DataBaser

This’s a example to audit sys user to SYSLOG utility.

- Modify syslog.conf
# vi /etc/syslog.conf
user.notice /var/log/syslog-orcl

# touch /var/log/syslog-orcl

- Restart syslog
# /etc/init.d/syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]

- Modify AUDIT_SYSLOG_LEVEL initialization parameter on Database

AUDIT_SYSLOG_LEVEL = facility.level

The value of facility can be any of the following: USER, LOCAL0-LOCAL7, SYSLOG, DAEMON, KERN, MAIL, AUTH, LPR, NEWS, UUCP or CRON.

The value of level can be any of the following: NOTICE, INFO, DEBUG, WARNING, ERR, CRIT, ALERT, EMERG .

SYS> show parameter AUDIT_SYSLOG_LEVEL

NAME TYPE VALUE
———————————— ———– ——————————
audit_syslog_level string

SYS> alter system set audit_syslog_level=’user.notice’ scope=spfile;

System altered.

SYS> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.

SYS> startup
ORACLE instance started.

Total System Global Area 810053632 bytes
Fixed Size 2217712 bytes
Variable Size 645925136 bytes
Database Buffers 155189248 bytes
Redo Buffers 6721536 bytes
Database mounted.
Database opened.

What did we see in log file?

# tail -f /var/log/syslog-orcl
Jan 12 16:37:47 RHEL5-TEST Oracle Audit[18624]: LENGTH : ’155′ ACTION :[7] ‘STARTUP’ DATABASE USER:[1] ‘/’ PRIVILEGE :[4] ‘NONE’ CLIENT USER:[6] ‘oracle’ CLIENT TERMINAL:[13] ‘Not Available’ STATUS:[1] ’0′ DBID:[0] ”
Jan 12 16:37:47 RHEL5-TEST Oracle Audit[18827]: LENGTH : ’148′ ACTION :[7] ‘CONNECT’ DATABASE USER:[1] ‘/’ PRIVILEGE :[6] ‘SYSDBA’ CLIENT USER:[6] ‘oracle’ CLIENT TERMINAL:[5] ‘pts/1′ STATUS:[1] ’0′ DBID:[0] ”

Test to Logon by sys:
$ sqlplus / as sysdba
SYS>

In log fle:
Jan 12 16:40:51 RHEL5-TEST Oracle Audit[19269]: LENGTH : ’159′ ACTION :[7] ‘CONNECT’ DATABASE USER:[1] ‘/’ PRIVILEGE :[6] ‘SYSDBA’ CLIENT USER:[6] ‘oracle’ CLIENT TERMINAL:[5] ‘pts/1′ STATUS:[1] ’0′ DBID:[10] ’1233539256′

We can audit sys operation (audit_sys_operations=true) by:

SYS> show parameter audit_sys_operations

NAME TYPE VALUE
———————————— ———– ——————————
audit_sys_operations boolean FALSE

SYS> alter system set audit_sys_operations=TRUE scope=spfile;

System altered.

SYS> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.

SYS> startup
ORACLE instance started.

Total System Global Area 810053632 bytes
Fixed Size 2217712 bytes
Variable Size 645925136 bytes
Database Buffers 155189248 bytes
Redo Buffers 6721536 bytes
Database mounted.
Database opened.

Test Query:
SYS> select count(*) from v$session;

COUNT(*)
———-
88

1 row selected.

In log file:
Jan 12 16:55:09 RHEL5-TEST Oracle Audit[20698]: LENGTH : ’183′ ACTION :[30] ‘select count(*) from v$session’ DATABASE USER:[1] ‘/’ PRIVILEGE :[6] ‘SYSDBA’ CLIENT USER:[6] ‘oracle’ CLIENT TERMINAL:[5] ‘pts/1′ STATUS:[1] ’0′ DBID:[10] ’1233539256′

That’s just example