SoftTree Technologies
Technical Support Forums
Magnet
Joined: 11 May 2007 Posts: 3
DB Audit - Best practices
What are the best practices, in light of the present-day compliance scenario, for the installation infrastructure of DB Audit?
I mean, I have heard that Audit trails storage and generation should be independent of DB Admin authority. I realise that the way DB Audit functions is that it generates triggers on tables and reports values. How do I enable a condition that would also report the incident where DB Admin chooses to disable a particular trigger?
Can I log all the events on a separate database outside the realm of current DB Admin? I am talking from the perspective of being an internal IT Auditor for a financial firm and the server where DB Audit logs and reports instances would only have me as its DB Admin.
Is this possible?
Fri May 11, 2007 10:17 pm
SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7948
Let's start here.
1. DB Audit provides several auditing methods. Using triggers is only one of them. This method should be used when you need to have a trail of data changes, in other words to be able to produce for auditors what was there before the change and how it got changed.
2. Regarding the separation of the audit trail and the database access - DB Audit provides methods for storing the audit trail in a separate database system. We typically refer to this functionality as use of a "central repository". A mechanism can be set up to move the audit trail from audited servers to a remote location to which local users and DBAs have no access.
3. DB Audit provides monitoring functions for tracking changes in the database including pre-designed alerts for monitoring changes in the audit configuration. The alerts can be used to notify auditors whenever somebody attempts to change the auditing settings.
4. Regarding your last question. The answer is "yes", please see above for details.
Sat May 12, 2007 11:15 am
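An added example, not part of the original thread and not DB Audit's own mechanism: one way an auditor can independently detect a disabled or dropped audit trigger is to compare a baseline kept off the audited server against a periodic snapshot of trigger status. It assumes an Oracle database, with snapshot rows shaped like the OWNER, TRIGGER_NAME, TABLE_NAME and STATUS columns of the DBA_TRIGGERS view; the schema, trigger names and rows are constructed.

```python
# Added example: compare an auditor-held baseline of audit triggers against a
# snapshot of trigger status taken from the audited database.
# Snapshot rows mimic the OWNER, TRIGGER_NAME, TABLE_NAME, STATUS columns of
# Oracle's DBA_TRIGGERS view; all names and rows below are constructed.

BASELINE = {  # (owner, trigger) -> audited table; kept off the audited server
    ("FIN", "AUD_ACCOUNTS_TRG"): "ACCOUNTS",
    ("FIN", "AUD_PAYMENTS_TRG"): "PAYMENTS",
    ("FIN", "AUD_LEDGER_TRG"): "LEDGER",
}

SNAPSHOT = [  # constructed sample of what a read-only auditor login would fetch
    ("FIN", "AUD_ACCOUNTS_TRG", "ACCOUNTS", "ENABLED"),
    ("FIN", "AUD_PAYMENTS_TRG", "PAYMENTS", "DISABLED"),
    ("FIN", "AUD_TMP_TRG", "LEDGER", "ENABLED"),
]


def audit_trigger_findings(baseline, snapshot):
    """Return sorted (severity, owner, trigger, detail) findings."""
    seen = {(o.upper(), t.upper()): (tab.upper(), st.upper())
            for o, t, tab, st in snapshot}
    findings = []
    for key, table in baseline.items():
        if key not in seen:
            # Trigger was dropped or renamed: the table has no data-change trail.
            findings.append(("HIGH", *key, f"missing; {table} is unaudited"))
            continue
        cur_table, status = seen[key]
        if status != "ENABLED":
            findings.append(("HIGH", *key, f"status {status}; {table} is unaudited"))
        if cur_table != table:
            findings.append(("MEDIUM", *key, f"now on {cur_table}, expected {table}"))
    # Triggers the baseline does not know about are reported for review.
    for key in seen.keys() - baseline.keys():
        findings.append(("INFO", *key, "not in baseline; review and record"))
    return sorted(findings)


if __name__ == "__main__":
    for sev, owner, trig, detail in audit_trigger_findings(BASELINE, SNAPSHOT):
        print(f"{sev:6} {owner}.{trig}: {detail}")
```

The check only gives independent assurance if it runs from a host and login the audited DBA does not control, with the baseline stored alongside the separate audit repository.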
Magnet
Joined: 11 May 2007 Posts: 3
Solutions!?
Thanks for the reply!
Aside, I was wondering, is there a solution by SoftTree that would enable me to implement preventive, rather than detective, controls over the activities of DB Admin at an economical price? I know of DB Vault, which is quite in the news recently but prohibitively priced.
Anything else...that you can think of!!
Just thought of having an expert opinion, so I asked!
Rgds
Sat May 12, 2007 3:04 pm
SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7948
From the DB Vault name I am assuming you are talking about Oracle databases. Have you looked at built-in data encryption and obfuscation methods? If not, take a look at this article
http://www.jaredstill.com/content/oracle-encryption.html that can give you an idea how to secure the data – kind of proactive security and unauthorized access prevention.
Sat May 12, 2007 3:42 pm
Magnet
Joined: 11 May 2007 Posts: 3
DB vault
DB Vault's usage is a bit different.
It locks out DB Admin of Oracle from undertaking changes to the database from backend unless explicitly authorised. DB Vault claims to lock the DB Admin out from undertaking 'Drop' 'Alter' activities from the backend.
The cheaper alternative is to share DB Admin password between two entities where, whenever DB Admin needs to log on and do jobs like 'Drop' 'Alter' on tables, he needs physical presence of the other guy (can be security analyst etc.).
I was seeking help in that area.
Data encryption/obfuscation is an option but our data is not so much classified/secret so as to undertake this procedure.
Any other suggestions..?
Also, you mentioned that "DB Audit provides monitoring functions for tracking changes in the database including pre-designed alerts for monitoring changes in the audit configuration..", is there a write up on how to accomplish this? It's quite important for me!!
Regards
Sun May 13, 2007 12:52 am
SysOp
Site Admin
Joined: 26 Nov 2006 Posts: 7948
Sun May 13, 2007 10:35 am