Hi
There's no DCS 6.1 MP1; it could be 6.0 MP1 or 6.5 MP1. Anyway, the policies on those platforms are quite similar.
As you mentioned, Windows_Baseline_Detection has an Advanced Policy Setting for Database Services Monitor (it includes Oracle RDBMS). This detection policy tries to read specific strings from specific Oracle logs.
For example, you will find something like:
Select String:
Source: *Oracle* USERID:[6] ?SYSDBA? * RETURNCODE:[4] ?1017? *
With *nix Oracle, you have two Detection Policy options:
- Create a Custom Rule under Unix_Baseline_Detection
or
(Recommended)
- Create all DB detection rules under Unix_Template_Policy.
- You can use more than 1 Detection Policy on an Asset/Group, so you can use Baseline + Template policy simultaneously.
Here is the interesting thing:
- What do you need to audit and/or monitor?
- C2 Logs
- Text Logs
- What kind of events do you need to audit or monitor?
- Oracle User activity
- Specific return codes
- Other
So, according to the Detection Policy Reference Guide, you will need to think about using Text Log, C2 or Syslog Rules: https://support.symantec.com/en_US/article.DOC7979.html
Text Log: See Detection Policy Reference Guide Pages 37 to 39
Looks for matches in user-specified text logs. You can specify the path to a log file, and a text pattern that determines how data from the log file is parsed and recorded.
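The select string quoted in the post above, run against sample audit events, as an added example that is not part of the original post or of the DCS documentation. It assumes `*` matches any run of characters and `?` matches exactly one character; the sample events and their `Source: ...` layout are constructed for illustration.

```python
import re

# Select string exactly as quoted in the post.
SELECT_STRING = "Source: *Oracle* USERID:[6] ?SYSDBA? * RETURNCODE:[4] ?1017? *"


def select_string_to_regex(pattern):
    """Assumed semantics (not taken from the DCS guide): '*' is any run of
    characters, '?' is exactly one character, everything else is literal.
    A generic glob library such as fnmatch would misread '[6]' as a
    character class, so the brackets are escaped here."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out))


# Constructed sample events; the "Source: ..." layout is an assumption.
SAMPLE_EVENTS = [
    # SYSDBA logon rejected with ORA-01017 (invalid username/password)
    'Source: Oracle.orcl Audit trail: SESSIONID:[6] "481516" USERID:[6] "SYSDBA" '
    'TERMINAL:[7] "DBHOST1" ACTION:[3] "100" RETURNCODE:[4] "1017" OS$USERID:[6] "oracle"',
    # Successful SYSDBA logon: return code 0, must not be flagged
    'Source: Oracle.orcl Audit trail: SESSIONID:[6] "481517" USERID:[6] "SYSDBA" '
    'TERMINAL:[7] "DBHOST1" ACTION:[3] "100" RETURNCODE:[1] "0" OS$USERID:[6] "oracle"',
    # Failed logon by an ordinary user: outside the scope of this rule
    'Source: Oracle.orcl Audit trail: SESSIONID:[6] "481518" USERID:[5] "SCOTT" '
    'TERMINAL:[7] "DBHOST1" ACTION:[3] "100" RETURNCODE:[4] "1017" OS$USERID:[6] "oracle"',
    # Event from a different source
    'Source: MSSQLSERVER Login failed for user sa',
]


def detect(events, pattern=SELECT_STRING):
    """Return the events that the select string would flag."""
    rx = select_string_to_regex(pattern)
    return [e for e in events if rx.search(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Under these assumed semantics, the trailing ` *` means a record that ends immediately after the `RETURNCODE` value would not match, which is worth checking against real log lines before relying on the rule.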