Protecting contents of AUDIT_FILE_DEST from 'oracle' OS user on *NIX...

From: David Mann <>
Date: Fri, 18 Nov 2011 09:41:15 -0500
Message-ID: <>

I have been diving into auditing over the past few weeks and have worked out almost all the scenarios that we are interested in auditing. Most of the actions are related to user activity. We have one database where the customer wants all SYS activity audited as well. These are 10gR2 or later databases on Solaris and Linux.

So I checked multiple blog posts, articles, and metalink docs and finally saw one that mentioned my concern... I was trying to figure out what can keep a SYS user from invoking say UTL_FILE and messing with a file that lives in AUDIT_FILE_DEST directory or just logging in as the oracle OS user and rm * in the AUDIT_FILE_DEST directory.

From [ID 174340.1] "Audit SYS User Operations": "The SYS audit records must go to OS files since the user SYS can delete his actions from AUD$, whereas if the files are written to the OS, they can be secured from the Oracle DBA by root (root must have some means to transfer the files to a secure location). It is not possible to configure that these records go into the AUD$ table."

I can only think of one right now but it doesn't seem nearly secure enough. I guess I could have a sysadmin write a cron script to run as root and copy contents of the directory to a destination not accessible by the oracle OS user. But what is the resolution of CRON? 1 minute? Of course, we would have to make sure we only copied the file once so if the source file was changed at a later date it could be detected.

Can anyone suggest any other configurations or mechanisms that can be set up to protect these files?



Dave Mann - Database Stuff -
-- Received on Fri Nov 18 2011 - 08:41:15 CST
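One way to implement the root-run copy-once job sketched in the question, as an added example that is not part of the original post: each `.aud` file in AUDIT_FILE_DEST is copied exactly once into a root-only directory and its SHA-256 recorded in a manifest, and a second function compares the live files against that manifest so a later edit or deletion of the original can be detected. It assumes POSIX sh with GNU `sha256sum` (Linux); the directory paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Example (not from the original post). Intended to run from root's crontab:
#   archive_audit_files /u01/app/oracle/admin/ORCL/adump /var/audit/ORCL   # placeholder paths
#   verify_audit_files  /u01/app/oracle/admin/ORCL/adump /var/audit/ORCL

# Copy every *.aud file in $1 that is not yet in the manifest into $2 (root-only),
# then append its SHA-256 to the manifest. A file already listed is never copied
# again, so a later rewrite of the source cannot replace the archived copy.
archive_audit_files() {
    src="$1"; dest="$2"
    manifest="$dest/manifest.sha256"
    mkdir -p "$dest"
    chmod 700 "$dest"                   # only the owner (root in production) may read the archive
    touch "$manifest"
    for f in "$src"/*.aud; do
        [ -f "$f" ] || continue         # no match: the glob stays literal, skip it
        name=$(basename "$f")
        if awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$manifest"; then
            continue                    # already archived once
        fi
        cp -p "$f" "$dest/$name"
        chmod 400 "$dest/$name"
        (cd "$dest" && sha256sum "$name") >> "$manifest"
    done
}

# Compare the live files in $1 with the hashes recorded when they were archived.
# Prints one line per file that was modified or removed after archiving and
# returns non-zero if any such file was found.
verify_audit_files() {
    src="$1"; dest="$2"
    manifest="$dest/manifest.sha256"
    status=0
    while read -r sum name; do
        [ -n "$name" ] || continue
        if [ ! -f "$src/$name" ]; then
            echo "MISSING  $name"; status=1
        elif [ "$(sha256sum "$src/$name" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $name"; status=1
        fi
    done < "$manifest"
    return $status
}
```

The manifest doubles as the "copied once" record the question asks for: the archive is only ever appended to, and the verify step is what surfaces a source file changed between two cron runs.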
