Audit SYS User Operations (How to Audit SYSDBA)
(Doc ID 174340.1)
Last updated on MARCH 02, 2021
Applies to: Oracle Database - Enterprise Edition - Version 18.104.22.168 to 22.214.171.124 [Release 11.2]
Oracle Database Cloud Schema Service - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Oracle Database Exadata Cloud Machine - Version N/A and later
Oracle Cloud Infrastructure - Database Service - Version N/A and later
SYS is a trusted user. Before version 9.2 there was no auditing and no security checking of commands issued by SYS, even though SYS is exposed as an ordinary RDBMS user: with the proper setup, anyone who holds the credentials can connect as SYS to administer the database or issue any command. This raises the concern that the actions of the omnipotent SYS account are not audited.
Recent legislation requires accountability of every user of a system, the RDBMS included, so auditing SYS actions has become a top requirement.
This bulletin explains how to audit SQL statements issued by SYS, including users connecting as SYSDBA and SYSOPER.
For SYSDBA auditing in 12c and later, refer to <Note 2024280.1>.
This bulletin should be used as a reference by DBAs who want to audit the activity performed by SYS and by users connecting AS SYSDBA or AS SYSOPER.
1. Only the actions of SYS, and of users connecting AS SYSDBA or AS SYSOPER, are audited by this mechanism, to address accountability. Actions performed by DBAs connecting as any other user are not covered by it (they fall under standard auditing, controlled by AUDIT_TRAIL).
2. The initialization parameter AUDIT_SYS_OPERATIONS, new in 9.2, causes every statement issued by SYS, or by a user connected AS SYSDBA or AS SYSOPER, to be written to an operating-system audit file. The parameter is static: set it with ALTER SYSTEM ... SCOPE=SPFILE (or in the init.ora) and restart the instance. The files are written to the directory named by AUDIT_FILE_DEST (on Windows the records go to the Windows Event Log instead).
The SYS audit records must go to OS files because SYS can delete the rows describing its own actions from AUD$, whereas files written at the OS level can be kept away from the Oracle DBA by root. Since the DBA normally owns the oracle OS account that owns AUDIT_FILE_DEST, root must have a way to move the files, promptly and regularly, to a secure location that account cannot read or write. It is not possible to configure these records to go into the AUD$ table.
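The following is an added example, not part of the Oracle note, showing both halves of the procedure above: the SQL*Plus commands that turn the static parameter on (emitted as a script rather than executed, so the example runs anywhere), and a root-run shell routine that moves quiet *.aud files out of AUDIT_FILE_DEST into a root-owned archive with a SHA-256 manifest that can later be checked for tampering. The paths /u01/app/oracle/admin/orcl/adump and /var/audit/oracle-sys, the 10-minute quiet window, and the file names in the comments are assumptions, not values from the note.

```shell
#!/bin/sh
# Added example, not from the Oracle note.  Assumptions: AUDIT_FILE_DEST is
# /u01/app/oracle/admin/orcl/adump (owned by the oracle OS user, i.e. the DBA),
# the archive /var/audit/oracle-sys is root-owned, and this script runs from
# root's crontab.  Nothing below is an Oracle-supplied tool.

# Print the SQL*Plus script that enables SYS/SYSDBA/SYSOPER auditing.
# AUDIT_SYS_OPERATIONS is a static parameter, hence SCOPE = SPFILE + restart.
enable_sys_audit_sql() {
    cat <<'EOF'
CONNECT / AS SYSDBA
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest = '/u01/app/oracle/admin/orcl/adump' SCOPE = SPFILE;
SHUTDOWN IMMEDIATE
STARTUP
SHOW PARAMETER audit_sys_operations
SHOW PARAMETER audit_file_dest
EOF
}

# SHA-256 of one file; sha256sum on Linux, shasum elsewhere.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# archive_sys_audit SRC DST [MIN_AGE_MINUTES]
# Move *.aud files that have been quiet for MIN_AGE_MINUTES out of SRC into the
# root-owned DST, record each file's hash in DST/MANIFEST.sha256 and make the
# copies read-only.  A file the server process is still appending to keeps the
# same inode after mv and would go on changing inside the archive, so fresh
# files are left alone until the next run.
archive_sys_audit() {
    src=$1; dst=$2; min_age=${3:-10}
    [ -d "$src" ] || { echo "no such AUDIT_FILE_DEST: $src" >&2; return 1; }
    mkdir -p "$dst" && chmod 0700 "$dst" || return 1
    manifest="$dst/MANIFEST.sha256"
    find "$src" -maxdepth 1 -type f -name '*.aud' -mmin "+$min_age" |
    while read -r f; do
        base=$(basename "$f")
        # hash before the move, so the manifest reflects the content as taken from adump
        printf '%s  %s\n' "$(hash_file "$f")" "$base" >> "$manifest"
        mv "$f" "$dst/$base" && chmod 0400 "$dst/$base"
    done
    [ -f "$manifest" ] && chmod 0600 "$manifest"
    return 0
}

# verify_archive DST: recompute every hash in the manifest; non-zero on any
# mismatch or missing file, which is what a tampered or deleted record looks like.
verify_archive() {
    dst=$1; manifest="$dst/MANIFEST.sha256"; rc=0
    [ -f "$manifest" ] || { echo "no manifest in $dst" >&2; return 1; }
    while read -r sum name; do
        actual=$(hash_file "$dst/$name" 2>/dev/null)
        [ "$actual" = "$sum" ] || { echo "MISMATCH: $name" >&2; rc=1; }
    done < "$manifest"
    return $rc
}

# Cron entry point: only acts as root and only when AUDIT_FILE_DEST is exported.
if [ "$(id -u)" -eq 0 ] && [ -d "${AUDIT_FILE_DEST:-/nonexistent}" ]; then
    archive_sys_audit "$AUDIT_FILE_DEST" /var/audit/oracle-sys 10 &&
    verify_archive /var/audit/oracle-sys
fi
```

The archive step deliberately runs as root rather than as the oracle user: anything the oracle account can write, the DBA can edit, so the manifest and the archived files must live under an identity the DBA does not hold. Run `verify_archive` from a separate job (or from a remote host that pulls the archive) so that a mismatch is reported by something the DBA does not control.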