Re: what does audit_sys_operations actually audit
From: Tim Gorman <tim_at_evdbt.com>
Date: Wed, 07 Jan 2009 11:46:16 -0700
Message-ID: <4964F878.7000705_at_evdbt.com>
AUDIT_SYS_OPERATIONS only sends records to the OS audit trail, not the
DB audit trail (i.e. SYS.AUD$). Check the files in your
AUDIT_FILE_DEST.
Rationale: Why leave audit records for SYSDBA where SYSDBA users can tamper with them? Oracle sends them to OS files so they can be protected (if necessary) from tampering by SYSDBA. Now, you just have to trust your OS sysadmins.... ;-)
Douglas Cowles wrote:
Date: Wed, 07 Jan 2009 11:46:16 -0700
Message-ID: <4964F878.7000705_at_evdbt.com>
Rationale: Why leave audit records for SYSDBA where SYSDBA users can tamper with them? Oracle sends them to OS files so they can be protected (if necessary) from tampering by SYSDBA. Now, you just have to trust your OS sysadmins.... ;-)
Douglas Cowles wrote:
-- http://www.freelists.org/webpage/oracle-l Received on Wed Jan 07 2009 - 12:46:16 CST
I turned on audit_sys_operations in a dev database but nothing seems to be being added to the sys.aud$ table.
SQL> show parameter audit_sys_operations;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_sys_operations boolean TRUE
SQL> show user;
USER is "SYS"
SQL>
SQL> select sqltext from sys.aud$ where ntimestamp# between to_date('01-07-09 13:15','MM-DD-RR HH24:MI') and sysdate;
SQLTEXT
--------------------------------------------------------------------------------
SQL> select count(1) from sys.aud$ where ntimestamp# between to_date('01-07-09 13:15','MM-DD-RR HH24:MI') and sysdate;
COUNT(1)
----------
1
SQL> create table test(a number);
Table created.
SQL> insert into test values (1);
1 row created.
SQL> delete from test;
1 row deleted.
SQL> drop table test;
Table dropped.
SQL> select count(1) from sys.aud$ where ntimestamp# between to_date('01-07-09 13:15','MM-DD-RR HH24:MI') and sysdate;
COUNT(1)
----------
1
No new rows added.. What's the deal?
Dc.