We are running R/3 4.6C on HPUX11/Oracle 126.96.36.199. Our auditors asked us to log and audit access to the Oracle database at the OS level, bypassing the SAP layer. For example, someone logging in, doing a sudo to ora<sid>, executing sqlplus and viewing or modifying a financial document. They did not give us possible ways of doing this. Our SAs and DBAs are a little stumped about getting their hands around the scope of this. Does anyone have any ideas?
My advice to you would be: ignore the auditors. You should just describe the processes of security and access within your company and show them that you follow that. Audit trails are done at application level. Most UNIX flavours do have the ability to log all activities at the OS layer, as well as su - oraSID etc. That should be more than possible.
I wish I could ignore. The auditors do have a point for SOX chain. Someone can sqlplus and change the database rows for a financial document. I am surprised that this never came up before. I have proposed the Unix logging, but it is the sqlplus log that is more relevant. I am hoping some Oracle guru has a suggestion.