Re: auditing disabled still getting aud files

From: <fitzjarrell_at_cox.net>
Date: Tue, 18 Mar 2008 06:50:18 -0700 (PDT)
Message-ID: <188fa502-caec-4f1c-aa6a-8f83bc5cfbc0@u69g2000hse.googlegroups.com>


On Mar 17, 8:28 am, Ben <benal..._at_yahoo.com> wrote:
> 10.2.0.2 EE aix 5.2 64 bit. non rac, no asm
>
> I've found several bugs related to this on metalink but no
> resolutions.

> Bug # 4001394

This one doesn't apply to your situation because it references a situation where SYSDBA connect audit files are written every minute, resulting from a regular connection from a Veritas script as SYS as SYSDBA. No one from Oracle has stated that the writing of the SYSDBA connection audit files is a bug, and it isn't; you're getting nothing in the way of audit trails for any actions by SYS, as the only entries in these .aud files are connections as SYSDBA. Thus your setting of FALSE for the audit_sys_operations parameter is functioning as intended. Per the documentation:

"Regardless of whether database auditing is enabled, Oracle always audits certain database-related operations and writes them to the operating system audit file. These operations include the following:

Connections to the instance with administrator privileges

An audit record is generated that lists the operating system user connecting to Oracle as SYSOPER or SYSDBA. This provides for accountability of users with administrative privileges. Full auditing for these users can be enabled as explained in "Auditing Administrative Users"."
...
"When SYS auditing is enabled, both the ALTER SYSTEM and UPDATE statements are displayed in the operating system audit file as follows:

Thu Jan 24 12:58:00 2002
ACTION: 'CONNECT'
DATABASE USER: '/'
OSPRIV: SYSDBA
CLIENT USER: scott
CLIENT TERMINAL: pts/2
STATUS: 0 Thu Jan 24 12:58:00 2002
ACTION: 'alter system flush shared_pool' DATABASE USER: ''
OSPRIV: SYSDBA
CLIENT USER: scott
CLIENT TERMINAL: pts/2
STATUS: 0 Thu Jan 24 12:58:00 2002
ACTION: 'update salary set base=1000 where name='myname'' DATABASE USER: ''
OSPRIV: SYSDBA
CLIENT USER: scott
CLIENT TERMINAL: pts/2
STATUS: 0" You cannot turn the connection auditing for SYSDBA logins off. Period.

> , 5880268, 4296219.

These do not as they involve ASM, which you are not using. And you don't suffer from any bug, simply from not reading the documentation. See these links:

http://download.oracle.com/docs/cd/B10501_01/server.920/a96521/audit.htm#13370 http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cfgaudit.htm#sthref1820

The behavioiur hasn't changed between 9.2.0 and 10.2.0.

David Fitzjarrell Received on Tue Mar 18 2008 - 08:50:18 CDT

Original text of this message