Database Reference
In-Depth Information
After enabling auditing for database connections established by non-privileged users, e.g.,
as in:
SQL> AUDIT CONNECT BY appuser /* audit_trail=os set */;
entries similar to the following are written to the syslog facility (example from Solaris):
Feb 21 11:41:14 dbserver Oracle Audit[27684]: [ID 930208 user.notice]
SESSIONID: "15" ENTRYID: "1" STATEMENT: "1" USERID: "APPUSER"
USERHOST: "dbserver" TERMINAL: "pts/3" ACTION: "100" RETURNCODE: "0"
COMMENT$TEXT: "Authenticated by: DATABASE" OS$USERID: "oracle"
PRIV$USED: 5
Another entry is added to
/var/adm/messages
when a database session ends:
Feb 21 11:44:41 dbserver Oracle Audit[27684]: [ID 162490 user.notice]
SESSIONID: "15" ENTRYID: "1" ACTION: "101" RETURNCODE: "0"
LOGOFF$PREAD: "1" LOGOFF$LREAD: "17" LOGOFF$LWRITE: "0" LOGOFF$DEAD:
"0" SESSIONCPU: "2"
Note that additional data provided on the actions LOGON (100) and LOGOFF (101) conforms
to the columns of the view
DBA_AUDIT_SESSION
. Translation from action numbers to action
names is done via the view
AUDIT_ACTIONS
as in this example:
SQL> SELECT action, name FROM audit_actions WHERE action IN (100,101)
ACTION NAME
------ ------
100 LOGON
101 LOGOFF
When
AUDIT_SYSLOG_LEVEL=AUTH.INFO
,
AUDIT_SYS_OPERATIONS=FALSE
and
AUDIT_TRAIL=NONE
,
CONNECT
,
STARTUP
, and
SHUTDOWN
are logged via syslog. With these settings, an instance shutdown
on Solaris writes entries similar to the following to
/var/adm/messages
:
Feb 21 14:40:01 dbserver Oracle Audit[29036]:[ID 63719 auth.info] ACTION:'SHUTDOWN'
Feb 21 14:40:01 dbserver DATABASE USER: '/'
Feb 21 14:40:01 dbserver PRIVILEGE : SYSDBA
Feb 21 14:40:01 dbserver CLIENT USER: oracle
Feb 21 14:40:01 dbserver CLIENT TERMINAL: pts/3
Feb 21 14:40:01 dbserver STATUS: 0
When
AUDIT_SYSLOG_LEVEL=AUTH.INFO
,
AUDIT_SYS_OPERATIONS=TRUE
, and
AUDIT_TRAIL=NONE
,
SQL and PL/SQL statements executed with
SYSDBA
or
SYSOPER
privileges are also logged via
syslog. Dropping a user after connecting with
/ AS SYSDBA
results in a syslog entry similar to the
one shown here: