Oracle 11g – Avoid SYS User and Disable Logging

logging oracle oracle-11g

Hi and thanks for reading,

I'm really new to Oracle. I have an Oracle database, and it needs to have a permanent log; not even the SYS user should be able to modify it or disable it. I read all the docs I could find on Google, and from here:

https://docs.oracle.com/cd/B28359_01/server.111/b28337/tdpsg_auditing.htm#CEGIDHAG

I learnt how I can prevent the SYS user from modifying the log by using AUDIT_TRAIL OS. Using the OS value makes Oracle write the log to an OS file, to which the SYS user does not have access. But it is required to prevent the SYS user from disabling the log, to prevent fraud even by the sysadmin who has the password for the SYS or SYSTEM user. (If there is another way to prevent fraud by the sysadmin, it is also welcome.)

I have Oracle 11g and there is no budget to buy anything else.

Best Answer

There is no way to limit the abilities of the SYS user. It is a super user account, similar to root on a UNIX operating system.

If a user changes the logging method, this act will be logged. The last OS-level log will show the act of changing it. So your DBA will not be able to disable logging without leaving a record.

Note that the auditing features of Oracle are greatly improved in version 12c. If you can upgrade, you probably should.
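
The answer's point that a change to the logging method leaves a record in the OS-level log can be checked mechanically. The following is an added example, not part of the original answer: it scans OS audit records for ALTER SYSTEM statements that touch audit parameters. The record layout and sample data are constructed, and it assumes SYS statements are being written to the OS trail (AUDIT_SYS_OPERATIONS=TRUE).

```python
import re

# Constructed, trimmed sample of an OS audit file written with AUDIT_TRAIL=OS.
# The field layout is an assumption modelled on 11g .aud files, not taken from the page.
SAMPLE_AUD = """\
Tue Mar  4 09:15:02 2014 +00:00
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
STATUS:[1] '0'

Tue Mar  4 09:16:40 2014 +00:00
ACTION :[46] 'alter system set audit_trail=NONE scope=spfile'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
STATUS:[1] '0'

Tue Mar  4 09:17:05 2014 +00:00
ACTION :[30] 'select count(*) from dba_users'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
STATUS:[1] '0'
"""

# Initialization parameters that control where and whether audit records are written.
AUDIT_PARAMS = ("audit_trail", "audit_sys_operations", "audit_file_dest", "audit_syslog_level")
FIELD = re.compile(r"^([A-Z ]+?)\s*:\[\d+\]\s*'(.*)'$")
CHANGE = re.compile(r"alter\s+system\s+set\s+(%s)\s*=\s*(\S+)" % "|".join(AUDIT_PARAMS), re.I)

def parse_records(text):
    """Split the file on blank lines; first line of each record is its timestamp."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"TIMESTAMP": lines[0].strip()}
        for line in lines[1:]:
            m = FIELD.match(line.strip())
            if m:
                rec[m.group(1).strip()] = m.group(2)
        records.append(rec)
    return records

def audit_config_changes(text):
    """Return (timestamp, OS user, parameter, new value) for each audit-setting change."""
    hits = []
    for rec in parse_records(text):
        m = CHANGE.search(rec.get("ACTION", ""))
        if m:
            hits.append((rec["TIMESTAMP"], rec.get("CLIENT USER", "?"), m.group(1).lower(), m.group(2)))
    return hits
```

Run it from an account the DBA does not control, against a copy of the audit files, so the check itself cannot be silenced from inside the database.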