this article is basic of enabling auditing for SYS administrative user.
1. How to enable AUDIT for sys administrative user.
Step:
1. logon to database with sysdba user
2. set AUDIT_SYS_OPERATIONS parameter (mandatory) to TRUE
default value of this parameter is FALSE
This parameter is static means we required to bounce DATABASE to take effect of this parameter value.
3. set AUDIT_TRAIL parameter as per desired value.
default value of this parameter is none
4. set AUDIT_FILE_DEST = location path for audit records log file
default value of this parameter %ORACLE_BASE%/ORACLE_SID/adump
IF AUDIT_FILE_DEST parameter doesn't set or not point to valid directory then oracle will create audit file in %ORACLE_HOME%/rdbms/audit directory.
5. restart database
6. Setting the size or age of the operating system audit files
Example:
[oracle@recovery bin]$ ./sqlplus / as sysdba
SQL*Plus: Release 11.2.0.1.0 Production on Sat Sep 17 21:46:36 2011
Copyright (c) 1982, 2009, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> alter system set audit_sys_operations=TRUE scope=spfile;
System altered.
SQL> alter system set audit_trail='DB' scope=spfile;
System altered.
SQL> alter system set audit_file_dest='/db/admin/oramfe/adump/' scope=spfile;
System altered.
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 2042241024 bytes
Fixed Size 1337548 bytes
Variable Size 973080372 bytes
Database Buffers 1056964608 bytes
Redo Buffers 10858496 bytes
Database mounted.
Database opened.
SQL> host ls -lrt /db/admin/oramfe/adump/
total 32
-rw-rw---- 1 oracle oracle 2585 Sep 17 21:48 oramfe_ora_12487_1.aud
-rw-rw---- 1 oracle oracle 750 Sep 17 21:48 oramfe_ora_12500_2.aud
-rw-rw---- 1 oracle oracle 1451 Sep 17 21:50 oramfe_ora_12602_1.aud
-rw-rw---- 1 oracle oracle 980 Sep 17 21:51 oramfe_ora_12671_1.aud
SQL> host cat /db/admin/oramfe/adump/oramfe_ora_12671_1.aud
Audit file /db/admin/oramfe/adump/oramfe_ora_12671_1.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /db/product/11.2.0/dbhome_1/
System name: Linux
Node name: recovery.fakhruddin.local
Release: 2.6.18-53.el5
Version: #1 SMP Wed Oct 10 16:34:02 EDT 2007
Machine: i686
Instance name: oramfe
Redo thread mounted by this instance: 1
Oracle process number: 20
Unix process pid: 12671, image: oracle@recovery.fakhruddin.local (TNS V1-V3)
Sat Sep 17 21:50:07 2011 +04:00
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'
DBID:[10] '3012735072'
Sat Sep 17 21:51:21 2011 +04:00
LENGTH : '173'
ACTION :[19] 'ALTER DATABASE OPEN'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'
DBID:[10] '3012735072'
On windows platform the audit records will captured in the event viewer log file.
start --->> control penals >>> administrative tools >>> event viewer >>>> application log
No comments:
Post a Comment