public inbox for linux-audit@redhat.com
* Using Linux Audit to Audit / Log All Oracle Related Activity
@ 2007-12-17 13:21 Mathew Brown
  2007-12-17 13:36 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Mathew Brown @ 2007-12-17 13:21 UTC
  To: linux-audit

Hi,
  I was wondering if the Linux Audit Daemon could be used to address the
  issue of Oracle auditing.  Has anyone investigated this possibility? 
  Ideally, I would like to audit all network (listener) as well as all
  local access (an Oracle DBA running sqlplus directly on the machine). 
  Any ideas?  Thanks for your help.
-- 
  Mathew Brown
  mathewbrown@fastmail.fm


* Re: Using Linux Audit to Audit / Log All Oracle Related Activity
  2007-12-17 13:21 Using Linux Audit to Audit / Log All Oracle Related Activity Mathew Brown
@ 2007-12-17 13:36 ` Steve Grubb
  2007-12-22 15:06   ` Mathew Brown
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2007-12-17 13:36 UTC
  To: linux-audit; +Cc: Mathew Brown

On Monday 17 December 2007 08:21:18 Mathew Brown wrote:
> I was wondering if the Linux Audit Daemon could be used to address the
>   issue of Oracle auditing.  Has anyone investigated this possibility?

What would you like to know about Oracle?

>   Ideally, I would like to audit all network (listener) as well as all
>   local access (an Oracle DBA running sqlplus directly on the machine).

You mean accepting the connection? I think you can get all accepts that Oracle 
would issue, but I don't know if you will get the remote address in the logs. 
You also cannot tell it that you want accepts of a specific socket.

You might want to spend some time looking at Oracle from strace. That is about 
the view of the world from the Linux Audit System. If you can't find anything 
worth logging from that, it most likely means that you'd want Oracle to be 
patched to send meaningful events to the audit system.

-Steve
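
Added example, not part of the thread and not code from either poster or the audit project: a Python parser that joins SYSCALL and SOCKADDR audit records by event serial and decodes saddr into the peer address of each accept, reporting when no address was logged. The sample records, the rule in the comment, the key name and the PID are constructed; it assumes an x86-64 host and that the kernel emits a SOCKADDR record for the accept.

```python
import ipaddress
import re

# Constructed sample records (not from the thread). Assumed rule behind them:
#   auditctl -a always,exit -F arch=b64 -S accept -F uid=<oracle-uid> -k oracle-accept
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1198071000.101:4242): arch=c000003e syscall=43 success=yes exit=9 pid=2311 comm="tnslsnr" key="oracle-accept"
type=SOCKADDR msg=audit(1198071000.101:4242): saddr=0200C822C000022D0000000000000000
type=SYSCALL msg=audit(1198071003.554:4243): arch=c000003e syscall=43 success=yes exit=10 pid=2311 comm="tnslsnr" key="oracle-accept"
type=SYSCALL msg=audit(1198071009.020:4244): arch=c000003e syscall=43 success=yes exit=11 pid=2311 comm="tnslsnr" key="oracle-accept"
type=SOCKADDR msg=audit(1198071009.020:4244): saddr=0100
"""

RECORD = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")


def decode_saddr(hexstr):
    """Decode the raw sockaddr bytes that the kernel logs as hex in saddr=."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], "little")   # sa_family: host order (x86-64)
    if family == 2 and len(raw) >= 8:            # AF_INET: port, 4-byte address
        port = int.from_bytes(raw[2:4], "big")
        return f"{ipaddress.IPv4Address(raw[4:8])}:{port}"
    if family == 10 and len(raw) >= 24:          # AF_INET6: port, flowinfo, address
        port = int.from_bytes(raw[2:4], "big")
        return f"[{ipaddress.IPv6Address(raw[8:24])}]:{port}"
    return f"family={family}"                    # e.g. AF_UNIX: no network peer


def accepted_peers(log_text, key="oracle-accept"):
    """Join records by event serial; return (serial, comm, peer) per keyed event."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
        ev = events.setdefault(int(serial), {"comm": None, "peer": None, "keyed": False})
        if rtype == "SYSCALL":
            ev["comm"] = fields.get("comm", "").strip('"')
            ev["keyed"] = fields.get("key", "").strip('"') == key
        elif rtype == "SOCKADDR" and "saddr" in fields:
            ev["peer"] = decode_saddr(fields["saddr"])
    return [(s, e["comm"], e["peer"]) for s, e in sorted(events.items()) if e["keyed"]]


if __name__ == "__main__":
    for serial, comm, peer in accepted_peers(SAMPLE_LOG):
        print(serial, comm, peer or "no SOCKADDR record: peer unknown")
```

The output identifies which process accepted a connection and from where, but nothing about the SQL that follows on that socket.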


* Re: Using Linux Audit to Audit / Log All Oracle Related Activity
  2007-12-17 13:36 ` Steve Grubb
@ 2007-12-22 15:06   ` Mathew Brown
  0 siblings, 0 replies; 3+ messages in thread
From: Mathew Brown @ 2007-12-22 15:06 UTC
  To: Steve Grubb, linux-audit

On Mon, 17 Dec 2007 08:36:39 -0500, "Steve Grubb" <sgrubb@redhat.com>
said:
> On Monday 17 December 2007 08:21:18 Mathew Brown wrote:
> > I was wondering if the Linux Audit Daemon could be used to address the
> >   issue of Oracle auditing.  Has anyone investigated this possibility?
> 
> What would you like to know about Oracle?

Hi Steve,
  Thanks for your reply.  What I was interested in is auditing all
  queries and modifications to the database.  I'm looking at it from a
  compliance perspective (and trying to minimize the power of the sysdba
  account).  I've looked at alternative solutions such as the Oracle
  Vault, which enables logging, but it's too CPU intensive.  I thought
  that the Linux audit daemon might provide me with similar
  functionality but have the added benefit of not requiring writes
  locally (send to remote syslog for example).
 
> >   Ideally, I would like to audit all network (listener) as well as all
> >   local access (an Oracle DBA running sqlplus directly on the machine).
> 
> You mean accepting the connection? I think you can get all accepts that Oracle
> would issue, but I don't know if you will get the remote address in the logs.
> You also cannot tell it that you want accepts of a specific socket.
>
> You might want to spend some time looking at Oracle from strace. That is about
> the view of the world from the Linux Audit System. If you can't find anything
> worth logging from that, it most likely means that you'd want Oracle to be
> patched to send meaningful events to the audit system.
> 
> -Steve
-- 
  Mathew Brown
  mathewbrown@fastmail.fm

