Well, from a security point of view, "audit anything you need" is wrong!
Better is "audit all except what you know for sure is legitimate",
which is exactly the standard phrase any auditor uses - "outside the
normal use of an application". The problem is to find as many
legitimate things as possible - as you mentioned.
Worse yet, sometimes (should I say most of the time?) it's not possible
to figure that out in a deterministic way. Often, you can only
distinguish non-legitimate operations after playing with the collected
data in some BI tool. The level of collection... well, it's fine-tuned
as you need and as you go through your analysis. Like, start with
connection audit, add some DDL, more, add some DMLs on some objects,
etc. until you are comfortable.
For example, if you take Audit Vault - it's actually just a
pre-configured audit data warehouse with OLAP tools configured to play
with audit data. OK, maybe I am over-simplifying, but that's the idea
and it seems like a very good approach.
Regarding a highly paid auditor - you don't pay for good advice - you
pay for a stamp. ;-) Usually, it doesn't make you any more secure. For that
you need to hire other guys, and they won't give you any stamps. ;-)
Actually, it has nothing to do with just IT. Every auditor must have
the balls to "stamp" their customers.
2006/8/7, rjamya :