Sunday 26 July 2015

Audit_sys_operations in Oracle 12C Database

An important change in Oracle 12C database is that audit_sys_operations is set to true, which means all actions performed by the superuser SYS are audited. These actions are recorded at the location specified by the initialization parameter audit_file_dest.


SQL> show parameter audit_sys_operations

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_sys_operations                 boolean     TRUE


Both of these initialization parameters are explained below:

AUDIT_SYS_OPERATIONS enables or disables the auditing of operations issued by user SYS, and users connecting with SYSDBA or SYSOPER privileges. The audit records are written to the operating system's audit trail. The audit records will be written in XML format if the AUDIT_TRAIL initialization parameter is set to XML.

On UNIX platforms, if the AUDIT_SYSLOG_LEVEL parameter has also been set, then it overrides the AUDIT_TRAIL parameter and SYS audit records are written to the system audit log using the SYSLOG utility.


AUDIT_FILE_DEST specifies the operating system directory into which the audit trail is written when the AUDIT_TRAIL initialization parameter is set to os, xml, or xml,extended. The audit records will be written in XML format if the AUDIT_TRAIL initialization parameter is set to XML. It is also the location to which mandatory auditing information is written and, if so specified by the AUDIT_SYS_OPERATIONS initialization parameter, audit records for user SYS.

SQL> show parameter audit_file_dest

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/prd/adum
                                                 p
SQL>
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
You have new mail in /var/spool/mail/oracle

[oracle@node4 ~]$ cd /u01/app/oracle/admin/prd/adump/

[oracle@node4 adump]$ ls -ltr
total 52
-rw-r----- 1 oracle oinstall  772 Jul 26 22:39 prd_ora_10764_1.aud
-rw-r----- 1 oracle oinstall  772 Jul 26 22:40 prd_ora_10929_1.aud
-rw-r----- 1 oracle oinstall  980 Jul 26 22:40 prd_ora_10574_1.aud
-rw-r----- 1 oracle oinstall  755 Jul 26 22:40 prd_ora_10943_1.aud
-rw-r----- 1 oracle oinstall  762 Jul 26 22:40 prd_ora_10943_2.aud
-rw-r----- 1 oracle oinstall 1463 Jul 26 22:41 prd_ora_11017_1.aud
-rw-r----- 1 oracle oinstall 2384 Jul 26 22:42 prd_ora_11086_1.aud
-rw-r----- 1 oracle oinstall 3227 Jul 26 22:58 prd_ora_11216_1.aud
-rw-r----- 1 oracle oinstall 2140 Jul 26 22:59 prd_ora_14010_1.aud
-rw-r----- 1 oracle oinstall  755 Jul 26 22:59 prd_ora_14052_1.aud
-rw-r----- 1 oracle oinstall  768 Jul 26 22:59 prd_ora_14126_1.aud
-rw-r----- 1 oracle oinstall  762 Jul 26 22:59 prd_ora_14052_2.aud
-rw-r----- 1 oracle oinstall  772 Jul 26 22:59 prd_ora_14226_1.aud

[oracle@node4 adump]$
[oracle@node4 adump]$ cat prd_ora_14226_1.aud
....
......
........
..............
...................
System name:    Linux
Node name:      node4.oracle.com
Release:        2.6.32-100.26.2.el5
Version:        #1 SMP Tue Jan 18 20:11:49 EST 2011
Machine:        x86_64
Instance name: prd
Redo thread mounted by this instance: 1
Oracle process number: 19
Unix process pid: 14226, image: oracle@node4.oracle.com (TNS V1-V3)

Sun Jul 26 22:59:07 2015 +05:30
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[10] '1924794093'


## Above is an audit record written by mandatory auditing of SYSDBA; it is a login record.
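The record layout above can be reviewed by script rather than by reading each file with cat. The following Python parser is an added example, not part of the original post: it reads .aud records using the bracketed number as the value length, which matches every field in the record shown above and is assumed to hold for other records. The second sample record and the names parse_aud and sys_activity are constructed for illustration.

```python
import re
# Constructed sample. The first record is the CONNECT record shown above; the
# second is constructed to show an ACTION value with quotes and a newline.
SAMPLE = """\
Sun Jul 26 22:59:07 2015 +05:30
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[10] '1924794093'

Sun Jul 26 22:59:31 2015 +05:30
ACTION :[20] 'select 'a'
from dual'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[10] '1924794093'
"""

STAMP = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} [+-]\d\d:\d\d$", re.M)
FIELD = re.compile(r"^([A-Z][A-Z ]*?) ?:\[(\d+)\] '", re.M)

def parse_aud(text):
    """Return one dict per audit record, keyed by field name."""
    stamps = list(STAMP.finditer(text))
    records = []
    for i, m in enumerate(stamps):
        end = stamps[i + 1].start() if i + 1 < len(stamps) else len(text)
        body, rec, pos = text[m.end():end], {"TIME": m.group(0)}, 0
        # Read exactly [n] characters so quotes/newlines in SQL text are kept.
        while (f := FIELD.search(body, pos)):
            n = int(f.group(2))
            rec[f.group(1)] = body[f.end():f.end() + n]
            pos = f.end() + n + 1  # skip the value and its closing quote
        records.append(rec)
    return records

def sys_activity(records):
    """(time, OS user, terminal, privilege, action, status) per SYS session record."""
    return [(r["TIME"], r.get("CLIENT USER"), r.get("CLIENT TERMINAL"),
             r["PRIVILEGE"], r.get("ACTION"), r.get("STATUS"))
            for r in records if r.get("PRIVILEGE") in ("SYSDBA", "SYSOPER")]
```

The LENGTH line carries no bracketed length, so the parser skips it; the header block before the first timestamp is ignored for the same reason.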
