CHAPTER 1
Partially Documented Parameters
Figuratively speaking, the Oracle database management system has a tremendous number of
knobs to turn and switches to flip. Oracle9i Release 2 has 257 documented parameters, Oracle10g
Release 2 has 258, and Oracle11g Release 1 has 294. Presumably there is no single DBA who has
memorized the meanings and permissible values for all those parameters. The Oracle Database
Reference manual of each respective release is the definitive source for documented initialization
parameters. This chapter scrutinizes the partially documented parameters AUDIT_SYSLOG_LEVEL,
PGA_AGGREGATE_TARGET, EVENT, and OS_AUTHENT_PREFIX and provides information that is absent
from the Oracle Database Reference manual. Both AUDIT_SYSLOG_LEVEL and OS_AUTHENT_PREFIX
are related to database security. EVENT is a curious parameter in the sense that the parameter
itself is documented, but permissible values are not. Among other things, it may be used to
collect more evidence when errors occur or gather diagnostic information under the supervision of
Oracle Support Services. From a performance perspective, learning how PGA_AGGREGATE_TARGET is
handled internally allows a DBA to significantly reduce the response time of large sort operations.
AUDIT_SYSLOG_LEVEL
The initialization parameter AUDIT_SYSLOG_LEVEL is partially documented. Several inaccuracies
in the documentation suggest that the parameter is less useful than it actually is. Database
actions by SYS and/or database administrators or operators may be audited to the UNIX operating
system's syslog daemon log files owned by the UNIX user root. This prevents privileged
database users from removing audit records that contain a log of their activities. The default
setting is to audit CONNECT, STARTUP, and SHUTDOWN with SYSDBA or SYSOPER privileges to files
owned by the ORACLE software owner, while not auditing SQL, PL/SQL statements, and other
actions with these privileges or other privileges, such as the role DBA, at all. In other words,
except for the aforementioned operations, standard auditing (see parameter AUDIT_TRAIL) as
well as fine-grained auditing (see package DBMS_FGA) are switched off by default. As a consequence,
there will be no trace of many activities performed by privileged users. Auditing to
operating system files owned by the ORACLE software owner (AUDIT_TRAIL=OS) or to the database
table SYS.AUD$ (AUDIT_TRAIL=DB) may be circumvented, since DBAs normally have access
to the ORACLE software owner's UNIX account as well as to SYS.AUD$, allowing them to easily
remove audit records generated for their actions. Auditing via the UNIX syslog facility is also
useful for detecting intrusions by hackers or manipulations by malevolent insiders.
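
The following check is an added example, not code from the book: it reads an init.ora-style parameter file and a classic syslog.conf and reports whether audit records for privileged users would actually be handed to syslog. It assumes the facility.priority value format of AUDIT_SYSLOG_LEVEL, traditional syslog.conf selector syntax, and the documented Oracle parameter AUDIT_SYS_OPERATIONS, which this page does not name; all function names, file contents, and paths are constructed.

```python
FACILITIES = {"user", "daemon", "kern", "mail", "auth", "lpr", "news", "uucp",
              "cron", "syslog"} | {f"local{i}" for i in range(8)}
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]  # low to high

def parse_pfile(text):
    """Map PARAMETER -> value from init.ora-style text ('*.' or 'sid.' prefix dropped)."""
    params = {}
    for line in text.splitlines():
        key, eq, value = line.split("#", 1)[0].partition("=")
        if eq:
            params[key.strip().split(".")[-1].upper()] = value.strip().strip("'\"")
    return params

def syslog_targets(conf_text, facility, priority):
    """Actions in classic syslog.conf text whose selectors match facility.priority."""
    targets = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        hit = False
        for selector in parts[0].lower().split(";"):  # later selectors override earlier
            facs, _, pri = selector.partition(".")
            if {"*", facility} & set(facs.split(",")):
                hit = pri == "*" or (pri in PRIORITIES and
                                     PRIORITIES.index(pri) <= PRIORITIES.index(priority))
        if hit:
            targets.append(parts[1].strip())
    return targets

def check_audit_config(pfile_text, syslog_conf_text):
    """Return findings; an empty list means SYS audit records are routed to syslog."""
    params, findings = parse_pfile(pfile_text), []
    level = params.get("AUDIT_SYSLOG_LEVEL", "").lower()
    fac, _, pri = level.partition(".")
    if not level:
        findings.append("AUDIT_SYSLOG_LEVEL unset")
    elif fac not in FACILITIES or pri not in PRIORITIES:
        findings.append("AUDIT_SYSLOG_LEVEL is not facility.priority")
    elif not syslog_targets(syslog_conf_text, fac, pri):
        findings.append("no syslog.conf selector routes " + level)
    if params.get("AUDIT_SYS_OPERATIONS", "FALSE").upper() != "TRUE":
        findings.append("AUDIT_SYS_OPERATIONS is not TRUE")
    return findings

# Constructed sample inputs (not from the book): a default-like and a hardened pfile.
DEFAULT_PFILE = "*.audit_trail='NONE'\n"
HARDENED_PFILE = "*.audit_syslog_level='LOCAL1.WARNING'\n*.audit_sys_operations=TRUE\n"
SYSLOG_CONF = "*.info;local1.none /var/log/messages\nlocal1.warning /var/log/oracle_audit.log\n"
print(check_audit_config(DEFAULT_PFILE, SYSLOG_CONF))
```

The check covers only the parameter values and the syslog routing; that the destination file is owned by root and not writable by the ORACLE software owner still has to be verified on the host.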