Integrating Oracle audit with SYSLOG
With standard auditing, the audit trail is stored inside the database (or in files owned by the Oracle software owner), so it can be tampered with or deleted by a database administrator or by an attacker who has gained administrative privileges. This is a considerable security risk: the very record that would show what the privileged account did is under that account's control.
SYSLOG is a protocol (RFC 5424) for transmitting event messages and alerts across an IP network. Messages are generated by applications (for example ftp, cron, or ssh); a syslog daemon receives them and writes them to a local file or device, or forwards them to another (remote) syslog daemon. Forwarding is what makes the trail tamper-resistant: once a record has left the host, a DBA or an attacker on the database server can no longer alter it. In this recipe we will integrate the Oracle audit trail with rsyslog.
Getting ready
All steps will be performed on the nodeorcl1 host and the HACKDB database.
How to do it...
Integration with syslog requires the audit trail to be written outside the database, to the operating system. Change the audit trail to OS as follows:

SQL> alter system set audit_trail=OS scope=spfile;

System altered.

AUDIT_TRAIL is a static parameter, so scope=spfile only records the new value in the server parameter file; the change takes effect when the instance is restarted.
rsyslog is a more advanced variant of syslog and is the default in Red Hat 6. The configuration file is /etc/rsyslog...