Database Reference
When AUDIT_SYSLOG_LEVEL and AUDIT_SYS_OPERATIONS are combined, any SQL and PL/SQL run as user SYS may be audited using the syslog facility. Since the files used by syslog are owned by root, and a DBA usually does not have access to the root account, DBAs will not be able to remove traces of their activity. Of course, this also applies to intruders who have managed to break into a machine and have gained access to the account of the ORACLE software owner but not to the root account. The same applies to hackers who have cracked the password of a privileged database user and are able to connect via Oracle Net.
On Windows, the parameters AUDIT_SYSLOG_LEVEL and AUDIT_FILE_DEST are not implemented, since the Windows event log serves as the operating system audit trail (see Figure 1-1). Just like on UNIX, CONNECT, STARTUP, and SHUTDOWN are unconditionally logged. When AUDIT_SYS_OPERATIONS=TRUE is set, operations with SYSDBA or SYSOPER privileges are also written to the Windows event log, which may be viewed by navigating to Start ➤ Control Panel ➤ Administrative Tools ➤ Event Viewer. The logging category used is Application and the source is named Oracle.ORACLE_SID. Events for a certain DBMS instance may be filtered by choosing View ➤ Filter.
The Oracle Database Reference 10g Release 2 manual explains AUDIT_SYSLOG_LEVEL as follows (page 1-22):
“AUDIT_SYSLOG_LEVEL enables OS audit logs to be written to the system via the syslog utility, if the AUDIT_TRAIL parameter is set to os. The value of facility can be any of the following: USER, LOCAL0-LOCAL7, SYSLOG, DAEMON, KERN, MAIL, AUTH, LPR, NEWS, UUCP or CRON. The value of level can be any of the following: NOTICE, INFO, DEBUG, WARNING, ERR, CRIT, ALERT, EMERG.”
Tests of the new feature on a Solaris 10 and a Red Hat Linux system showed that the documentation is inaccurate on three counts:
1. AUDIT_SYSLOG_LEVEL is independent of AUDIT_TRAIL. When AUDIT_SYSLOG_LEVEL is set and AUDIT_TRAIL has the default value NONE, CONNECT, STARTUP, and SHUTDOWN are logged via syslog.
2. Setting the parameters AUDIT_SYSLOG_LEVEL and AUDIT_SYS_OPERATIONS=TRUE causes any actions such as SQL and PL/SQL statements executed with SYSDBA or SYSOPER privileges to be logged via syslog, even if AUDIT_TRAIL=NONE.
3. Only certain combinations of facility and level are acceptable. Unacceptable combinations cause the error “ORA-32028: Syslog facility or level not recognized” and prevent DBMS instances from starting.
If the documentation were accurate, it would not be possible to audit actions performed with SYSDBA or SYSOPER privileges to the system log, while auditing actions by other users to the data dictionary base table SYS.AUD$. However, such a limitation does not exist.
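A pre-restart check for the settings discussed above, as an added example that is not from the original text or from Oracle: it parses a text parameter file and reports what would keep SYSDBA/SYSOPER activity out of syslog. The function names and sample pfile lines are constructed; because the tests described above found that only certain facility/level combinations are accepted, a clean result does not guarantee that the instance starts with that value.

```python
import re

# Facility and level names exactly as listed in the manual excerpt quoted above.
FACILITIES = {"USER", "SYSLOG", "DAEMON", "KERN", "MAIL", "AUTH", "LPR",
              "NEWS", "UUCP", "CRON"} | {f"LOCAL{i}" for i in range(8)}
LEVELS = {"NOTICE", "INFO", "DEBUG", "WARNING", "ERR", "CRIT", "ALERT", "EMERG"}
# pfile line: optional "*." or "SID." prefix, then name=value.
PARAM_RE = re.compile(r"^\s*(?:[\w*]+\.)?(\w+)\s*=\s*(.*?)\s*$")

def parse_pfile(text):
    """Return {lower-case parameter name: unquoted value}; the last setting wins."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line.split("#", 1)[0])  # "#" starts a comment
        if m:
            params[m.group(1).lower()] = m.group(2).strip("'\"")
    return params

def check_sys_audit(pfile_text):
    """Return findings about syslog auditing of SYSDBA/SYSOPER activity on UNIX."""
    p = parse_pfile(pfile_text)
    findings = []
    value = p.get("audit_syslog_level")
    if value is None:
        findings.append("audit_syslog_level is not set: no audit records via syslog")
    else:
        # Assumption: names are compared case-insensitively.
        facility, _, level = value.upper().partition(".")
        if facility not in FACILITIES or level not in LEVELS:
            findings.append(f"audit_syslog_level={value!r} is not a documented "
                            "facility.level: expect ORA-32028 and a failed startup")
    if p.get("audit_sys_operations", "").upper() != "TRUE":
        findings.append("audit_sys_operations=TRUE is not set: only CONNECT, "
                        "STARTUP and SHUTDOWN are logged for SYSDBA/SYSOPER")
    return findings

# Constructed sample pfile fragments (not from the page); audit_trail may stay NONE.
SAMPLE_OK = """\
*.audit_syslog_level='LOCAL1.WARNING'
*.audit_sys_operations=TRUE
*.audit_trail=NONE
"""
SAMPLE_BAD = """\
*.audit_syslog_level='LOCAL8.WARN'   # neither name is in the documented lists
*.audit_trail=OS
"""
if __name__ == "__main__":
    for name, text in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_sys_audit(text) or "no findings")
```
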