icon-pdfDownload PDF lhs-panel
lhs-panel Click here to expand

Adding Oracle Server

  • Navigate to Settings > Log Source Configuration > Database Audit.
  • Next, select the Oracle tab.
  • Click on + Add oracle server if no oracle servers are configured.
  • Expand the list by clicking the "+" icon to add a new device
    • Adding Oracle Server
  • Choose from the drop-down menu to add Configured devices, Workgroup devices, domain devices, etc.
  • To add new devices manually, click on Configure Manually and enter Log Source.
  • If the device type is Unix, check the Add as Syslog device box. If the device type is Windows, enter Username > Password > Verify Credentials and click on Select.
  • Based on your selected device type, choose between Windows and Unix platform options. If you have configured the log sources manually, the platforms will be automatically updated.
  • Click on Add to add the log source.

Oracle Server Configuration

Reference: http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#CEGBIIJD

For Oracle server installed in Windows platform

  • Connect to SQL *Plus using the sqlplus command.
  • Execute the command given below to check whether the audit_trail is set to OS or not.
    • Copy to Clipboard

    Show parameter AUDIT_TRAIL;

  • Change audit parameters using the below command:
    • Copy to Clipboard

    Show parameter AUDIT_TRAIL;ALTER SYSTEM SET AUDIT_TRAIL=OS SCOPE=SPFILE;

  • Restart the Oracle server to let the changes take effect.
  • To disable AUDIT_TRAIL
    • Copy to Clipboard

    ALTER SYSTEM SET audit_trail = NONE SCOPE=SPFILE ;

For Oracle Server installed in Unix platform

  • Execute the command given below to check whether the audit_trail is set to OS or not.
    • Copy to Clipboard

    Show parameter AUDIT_TRAIL;

  • Change audit parameters using the below command:
    • Copy to Clipboard

    ALTER SYSTEM SET AUDIT_TRAIL=OS SCOPE=SPFILE;

To enable Oracle syslog auditing, follow the procedure given below:

  1. Manually add and set the AUDIT_SYSLOG_LEVEL parameter in the initialization parameter file, initsid.ora.

    The AUDIT_SYSLOG_LEVEL parameter is set to specify a facility and priority in the format AUDIT_SYSLOG_LEVEL=facility.priority.

    facility: Describes the part of the operating system that is logging the message. Accepted values are user, local0–local7, syslog, daemon, kern, mail, auth, lpr, news, uucp, and cron.

    The local0–local7 values are predefined tags that enable you to sort the syslog message into categories. These categories can be log files or other destinations that the syslog utility can access. To find more information about these types of tags, refer to the syslog utility MAN page.

    priority: Defines the severity of the message. Accepted values are notice, info, debug, warning, err, crit, alert, and emerg.

    The syslog daemon compares the value assigned to the facility argument of the AUDIT_SYSLOG_LEVEL parameter with the syslog.conf file to determine where to log information.

    For example,the following statement identifies the facility as local1 with a priority level of warning:

    AUDIT_SYSLOG_LEVEL=local1.warning

    2. See Oracle Database Reference for more information about AUDIT_SYSLOG_LEVEL.

  2. Log in to the machine that contains the syslog configuration file, /etc/syslog.conf, with the superuser (root) privilege.
  3. Add the audit file destination to the syslog configuration file /etc/syslog.conf.

    For example: assuming you had set the AUDIT_SYSLOG_LEVEL to local1.warning, enter the following:

    Copy to Clipboard

    local1.warning /var/log/audit.log

    This setting logs all warning messages to the /var/log/audit.log file.

  4. Restart the syslog logger:
    5. Copy to Clipboard

    $/etc/rc.d/init.d/syslog restart

    Now, all audit records will be captured in the file /var/log/audit.log through the syslog daemon.

  5. Restart the Oracle server so that the changes take effect.
    6. Note: When logged in as SYSDBA/SYSOPER, Oracle database provides limited information on database activity monitoring. Hence, to get the complete audit trail activities of Oracle database, we suggest that you log in as a user with privilege other than SYSDBA/SYSOPER.

Auditing statements

DDL

You can audit DDL activities of a selected user in the database.

  • To enable auditing of all privileges of users:
    • Copy to Clipboard

    AUDIT ALL PRIVILEGES by user_name; (or)
    AUDIT CREATE TABLE by user_name;

  • To enable auditing of specific privileges:
    • Copy to Clipboard

    AUDIT CREATE TABLE by user_name;

    Add your required auditing option near "CREATE TABLE".

  • Restart the Oracle server to let the changes take effect.
    • Note: To check the audit options that are enabled under any user, execute the statement given below.
    Copy to Clipboard

    SELECT user_name, audit_option, success, failure FROM DBA_STMT_AUDIT_OPTS;

DML

This auditing enables you to audit specific statements on a particular object. It always applies to all users of the database.

    Copy to Clipboard

    AUDIT SELECT, INSERT, UPDATE, DELETE on table_name

    You can also add your required auditing option(s) here.

  • The following statement specifies default auditing options for objects that might be created in the future:
    • Copy to Clipboard

    AUDIT SELECT, INSERT, UPDATE, DELETE on DEFAULT;

  • Restart the Oracle server to let the changes take effect.
    • Note: To check the audit options that are enabled under any object, simply execute the below statement.
      Copy to Clipboard

      SELECT OWNER, OBJECT_NAME, OBJECT_TYPE, INS, UPD, DEL FROM DBA_OBJ_AUDIT_OPTS;

    To disable audit option, use NOAUDIT instead of AUDIT in same statement.

    Details about the audit options are available here.

Copyright © 2020, ZOHO Corp. All Rights Reserved.

Get download link