AUDIT_TRAIL Set to DB (DB,EXTENDED) yet Some Audited Entries for non-Sysdba Users Are Created in the OS Trail.
Last updated on NOVEMBER 21, 2017
Applies to:
Oracle Database - Enterprise Edition - Version 11.2.0.2 and laterInformation in this document applies to any platform.
Checked for relevance on 13-MAR-2013
Symptoms
The audit_trail is set to DB or even DB,EXTENDED, however, in the audit_file_dest directory there can be found files holding entries that are not created by SYS.
The AUDIT_SYS_OPERATIONS is set on TRUE.
SQL> show parameter audit
NAME TYPE VALUE
----------------------------------------
audit_file_dest string <some directory>
audit_sys_operations boolean TRUE
audit_trail string DB, EXTENDED
NAME TYPE VALUE
----------------------------------------
audit_file_dest string <some directory>
audit_sys_operations boolean TRUE
audit_trail string DB, EXTENDED
Audit entries are clearly not created by SYS:
LENGTH : '327'
ACTION :[172] ' SELECT st.name, st.address, st.protocol FROM "BET"."AQ$_SLIP_SUGGESTION_AQ_TABLE_S" st WHERE queue_name = :1 AND (bitand(st.subscriber_type, 1) = 1) ORDER BY st.name '
DATABASE USER:[7] 'SOMEUSER'
PRIVILEGE :[4] 'NONE'
CLIENT USER:[0] ''
CLIENT TERMINAL:[7] 'unknown'
STATUS:[1] '0'
DBID:[10] '1026917320'
ACTION :[172] ' SELECT st.name, st.address, st.protocol FROM "BET"."AQ$_SLIP_SUGGESTION_AQ_TABLE_S" st WHERE queue_name = :1 AND (bitand(st.subscriber_type, 1) = 1) ORDER BY st.name '
DATABASE USER:[7] 'SOMEUSER'
PRIVILEGE :[4] 'NONE'
CLIENT USER:[0] ''
CLIENT TERMINAL:[7] 'unknown'
STATUS:[1] '0'
DBID:[10] '1026917320'
Changes
The database has been upgraded to 10.2.0.5, 11.1.0.7 or 11.2
Cause
Sign In with your My Oracle Support account |
|
Don't have a My Oracle Support account? Click to get started |
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms