Re: audit_sys_operations apparently not working

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Thu, 19 Mar 2009 09:23:40 +0000
Message-ID: <49C20F1C.1010607_at_petefinnigan.com>



Hi Andre,

I was meaning from a point of view of consistency. I have had a number of conversations with clients of mine who are running Oracle on different platforms including Windows and they would prefer a consistent approach. I do agree with your thoughts about security of the audit trail and whilst it's most likely more secure than to files as you point out there are a lot of tools that allow access to the event log and also it's simple to query the event log with SQL. It's just not consistent.

cheers

Pete

Andre van Winssen wrote:
> I do not agree to that as for Windows. Oracle should write to the log most
> suitable for the platform it's running on and on Windows that's the event
> log. There are lots of Windows event log collection tools available. When
> these are being used it's very difficult to wipe out audit trails.
>
> Does anyone have practical experience with the SYSLOG facility, e.g. on Linux
> or AIX?
>
> Rgds,
> Andre
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org]
> On Behalf Of Pete Finnigan
> Sent: Thursday 19 March 2009 9:47
> To: jkstill_at_gmail.com
> Cc: Oracle-L Freelists
> Subject: Re: audit_sys_operations apparently not working
>
> It goes to the event viewer Jared, this is an area I would like to see some
> consistency from Oracle. I think it should go to audit_file_dest on all
> o/s's.
>
> cheers
>
> Pete
>
> Jared Still wrote:

>> Platform:  Windows 23k Server SP2 64bit
>> Oracle: 10.2.0.4 EE
>>
>> I have two databases for which both audit_file_dest and 
>> audit_sys_operations are set.
>>
>>
>> NAME                      VALUE                                              VAL? MOD? MOD?
>> ------------------------- -------------------------------------------------- ---- ---- ----
>> audit_file_dest           D:\ORACLE\ORCL\102\RDBMS\AUDIT                     Y    N    D
>> audit_sys_operations      TRUE                                               N    N    N
>> audit_trail               DB                                                 N    N    N
>>
>> 3 rows selected.
>>
>>
>> Yet I don't find any audit files in audit_file_dest.
>>
>> Obvious possible problems:
>>   permissions - Local System user runs the Oracle service, and has 
>> full control of the directory
>>   full file system - it is not full, 40G free
>>
>> Even without audit_sys_operations=true, audit logs showing logons by 
>> SYS/SYSDBA should appear in the audit_file_dest directory.
>>
>> Checking a Linux 10.2.0.4 database, I find that it works as expected.
>>
>> Before OYASR (Opening Yet Another Service Request) I thought it would 
>> be a good idea to ask here first.  For low priority issues, Oracle-L 
>> is usually faster. :)
>>
>> So, is there something I am missing, or is it just broke on Windows?
>>
>> I did search MetaLink^H^H^H^H^H^H^H^HMy Oracle Support, but didn't 
>> find anything useful.
>>
>> Jared Still
>> Certifiable Oracle DBA and Part Time Perl Evangelist
>>

>
-- 

Pete Finnigan
Director
PeteFinnigan.com Limited

Specialists in database security.

If you need help to audit or secure an Oracle database, please ask for
details of our courses and consulting services

Phone: +44 (0)1904 791188
Fax  : +44 (0)1904 791188
Mob  : +44 (0)7742 114223
email: pete_at_petefinnigan.com
site : http://www.petefinnigan.com

Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
Company No       : 4664901
VAT No.          : 940 6681 14


--
http://www.freelists.org/webpage/oracle-l
Received on Thu Mar 19 2009 - 04:23:40 CDT
