The practice of auditing an Oracle database, and generally keeping a check on the DBA privilege, is partly the
responsibility of the Unix SA function and partly that of a dedicated DB security monitoring function. Future practitioners
responsible for monitoring DB security will have to become much better at using the native OS tools already
present rather than costly third-party solutions, both to reduce cost and because security is
becoming embedded into the database product itself.
A Centralized Syslog
Setting up a centralized syslog is reasonably straightforward, and free of any additional license charge, but there are
some basic concepts that are worth understanding in preparation. Firstly, Oracle syslog is OS-node specific, so for
RAC clusters each node will push DB syslog from its own instance. Essentially, the database pushes its audit trail to
the local OS syslog, and from the OS that syslog can be sent to any IP host on the network and/or to local disk. The
bonus with syslog is that the audit trail can easily be split to multiple locations.
Syslog setup requires just two configuration changes in the DB, followed by a restart. Then there is just one
configuration change on the OS, with no OS restart needed. I recommend making the OS configuration first, then
making sure that is working before setting up the DB audit trail. This will minimize the need for DB restarts due
to changed configuration, as the syslog itself will already be proven to be working. Follow these steps to turn on
syslogging for Oracle DB:
1. Edit syslog.conf as root (using a text editor such as vi) to contain the following lines. Be
   aware that you must follow the facility level, local4.info, with a tab character, and not
   with a space.

   #This entry will send all syslog local4.info to remote (@) server at ase.net
   local4.info<TAB> @lab1-3.sr.ema.ase.net

   A single-line replacement of spaces by tabs within the vi editor may be required:

   :s/ /<ctrl-TAB>/g

   vi shows tab characters as blank by default, so issue the following command to be able
   to differentiate tabs from spaces (tabs will be shown as ^I):

   :set list

2. Restart syslog after the configuration change. On Linux, issue the following command:

   service syslog restart

   To restart syslog on Solaris, use the following command instead:

   svcadm restart system-log

3. Then send a test syslog message to the syslog server from within bash:

   logger -p local4.info "unique_string345"
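As an added example, not code from the book, the POSIX shell script below checks a syslog.conf for the tab-versus-space mistake that step 1 warns about before the daemon is restarted in step 2. The two sample configuration fragments it writes are constructed for the demonstration; the collector host name is the one from the listing above.

```shell
#!/bin/sh
# Added example (not from the book): validate the local4.info forwarding
# entry in a syslog.conf. The classic mistake is separating the selector
# from the action with spaces instead of the TAB the book requires.

# check_syslog_entry FILE
# Returns 0 when FILE contains a line of the form
#   local4.info<TAB>@host   (extra whitespace after the TAB is tolerated)
# and 1 otherwise.
check_syslog_entry() {
    tab="$(printf '\t')"
    grep -q "^local4\.info${tab}[[:space:]]*@[A-Za-z0-9._-]\{1,\}[[:space:]]*\$" "$1"
}

# diagnose_syslog_entry FILE
# Prints one word: ok, space-separated, malformed or missing.
diagnose_syslog_entry() {
    if check_syslog_entry "$1"; then
        echo ok
    elif grep -q '^local4\.info ' "$1"; then
        echo space-separated   # selector followed by a space, not a TAB
    elif grep -q '^local4\.info' "$1"; then
        echo malformed         # entry present but action is not a remote @host
    else
        echo missing           # no local4.info entry at all
    fi
}

# write_sample_conf FILE good|bad
# Writes a constructed syslog.conf fragment used only for this demo.
write_sample_conf() {
    if [ "$2" = good ]; then
        printf '# forward Oracle audit records to the collector\nlocal4.info\t@lab1-3.sr.ema.ase.net\n' > "$1"
    else
        printf '# same entry with a space instead of a tab (common error)\nlocal4.info @lab1-3.sr.ema.ase.net\n' > "$1"
    fi
}

# Stand-alone demo: write both constructed samples and report on each.
demo() {
    good=$(mktemp); bad=$(mktemp)
    write_sample_conf "$good" good; write_sample_conf "$bad" bad
    printf 'good sample: %s\nbad sample:  %s\n' \
        "$(diagnose_syslog_entry "$good")" "$(diagnose_syslog_entry "$bad")"
    rm -f "$good" "$bad"
}
demo
```

Run it against the real file with `diagnose_syslog_entry /etc/syslog.conf` before issuing the restart command for your OS; the `logger` test in step 3 then confirms delivery end to end.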