Using Linux Audit to Audit / Log All Oracle Related Activity

Steve Grubb sgrubb at redhat.com
Mon Dec 17 13:36:39 UTC 2007


On Monday 17 December 2007 08:21:18 Mathew Brown wrote:
> I was wondering if the Linux Audit Daemon could be used to address the
>   issue of Oracle auditing.  Has anyone investigated this possibility?

What would you like to know about Oracle?

>   Ideally, I would like to audit all network (listener) as well as all
>   local access (an Oracle DBA running sqlplus directly on the machine).

You mean accepting the connection? I think you can get all accepts that Oracle 
would issue, but I don't know if you will get the remote address in the logs. 
You also cannot tell it that you want accepts of a specific socket.

You might want to spend some time looking at Oracle from strace. That is about 
the view of the world from the Linux Audit System. If you can't find anything 
worth logging from that, it most likely means that you'd want Oracle to be 
patched to send meaningful events to the audit system.

-Steve




More information about the Linux-audit mailing list