SteveT68@gmail.com said:
> Hi Guys,
>
[quoted text clipped - 17 lines]
>
> Any assistance would be much appreciated.
onaudit. It's in TFM.

Bye now,
Obnoxio
"... no bill is required as no value was provided."
-- Christine Normile
> Hi Guys,
>
[quoted text clipped - 17 lines]
>
> Any assistance would be much appreciated.
You don't mention which database server you use, or which OS, or versions,
or...... Anyway, you mention syslog, so assuming IDS on UNIX...
You can use database auditing (Trusted Facility Guide) to log actions by
any user. You would not audit scripts, but the commands that those scripts
execute on the database server. Be careful though, auditing can be very
expensive in terms of performance loss. You can implement role separation,
so that the person maintaining the audit system cannot read the audit logs,
and the person reviewing the audit logs cannot maintain the auditing.
Sarbanes Oxley requirements are based on defining procedures and then
proving that you follow them, so check whether your procedures are going to
kill your database server first.
You can either send audit logs to flat files or to the UNIX audit system.
You can also load the flat files into a database table. There are
apparently tools for sending UNIX audit logs to syslog, but I have not seen
them in action yet. So in theory at least you could get IDS to send audit
logs to UNIX auditing, and then to syslog, and then to enVision.
Remember you are going to have to prove that you collect audit logs and
that you keep them for a predefined number of days.
Cheers,

Mark.
+----------------------------------------------------------+-----------+
| Mark D. Stock mailto:mdstock@MydasSolutions.com |//////// /|
| |///// / //|
| +-----------------------------------+//// / ///|
| |We value your comments, which have |/// / ////|
| |been recorded and automatically |// / /////|
| |emailed back to us for our records.|/ ////////|
+----------------------+-----------------------------------+-----------+
> I am not an Informix DBA, but have been challenged with implementing a
> logging solution for Sarbanes Oxley compliance.
Bad luck - that you got the assignment. I wish you good luck in achieving
the "solution".
> What we would like to do is log all activity on the database by the
> Informix DBA's. In particular, we would like to include log on/off
> activity, plus all scripts run by the DBA during their connection.
You are going to need to clarify your terminology, to yourself and to us.
It would also be helpful to have basic environment information - which
machine type (especially Unix/Linux vs Windows) and which version or
versions of IDS (7.31 vs 9.xx vs 10.00, for example).
What do you mean by:
* The Informix DBAs
* Log on/off
* Scripts run by the DBA
I'm not trying to be awkward - though I'm probably succeeding. However, the
terms have a variety of meanings, and not everyone within the Informix camp
would necessarily automatically agree with me about the meanings, though I
could probably argue them into agreeing eventually.
Informix DBAs: Do you mean the 'informix' user who monitors the server
instance, or do you mean the DBA who manages a database within an instance?
I suspect the former, primarily, though you'll also need to worry about the
latter too.
Log on/off: Do you mean the log on to the operating system (which is an o/s
level auditing operation - there's nothing Informix can do to help you
directly there), or do you mean connections to the database server and
operations on the database server - such as running 'oninit', 'onmode',
'oncheck', 'onstat' and 'onbar' (or do you use 'ontape'?).
Scripts run by the DBA: There are very few scripts provided by IDS - do you
really mean programs run by the DBA? Such as the ON* utilities mentioned
above?
The details of what you do will probably vary depending on the answers to
these questions.
You will need to look at an integrated or holistic solution - some parts
will depend on the operating system itself (syslog, basic process
accounting, general system security), other parts will depend on IDS
facilities (notably the ON-Audit and ON-ShowAudit facilities documented in
the Trusted Facility Manual - as mentioned by Obnoxio the Clown), and other
parts may have to be introduced. For example, I'd consider using the sudo
command to control access to the informix user ID. No-one can login as user
informix - they can only assume the user ID by invoking sudo (not su), and
sudo is used to log that activity auditably.
You will need to consider whether 'role separation' is appropriate for you.
In part, that will depend on the size of your operation - how many
administrative types are you dealing with? If you've got one person running
both the operating system and the databases, you face a different challenge
from if you have a staff of 30 managing the operating system aspects of the
systems, and another 10 managing the databases, plus 50 developers working
on development and maintenance of the systems running the show.
> As you will see from the above, I am no expert, in fact have never
> touched Informix! What I am after is some background info, to help me
> guide the DBA's in order that they do not just tell me "it can't be
> done".
I'd suggest hunting for 'Is Your DBA Paranoid Enough' on Google - with
quotes. You'll find various versions of my presentation in this general
area. It doesn't directly answer your question - it does contain lots of
information. For the most part, the version of IDS is not a critical issue,
but the most secure solution is the most recent 10.00 version.
> Our Log collection tool, will be Network Intelligence enVision, which
> supports logs from syslog, or ftp of text files from a server, or ODBC
> connection to a table in the DB.
It is, just about, possible to get IDS to report auditing activity to the
syslog. It requires root privileges to do that (unless I'm misremembering
horribly), and it isn't quite as simple as you'd like.
> By the way, we have similar challenges with Oracle and SQL!
SQL? As in MS SQL Server? Or as in the common language used by Oracle and
IDS (and other SQL DBMS of note)? You will need to sharpen up the precision
of your language if you wish to get sharp answers.

Jonathan Leffler #include <disclaimer.h>
Email: jleffler@earthlink.net, jleffler@us.ibm.com
Guardian of DBD::Informix v2005.02 -- http://dbi.perl.org/
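
The sudo-only access to the informix account suggested in the post above can be checked from syslog. The following is an added example, not part of the original post: it reports which users ran which commands as informix through sudo, which attempts were refused, and any `su` to informix that bypassed sudo. The host name, user names, paths and the `su` line layout are constructed assumptions (su logging differs between UNIX flavours).

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread). The sudo lines follow
# sudo's usual log layout; the su line layout is an assumption and varies by OS.
SAMPLE_LOG = """\
Aug 31 09:12:44 dbhost sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=informix ; COMMAND=/opt/informix/bin/onstat -
Aug 31 09:15:02 dbhost sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=informix ; COMMAND=/opt/informix/bin/onmode -ky
Aug 31 09:20:31 dbhost sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
Aug 31 09:31:10 dbhost su: + pts/2 carol-informix
Aug 31 09:40:55 dbhost sudo:    dave : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/dave ; USER=informix ; COMMAND=/opt/informix/bin/oninit
"""

TS = r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s"
SUDO_RE = re.compile(TS + r"sudo:\s+(?P<user>\S+)\s:\s(?P<body>.*)$")
SU_RE = re.compile(TS + r"su:\s(?P<ok>[+-])\s(?P<tty>\S+)\s(?P<src>[^-\s]+)-(?P<dst>\S+)$")

def audit_informix_access(log_text, account="informix"):
    """Group syslog lines into sudo use, refused sudo attempts and su bypasses."""
    report = {"sudo": defaultdict(list), "denied": [], "bypass": []}
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            # COMMAND= is always the last field; everything before it is "k=v ; ..."
            head, _, command = m["body"].partition("COMMAND=")
            parts = [p.strip() for p in head.split(";") if p.strip()]
            fields = dict(p.split("=", 1) for p in parts if "=" in p)
            notes = [p for p in parts if "=" not in p]  # e.g. "user NOT in sudoers"
            if fields.get("USER") != account:
                continue  # sudo to some other account: out of scope here
            if notes:
                report["denied"].append((m["user"], command, notes[0]))
            else:
                report["sudo"][m["user"]].append((m["ts"], command))
            continue
        m = SU_RE.match(line)
        if m and m["dst"] == account:
            # Any su to the account sidesteps the sudo-only policy.
            report["bypass"].append((m["ts"], m["src"], m["tty"]))
    return report

if __name__ == "__main__":
    result = audit_informix_access(SAMPLE_LOG)
    for user, commands in result["sudo"].items():
        print(user, commands)
    print("denied:", result["denied"])
    print("bypass:", result["bypass"])
```
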
CF - 31 Aug 2006 21:57 GMT
It's helpful to see these answers. I also have a need to evaluate the
controls for database management relating to Informix. Does anyone know
where to find an audit program for the "internal controls" for an
Informix database? (From an auditor perspective, controls apply across
all platforms and OSes). In this case, this is for Informix on Unix
(HPUX 11.0)
Thanks.
> > I am not an Informix DBA, but have been challenged with implementing a
> > logging solution for Sarbanes Oxley compliance.
[quoted text clipped - 86 lines]
> Email: jleffler@earthlink.net, jleffler@us.ibm.com
> Guardian of DBD::Informix v2005.02 -- http://dbi.perl.org/