Logging and auditing are one of the pillars of PeopleSoft Security. Both application and database auditing is required. Logging and auditing support a trust-but-verify approach which is often deemed required to secure the activities of privileged system and database administrators.
While both the application and database offer sophisticated auditing solutions, one key feature Integrigy always recommends is to ensure that EnableDBMononitoring is enabled within the psappssrv.cfg file. This is set by default but we at times find it disabled.
When enabled EnableDBMononitoring allows PeopleSoft application auditing to bridge or flow into database auditing. This is done by populating the Oracle Client_Info variable with the PeopleSoft User Id, IP address and program name. With Oracle RDBMS auditing enabled, anything written to Client_Info is also written into the database audit logs.
In other words, with both database and EnableDBMononitoring enabled, you can report on which user updated what and when – not just that the PeopleSoft application or ‘Access ID’ issued an update statement.
The graphics below we commonly use to help review Integrigy’s approach to PeopleSoft logging and auditing.
If you have questions, please contact us at firstname.lastname@example.org
Michael A. Miller, CISSP-ISSMP, CCSP