From: Steve Grubb
Subject: Re: Using Linux Audit to Audit / Log All Oracle Related Activity
Date: Mon, 17 Dec 2007 08:36:39 -0500
Message-ID: <200712170836.39984.sgrubb@redhat.com>
References: <1197897678.9239.1226981649@webmail.messagingengine.com>
In-Reply-To: <1197897678.9239.1226981649@webmail.messagingengine.com>
To: linux-audit@redhat.com
Cc: Mathew Brown
List-Id: linux-audit@redhat.com

On Monday 17 December 2007 08:21:18 Mathew Brown wrote:
> I was wondering if the Linux Audit Daemon could be used to address the
> issue of Oracle auditing. Has anyone investigated this possibility?

What would you like to know about Oracle?

> Ideally, I would like to audit all network (listener) as well as all
> local access (an Oracle DBA running sqlplus directly on the machine).

You mean accepting the connection? I think you can get all accepts that Oracle
would issue, but I don't know if you will get the remote address in the logs.
You also cannot tell it that you want accepts of a specific socket.

You might want to spend some time looking at Oracle from strace. That is about
the view of the world from the Linux Audit System. If you can't find anything
worth logging from that, it most likely means that you'd want Oracle to be
patched to send meaningful events to the audit system.

-Steve