OS Audit trail

Printable View

09-18-2002, 02:12 AM
Sonia

Hi,
What purpose does audit_trial=OS serve; any way whether you
set it to OS or not it is going to auditing and generate the os files.....

Could any body guide me...... does this generate any extra information.

Regards
sonia
09-18-2002, 02:40 AM
SANJAY_G

Your audit information is saved in OS, outside the database when you set AUDIT_TRAIL=OS

Sanjay
09-18-2002, 03:08 AM
Sonia

No sanjay.....what i meant to say was whether u set it to
OS or not, anyway ORACLE is going to write into audit file
at the OS level...then what is the use of it ?

[Edited by sonia on 09-18-2002 at 03:16 AM]
09-18-2002, 03:12 AM
pando

you know the difference between trace and audit files???
09-18-2002, 03:21 AM
noor

Hello,

Auditing option allows you to collect some information related to DML, DLL, connections ... (Suspicious or normal Database Activity). You can store data collect in the database (in SYS.AUD$ table) or in an OS file (OS level).

Hope this help
09-18-2002, 03:27 AM
Sonia

Yes noor,
What i am trying to say is irrespective of setting it to OS or DB, audit files are always generated in the path specified by audit_file_dest.....
So what for is this audit_tria=OS....
09-18-2002, 03:32 AM
pando

it´s obvious you have not read the docs

quote:

Events Audited by Default
Regardless of whether database auditing is enabled, Oracle will always audit certain database-related actions into the operating system audit trail. These events include the following:

Instance startup

An audit record is generated that lists the OS user starting the instance, the user's terminal identifier, the date and time stamp, and whether database auditing was enabled or disabled. This is stored in the OS audit trail because the database audit trail is not available until after startup has successfully completed. Recording the state of database auditing at startup also prevents an administrator from restarting a database with database auditing disabled (so they can perform unaudited actions).

Instance shutdown

An audit record is generated that lists the OS user shutting down the instance, the user's terminal identifier, the date and time stamp.

Connections to the database with administrator privileges

An audit record is generated that lists the OS user connecting to Oracle as SYSOPER or SYSDBA, to provide accountability of users with administrator privileges.
09-18-2002, 04:24 AM
SANJAY_G

Quote:

Originally posted by sonia
No sanjay.....what i meant to say was whether u set it to
OS or not, anyway ORACLE is going to write into audit file
at the OS level...then what is the use of it?

If you set AUDIT_TRAIL=OS whatever auditing you turn on, will be saved to OS files but if you set it to DB, the information will go to sys.aud$ (other than default audit, as pando mentioned)

Sanjay

[Edited by SANJAY_G on 09-18-2002 at 04:27 AM]
01-05-2005, 03:43 PM
dbbyleo

Quote:

Originally posted by pando
it´s obvious you have not read the docs
quote:

Events Audited by Default
Regardless of whether database auditing is enabled, Oracle will always audit certain database-related actions into the operating system audit trail. These events include the following:

Instance startup

An audit record is generated that lists the OS user starting the instance, the user's terminal identifier, the date and time stamp, and whether database auditing was enabled or disabled. This is stored in the OS audit trail because the database audit trail is not available until after startup has successfully completed. Recording the state of database auditing at startup also prevents an administrator from restarting a database with database auditing disabled (so they can perform unaudited actions).

I'm starting to understand this aspect of auditing, but I don't see the information about whether auditing was disabled or enabled at startup in the audit file. The only I see in the audit record about the startup is this:

....
Wed Jan 5 12:34:24 2005
ACTION : 'STARTUP'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: jsmith
CLIENT TERMINAL: Not Available
STATUS: 0
...

So where's the info about auditing being on or off at startup??
01-08-2005, 06:42 AM
yls177

Quote:

Originally posted by dbbyleo
I'm starting to understand this aspect of auditing, but I don't see the information about whether auditing was disabled or enabled at startup in the audit file. The only I see in the audit record about the startup is this:

....
Wed Jan 5 12:34:24 2005
ACTION : 'STARTUP'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: jsmith
CLIENT TERMINAL: Not Available
STATUS: 0
...

So where's the info about auditing being on or off at startup??

what your saw is exactly what pando is referring to
03-09-2005, 03:45 PM
dbbyleo

What?

Quote:

what your saw is exactly what pando is referring to

I can see that database startup is audited to the OS. But Pando also stated that the OS audit record would include whether Auditing was disabled or enabled at database startup.

So Again, I repeat...

Where in the audit record (as I previously listed) does it indicate whether Auditing was enabled OR disabled at database startup???
03-09-2005, 10:11 PM
kris123

ur confuzing me:confused:
03-14-2005, 01:01 PM
dbbyleo

I can see and read the OS audit file that Oracle produces.

What I am asking is.....

WITHIN THE OS AUDIT FILE...where does it say whether database auditing was turned on OR off during database startup???

Again, here's an example of an entry in the OS Audit file:

....
Wed Jan 5 12:34:24 2005
ACTION : 'STARTUP'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: jsmith
CLIENT TERMINAL: Not Available
STATUS: 0
...

Where in this entry does it say that database auditing is enabled OR disabled?????

From what I can see, it DOES NOT indicate the state of database auditing. Pando seems to be referencing an Oracle document that I am trying to validate.

Is my question more clear now?
03-15-2005, 12:30 AM
kris123

:D AFAMKIC, the fact that the OS file got some messages written, it
shows that auditing is active. If you set AUDIT_TRAIL=OS you will
see a lot more messages depending on what objects you have audited.
03-18-2005, 11:58 AM
dbbyleo

NO, I believe that assumption wrong.

Oracle says regardless of whether database auditing is on or off, an OS audit file will always by generated upon server startup or shutdowns. REGARDLESS!

As a matter of fact, I have turned of database auditing (AUDIT_TRAIL=NONE) and an OS audit file continues to be generated whenever I login as sysdba. At this point, it only audits that I logged in as sysdba, and nothing else, but nonetheless, it audits even with database auditing off.

So again, the question remains unanswered....

"Where in thr OS audit trail does it state whether database auditing was on or off on startup???"
03-18-2005, 12:22 PM
davey23uk

that os file is nothing to do with database auditing, so why should it say whether normal auditing is turned on or off?
03-18-2005, 01:42 PM
dbbyleo

The Oracle Document titled, Oracle9i Database Administrator's Guide Release 2 (9.2), Part Number A96521-01, says that it does. See the following link for the exact text:
http://www.stanford.edu/dept/itss/do...udit.htm#13370

if you read the text, it DOES make sence as to why you would want to have the OS audit file determine is database auditing is ON or OFF.