Tuesday 24 January 2012

Enable Audit to sys user to SYSLOG in Oracle 10g


Workaround to Enable Audit to sys user to SYSLOG
From Oracle 9i Release 2 onward, the AUDIT_SYS_OPERATIONS parameter can audit the activity of users connected AS SYSDBA or AS SYSOPER. By default those audit records are written to the operating-system audit trail, that is, to files under AUDIT_FILE_DEST owned by the oracle OS account. Oracle 10g Release 2 added AUDIT_SYSLOG_LEVEL, which hands the same records to the syslog daemon instead.
This is a worked example of auditing the SYS user to the SYSLOG utility on a Linux (RHEL5) host.
Step 1: route the facility.level that Oracle will use to a dedicated file. Edit /etc/syslog.conf, add the selector line below, then create the target file (sysklogd does not create it for you). Any other process that logs at user.notice will land in the same file; one of the LOCAL0-LOCAL7 facilities keeps the Oracle records separate, provided the same facility is later used in AUDIT_SYSLOG_LEVEL.
# vi /etc/syslog.conf
user.notice /var/log/syslog-orcl
# touch /var/log/syslog-orcl
Step 2: restart syslog so the new rule is read (/etc/init.d/syslog restart).
# /etc/init.d/syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Step 3: set the AUDIT_SYSLOG_LEVEL initialization parameter on the database (new in Oracle 10g Release 2, UNIX and Linux platforms only):
AUDIT_SYSLOG_LEVEL = facility.level
The value of facility can be any of: USER, LOCAL0-LOCAL7, SYSLOG, DAEMON, KERN, MAIL, AUTH, LPR, NEWS, UUCP or CRON.
The value of level can be any of: NOTICE, INFO, DEBUG, WARNING, ERR, CRIT, ALERT, EMERG.
The facility.level must match the selector added to syslog.conf, otherwise the records go to whatever file (if any) that facility is routed to. Once the parameter is set, SYS and SYSDBA/SYSOPER audit records are handed to the syslog daemon instead of being written as files under AUDIT_FILE_DEST. That is the security-relevant difference: files in AUDIT_FILE_DEST belong to the oracle OS account, so a DBA working as oracle can edit or delete the evidence of his own session, whereas the syslog file is written by the root-owned syslog daemon and can be forwarded to a remote log host that the database server cannot reach to erase its trail. Two caveats: classic syslog limits a message to 1024 bytes, so very long statements can be truncated, and the target file should be readable only by root and the people who review the logs.
Examples:
SYS> show parameter AUDIT_SYSLOG_LEVEL
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_syslog_level                   string
SYS> alter system set audit_syslog_level='user.notice' scope=spfile;
System altered.
AUDIT_SYSLOG_LEVEL is a static parameter, so the instance must be restarted for the spfile change to take effect:
SYS> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SYS> startup
ORACLE instance started.
Total System Global Area 810053632 bytes
Fixed Size 2217712 bytes
Variable Size 645925136 bytes
Database Buffers 155189248 bytes
Redo Buffers 6721536 bytes
Database mounted.
Database opened.
Where and how to see the log file? Tail the file configured in step 1. The restart itself is already recorded: the STARTUP action, followed by the SYSDBA connection that opened the database.
# tail -f /var/log/syslog-orcl
Feb 27 11:37:39 RHEL5-ORQS Oracle Audit[18624]: LENGTH : '155' ACTION :[7] 'STARTUP' DATABASE USER:[1] '/' PRIVILEGE :[4] 'NONE' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[13] 'Not Available' STATUS:[1] '0' DBID:[0] ''
Feb 27 11:37:39 RHEL5-ORQS Oracle Audit[18827]: LENGTH : '148' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[0] ''
Test: log on as SYS with OS authentication
$ sqlplus "/ as sysdba"
SYS>
Syslog after logging on as SYSDBA (this CONNECT record now carries a DBID). Note that DATABASE USER is '/' and CLIENT USER is the OS account oracle: with OS authentication the record identifies the operating-system login, not a person, so the OS login and sudo records are needed to attribute the session to an individual DBA.
# tail -f /var/log/syslog-orcl
Feb 27 11:40:12 RHEL5-ORQS Oracle Audit[19269]: LENGTH : '159' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '1233539256'
Syntax to audit SYS operations (audit_sys_operations=true). So far only connections, startup and shutdown are recorded. Setting AUDIT_SYS_OPERATIONS=TRUE additionally records every SQL statement issued by a session connected AS SYSDBA or AS SYSOPER; with AUDIT_SYSLOG_LEVEL set, those records go to syslog as well. Like AUDIT_SYSLOG_LEVEL it is a static parameter, so the change needs scope=spfile and a restart.
Example to display the current value:
SYS> show parameter audit_sys_operations
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_sys_operations                 boolean     FALSE
Example to enable it (set to TRUE):
SYS> alter system set audit_sys_operations=TRUE scope=spfile;
System altered.
SYS> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SYS> startup
ORACLE instance started.
Total System Global Area 810053632 bytes
Fixed Size 2217712 bytes
Variable Size 645925136 bytes
Database Buffers 155189248 bytes
Redo Buffers 6721536 bytes
Database mounted.
Database opened.
Test query with SYSDBA privilege:
SYS> select count(*) from v$session;
COUNT(*)
----------
105
1 row selected.
Syslog after running the query as SYSDBA. The ACTION field holds the statement text verbatim, so anything typed at a SYSDBA prompt, literals included, ends up in the log.
# tail -f /var/log/syslog-orcl
Feb 27 11:49:19 RHEL5-ORQS Oracle Audit[20698]: LENGTH : '183' ACTION :[30] 'select count(*) from v$session' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '1233539256'
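The records above have a fixed shape that a log pipeline can parse reliably: every field is written as NAME :[n] 'value', where n is the length of value, so a consumer never has to guess where a quoted SQL statement ends. The following Python is an added example, not code from the original post or from Oracle. It parses the syslog lines shown on this page and applies a few review rules (privileged logons, statements run under SYSDBA/SYSOPER, actions with a non-zero STATUS, instance startup/shutdown). The syslog envelope layout is assumed to be the classic sysklogd one seen in the tail output; in the sample data the sshd line, the failed logon by a hypothetical OS user 'alice' and the record whose statement contains quotes are constructed, and the parser assumes, as the length prefix implies, that Oracle does not escape quotes inside values.

```python
import re

# Syslog envelope as written by the daemon, followed by the record body that
# Oracle emits. The envelope layout ("Mon DD HH:MM:SS host tag[pid]: msg") is
# assumed to be the classic sysklogd format seen in the tail output; the body
# layout is taken from those same records.
_ENVELOPE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"Oracle Audit\[(?P<pid>\d+)\]:\s+LENGTH\s*:\s*'(?P<length>\d+)'\s*(?P<body>.*)$"
)

# Every field has the shape  NAME :[n] 'value'  (the space before the colon is
# optional). n is the length of value, so the closing quote is located by
# counting characters rather than by searching for the next quote; that is
# what keeps quotes inside audited SQL text from derailing the parse.
_FIELD = re.compile(r"\s*(?P<name>[A-Z][A-Z ]*?)\s*:\[(?P<n>\d+)\]\s*'")


def parse_audit_line(line):
    """Return a dict of the record's fields, or None when the line is not an
    Oracle audit record (a syslog file carries other daemons' output too)."""
    m = _ENVELOPE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "pid": int(m.group("pid")), "LENGTH": int(m.group("length"))}
    body = m.group("body")
    pos = 0
    while pos < len(body):
        f = _FIELD.match(body, pos)
        if f is None:
            raise ValueError("malformed field at offset %d: %r" % (pos, body[pos:pos + 40]))
        n = int(f.group("n"))
        start = f.end()
        value = body[start:start + n]
        # A record is only trustworthy if the declared length lands exactly on
        # a closing quote; anything else is truncation or tampering.
        if len(value) != n or body[start + n:start + n + 1] != "'":
            raise ValueError("length prefix does not match value of %s" % f.group("name"))
        rec[f.group("name")] = value
        pos = start + n + 1
    return rec


def classify(rec):
    """Reason a reviewer should look at this record, or None."""
    action = rec.get("ACTION", "")
    priv = rec.get("PRIVILEGE", "")
    status = rec.get("STATUS", "0")
    if status.isdigit() and int(status) != 0:
        # STATUS is 0 on success, otherwise the Oracle error number of the failure.
        return "failed %s (ORA-%05d)" % (action, int(status))
    if action in ("STARTUP", "SHUTDOWN"):
        return "instance " + action.lower()
    if priv in ("SYSDBA", "SYSOPER"):
        return "privileged logon" if action == "CONNECT" else "privileged statement"
    return None


def review(lines):
    """Run the rules over raw syslog lines; return (reason, OS user, terminal, action)."""
    hits = []
    for line in lines:
        rec = parse_audit_line(line.rstrip("\n"))
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append((reason, rec.get("CLIENT USER"), rec.get("CLIENT TERMINAL"), rec.get("ACTION")))
    return hits


# Sample input. The first three lines are the records shown on the page; the
# rest are constructed: an unrelated sshd line, a failed SYSDBA logon by a
# hypothetical OS user 'alice' (ORA-01017, invalid username/password), and a
# statement whose text itself contains quotes.
SAMPLE_LINES = [
    "Feb 27 11:37:39 RHEL5-ORQS Oracle Audit[18624]: LENGTH : '155' ACTION :[7] 'STARTUP' DATABASE USER:[1] '/' PRIVILEGE :[4] 'NONE' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[13] 'Not Available' STATUS:[1] '0' DBID:[0] ''",
    "Feb 27 11:37:39 RHEL5-ORQS Oracle Audit[18827]: LENGTH : '148' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[0] ''",
    "Feb 27 11:49:19 RHEL5-ORQS Oracle Audit[20698]: LENGTH : '183' ACTION :[30] 'select count(*) from v$session' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '1233539256'",
    "Feb 27 11:50:02 RHEL5-ORQS sshd[21000]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Feb 27 11:52:03 RHEL5-ORQS Oracle Audit[21044]: LENGTH : '162' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'sys' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[5] 'alice' CLIENT TERMINAL:[5] 'pts/2' STATUS:[4] '1017' DBID:[10] '1233539256'",
    "Feb 27 11:53:10 RHEL5-ORQS Oracle Audit[21044]: LENGTH : '201' ACTION :[48] 'select * from dba_users where username = 'SCOTT'' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '1233539256'",
]

if __name__ == "__main__":
    for hit in review(SAMPLE_LINES):
        print("%-28s user=%-7s tty=%-13s %s" % hit)
```

The parser raises rather than guesses when a length prefix does not line up with a closing quote; in a pipeline that exception is itself worth alerting on, because it means a record was truncated by the syslog message limit or altered after the fact.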
Enjoy it.
