Database Reference
SQL> exec time_test;
18-JAN-09
PL/SQL procedure successfully completed.
SQL> alter procedure time_test compile timestamp '1066-11-11:12:0:59';
Procedure altered.
SQL> select timestamp from User_objects where object_name='TIME_TEST';
TIMESTAMP
-------------------
1066-11-11:12:00:59
6. Truncated records - All audit trails can suffer from truncation, but some, like syslog, are
highly configurable. To increase the maximum length of a syslog entry, follow this procedure:
cp -p /usr/sbin/syslogd /usr/sbin/syslogd.bak
cd /usr/src/usr.sbin/syslogd/
vi syslogd.c
--find this line (line 71'ish):
#define MAXLINE 1024 /* maximum line length */
--change '1024' to new larger value (e.g. 2048 or 4096).
make obj && make depend && make && make install
/etc/rc.d/syslogd restart
7. SYS turn off - SYSDBA could turn off auditing with a restart, or directly through oradebug.
Any gaps in the audit trail that do not coincide with the restarts listed below would look suspicious:
SQL> select startup_time from dba_hist_database_instance;
STARTUP_TIME
----------------------------------------------------------
27-SEP-13 04.15.46.000
03-OCT-13 14.05.04.000
03-OCT-13 16.38.17.000
03-OCT-13 17.30.03.000
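The check described in item 7, as an added example that is not code from the book: it compares exported audit-record timestamps with the instance startup times and reports quiet periods that contain no restart. The startup times are the ones listed above; the audit timestamps are constructed sample data, and the 30-minute threshold and 5-minute slack are assumptions to tune for the workload.

```python
from datetime import datetime, timedelta

ORA_FMT = "%d-%b-%y %H.%M.%S.%f"  # layout of STARTUP_TIME as printed above

def parse_ts(text):
    return datetime.strptime(text.strip(), ORA_FMT)

def unexplained_gaps(audit_times, startup_times, max_quiet,
                     slack=timedelta(minutes=5)):
    """Return (last_record, next_record) pairs that are more than max_quiet
    apart and have no instance startup inside the gap (widened by slack)."""
    records = sorted(audit_times)
    startups = sorted(startup_times)
    gaps = []
    for prev, nxt in zip(records, records[1:]):
        if nxt - prev <= max_quiet:
            continue  # normal spacing between audit records
        restarted = any(prev - slack <= s <= nxt + slack for s in startups)
        if not restarted:
            gaps.append((prev, nxt))  # silence with no restart to explain it
    return gaps

# Startup times copied from the dba_hist_database_instance listing above.
STARTUPS = [parse_ts(t) for t in (
    "27-SEP-13 04.15.46.000", "03-OCT-13 14.05.04.000",
    "03-OCT-13 16.38.17.000", "03-OCT-13 17.30.03.000",
)]

# Constructed audit-record timestamps (sample data, not from the book).
AUDIT = [parse_ts(t) for t in (
    "03-OCT-13 13.40.10.000", "03-OCT-13 13.58.31.000",
    "03-OCT-13 14.06.12.000", "03-OCT-13 14.20.45.000",
    "03-OCT-13 15.35.02.000", "03-OCT-13 15.50.00.000",
    "03-OCT-13 16.39.30.000", "03-OCT-13 16.55.00.000",
    "03-OCT-13 17.31.00.000",
)]

def demo():
    return unexplained_gaps(AUDIT, STARTUPS, max_quiet=timedelta(minutes=30))

if __name__ == "__main__":
    for start, end in demo():
        print(f"no audit records and no restart from {start} to {end} ({end - start})")
```

The two later quiet periods in the sample each contain a startup and are not reported; a gap that does contain a restart is explained, not cleared, and still merits a look at who restarted the instance.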
8. Not reactive - The native audit trail is not reactive, though Chapter 6 does show how to
implement a native IPS.
9. Audit trail storage - Truncation and cycling errors can cause a DoS of the local disk.
10. Effect of command not known - Audit trails and monitoring don't always show the
resultant effect of the command run, e.g., what data was actually returned.
11. Contains system activity - Oracle syslog has a lot of internal RAC messaging in some
cases, which can actually be quite interesting for learning how Clusterware works.
12. Audit trail bypasses - e.g., dbms_sys_sql, among others, can still be used to bypass the audit trail:
declare
myi integer;
begin
 