Database Reference
Using AUDIT_SYSLOG_LEVEL
As stated earlier, the string assigned to AUDIT_SYSLOG_LEVEL must consist of a facility name and a priority or level. Surprisingly, when doing a SHOW PARAMETER or a SELECT from V$PARAMETER, merely the facility is visible—the dot as well as the level are suppressed.[3] For example, with the entry *.audit_syslog_level='USER.NOTICE' in the SPFILE used to start the instance, SHOW PARAMETER yields:
SQL> SHOW PARAMETER audit_syslog_level
NAME                                 TYPE        VALUE
------------------------------------ ----------- -----
audit_syslog_level                   string      USER
SQL> SELECT value FROM v$parameter WHERE name='audit_syslog_level';
VALUE
-----
USER
Yet, when executing CONNECT / AS SYSDBA, the facility and level logged in /var/adm/messages on Solaris are “user.notice”:
Feb 21 11:45:52 dbserver Oracle Audit[27742]: [ID 441842 user.notice]
ACTION : 'CONNECT'
Feb 21 11:45:52 dbserver DATABASE USER: '/'
Feb 21 11:45:52 dbserver PRIVILEGE : SYSDBA
Feb 21 11:45:52 dbserver CLIENT USER: oracle
Feb 21 11:45:52 dbserver CLIENT TERMINAL: pts/3
Feb 21 11:45:52 dbserver STATUS: 0
If an SPFILE is used, the full setting is available by querying V$SPPARAMETER:
SQL> SELECT value FROM v$spparameter WHERE name='audit_syslog_level';
VALUE
-----------
user.notice
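Because each audited action is spread over several syslog lines, a monitoring script has to regroup them before it can report on privileged connections. The following Python sketch is an added example, not part of the original text: it parses records in the Solaris layout shown above and returns the SYSDBA/SYSOPER connects together with the facility and level actually used. The sample input is constructed from the record above plus one unrelated sshd line, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the record shown above, plus one unrelated line.
SAMPLE = """\
Feb 21 11:45:52 dbserver Oracle Audit[27742]: [ID 441842 user.notice]
ACTION : 'CONNECT'
Feb 21 11:45:52 dbserver DATABASE USER: '/'
Feb 21 11:45:52 dbserver PRIVILEGE : SYSDBA
Feb 21 11:45:52 dbserver CLIENT USER: oracle
Feb 21 11:45:52 dbserver CLIENT TERMINAL: pts/3
Feb 21 11:45:52 dbserver STATUS: 0
Feb 21 11:46:10 dbserver sshd[911]: [ID 800047 auth.info] Accepted publickey for oracle
"""

PREFIX = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(.*)$")   # timestamp, host, rest
HEADER = re.compile(r"^Oracle Audit\[(\d+)\]:\s*\[ID \d+ (\w+)\.(\w+)\]\s*(.*)$")
OTHER_TAG = re.compile(r"^\S+\[\d+\]:")             # start of another program's message
FIELD = re.compile(r"^([A-Z][A-Z ]*?)\s*:\s*(.*)$")  # e.g. "CLIENT USER: oracle"

def parse_audit_records(text):
    """Group the multi-line 'Oracle Audit' syslog entries into one dict per event."""
    records, cur = [], None
    for line in text.splitlines():
        m = PREFIX.match(line)
        ts, host, rest = m.groups() if m else (None, None, line.strip())
        h = HEADER.match(rest)
        if h:
            # New audit record; ACTION may follow on the same line or on the next one.
            pid, facility, level, rest = h.groups()
            cur = {"time": ts, "host": host, "pid": int(pid),
                   "facility": facility, "level": level}
            records.append(cur)
        elif OTHER_TAG.match(rest):
            cur = None  # a different program logged; the audit record has ended
            continue
        f = FIELD.match(rest)
        if cur is not None and f:
            cur[f.group(1)] = f.group(2).strip().strip("'")
    return records

def privileged_connects(records):
    """Return CONNECT events made with SYSDBA or SYSOPER privilege."""
    return [r for r in records
            if r.get("ACTION") == "CONNECT" and r.get("PRIVILEGE") in ("SYSDBA", "SYSOPER")]

if __name__ == "__main__":
    for r in privileged_connects(parse_audit_records(SAMPLE)):
        print(r["time"], r["host"], r["facility"] + "." + r["level"], r["PRIVILEGE"],
              r["CLIENT USER"], r["CLIENT TERMINAL"], "status", r["STATUS"])
```
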
Auditing Non-Privileged Users
Of course, you may also direct audit records pertaining to non-privileged users to the system log by setting AUDIT_TRAIL=OS in addition to AUDIT_SYSLOG_LEVEL. Non-privileged users cannot delete audit trails logging their actions. The search for perpetrators with queries against auditing views, such as DBA_AUDIT_STATEMENT or DBA_AUDIT_OBJECT, is easier than searching the system log. For these reasons, keeping the audit trails of non-privileged users inside the database with AUDIT_TRAIL=DB is preferred. With the latter setting, audit trails are written to the table SYS.AUD$ and may be queried through the aforementioned data dictionary views. Setting AUDIT_TRAIL=NONE switches off auditing of actions by non-privileged users.
3. Test performed with ORACLE DBMS version 10.2.0.3.