orgName{} \def\textcal#1{{\fontspec{Lucida Calligraphy}#1}} \def\textgothic#1{{\fontspec{Lucida Blackletter}#1}} \def\textlarge#1{{\large #1}} \def\textoverbar#1{\ensuremath{\overline{#1}}} \def\textquoted#1{‘#1’} \def\textsmall#1{{\small #1}} \def\textsubscript#1{\@textsubscript{\selectfont#1}} \def\textxi{\ensuremath{\xi}} \def\titlem{\itshape} \newenvironment{biblfree}{}{\ifvmode\par\fi } \newenvironment{bibl}{}{} \newenvironment{byline}{\vskip6pt\itshape\fontsize{16pt}{18pt}\selectfont}{\par } \newenvironment{citbibl}{}{\ifvmode\par\fi } \newenvironment{docAuthor}{\ifvmode\vskip4pt\fontsize{16pt}{18pt}\selectfont\fi\itshape}{\ifvmode\par\fi } \newenvironment{docDate}{}{\ifvmode\par\fi } \newenvironment{docImprint}{\vskip 6pt}{\ifvmode\par\fi } \newenvironment{docTitle}{\vskip6pt\bfseries\fontsize{22pt}{25pt}\selectfont}{\par } \newenvironment{msHead}{\vskip 6pt}{\par} \newenvironment{msItem}{\vskip 6pt}{\par} \newenvironment{rubric}{}{} \newenvironment{titlePart}{}{\par } \newcolumntype{L}[1]{){\raggedright\arraybackslash}p{#1}} \newcolumntype{C}[1]{){\centering\arraybackslash}p{#1}} \newcolumntype{R}[1]{){\raggedleft\arraybackslash}p{#1}} \newcolumntype{P}[1]{){\arraybackslash}p{#1}} \newcolumntype{B}[1]{){\arraybackslash}b{#1}} \newcolumntype{M}[1]{){\arraybackslash}m{#1}} \definecolor{label}{gray}{0.75} \def\unusedattribute#1{\sout{\textcolor{label}{#1}}} \DeclareRobustCommand*{\xref}{\hyper@normalise\xref@} \def\xref@#1#2{\hyper@linkurl{#2}{#1}} \begingroup \catcode`\_=\active \gdef_#1{\ensuremath{\sb{\mathrm{#1}}}} \endgroup \mathcode`\_=\string"8000 \catcode`\_=12\relax \usepackage[a4paper,twoside,lmargin=1in,rmargin=1in,tmargin=1in,bmargin=1in,marginparwidth=0.75in]{geometry} \usepackage{framed} \definecolor{shadecolor}{gray}{0.95} \usepackage{longtable} \usepackage[normalem]{ulem} \usepackage{fancyvrb} \usepackage{fancyhdr} \usepackage{graphicx} \usepackage{marginnote} \renewcommand{\@cite}[1]{#1} \renewcommand*{\marginfont}{\itshape\footnotesize} \def\Gin@extensions{.pdf,.png,.jpg,.mps,.tif} \pagestyle{fancy} \usepackage[pdftitle={Database Autopsy Close Look to Database Auditing for Oracle Database}, pdfauthor={}]{hyperref} \hyperbaseurl{} \paperwidth210mm \paperheight297mm \def\@pnumwidth{1.55em} \def\@tocrmarg {2.55em} \def\@dotsep{4.5} \setcounter{tocdepth}{3} \clubpenalty=8000 \emergencystretch 3em \hbadness=4000 \hyphenpenalty=400 \pretolerance=750 \tolerance=2000 \vbadness=4000 \widowpenalty=10000 \renewcommand\section{\@startsection {section}{1}{\z@}% {-1.75ex \@plus -0.5ex \@minus -.2ex}% {0.5ex \@plus .2ex}% {\reset@font\Large\bfseries}} \renewcommand\subsection{\@startsection{subsection}{2}{\z@}% {-1.75ex\@plus -0.5ex \@minus- .2ex}% {0.5ex \@plus .2ex}% {\reset@font\Large}} \renewcommand\subsubsection{\@startsection{subsubsection}{3}{\z@}% {-1.5ex\@plus -0.35ex \@minus -.2ex}% {0.5ex \@plus .2ex}% {\reset@font\large}} \renewcommand\paragraph{\@startsection{paragraph}{4}{\z@}% {-1ex \@plus-0.35ex \@minus -0.2ex}% {0.5ex \@plus .2ex}% {\reset@font\normalsize}} \renewcommand\subparagraph{\@startsection{subparagraph}{5}{\parindent}% {1.5ex \@plus1ex \@minus .2ex}% {-1em}% {\reset@font\normalsize\bfseries}} \def\l@section#1#2{\addpenalty{\@secpenalty} \addvspace{1.0em plus 1pt} \@tempdima 1.5em \begingroup \parindent \z@ \rightskip \@pnumwidth \parfillskip -\@pnumwidth \bfseries \leavevmode #1\hfil \hbox to\@pnumwidth{\hss #2}\par \endgroup} \def\l@subsection{\@dottedtocline{2}{1.5em}{2.3em}} \def\l@subsubsection{\@dottedtocline{3}{3.8em}{3.2em}} \def\l@paragraph{\@dottedtocline{4}{7.0em}{4.1em}} \def\l@subparagraph{\@dottedtocline{5}{10em}{5em}} \@ifundefined{c@section}{\newcounter{section}}{} \@ifundefined{c@chapter}{\newcounter{chapter}}{} \newif\if@mainmatter \@mainmattertrue \def\chaptername{Chapter} \def\frontmatter{% \pagenumbering{roman} \def\thechapter{\@roman\c@chapter} \def\theHchapter{\roman{chapter}} \def\thesection{\@roman\c@section} \def\theHsection{\roman{section}} \def\@chapapp{}% } \def\mainmatter{% \cleardoublepage \def\thechapter{\@arabic\c@chapter} \setcounter{chapter}{0} \setcounter{section}{0} \pagenumbering{arabic} \setcounter{secnumdepth}{6} \def\@chapapp{\chaptername}% \def\theHchapter{\arabic{chapter}} \def\thesection{\@arabic\c@section} \def\theHsection{\arabic{section}} } \def\backmatter{% \cleardoublepage \setcounter{chapter}{0} \setcounter{section}{0} \setcounter{secnumdepth}{2} \def\@chapapp{\appendixname}% \def\thechapter{\@Alph\c@chapter} \def\theHchapter{\Alph{chapter}} \appendix } \newenvironment{bibitemlist}[1]{% \list{\@biblabel{\@arabic\c@enumiv}}% {\settowidth\labelwidth{\@biblabel{#1}}% \leftmargin\labelwidth \advance\leftmargin\labelsep \@openbib@code \usecounter{enumiv}% \let\p@enumiv\@empty \renewcommand\theenumiv{\@arabic\c@enumiv}% }% \sloppy \clubpenalty4000 \@clubpenalty \clubpenalty \widowpenalty4000% \sfcode`\.\@m}% {\def\@noitemerr {\@latex@warning{Empty `bibitemlist' environment}}% \endlist} \def\tableofcontents{\section*{\contentsname}\@starttoc{toc}} \parskip0pt \parindent1em \def\Panel#1#2#3#4{\multicolumn{#3}{){\columncolor{#2}}#4}{#1}} \newenvironment{reflist}{% \begin{raggedright}\begin{list}{} {% \setlength{\topsep}{0pt}% \setlength{\rightmargin}{0.25in}% \setlength{\itemsep}{0pt}% \setlength{\itemindent}{0pt}% \setlength{\parskip}{0pt}% \setlength{\parsep}{2pt}% \def\makelabel##1{\itshape ##1}}% } {\end{list}\end{raggedright}} \newenvironment{sansreflist}{% \begin{raggedright}\begin{list}{} {% \setlength{\topsep}{0pt}% \setlength{\rightmargin}{0.25in}% \setlength{\itemindent}{0pt}% \setlength{\parskip}{0pt}% \setlength{\itemsep}{0pt}% \setlength{\parsep}{2pt}% \def\makelabel##1{\upshape ##1}}% } {\end{list}\end{raggedright}} \newenvironment{specHead}[2]% {\vspace{20pt}\hrule\vspace{10pt}% \phantomsection\label{#1}\markright{#2}% \pdfbookmark[2]{#2}{#1}% \hspace{-0.75in}{\bfseries\fontsize{16pt}{18pt}\selectfont#2}% }{} \def\TheFullDate{2013-01-15 (revised: 15 January 2013)} \def\TheID{\makeatother } \def\TheDate{2013-01-15} \title{Database Autopsy Close Look to Database Auditing for Oracle Database} \author{}\makeatletter \makeatletter \newcommand*{\cleartoleftpage}{% \clearpage \if@twoside \ifodd\c@page \hbox{}\newpage \if@twocolumn \hbox{}\newpage \fi \fi \fi } \makeatother \makeatletter \thispagestyle{empty} \markright{\@title}\markboth{\@title}{\@author} \renewcommand\small{\@setfontsize\small{9pt}{11pt}\abovedisplayskip 8.5\p@ plus3\p@ minus4\p@ \belowdisplayskip \abovedisplayskip \abovedisplayshortskip \z@ plus2\p@ \belowdisplayshortskip 4\p@ plus2\p@ minus2\p@ \def\@listi{\leftmargin\leftmargini \topsep 2\p@ plus1\p@ minus1\p@ \parsep 2\p@ plus\p@ minus\p@ \itemsep 1pt} } \makeatother \fvset{frame=single,numberblanklines=false,xleftmargin=5mm,xrightmargin=5mm} \fancyhf{} \setlength{\headheight}{14pt} \fancyhead[LE]{\bfseries\leftmark} \fancyhead[RO]{\bfseries\rightmark} \fancyfoot[RO]{} \fancyfoot[CO]{\thepage} \fancyfoot[LO]{\TheID} \fancyfoot[LE]{} \fancyfoot[CE]{\thepage} \fancyfoot[RE]{\TheID} \hypersetup{citebordercolor=0.75 0.75 0.75,linkbordercolor=0.75 0.75 0.75,urlbordercolor=0.75 0.75 0.75,bookmarksnumbered=true} \fancypagestyle{plain}{\fancyhead{}\renewcommand{\headrulewidth}{0pt}} \date{} \usepackage{authblk} \providecommand{\keywords}[1] { \footnotesize \textbf{\textit{Index terms---}} #1 } \usepackage{graphicx,xcolor} \definecolor{GJBlue}{HTML}{273B81} \definecolor{GJLightBlue}{HTML}{0A9DD9} \definecolor{GJMediumGrey}{HTML}{6D6E70} \definecolor{GJLightGrey}{HTML}{929497} \renewenvironment{abstract}{% \setlength{\parindent}{0pt}\raggedright \textcolor{GJMediumGrey}{\rule{\textwidth}{2pt}} \vskip16pt \textcolor{GJBlue}{\large\bfseries\abstractname\space} }{% \vskip8pt \textcolor{GJMediumGrey}{\rule{\textwidth}{2pt}} \vskip16pt } \usepackage[absolute,overlay]{textpos} \makeatother \usepackage{lineno} \linenumbers \begin{document} \affil[1]{ AMA International university-Bahrain} \renewcommand\Authands{ and } \date{\small \em Received: 11 December 2012 Accepted: 2 January 2013 Published: 15 January 2013} \maketitle \begin{abstract} Today, that business has different rules and regulation and supplied threats; organizations must go well beyond securing their data, and managing their database. Essentially, Data have to be perpetually monitored to be aware of who what, to all their data. Database auditing involves monitoring database to be aware of what user of proceedings. In this article we will offer a novel procedure for finding auditing records from different locations that DBMS keeps records, further more we will discuss which user, or system activity to keep records to do auditing efficiently and also avoid over use of system resources which will caused on slow transaction time. \end{abstract} \keywords{} \begin{textblock*}{18cm}(1cm,1cm) % {block width} (coords) \textcolor{GJBlue}{\LARGE Global Journals \LaTeX\ JournalKaleidoscope\texttrademark} \end{textblock*} \begin{textblock*}{18cm}(1.4cm,1.5cm) % {block width} (coords) \textcolor{GJBlue}{\footnotesize \\ Artificial Intelligence formulated this projection for compatibility purposes from the original article published at Global Journals. However, this technology is currently in beta. \emph{Therefore, kindly ignore odd layouts, missed formulae, text, tables, or figures.}} \end{textblock*} \let\tabcellsep& \section[{Introduction}]{Introduction}\par oday, that business has different rules and regulation and supplied threats, organizations must go well Beyond securing their data, and managing their database. Essentially, Data have to be perpetually monitored to be aware of who what, to all their data. Database auditing involves monitoring database to be aware of what user of proceedings. Database consultant and DBA often set up auditing policy for security purposes, for example, to ensure that everybody get access to what it has permission . This study looks at auditing as a concept, what are threats and how to diagnose that threat when they are happening.\par One of challenge regarding auditing that Organizations today are facing is data security, they have to recognize threats and threat them in a more cost effective way. There are some policies which are force by platform the DBA must understand the cost of this policy of database performance and base of need modify or unable these predefine policies as well as create new policies base of their needs.\par By understanding the audit concept companies can decrease the increasing cost of database security. \section[{a) Back Ground of Study}]{a) Back Ground of Study}\par Database security is a very broad area that addresses many issues like legal and ethical, policy issues at governmental, or corporate and system-related issues such as system level.\par Author : AMA International university-Kingdom of Bahrain School Year 2012-2013. E-mail : mashdyelham@yahoo.com Threats to database results in the loss or degradation of some or all of following commonly accepted security Goals: integrity, availability, and confidentiality.\par Grate amount of different errors can leak into organizational databases; these errors may range from data entry errors to violations of accounting standards. It seems that although database systems have radically changed the file system in terms speed and competence, detecting errors and keeping quality did not cope with speed of events.\par To protect database against types of threats, it is common to implement four kind of control measurement.? Access control ? Authentication ? Authorization ? Auditing\par Database auditing is directly related to database security. Auditing is one aspect of database security. In practice, if there is need to secure a particular database system, then auditing is essential. Auditing mechanism implemented on a database system facilitates the security implemented in a system.\par Three different strategies for database auditing are introduced and compare in term of efficiently (Data Base Auditing, Levant V. Orman, and Cornell University).\par In this paper we will discuss Data base Autopsy, that is when a threat happened you use tools to find out what was type of threat, who attack your data base, when that happened. And from this information you can review and change your Authentication, authorization policies.\par Regulatory compliance requirements can be met for your data base by carrying out auditing which enforces internal controls, so that unwanted changes can be prevented. \section[{b) Statement of Problem i. General Objective}]{b) Statement of Problem i. General Objective}\par The outcomes of database auditing can be used by administrator to watch the activities of Information System Users (ISU). System user can be aware of database and its capabilities (sophistic user) or they can be completely unaware of facilities offered by database (naïve user) .The information that they can access is defined as constrained by the explicit privileges which is defined by the Database1 ( D D D D D D D D )\par Management System (DBMS), or any other tier in multi tier architecture like Application Servers (AS) or in any another tier. However if a naughty user (inside organization) or a malicious user (from outside) attempts to access a piece of information for whom he has no privileges, an audit trial must be made. And his activity must be trace and record.\par ii. Specific Objective c) The Scope and Delimitation\par The Information system which are manipulating and storing financial, accounting, or other legally sensitive data can use this study. Legal vulnerabilities can be created by even basic trading operation, in today increasingly litigious world. For example.\par The investor who lose large amount in trading may hope to recover his capital, and/or the investor's employee may seek to escape responsibility, by legal action against the broker. If related trade data has been modified by the broker without an acceptable Autopsy, which can be seen as apparent indicator from the investor's opposing results which are due to the misconduct of the broker.\par Auditing, which means capturing and storing information about what is happening in the system, increase the amount of work the system must do. Auditing must be focused so that only events that are of interest are captured .Well designed auditing policies has minimal impact on system performance .Improperly focused auditing can significantly affect performance.\par The scope and depth of the audit should be designed to meet the specific objective of organizations base of its environments and type of threats it is facing.\par The coverage of this study is the Oracle database 11g, without SAM, which data renovation period is specified by DBA However, we will discuss FGA auditing in this paper, but will not consider RAID system.\par The researcher is limited this research to user of relational database. \section[{d) Importance \& Significance of Study}]{d) Importance \& Significance of Study}\par Database auditing and database security are directly related to each other. One aspect of database security is auditing. Auditing is essential tasks for DBA of database management system which need to secure a particular database system, then. Auditing mechanism which is deploying on a database system facilitates the security implemented in a system.\par Auditing, which means capturing and storing information about what is happening in the system, increase the amount of work the system must do.\par Auditing must be focused so that only events that are of interest are captured .Properly focused auditing has minimal impact on system performance .Improperly focused auditing can significantly affect performance.\par The security administration will use guides provided by Database auditing to develop and enforce a well defined set of security policies based on the initial set of business rules. At the beginning of the specific information system project' the DBA will decide the business rules and later on, modify it with the passage of time, based on the behavior of users.\par A wide range of events that can be tracked and collected in Auditing of database records. This creates an additional processing and disk I/O load on database server machine and hence degrades its performance. In other word auditing, which means capturing and storing information about what is happening in the system, increase the amount of work the system must do. Auditing must be focused so that only events that are of interest are captured Properly focused auditing has minimal impact on system performance .but with gathering extra and not needed auditing record you will scarified the performance of database. \section[{So we divide the auditing to}]{So we divide the auditing to}\par ? Mandatory Auditing: All oracle database audit certain action regardless of other audit option or parameter .The reason for mandatory audit logs is that the database needs to record some database activities, such as connection by privileged users.\par ? Standard Database Auditing: Enabled at the system level by using the audit trail initialization parameter. After you enabled auditing select the object and privileges that you want to audit and set auditing properties with audit command.\par ? Value base Auditing: Extends standards database auditing, capturing not only the audited event that occurred but also the actual values that were inserted, updated or deleted, Values base auditing is implemented through database trigger.\par ? Fine-Grained: Auditing(FGA) Extends standard database auditing, capturing the actual SQL statement that was issued rather than only the fact that the event occurred.\par ? SYSDBA Auditing: separates the auditing duties between the DBA and an auditor or security administrator who monitors the DBA activates in an operating system audit trail. So, it is not recommended to keep the excessive auditing of so as to avoid demeaning of performance of the database server. For example, in case of auditing DML commands, it is recommended to Following statics may show the important of security and auditing in data base (Neon Enterprise Software).\par ? Percentage of companies suffers from increasing of security budget? 54\% ? Number of companies that claim their job will get more strategic in 2013? 69\% ? Number of companies that claim their job will get more compliance? 75\% ? Number of companies claim that their top priority will be related to network/security integration? 52\% ? How many companies will be more interested to buy best security they can with their budject? 80\% ? Sensitive data is losing important data? 68\%\par This study can be used by i. All organization using database, especially oracle database. ii. Researchers, who are interested about DBMS and its features. iii. Database Professionals: Data base administrators, database sysmans who are responsible for database recoveries. iv. Teachers and students how are working with database in different aspect. \section[{II.}]{II.} \section[{Related Studies}]{Related Studies}\par A database is considered as a core asset of an organization. Numerous approaches dealing with Data base Auditing Interface for operating systems and networks have been developed .Nevertheless, they are not sufficient for protecting databases. Still there are many discussions about the abstract and high-level architecture of a DBMS including an ID component.\par However, this work mainly focuses on debating generic solutions rather than proposing solid algorithmic solutions. There are many researches about auditing in work done by LIU the authors compare strategies adapted by selected set of vendor for auditing database.\par In study done by Cornell University the author introduce three major strategies of database auditing to maintain integrity {\ref [1]}. Then these strategies are compared in term of efficiency and effectiveness in eliminating error, to do so they compute the optimum timing under each strategy.\par In studies submitted to IEEE conference they demonstrate a way in which deductive database cart be used to address elusive problems in the establishment and maintenance of a database audit trail. However, they discus situation and examples of issues that arise in many application computing environments. The means deductive approach can be applied to more than database issues. The main features of the relational model, is extended to more wider concerns of application development in Deductive computing which is an example of an emerging paradigm {\ref [2]}.\par In study published in ACM proposed an approach for detecting different type of anomalies and anomalous access patterns in DBMS. They have developed three models, of different granularity, to represent the SQL queries appearing in the database log files. We will use their work to find out what information must be extract from log file to show access patterns of the queries \hyperref[b12]{[8]}. \section[{a) Conceptual Frame Work}]{a) Conceptual Frame Work}\par We fist will discuss the tolls you can use for auditing, then we will look inside the system and search for different location database stores auditing records, then we will consider what is actions that DBMS produces and audit records about it and how we can add actions to keep data about according to our needs and requirements. \section[{Specific Research Purpose and Research Questions}]{Specific Research Purpose and Research Questions}\par The purpose of this study is to help database Administration to identify threats and configure the database to response by predefine procedure to that treads, also it will help oracle DBA to identify the harm the tread will make to system performance or security of data.\par The study will address following questions on specific:\par ? What are the kinds of threats that can affect database performance? ? What are different threats that will attack database security? ? Which location database will store data's about threats? ? How to setup database management system to do predefine actions against each threat? ? What are important information regarding threats.\par How to extract information from system log? ? Which statement can create audit log?\par ? How can you add or edit default commends that make audit logs? a) Research Methodology Meta Analysis Research methodology is adopted in accomplishing my research goal. The research intends to study the commonly used auditing method and its drawbacks, also the additional factor which solves the problems in widely used methodology. The research analyzed various auditing records and suggested an efficient procedure to abstract information more effectively and efficiently from recourses. Future more, a novel model that avoids extra lose of system resources is proposed. \section[{b) Research Design i. Source of Data}]{b) Research Design i. Source of Data}\par Database audit records for statement, privilege, and object auditing are stored in the table SYS.AUD\$. Depending on how extensive you're auditing and retention policies are, you will need to periodically delete old audit records from this table. The database does not provide an interface to assist in deleting rows from the audit table, so you will need to do so yourself.\par So we will take a close look at SYS. Audis table and also very important parameter which is audit \textunderscore trail.\par We will look at four level of auditing which oracle 11 G do auditing.? Statement ? Privilege ? Object ? Fine-grained access c) Research Plan\par A database Administrator knows that when a threat is happened the first priority is backing up and restores the system, but it is also very important to find what the reason for system failure was. To answer this question ,priors to any failure ,you have to analyze your system as database Administrator and decide what are the possible threat for your system, and active or inactive default auditing records ,or modify and extra information to your audit tables.\par All DBA know that finding the proper records for your query are one of skills that they will gain it by time and trying, so in this article we will help database administrator to find required information about threat effectively and sufficiently. Also we will talk about how and when you will purge your unwanted information from Audit table and export them for future used. \section[{Results and Discussions}]{Results and Discussions}\par IV. \section[{Location of Audit Records}]{Location of Audit Records}\par Oracle 11 record audit records in two locations? Database ? Operating-system Files\par Oracle decided where to keep record by investigating value of initialization parameter audit trail. The default is DB, as in "AUDIT\textunderscore TRAIL=DB, you can change this value to DB, EXTENDED to record audit records in the database together with bind variables (SQLBIND) and the SQL.\par Statement triggering the audit entry (SQLTEXT). AUDIT\textunderscore TRAIL=OS tells the database to record audit records in operating-system files.\par To change value for audit \textunderscore trail you have to edit your pile or file. For example, the following statement will change the location of audit records in the spilled. Keep in mind that you should bounce your database instance for change to take effect. When recorded in the database, most audit entries are recorded in the SYS AUD \$ table. On UNIX systems, operating-system audit records are written into files in the directory specified by the initialization parameter audit\textunderscore file\textunderscore dest (which is set to \$ORACLE\textunderscore BASE/ admin/\$ORACLE\textunderscore SID/a dump if the database is created using DBCA). On Windows systems.\par These audit records are written to the Event Viewer log file. So we can find the locations for gathering information as describe in following chart. What to audit? Auditing involves monitoring and recording specific database activity. An Oracle 11g database supports four levels of auditing:? Statement ? Privilege ? Object ? Fine-grained access\par We discuss managing each one of this level in following sections. \section[{a) Management Statement Auditing}]{a) Management Statement Auditing}\par Statement auditing involves monitoring and recording the execution of specific types of SQL statements. Executions of some statements are enabling by default, but you can modify this list by adding or deleting some statements to this list as explain in code. All needed information about STAEMENT auditing will exist in the DBA\textunderscore STMT\textunderscore AUDIT\textunderscore OPTS data dictionary view. You can query this view to find needed informations, the recorded in formations are If you enable AUDIT SESSION, the database creates one audit record when a user logs on and updates that record when the user logs off successfully.\par These session audit records contain some valuable information that can help you narrow the focus of tuning efforts. Among the information recorded in the audit records are the username, logon time, logoff time, and the number of physical reads and logical reads performed during the session. By looking for sessions with high counts of logical or physical reads, you can identify high-resource-consuming jobs and narrow the focus of your tuning efforts.\par The following are statements will create records by default- privilege that you want to monitor, or user, or even include DML privilege.\par If you want to make report of which privilege is recording in audit records you will query DBA\textunderscore PRIV\textunderscore AUDIT\textunderscore OPTS data dictionary views.\par To disable auditing of a system privilege, use a NOAUDIT statement. The NO AUDIT statement.\par Allows the same BY options as the AUDIT statement. \section[{d) Managing of Objects Auditing}]{d) Managing of Objects Auditing}\par Object auditing involves monitoring and recording the execution of SQL statements that require a specific object privilege, such as SELECT, INSERT, UPDATE, DELETE, or EXECUTE. Unlike either statement or system privilege auditing, schema object auditing cannot be restrict to specific users, it is enabled for all users or no users.\par You enable object auditing with an AUDIT statement, specifying both the object and object privilege that you want to monitor. For example, to audit SELECT statements on the HR.EMPLOYEES TABLE, execute the following: AUDIT select ON hr. employee: You can further configure these audit records to record one audit entry for the triggering session or one for each auditable action during the session by specifying BY ACCESS or BY SESSION in the AUDIT statement. This access/session configuration can be defined differently for successful or unsuccessful executions.\par The object-auditing options that are enabled in the database are recorded in the DBA\textunderscore OBJ\textunderscore AUDIT\textunderscore OPTS data dictionary view. Unlike the statement and privilege \textunderscore AUDIT\textunderscore OPTS views,\par The DBA\textunderscore OBJ\textunderscore AUDIT\textunderscore OPTS data dictionary view always has one row for each auditable object in the database. There are columns for each object privilege that auditing can be enabled on, and in each of these columns, a code is reported that shows the auditing options let's see following codes. Database audit records for statement, privilege, and object auditing are stored in the table SYS.AUD\$. Depending on how extensive your auditing and retention policies are, you will need to periodically delete old audit records from this table. The database does not provide. An interface to assist in deleting rows from the audit table, so you will need to do so yourself.\par To purge audit records older than 90 days, execute the following as user SYS: DELETE FROM sys.aud\$ WHERE timestamp\# < SYSDATE -90>; You might want to copy the audit records into a different table for historical retention or export them to an operating-system file before removing them. It is a good practice to audit changes to the AUD\$ table so that you can identify when changes were made. \section[{f) Using of DBCA to create base line for Auditing}]{f) Using of DBCA to create base line for Auditing}\par The Oracle Database Configuration Assistant (DBCA) is a Java-based tool used to create Oracle Databases the DBCA provides a flexible and robust environment in which you not only can create databases but also can generate templates containing the definitions of the databases created. This provides you with the ease of using a GUI-based interface with the flexibility of Oracle-generated XML-based templates that you can use to maintain a library of database definitions. When the specified condition evaluates to TRUE, an audit record is created, and an optional eventhandler program is called. You use the PL/SQL package DBMS\textunderscore FGA to configure and manage FGA. The implement of this type of auditing need creating package in Pl/sql which is out of scope of this article. \section[{Conclusions and Recommendations}]{Conclusions and Recommendations}\par V. \section[{Conclusions}]{Conclusions}\par In this study we discussed the important role of auditing not only for detecting mistrustful behavior also providing proof and reasons to auditors, and also it is recommended to use. Oracle database auditing because of it minimal impact for high audit trail load.\par We also discussed different methodology in audits which include trigger or Transactional log but you cannot use these methods for some events which go beyond server events. \section[{VI.}]{VI.} \section[{Recommendations}]{Recommendations}\begin{figure}[htbp] \noindent\textbf{}\includegraphics[]{image-2.png} \caption{\label{fig_0}C}\end{figure} \begin{figure}[htbp] \noindent\textbf{1}\includegraphics[]{image-3.png} \caption{\label{fig_1}Figure 1 :}\end{figure} \begin{figure}[htbp] \noindent\textbf{2}\includegraphics[]{image-4.png} \caption{\label{fig_2}CFigure 2 :}\end{figure} \begin{figure}[htbp] \noindent\textbf{3}\includegraphics[]{image-5.png} \caption{\label{fig_3}Figure 3 :C}\end{figure} \begin{figure}[htbp] \noindent\textbf{4}\includegraphics[]{image-6.png} \caption{\label{fig_4}Figure 4 :}\end{figure} \begin{figure}[htbp] \noindent\textbf{5}\includegraphics[]{image-7.png} \caption{\label{fig_5}Figure 5 :}\end{figure} \begin{figure}[htbp] \noindent\textbf{6}\includegraphics[]{image-8.png} \caption{\label{fig_7}Figure 6 :}\end{figure} \begin{figure}[htbp] \noindent\textbf{SYS} \par \begin{longtable}{P{0.6991606714628297\textwidth}P{0.05911270983213429\textwidth}P{0.09172661870503597\textwidth}} \multicolumn{3}{l}{Explore \$ORACLE\textunderscore HOME/dbs and investigate in one of}\\ following\tabcellsep \\ spfile\$ORACLE\textunderscore SID.ora\tabcellsep \\ spfile.ora\tabcellsep \\ nit\$ORACLE\textunderscore SID.ora\tabcellsep \\ Look for parameter Audit \textunderscore trail\tabcellsep \\ Audit\tabcellsep \\ Audit\textunderscore trail=DB\tabcellsep \multicolumn{2}{l}{AUDIT\textunderscore TRAIL=OS}\\ \multicolumn{2}{l}{Your OS=Unix base}\tabcellsep IS your OS=DOS Investigate on\\ \tabcellsep \tabcellsep Event Viewer log\\ \multicolumn{3}{l}{Find the audit file on}\\ \multicolumn{2}{l}{\$ORACLE\textunderscore BASE/}\\ \multicolumn{3}{l}{admin/\$ORACLE\textunderscore SID/adump}\end{longtable} \par \caption{\label{tab_1}TABLE SYS Is}\end{figure} \begin{figure}[htbp] \noindent\textbf{} \par \begin{longtable}{P{0.29423076923076924\textwidth}P{0.032692307692307694\textwidth}P{0.14166666666666666\textwidth}P{0.06538461538461539\textwidth}P{0.07628205128205127\textwidth}P{0.04358974358974359\textwidth}P{0.19615384615384615\textwidth}} 4. You\tabcellsep can\tabcellsep \multicolumn{2}{l}{alternately}\tabcellsep \multicolumn{2}{l}{specify}\tabcellsep WHENEVER\\ \multicolumn{2}{l}{SUCCESSFUL}\tabcellsep to\tabcellsep \multicolumn{2}{l}{record}\tabcellsep only\tabcellsep successful\\ \multicolumn{2}{l}{statements.}\tabcellsep \tabcellsep \tabcellsep \end{longtable} \par {\small\itshape [Note: TABLE, DROPTABLE, and TRUNCATE TABLE, use the TABLE audit option like this. You can add attribute for this command .The attributes are by user, whenever successful by session, whenever not successful and? 2. If you do not include a WHENEVER clause, both successful and unsuccessful statements trigger audit records. You can further configure non-DDL statement to record one audit entry for the triggering session or one entry for each auditable action during the session. Specify BY ACCESS or BY SESSION in the AUDIT statement. There are many auditing options other than TABLE or INSERT]} \caption{\label{tab_2}}\end{figure} \begin{figure}[htbp] \noindent\textbf{.} \par \begin{longtable}{P{0.02510183299389002\textwidth}P{0.2389002036659878\textwidth}P{0.5695519348268839\textwidth}P{0.005193482688391039\textwidth}P{0.007790224032586558\textwidth}P{0.003462321792260692\textwidth}} \tabcellsep Statement-Auditing Option\tabcellsep \multicolumn{3}{l}{Triggering SQL Statements}\\ \tabcellsep ALTER SEQUENCE\tabcellsep \multicolumn{2}{l}{ALTER SEQUENCE}\\ \tabcellsep ALTER TABLE\tabcellsep ALTER TABLE\tabcellsep \\ \tabcellsep COMMENT TABLE\tabcellsep \multicolumn{3}{l}{COMMENT ON TABLE COMMENT ON COLUMN}\\ \tabcellsep DATABASE LINK\tabcellsep \multicolumn{3}{l}{CREATE DATABASE LINK DROP DATABASE LINK}\\ \tabcellsep DELETE TABLE\tabcellsep DELETE\tabcellsep \\ \tabcellsep EXECUTE PROCEDURE\tabcellsep \multicolumn{3}{l}{Execution of any procedure or function or access to}\\ 013 2\tabcellsep GRANT PROCEDURE\tabcellsep \multicolumn{3}{l}{any cur-sor or variable in a package GRANT on a function, package, or procedure}\\ Year\tabcellsep GRANT SEQUENCE GRANT TABLE\tabcellsep \multicolumn{2}{l}{GRANT on a sequence GRANT on a table or view}\\ \tabcellsep INDEX\tabcellsep CREATEINDEX\tabcellsep \\ \tabcellsep INSERT TABLE\tabcellsep \multicolumn{2}{l}{INSERT into table or view}\\ \tabcellsep LOCK TABLE\tabcellsep LOCK\tabcellsep \\ \tabcellsep NOT EXISTS\tabcellsep \multicolumn{2}{l}{All SQL statements}\\ \tabcellsep PROCEDURE\tabcellsep \multicolumn{3}{l}{CREATE FUNCTION DROP FUNCTION CREATE}\\ \tabcellsep \tabcellsep \multicolumn{3}{l}{PACKAGE CREATE PACKAGE BODY DROP}\\ \tabcellsep \tabcellsep PACKAGE\tabcellsep CREATE\tabcellsep PROCEDURE\tabcellsep DROP\\ \tabcellsep \tabcellsep PROCEDURE\tabcellsep \\ \tabcellsep PROFILE\tabcellsep \multicolumn{3}{l}{CREATE PROFILE ALTER PROFILE DROP PROFILE}\\ \tabcellsep ROLE\tabcellsep \multicolumn{3}{l}{CREATE ROLE ALTER ROLE DROP ROLE SET ROLE}\\ \tabcellsep SELECT SEQUENCE\tabcellsep \multicolumn{2}{l}{SELECT on a sequence}\\ D D D D D D D D ) C\tabcellsep SELECT TABLE\tabcellsep \multicolumn{2}{l}{SELECT from table or view}\\ (\tabcellsep SEQUENCE\tabcellsep \multicolumn{3}{l}{CREATE SEQUENCE DROP SEQUENCE}\\ \tabcellsep SESSION\tabcellsep LOGON\tabcellsep \\ \tabcellsep SYNONYM\tabcellsep \multicolumn{3}{l}{CREATE SYNONYM DROP SYNONYM}\\ \tabcellsep SYSTEM AUDIT\tabcellsep \multicolumn{2}{l}{AUDIT NOAUDIT}\\ \tabcellsep SYSTEM GRANT\tabcellsep \multicolumn{2}{l}{GRANT REVOKE}\end{longtable} \par \caption{\label{tab_3}TABLE . Table}\end{figure} \begin{figure}[htbp] \noindent\textbf{CREATEDROPTRUNCATETABLESPACE} \par \begin{longtable}{P{0.08895348837209302\textwidth}P{0.761046511627907\textwidth}} \tabcellsep CREATE TABLESPACE ALTER TABLESPACE DROP\\ \tabcellsep TABLESPACE\\ TRIGGER\tabcellsep CREATE TRIGGER ALTER TRIGGER (to enable or\\ \tabcellsep disable) ALTER TABLE (to enable all or disable all)\\ UPDATE TABLE\tabcellsep UPDATE on a table or view\\ USER\tabcellsep CREATE USER ALTER USER DROP USER\\ VIEW\tabcellsep CREATE VIEW DROP VIEW\\ \tabcellsep Table 4.1 :\end{longtable} \par \caption{\label{tab_4}TABLE CREATE TABLE DROP TABLE TRUNCATE TABLE TABLESPACE}\end{figure} \begin{figure}[htbp] \noindent\textbf{} \par \begin{longtable}{P{0.3935750179468772\textwidth}P{0.12753050969131371\textwidth}P{0.2654343144292893\textwidth}P{0.06346015793251975\textwidth}} ALTER ANY PROCEDURE\tabcellsep \multicolumn{2}{l}{CREATE ANY TABLE}\tabcellsep DROP USER\\ ALTER ANY TABLE\tabcellsep \multicolumn{2}{l}{CREATE EXTERNAL JOB}\tabcellsep EXEMPT ACCESS POLICY\\ ALTER DATABASE\tabcellsep \multicolumn{2}{l}{CREATE PUBLIC DATABASE LINK}\tabcellsep GRANT ANY OBJECT PRIVILEGE\\ ALTER PROFILE\tabcellsep \multicolumn{2}{l}{CREATE SESSION}\tabcellsep GRANT ANY PRIVILEGE\\ ALTER SYSTEM\tabcellsep \multicolumn{2}{l}{CREATE USER}\tabcellsep GRANT ANY ROLE\\ ALTER USER\tabcellsep \multicolumn{2}{l}{DROP ANY PROCEDURE}\tabcellsep ROLE\\ CREATE ANY LIBRARY\tabcellsep \multicolumn{2}{l}{DROP ANY TABLE}\tabcellsep SYSTEM AUDIT\\ CREATE ANY PROCEDURE\tabcellsep \multicolumn{2}{l}{DROP PROFILE}\\ \multicolumn{2}{l}{You can restricts and limit this by using}\tabcellsep \multicolumn{2}{l}{(displays all standard audit trail entries) and}\\ \multicolumn{2}{l}{command "no audit" in order to not decrease your}\tabcellsep \multicolumn{2}{l}{USER\textunderscore AUDIT\textunderscore TRAIL (the standard audit trail entries}\\ \multicolumn{2}{l}{operation time and also avoid overwrite of audit file}\tabcellsep \multicolumn{2}{l}{related to the current user. For example, you can view}\\ \multicolumn{2}{l}{which cause lose important information so you need .}\tabcellsep \multicolumn{2}{l}{the user, time, and type of statement audited for user}\\ \multicolumn{2}{l}{b) Examining the Audit Trail Statement, privilege, and object audit records are written to the SYS.AUD\$ table and made available}\tabcellsep \multicolumn{2}{l}{Scott by executing the following: SELECT username, timestamp, action name FROM dba\textunderscore audit\textunderscore trail}\\ \multicolumn{2}{l}{via the data dictionary views DBA\textunderscore AUDIT\textunderscore TRAIL}\tabcellsep \multicolumn{2}{l}{WHERE username =scott;}\\ ORA USER\tabcellsep TIMESTAMP\tabcellsep \multicolumn{2}{l}{ACTION\textunderscore NAME}\\ SCOTT\tabcellsep 6/15/2004 18:43\tabcellsep LOGON\\ SCOTT\tabcellsep 6/15/2004 18:44\tabcellsep \multicolumn{2}{l}{LOGOFF}\\ SCOTT\tabcellsep 6/15/2004 18:46\tabcellsep LOGON\\ SCOTT\tabcellsep 6/15/2004 18:46\tabcellsep \multicolumn{2}{l}{CREATE TABLE}\\ \tabcellsep \multicolumn{2}{l}{Table 4.2}\\ c) Managing of Privilege Auditing\tabcellsep \tabcellsep \\ \multicolumn{2}{l}{Privilege auditing involves monitoring and}\tabcellsep \\ recording the execution\tabcellsep \tabcellsep \end{longtable} \par \caption{\label{tab_5}}\end{figure} \begin{figure}[htbp] \noindent\textbf{GRANT} \par \begin{longtable}{P{0.85\textwidth}} ANY OBJECT\\ PRIVILEGE\\ ALTER ANY TABLE\\ CREATE EXTERNAL\\ JOB GRANT ANY\\ PRIVILEGE\\ ALTER DATABASE\\ CREATE PUBLIC DATABASE\\ LINK\\ h) Managing Fine-Grained Auditing\\ Fine-grained auditing (\end{longtable} \par \caption{\label{tab_6}TABLE GRANT}\end{figure} \footnote{© 2013 Global Journals Inc. (US)} \backmatter \begin{bibitemlist}{1} \bibitem[ Science and Engineering ()]{b5}\label{b5} \textit{}, \textit{Science and Engineering} 2009. p. . \bibitem[Qiang et al. ()]{b6}\label{b6} ‘A Framework for database Auditing’. Qiang , Liu , Lian-Zong . \textit{IEEE conference publications, Forth conference on Computer Science and Convergence Information} 2009. p. 910. \bibitem[Huang]{b15}\label{b15} ‘A logging schema for Database Auditing’. Liu Huang . \textit{IEEE conference publication}, \bibitem[Connolly & Carolyn and Begg ()]{b12}\label{b12} \textit{Database Systems: A practical approach to Design, Implementation and Management, Fifth Edition}, Thomas Connolly \& Carolyn , Begg . 2010. Addison Wesley. \bibitem[Li]{b11}\label{b11} Yung Li . \textit{ACM publication, Proceedings of the 40th ACM technical symposium on Computer}, ISBN p. . \bibitem[Sam Alapati Kim (ed.)]{b9}\label{b9} \textit{Oracle Database 11g New Features for DBAs and Developers}, R Sam, Charles Alapati, Kim (ed.) (Apress, ISBN) p. . \bibitem[Oracle Database 11g The Complete Reference (2010)]{b13}\label{b13} \textit{Oracle Database 11g The Complete Reference}, (Kevin Loney, Publisher: McGraw-Hill Osborne Media) December 17. 2010. Osborne ORACLE Press Series. (1 edition) \bibitem[Oracle Database New Features Guide 11g Release 1 (11.1)]{b8}\label{b8} \textit{Oracle Database New Features Guide 11g Release 1 (11.1)}, B28279-02. \bibitem[Oracle White Paper-Oracle Database Auditing: Performance Guidelines]{b7}\label{b7} \textit{Oracle White Paper-Oracle Database Auditing: Performance Guidelines}, \bibitem[Ramez Elmasri & Shamkant B. Navathe, Fundamentals of Database Systems ()]{b10}\label{b10} \textit{Ramez Elmasri \& Shamkant B. Navathe, Fundamentals of Database Systems}, 2009. Addison-Wesley. (Sixth Edition) \bibitem[References Références Referencias]{b14}\label{b14} \textit{References Références Referencias}, \bibitem[Set auditing as part of your defense architecture as follow: i. Set full audit trail of logon and logoff, and record all failed login attempts, as first category ii. Audit Data Control Language (DCL) of the database. For second category]{b3}\label{b3} \textit{Set auditing as part of your defense architecture as follow: i. Set full audit trail of logon and logoff, and record all failed login attempts, as first category ii. Audit Data Control Language (DCL) of the database. For second category}, \bibitem[Set enough size for OS audit file]{b2}\label{b2} \textit{Set enough size for OS audit file}, \bibitem[The third category is to audit Data Definition Language (DDL) which changes database schema]{b4}\label{b4} \textit{The third category is to audit Data Definition Language (DDL) which changes database schema}, \bibitem[Use oracle database auditing even if you have large amount of audit trail load]{b0}\label{b0} \textit{Use oracle database auditing even if you have large amount of audit trail load}, \bibitem[Write audit record to Operating system]{b1}\label{b1} \textit{Write audit record to Operating system}, \end{bibitemlist} \end{document}