Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Auditing question

Re: Auditing question

From: R.B <rich.bevan_at_bt.com>
Date: Wed, 10 Dec 2003 11:06:35 +0000 (UTC)
Message-ID: <br6unr$189$1@visp.bt.co.uk>


"Pete Finnigan" <plsql_at_petefinnigan.com> wrote in message news:a6fW2LBwpk1$Qxl2_at_peterfinnigan.demon.co.uk...
> Hi,
>
> You have specified that the auditing should be in sent to the database
> and stored in sys.aud$ but you have also specified a file destination
> that is only applicable when auditing is directed to the operating
> system. You say you are getting a .aud file?, have you checked out if a
> record is created in table sys.aud$ ? - if not maybe you are using
> spfile rather than pfile and audit was already enabled to the OS? -
> check the run time parameters in v$parameter to see what the database
> thinks it is doing.
>
> You are better off auditing to the database from a reporting point of
> view as its simple SQL but for security reasons auditing to the file
> system can be more secure as you can immediately write off the audit to
> a secure file system or to another machine to stop anyone changing the
> audit trail.
>
> Also check out a paper i wrote quite recently called "An introduction to
> simple Oracle auditing" - at http://www.petefinnigan.com/orasec.htm - if
> it helps a bit.
>
> kind regards
>
> Pete
> --
> Pete Finnigan
> email:pete_at_petefinnigan.com
> Web site: http://www.petefinnigan.com - Oracle security audit specialists
> Book:Oracle security step-by-step Guide - see http://store.sans.org for
details.

Peter,
Thank you for your reply (as well as the others in the post). Can you clarify a couple of points:

At the moment if I issue 'create table' this get logged in the o/s file (.aud), so if I remove the audit_file_dest from my initSID.ora file a bounce the db (I know I should be using spfiles) should a record of the actual statement get written into the sys.aud$ i.e I will be able to see that user xx ran 'create table' on dd/mm/yy (albeit by using the one of the views)

Also where will the actions audited as a result of setting audit_sys_operations be written as Anurag pointed out?

Obviously I will be testing this out myself but I would be grateful of your feedback,

Thanks Received on Wed Dec 10 2003 - 05:06:35 CST

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US