跳至正文
KYRA MDR KYRA MDR Docs

Oracle & Tibero Database Integration

Overview

This integration collects database audit logs from Oracle Database and Tibero for privileged access monitoring, data exfiltration detection, and ISMS-P compliance. Oracle is widely used in Korean financial institutions and large enterprises, while Tibero (by TmaxSoft) is the leading Oracle-compatible database for Korean government systems under the domestic software mandate.

Supported versions: Oracle 19c/21c, Tibero 6/7

Prerequisites

  • A KYRA MDR Collector installed and running (Installation Guide)
  • DBA-level access on the Oracle or Tibero instance
  • A scheduled script to export audit records (neither database supports native syslog output)
  • Network connectivity from the database server to the collector on port 514

Configuration

Oracle Unified Audit (12c+)

Enable unified auditing and create a policy for sensitive tables:

ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE=SPFILE;


CREATE AUDIT POLICY kyra_policy
    ACTIONS SELECT, INSERT, UPDATE, DELETE
    ON HR.EMPLOYEES, HR.DEPARTMENTS;
AUDIT POLICY kyra_policy;

Audit records are stored in DBA_UNIFIED_AUDIT_TRAIL.

Tibero Audit

ALTER SYSTEM SET AUDIT_TRAIL = DB;
AUDIT SELECT, INSERT, UPDATE, DELETE ON schema.table;

Audit records are stored in SYS.DBA_AUDIT_TRAIL.

Syslog Export Script

Since neither Oracle nor Tibero supports native syslog output, use a scheduled script to extract and forward audit records:

/opt/kyra/scripts/db-audit-to-syslog.sh
# Runs every 5 minutes via cron
*/5 * * * * /opt/kyra/scripts/db-audit-to-syslog.sh

The script queries the audit trail view, formats records, and sends them to the collector via syslog.

Collected Log Types

Log TypeSecurity UsePriority
Login failures (ORA-01017)Brute force detectionHigh
SYS/SYSDBA accessPrivileged account monitoringCritical
Large SELECT operationsData exfiltration detectionHigh
DDL changes (DROP, ALTER, TRUNCATE)Schema tampering detectionHigh
Privilege changes (GRANT DBA)Privilege escalation detectionCritical
DB Link creationExternal data channel detectionHigh

Troubleshooting

No Audit Records

  1. Verify auditing is enabled: SHOW PARAMETER audit_trail (Oracle) or check DBA_AUDIT_TRAIL (Tibero)
  2. Confirm the audit policy is applied to the target tables
  3. Check the cron job is running: crontab -l
  4. Ensure the export script has database connectivity

High Storage Usage

  • Unified audit trail can grow quickly; configure a retention policy
  • Periodically purge old records: DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL (Oracle)

For additional help, contact kyra@seekerslab.com.