Question on Auditing 12C

auditoracleoracle-12c

I have the following configuration information:

audit_sys_operations                                                            
TRUE   

audit_file_dest                                                                 
D:\ORACLE\ADMIN\DBSERVER\ADUMP  

audit_trail                                                                     
DB                                                                              

SQL> spool off;

This tells me that audit data for the SYS user is being saved in a database file. If the SYS user has full access to DB, does this not defeat the purpose of audit SYS files being stored on the DB server?

Best Answer

AUDIT_SYS_OPERATIONS

The audit records are written to the operating system's audit trail.

SYS audit entries are not stored in the database, but on the host in text files (or the event log on Windows).

But yes, you are correct, if you are SYS, you have full access to the database, and the host, with the user the database runs as. So yes, you can manipulate audit rules and data as well.

For that reason (and performance-wise), usually I suggest using AUDIT_SYSLOG_LEVEL, and configuring syslog to forward all entries to a remote server.

Related Solutions

Oracle 11g .DMP viewer

First of all you need to create a directory on the database.

Create or Replace Directory IMP_DIR as 'Path\Path\';

Ensure the user that will import the file has the privilige to Read & Write on the directory (In case you are not using SYS)

GRANT Read, Write ON DIRECTORY IMP_DIR TO user;

Then, include the directory parameter within the import statement

impdp 'sys AS SYSDBA' file=dump.dmp full=yes log=implog.txt directory=IMP_DIR

Oracle 12c Express Enterprise Manager webpage does not load

After contacting Oracle support, I've -kinda- been able to figure out what was going on. This server has 4 network adaptors, 1 adaptor connected to the network, and 3 unconfigured adaptors connected to an iSCSI storage. The problem seems to be caused by the web-client, or EM server (not sure here) trying to send the webpage request to the wrong adaptor.

For anyone facing the same issue, you can check this by browsing to the URL (using the hostname.domain) and then checking the listener.log file (-oracle_base-/diag/tnslsnr/-instance-/listener/trace/listener.log). For me, in the error message a different IP address than the servers main network adaptors IP address was shown. The IP address of one of the network adaptors connected to the iSCSI where shown. When omitting the IP addresses in my original post, I didn't spot this IP address difference.

18-DEC-2015 14:17:04 * http * (ADDRESS=(PROTOCOL=tcps)(HOST=<NOT SERVER IP address!>%14)(PORT=62119)) * handoff * http * 12518
TNS-12518: TNS:listener could not hand off client connection
 TNS-12560: TNS:protocol adapter error

When disabling the additional network adaptors, everything works fine.

Additionally, when going to "chrome://net-internals/#dns" in chrome, the IP addresses of all four network adaptors showed up for my hostname.

Apparently, this problem -does not- happen, when browsing to the webpage from another host. Also, nslookup returns only the correct IP address. So it seems this is not a DNS issue, but a local issue. I think this is not a full answer to the problem, as disabling network adaptors can't be a final solution, but I hope anyone facing this issue in the future has "more to go on" now...

Where does the discrepancy between IP address returned by the DNS server, and the IP addresses used by web browsers come from?

I've also made some additional changes that might have influenced the end-solution, so for completeness I'll include them. Not sure if relevant...:

Increased processes parameter of the database from 300 to 1000
Altered the "dispatchers" parameter by adding "(DISPATCHERS=5)"

Best Answer

Related Solutions

Oracle 11g .DMP viewer

Oracle 12c Express Enterprise Manager webpage does not load

Related Question