Re: Auditing question

"Pete Finnigan" <plsql_at_petefinnigan.com> wrote in message news:a6fW2LBwpk1$Qxl2_at_peterfinnigan.demon.co.uk...
> Hi,
>
> You have specified that the auditing should be in sent to the database
> and stored in sys.aud$ but you have also specified a file destination
> that is only applicable when auditing is directed to the operating
> system. You say you are getting a .aud file?, have you checked out if a
> record is created in table sys.aud$ ? - if not maybe you are using
> spfile rather than pfile and audit was already enabled to the OS? -
> check the run time parameters in v$parameter to see what the database
> thinks it is doing.
>
> You are better off auditing to the database from a reporting point of
> view as its simple SQL but for security reasons auditing to the file
> system can be more secure as you can immediately write off the audit to
> a secure file system or to another machine to stop anyone changing the
> audit trail.
>
> Also check out a paper i wrote quite recently called "An introduction to
> simple Oracle auditing" - at http://www.petefinnigan.com/orasec.htm - if
> it helps a bit.
>
> kind regards
>
> Pete
> --
> Pete Finnigan
> email:pete_at_petefinnigan.com
> Web site: http://www.petefinnigan.com - Oracle security audit specialists
> Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

Pete,

Don't you think the *.aud files are being created as audit files of SYS (i.e. sysdba) logins. Oracle is auditing SYS logins and creating *.aud files for them. audit_sys_operations will cause the operations done via sys user to be audited also. In that case the audit_file_dest should designate the directory where these aud files go? Maybe thats what confusing the OP.

... Apart from that, I'd agree that the create table audits are going to the database (sys.aud$ table)

Anurag Received on Tue Dec 09 2003 - 18:57:44 CST