Using Linux Audit to Audit / Log All Oracle Related Activity
Mathew Brown
mathewbrown at fastmail.fm
Sat Dec 22 15:06:05 UTC 2007
On Mon, 17 Dec 2007 08:36:39 -0500, "Steve Grubb" <sgrubb at redhat.com>
said:
> On Monday 17 December 2007 08:21:18 Mathew Brown wrote:
> > I was wondering if the Linux Audit Daemon could be used to address the
> > issue of Oracle auditing. Has anyone investigated this possibility?
>
> What would you like to know about Oracle?
Hi Steve,
Thanks for your reply. What I was interested in is auditing all
queries and modifications to the database. I'm looking at it from a
compliance perspective (and trying to minimize the power of the sysdba
account). I've looked at alternative solutions such as the Oracle
Vault which enables logging but it's too CPU intensive. I thought
that the Linux audit daemon might provide me with similar
functionality but have the added benefit of not requiring writes
locally (send to remote syslog for example).
> > Ideally, I would like to audit all network (listener) as well as all
> > local access (an Oracle DBA running sqlplus directly on the machine).
>
> You mean accepting the connection? I think you can get all accepts that
> Oracle would issue, but I don't know if you will get the remote address
> in the logs. You also cannot tell it that you want accepts of a specific
> socket.
>
> You might want to spend some time looking at Oracle from strace. That is
> about the view of the world from the Linux Audit System. If you can't
> find anything worth logging from that, it most likely means that you'd
> want Oracle to be patched to send meaningful events to the audit system.
>
> -Steve
--
Mathew Brown
mathewbrown at fastmail.fm
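
To make the accept() discussion above concrete, here is an added example (not code from the thread or from the audit project) that pairs each successful accept record with the SOCKADDR record of the same audit event and decodes the peer address. It assumes the kernel emits a SOCKADDR record alongside the accept event and that a syscall rule tagged with the hypothetical key `oracle-accept` is loaded; the log lines, uid, paths and addresses are constructed.

```python
import re
import socket
from collections import defaultdict

# Constructed sample records (not from the thread). syscall=43 is accept on
# x86_64 (arch=c000003e); the uid, pids, paths and addresses are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1198335965.101:4567): arch=c000003e syscall=43 success=yes exit=12 pid=2345 uid=501 comm="tnslsnr" exe="/opt/oracle/bin/tnslsnr" key="oracle-accept"
type=SOCKADDR msg=audit(1198335965.101:4567): saddr=0200C350C000020A0000000000000000
type=SYSCALL msg=audit(1198335970.220:4570): arch=c000003e syscall=43 success=no exit=-11 pid=2345 uid=501 comm="tnslsnr" exe="/opt/oracle/bin/tnslsnr" key="oracle-accept"
type=SYSCALL msg=audit(1198335981.007:4581): arch=c000003e syscall=43 success=yes exit=13 pid=2345 uid=501 comm="tnslsnr" exe="/opt/oracle/bin/tnslsnr" key="oracle-accept"
type=SOCKADDR msg=audit(1198335981.007:4581): saddr=01002F746D702F2E6F7261636C65
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_saddr(hexstr):
    """Decode the hex sockaddr; only AF_INET peers are resolved to ip:port."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], "little")  # host byte order on x86
    if family == socket.AF_INET and len(raw) >= 8:
        port = int.from_bytes(raw[2:4], "big")  # network byte order
        return f"{socket.inet_ntoa(raw[4:8])}:{port}"
    return None  # AF_UNIX, AF_INET6, etc. are not handled here

def remote_peers(log_text, key="oracle-accept"):
    """Group records by audit event id and pair each successful keyed
    accept with the SOCKADDR record of the same event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, ts, serial, rest = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
            events[(ts, serial)][rtype] = fields
    peers = []
    for (ts, serial), recs in sorted(events.items()):
        sc = recs.get("SYSCALL", {})
        if sc.get("key") != key or sc.get("success") != "yes":
            continue
        saddr = recs.get("SOCKADDR", {}).get("saddr")
        peers.append((serial, sc["comm"], decode_saddr(saddr) if saddr else None))
    return peers

if __name__ == "__main__":
    for serial, comm, peer in remote_peers(SAMPLE_LOG):
        print(serial, comm, peer or "no AF_INET peer recorded")
```

This covers only connection acceptance; nothing in these records shows which queries were run over the connection.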