Search This Blog

Saturday, September 17, 2011

Audit is not enabled but still .aud files generated

You might be not know... if database audit is not enabled then also oracle audit few database operation and records in the OS audit files (*.aud).

[oracle@spiora bin]$ ./sqlplus / as sysdba

SQL*Plus: Release 10.2.0.4.0 - Production on Sat Sep 17 19:21:11 2011

Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show parameter audit_sys_operations

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_sys_operations                 boolean     FALSE

SQL> show parameter audit_trail

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_trail                          string      DB_EXTENDED

SQL> show parameter audit_file

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /db/app/oracle/Db_1/rdbms/audi
                                                 t
SQL> host ls -lrt /db/app/oracle/Db_1/rdbms/audit

/db/app/oracle/Db_1/rdbms/audit:
ora_10033.aud  ora_12623.aud  ora_21641.aud  ora_30348.aud  ora_3974.aud
ora_10085.aud  ora_1264.aud   ora_21644.aud  ora_30349.aud  ora_3975.aud
ora_10148.aud  ora_12650.aud  ora_2186.aud   ora_30351.aud  ora_3991.aud
ora_10154.aud  ora_12652.aud  ora_21988.aud  ora_30352.aud  ora_3994.aud

lets have a look what inside this aud files

SQL>  host cat /db/app/oracle/Db_1/rdbms/audit/ora_26457.aud
Audit file /db/app/oracle/Db_1/rdbms/audit/ora_26457.aud
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /db/app/oracle/Db_1
System name:    Linux
Node name:      spiora.dummy.local
Release:        2.6.9-34.ELsmp
Version:        #1 SMP Fri Feb 24 16:54:53 EST 2006
Machine:        i686
Instance name: orcl
Redo thread mounted by this instance: 1
Oracle process number: 15
Unix process pid: 26457, image: oracle@spiora.dummy.local (TNS V1-V3)

Sat Sep 17 19:21:11 2011
LENGTH : '137'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'

Below are the following operations which is audit if audit is not enabled. (mandatory audit)

mandatory auditing
Activities that are audited by default, regardless of whether or not auditing was enabled. These activities include connections to the instance with administrator privileges, database startups, and database shutdowns. Oracle Database writes these activities to the operating system audit trail.



2 comments:

Muhammad Abdul Halim said...

Thanks , Now its clear.

Regards
Halim

Mohammed Taj said...

I am Glad, its helpful.

Taj