
RE: Audit trails to syslogs

From: Powell, Mark D <mark.powell_at_eds.com>
Date: Tue, 20 Jun 2006 12:35:04 -0400
Message-ID: <5A14AF34CFF8AD44A44891F7C9FF410507A85A88@usahm236.amer.corp.eds.com>


 In that case:
>>

AUDIT_SYSLOG_LEVEL

Property         Description
Parameter type   String
Syntax           AUDIT_SYSLOG_LEVEL = facility.level
Default value    none
Modifiable       No
Basic            No

AUDIT_SYSLOG_LEVEL enables OS audit logs to be written to the system via the SYSLOG utility if the AUDIT_TRAIL parameter is set to os.

The value of facility can be any of the following: USER, LOCAL0-LOCAL7, SYSLOG, DAEMON, KERN, MAIL, AUTH, LPR, NEWS, UUCP or CRON.

The value of level can be any of the following: NOTICE, INFO, DEBUG, WARNING, ERR, CRIT, ALERT, EMERG. If you use this parameter, it is best to assign a file corresponding to every facility.level combination (especially kern.emerg) in syslog.conf. Sometimes these are assigned to print to the console in the default syslog.conf file. This can become annoying and will be useless as audit logs. Also, if you use this parameter, it is best to set the maximum length of syslog messages in the system to 512 bytes.
<<

I also found this in Oracle(r) Database Security Guide 10g Release 2 (10.2) Part Number B14266-01, Ch 8
>>

8.1.1.3 Syslog Audit Trail
One potential security vulnerability for an operating system audit trail is that a privileged user, such as a DBA, can modify or delete audit records. In order to minimize this risk, you can use a syslog audit trail. Syslog is a standard protocol on UNIX-based systems for logging information from different components of a network. Applications call the syslog() function to log information to the syslog daemon, which then determines where to log the information. You can configure syslog to log information to a file name syslog.conf, to the console, or to a remote, dedicated log host. You can also configure syslog to alert a specified set of users when information is logged.

Because applications, such as an Oracle process, use the syslog() function to log information to the syslog daemon, a privileged user does not need to have permissions to the file system where messages are logged. For this reason, audit records stored using a syslog audit trail can be more secure than audit records stored using an operating system audit trail. In addition to restricting permissions to a file system for a privileged user, for a syslog audit trail to be secure, neither privileged users nor the Oracle process should have root access to the system where the audit records are written.
<<

There is a significant amount of information on auditing in this manual.

HTH -- Mark D Powell --

-----Original Message-----
From: Reidy, Ron [mailto:Ron.Reidy_at_arraybiopharma.com]
Sent: Tuesday, June 20, 2006 12:03 PM
To: Powell, Mark D; Oracle Discussion List
Subject: RE: Audit trails to syslogs

The original question was syslog, not regular OS files. The init params for this are:

AUDIT_TRAIL=OS
AUDIT_SYSLOG_LEVEL=USER.ALERT

--
Ron Reidy

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org]
Sent: Tuesday, June 20, 2006 9:50 AM
To: Oracle Discussion List
Subject: RE: Audit trails to syslogs

According to the 8.1.7 Reference manual (the oldest I could find
quickly) this feature has been around a while:


>>
AUDIT_TRAIL

Parameter type: String
Syntax: AUDIT_TRAIL = {NONE | FALSE | DB | TRUE | OS}
Parameter class: Static
Default value: NONE

AUDIT_TRAIL enables or disables the automatic writing of rows to the audit trail.

NONE or FALSE: Audit records are not written.
OS: enables system-wide auditing and causes audited records to be written to the operating system's audit trail.
DB or TRUE: enables system-wide auditing and causes audited records to be written to the database audit trail (the SYS.AUD$ table).
<<

Then as now Oracle provides no means of reading the OS audit trail. You have to write your own program or acquire a third party product.

HTH -- Mark D Powell --

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Reidy, Ron
Sent: Tuesday, June 20, 2006 10:42 AM
To: stalinsk_at_gmail.com; Oracle Discussion List
Subject: RE: Audit trails to syslogs

I don't think this is available until 10.2.

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Stalin
Sent: Monday, June 19, 2006 11:08 PM
To: Oracle Discussion List
Subject: Audit trails to syslogs

All,

I'm looking for pointers to log audit trails to syslog. I understand this has been a feature in 10.2 release but unfortunately I'm on 10g R1.

Any help is appreciated.

Thanks
Stalin
--
http://www.freelists.org/webpage/oracle-l
Received on Tue Jun 20 2006 - 11:35:04 CDT
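
The quoted AUDIT_SYSLOG_LEVEL text advises giving every facility.level its own destination instead of the console, and the Security Guide excerpt mentions a remote, dedicated log host. The checker below is an added example, not code from this thread or from Oracle; it tests both points against an init file and a syslog.conf. It assumes classic syslog.conf selector syntax (no `=`/`!` modifiers or level aliases), and the file path and `loghost` name are constructed.

```python
FACILITIES = {"USER", "SYSLOG", "DAEMON", "KERN", "MAIL", "AUTH", "LPR",
              "NEWS", "UUCP", "CRON"} | {f"LOCAL{i}" for i in range(8)}
LEVELS = ["DEBUG", "INFO", "NOTICE", "WARNING", "ERR", "CRIT", "ALERT", "EMERG"]  # low to high
INIT_ORA = "AUDIT_TRAIL=OS\nAUDIT_SYSLOG_LEVEL=USER.ALERT\n"  # the two parameters from the thread
DEFAULT_CONF = "*.err;kern.debug\t/dev/console\n*.info;mail.none\t/var/log/messages\n"  # constructed
HARDENED_CONF = "user.alert\t/var/log/oracle_audit.log\nuser.alert\t@loghost\n"  # constructed

def parse_init(text):
    """Init parameters as an upper-cased {name: value} dict; '#' starts a comment."""
    pairs = (line.split("#", 1)[0].partition("=") for line in text.splitlines())
    return {n.strip().upper(): v.strip().strip("'\"").upper() for n, eq, v in pairs if eq}

def destinations(syslog_conf, facility, level):
    """Actions of the syslog.conf rules that receive facility.level messages."""
    found = []
    for line in syslog_conf.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        hit = False
        for selector in parts[0].upper().split(";"):
            facs, _, lvl = selector.partition(".")
            if not {"*", facility} & set(facs.split(",")):
                continue
            if lvl == "NONE":      # "*.info;user.none" excludes the facility again
                hit = False
            elif lvl == "*" or (lvl in LEVELS and LEVELS.index(level) >= LEVELS.index(lvl)):
                hit = True         # a selector matches its level and anything more severe
        if hit:
            found.append(parts[1].strip())
    return found

def check(init_text, syslog_conf):
    """Findings for the audit routing; an empty list means no problem was found."""
    p = parse_init(init_text)
    facility, _, level = p.get("AUDIT_SYSLOG_LEVEL", "").partition(".")
    if p.get("AUDIT_TRAIL") != "OS":
        return ["AUDIT_SYSLOG_LEVEL only takes effect with AUDIT_TRAIL=OS"]
    if facility not in FACILITIES or level not in LEVELS:
        return ["AUDIT_SYSLOG_LEVEL is not a valid facility.level"]
    dests = destinations(syslog_conf, facility, level)
    findings = [] if dests else [f"no syslog.conf rule receives {facility}.{level}"]
    if "/dev/console" in dests:
        findings.append("audit records are printed to the console")
    if dests and not any(d.startswith("@") for d in dests):
        findings.append("no remote log host: records stay on the database server")
    return findings

if __name__ == "__main__":
    print(check(INIT_ORA, DEFAULT_CONF), check(INIT_ORA, HARDENED_CONF))
```

With the constructed default-style syslog.conf, USER.ALERT audit records are caught by the `*.err` console rule, which is the situation the quoted documentation calls useless as audit logs.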
