(I don't have sufficient reputation to comment yet) Have you compiled the package spec? And what happen when you compile the views? alter package DBMS_AUDIT_UTIL compile; alter view FGA_AUDIT_TRAIL VIEW compile;

Depending on the format of the audit file you could query it directly with https://aws.amazon.com/athena/faqs/ from S3 if it’s a supported format. If the format isn’t directly supposed by AWS Athena you can use https://aws.amazon.com/glue/faqs/ to do a transformation as some of the answers on https://stackoverflow.com/questions/55284580/how-to-query-nested-xml-file-in-aws-athena-via-glue suggest.

nope & nope CDC doesn't handle changes to table schema like adding or dropping columns, or to changing column data types well. If you want to do that, you'll need to: Save the current data off Get the current Start LSN Disable CDC Make your changes Enable CDC Insert the old data back Update the CDC capture instance with the Start LSN from before Here's an example script using a table called Posts. You'll need to adapt it to suit your specific needs. I won't be doing that here. --Optional: put it all in a transaction: --BEGIN TRAN --Back up current data SELECT dpc.* INTO #original_cdc_data FROM cdc.dbo_Posts_CT AS dpc; --Get the current start LSN DECLARE @start_lsn binary(10); SELECT @start_lsn = ct.start_lsn FROM cdc.change_tables AS ct WHERE ct.capture_instance = 'dbo_Posts'; --Disable CDC EXEC sys.sp_cdc_disable_table @source_schema = 'dbo', @source_name = 'Posts', @capture_instance = 'dbo_Posts'; --Make your changes here, whatever they may be. --Re-enable CDC EXEC sys.sp_cdc_enable_table @source_schema = 'dbo', @source_name = 'Posts'; --Insert back up data into the new table. If you added or dropped columns here, you'll need to account for that in the select list. If you just changed data types, make sure that the change is compatible here. INSERT cdc.dbo_Posts_CT WITH(TABLOCK) SELECT ocd.* FROM #original_cdc_data AS ocd; --Set the starting LSN to the value from above UPDATE ct SET ct.start_lsn = @start_lsn FROM cdc.change_tables AS ct WHERE ct.capture_instance = 'dbo_Posts'; --Optional: complete transaction --ROLLBACK; --COMMIT;

If some sort of system flagged this as suspicious, its most likely due to the execution of whoami.exe . The execution of whoami.exe is commonly performed by threat actors to find which user account they are running as. It is common to see alerts in SIEMs or other security systems set up to trigger upon execution of whoami.exe due to its popularity with threat actors. This doesn't mean that it is malicious, you will want to look at other logs on that host from the same time period, but it is worth investigating if you don't see this command being run often. In addition, the SID of the user that ran the command is associated with LocalSystem. It is unusual to see the System account running whoami

Just based on your information it does not look like a direct access from outside is possible. But due to how routers and firewalls on these routers work, scanning the external IP address from inside might give different results compared to scanning the external IP address from outside. And even scanning from a specific outside might not give reliable results: routers/firewalls might employ strategies to detect and limit scanning, they might give access only to specific IP addresses, there might be some port knocking or similar employed as access control etc. So better check the actual rules on your router and don't treat it like a black box only. That said, even if direct access from outside is not possible it might be indirect access: if a user on your network uses the browser to access an external attack-controlled web site, this page might initiate access to internal servers. For more on this see /questions/153797 and /questions/177486 .

The IRS has published https://www.irs.gov/pub/irs-pdf/p1075.pdf which provides "Safeguards for Protecting Federal Tax Returns and Return Information" Internal Revenue Code Section 6103 stipulates that IRS must protect all the personal and financial information furnished to the agency against unauthorized use, inspection or disclosure. Other Federal, State and local authorities who receive federal tax information (FTI) directly from either the IRS or from secondary sources must also have adequate security controls in place to protect the data received. Publication 1075 is very broad and deep. Section 4 discusses Secure Storage, and Section 9 focuses on Computer Security Systems. You should also look at FIPS 140-2 for additional encryption details. References https://www.irs.gov/privacy-disclosure/encryption-requirements-of-publication-1075 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf

Your Cloud Run service is behind a shared service (GFE). To an auditor that is a risk. He should document that fact. You can then request an exemption. A security officer can then review the risk analysis and the exemptions and make a final determination on security. In the cloud, it is rare to have a perfect environment. Today resources are global and shared among many customers to reduce costs. There is a tradeoff between security, cost, and convenience. In your question, you state that the auditor does not have access to the Google Console. That means the auditor is performing a black box audit. In the cloud that is not sufficient. The auditor should also be validating the internal security which includes identities, firewalls, network configurations, etc. In the cloud detecting backdoors is just as important as auditing open frontends.

I'll add that apart from watching the open code of senior colleagues from the open source, it makes sense to read books and articles on the theory. Patterns, SOLID, etc.Then the code will be easier to understand, that is. You'll understand not only what's done, but why is done.

Some special instrument is not binding. See what requests the Annex sent to the OBD can be simple https://docs.oracle.com/en/database/oracle/oracle-database/19/refrn/V-SQL.html#GUID-2B9340D7-4AA8-4894-94C0-D5990F67BE75 (all instruments do and do so). Replace the name and user of the annex in the request:set lines 9999 pages 999 long 200000 col module for a16 col sql_fulltext for a60 wrap select sql_fulltext, module, executions, last_active_time from v$sql where parsing_user_id = ( select user_id from ALL_USERS where USERNAME = user) --пользователь приложения--^ and module = 'SQL*Plus' --имя приложения--^ order by last_active_time desc; Example of conclusion:SQL_FULLTEXT MODULE EXECUTIONS LAST_ ------------------------------------------------------------ ---------------- ---------- ----- select e.employee_id, e.last_name, department_name SQL*Plus 2 15:17 from hr.employees e join hr.departments d on d.department_id = e.department_id where e.department_id = 10

Trojans in HTML do not live, and there is no Trojan code in html. I'm not even gonna look at the code, I'm gonna say that there's a lot of animals in there, most likely hackers found a stored XSS, or maybe just a phishing, and already with a known technology, they've attacked a target. It's hard to tell you what happened there because I'm writing a blind answer, you know, black-box. Especially as I know, maybe you have RCE in there than hackers and use (and will be used as long as you don't fix this volley). Anyway, the options are the clouds. Now, with regard to the idea of where the burial dog is.Figure 1: Storage XSSFigure 2: FishingFigure 3: RCEFigure 4: Tophead accountantHow to fix: Don't regret auditing funds (not auditing a-l Frilans from Vasia's crypt-kid, but joining some program)Record all volleys on OWASP-10 classification.Only people who know a little about the notion of IB.Conclusion: http://insafety.org/rce.php

If you're concerned about failed logins, that implies that your server is accessible from the Internet. It shouldn't be. There is, however, a way to get the information without resorting to the general log. According to the manual you can trigger logging these failed connections to the error log with the system variable log_warnings: If the value is greater than 1, aborted connections are written to the error log, and access-denied errors for new connection attempts are written. This is a dynamic variable, but changing it at run-time does not appear to trigger the logging behavior. Add this to your my.cnf in the [mysqld] section: log-warnings = 2 Restart the server daemon. You should then start to see failed logins in your MySQL error log. I don't know what you mean by "saving password details." The password is sent from the client to the server as... SHA1( password ) XOR SHA1( "20-bytes random data from server" SHA1( SHA1( password ) ) ) ...so you're not going to find the client's attempted password getting logged anywhere. The server doesn't know what password the client used. It only knows whether it used the correct one, by doing its own calculation of the hash the client would have returned if the client had known the right password.

From http://postgresql.1045698.n5.nabble.com/DELETE-and-UPDATE-triggers-on-parent-table-of-partioned-table-not-firing-td5683717.html: The DELETE and UPDATE triggers need to be on the child tables. An operation on a child doesn't fire the triggers of the parent. As such, the following code must also be executed: CREATE TRIGGER ${name}_delete BEFORE DELETE ON $name FOR EACH ROW EXECUTE PROCEDURE audit_delete(); The audit_delete() function won't work as written in the question: setting the deleted date is not possible using OLD.deleted = current_timestamp. Instead, assuming that the table has a primary key field of id: CREATE OR REPLACE FUNCTION audit_delete() RETURNS trigger AS $BODY$ BEGIN EXECUTE 'UPDATE ' || TG_TABLE_NAME || ' SET deleted = current_timestamp WHERE id = ' || OLD.id; RETURN NULL; END; $BODY$ LANGUAGE plpgsql VOLATILE COST 1;

You can do that with the help of the additional module dblink. Install once per database (the one where the trigger is executed): CREATE EXTENSION dblink; You need superuser privileges (in the database cluster where the trigger runs) for some of the involved functionality. Since you want to write to the external database, you will probably want to use dblink_exec(). The manual has code examples. Or try a search here for more dblink examples. Note that you cannot ROLLBACK what you have written with dblink to an external database. A local exception after the external write does not undo what's written in the foreign database.

You could do that with DDL triggers ([before|after] grant or revoke). The docs are in the Oracle Database PL/SQL Language Reference. You should look carefully at the event attribute functions table, and the Event Attribute Functions for Client Event Triggers section to know what information is available in those contexts. Here's an example trigger (probably incomplete, this is just an example) that would log basic information about grant and revoke events, assuming a log table with appropriate columns: create or replace trigger trigger1 after grant or revoke on database declare priv dbms_standard.ora_name_list_t; who dbms_standard.ora_name_list_t; npriv pls_integer; nwho pls_integer; begin npriv := ora_privilege_list(priv); if (ora_sysevent = 'GRANT') then nwho := ora_grantee(who); else nwho := ora_revokee(who); end if; for i in 1..npriv loop for j in 1..nwho loop insert into log values ( systimestamp, ora_sysevent, who(j), priv(i), ora_dict_obj_owner, ora_dict_obj_name ); end loop; end loop; end; Example: SQL> grant select on log to bar; Grant succeeded. SQL> revoke select on log from bar; Revoke succeeded. SQL> select * from log; DT WHAT WHO PRIV OWN OBJ 25-NOV-12 05.29.19.095403 PM GRANT BAR SELECT MAT LOG 25-NOV-12 05.29.27.004610 PM REVOKE BAR SELECT MAT LOG

Unfortunately there isn't any Change Data Capture, Change Tracking (both coming only from SQL 2008 +) or even enough Trace Events or Trace Event Groups for Use with Event Notifications. You're stuck with server side traces for saving all the user queries.

I applaud your effort, however the question asked is probably too vague. Different rules apply to different industries and furthermore, sometimes you have the opportunity to set your own rules, you just need to follow them. I would suggest checking with someone as to what audit you are expected to pass, then finding the specific requirements.

I would say consider logon triggers to accomplish this. This way you aren't using a server side trace. You can also audit all sucessful logins in the SQL Server error log (right click on instance, properties, security and then choose both successful and failed logons.. I don't believe this shows you the DB context info, though) Also - I would seriously consider upgrading to a later version of SQL if possible. SQL 2005 is two (three if you count 2008 R2) versions back. I know you probably know that but I'd feel bad if I didn't call it out I would also highly discourage the use of SA for any logons. SA is a highly privileged account. It is -the- highly privileged account in SQL Server. Everyone knows there is an account named SA and it can be prone to hack attempts. I tend to push for windows authentication only and ensure a group is added that the proper DBAs team can properly and securely added to. I often disable the SA account in mixed mode and will create another account with SA rights but a non descript name. If, for some reason, the SA account needs to stay around, I try and give that a horrible password and store it someplace really safe and not use it. By not having an SA account used by so many people that you need to audit its usage, you can give more granular permissions to do the required activities in SQL and no more. Least privilege and tight access lists will take you much further than watching SA account activity. At any rate, Logon triggers may be the best bet. Trace would work but there is a cost associated with that (there is with logon triggers also but my guess is the cost of trace will be more expensive for you)

fn_dblog is the way to look backwards as the other commentators have said. Only allowing the users to modify the data through stored procedures is a great way to prevent this happening in the first place, as you can add logic to prevent users from mass modifying records they shouldn't, or ensuring that they have to provide correct values for updates. This may mean that you'd need to make application changes depending on how they're currently accessing the data. Which may or may not be possible for you. If you can't do that, then a quick and simple way with SQL 2005 is going to be using a trigger to do some DML auditing at the table level. (SQL Server 2008 onwards have auditing tools built in). A simple solution for your issue might be: drop table audit_test go create table audit ( uname varchar(50), [date] datetime, what nvarchar(4000), host varchar(50), ) go create trigger ddlcheck on tbl_example for update, delete as declare @tbltmp table(eventtype nvarchar(30),para smallint, strsql nvarchar(4000)) insert into @tbltmp exec ('dbcc inputbuffer('+@@spid+')') insert into audit_test select SUSER_NAME(), GETDATE(), strsql , HOST_NAME() from @tbltmp This will fire any time a query attempts to update the table, or delete from the table. It uses DBCC inputbuffer ( http://msdn.microsoft.com/en-us/library/ms187730(v=sql.90).aspx ) to get the issued command. This gives you a table populated with all the update and delete statements issued against a particular table. Plus it records who issued statement, and where and when it was. Now this could be a lot of logging data on a busy table, so this could be restricted to just catch 'bad' queries (say those that update/delete 1000+ rows) by altering the trigger to: create trigger ddlcheck on tbl_example for update, delete as declare @cnt integer select @cnt=count(1) from deleted if @cnt>1000 begin declare @tbltmp table(eventtype nvarchar(30),para smallint, strsql nvarchar(4000)) insert into @tbltmp exec ('dbcc inputbuffer('+@@spid+')') insert into audit_test select SUSER_NAME(), GETDATE(), strsql , HOST_NAME() from @tbltmp end This logs less data, but the trigger still needs to 'evaluate' for every operation, so may have a performance impact which will need to be measured and tested. This will also miss the actions if the user submits lots of individual statements, ie; won't catch: delete from tbl_example where id=1 delete from tbl_example where id=2 ..... delete from tbl_exampe where id=1000 will catch delete from tbl_example where id>0 and id Hope this is of some help for the future.

SSRS has Execution Logs for this. http://msdn.microsoft.com/en-us/library/ms155836%28v=sql.100%29.aspx

You can still do this with SQL Server Profiler when the trace properties window appears check the box - save to table, then supply a server & database plus define a tablename I don't think extended events offers this functionality in a synchronous manner (you can save to a table once you have collected your data into a ring buffer or file - but you said you didn't want to do this).