
Audit SYS User Operations (How to Audit SYSDBA) (Doc ID 174340.1)

Last updated on MARCH 02, 2021

Applies to:

Oracle Database - Enterprise Edition - Version 11.2.0.3 to 11.2.0.4 [Release 11.2]
Oracle Database Cloud Schema Service - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Oracle Database Exadata Cloud Machine - Version N/A and later
Oracle Cloud Infrastructure - Database Service - Version N/A and later
Generic UNIX

Purpose

SYS is a trusted user. Until version 9.2, there is no auditing or security checking of commands issued by SYS, even though SYS is also exposed as an ordinary RDBMS user. With the proper setup, users can connect as SYS to administer the database or issue any command. This raises the concern that the actions of the omnipotent SYS user are not audited.

Recent legislation changes require accountability of all users in the system, including the RDBMS, so auditing SYS actions has become a top requirement.

This bulletin explains how to audit SQL statements issued by SYS, including users connecting as SYSDBA and SYSOPER.


For 12c Database SYSDBA auditing, refer to <Note 2024280.1>

Scope

This bulletin should be used as a reference by DBAs who want to audit the activity performed by SYS/SYSDBA/SYSOPER.

1. Only SYS/SYSDBA/SYSOPER actions are audited to address accountability. The actions performed by DBAs other than user SYS are not audited.

2. The new parameter AUDIT_SYS_OPERATIONS allows auditing of all statements issued by SYS/SYSDBA/SYSOPER into an OS audit trail file.

The SYS audit records must go to OS files, because the user SYS can delete the records of its own actions from AUD$, whereas files written to the OS can be secured from the Oracle DBA by root (root must have some means to transfer the files to a secure location). It is not possible to configure these records to go into the AUD$ table.

Exception: Because AUDIT_FILE_DEST is not valid on Windows, all Oracle audit trail information on Windows is recorded in the Windows Event Viewer.

Note: Starting with 10gR2, the audit data produced by a database running on Unix can be written to SYSLOG. See <Note 553225.1> for more details.
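As an added example (not part of this note and not an Oracle-supplied script), the two halves of the setup described above in shell: the oracle software owner enables AUDIT_SYS_OPERATIONS and sets AUDIT_FILE_DEST through SQL*Plus, and root periodically moves the resulting .aud files out of the DBA-writable directory into one only root can read. The instance name ORCL, the directory paths and the file-age threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for this note, not Oracle's own script. Assumed placeholders:
# instance ORCL, audit_file_dest /u01/app/oracle/admin/ORCL/adump, and root's
# secure copy under /var/log/oracle_sys_audit. SYS auditing goes to OS files
# only, so the two functions run as different users.

# Part 1: run as the oracle software owner. audit_sys_operations is a static
# parameter, so it is written to the spfile and takes effect after a restart.
# The SHOW PARAMETER lines are the check that the values landed.
enable_sys_audit() {
  adump="${1:-/u01/app/oracle/admin/ORCL/adump}"
  sqlplus -S "/ as sysdba" <<EOF
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest = '$adump' SCOPE = SPFILE;
SHOW PARAMETER audit_sys_operations
SHOW PARAMETER audit_file_dest
EXIT
EOF
}

# Part 2: run as root (for example from root's crontab every few minutes).
# Moves *.aud files that have been idle for more than $3 minutes (default 5)
# out of audit_file_dest ($1) into a root-owned 0700 directory ($2), so the
# SYS user can no longer delete the record of its own actions. Files still
# being written by a server process are left alone by the age threshold.
# Prints the number of files moved; returns 1 if the source does not exist.
secure_sys_audit_files() {
  src="$1"; dst="$2"; age_min="${3:-5}"
  [ -d "$src" ] || { echo "no such audit directory: $src" >&2; return 1; }
  mkdir -p "$dst"
  chmod 0700 "$dst"
  # chown only when actually root, so the function can be exercised unprivileged
  if [ "$(id -u)" = 0 ]; then chown root:root "$dst"; fi
  moved=0
  for f in "$src"/*.aud; do
    [ -f "$f" ] || continue
    # find prints the path only when the file is older than the threshold
    [ -n "$(find "$f" -mmin +"$age_min")" ] || continue
    name=$(basename "$f")
    # refuse to overwrite: a name collision in dst is itself worth investigating
    if [ -e "$dst/$name" ]; then
      echo "refusing to overwrite existing $dst/$name" >&2
      continue
    fi
    mv "$f" "$dst/" && chmod 0600 "$dst/$name" && moved=$((moved + 1))
  done
  echo "$moved"
}
```

Because the moved files keep their original mtime, root can later correlate them with the session timestamps in their names; the directory mode 0700 plus root ownership is what actually removes them from the DBA's reach.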

Details
