• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 383
  • Last Modified:

How to disable auditing

I tried setting AUDIT_TRAIL parameter to NONE but it does not seem sufficient. Audit files are still written to the audit directory. Can anyone help?
0
YZlat
Asked:
YZlat
  • 8
  • 8
  • 4
  • +2
4 Solutions
 
slightwv (䄆 Netminder) Commented:
Did you bounce the database after setting this?  If not, I believe you need to.
0
 
DavidSenior Oracle Database AdministratorCommented:
Just for giggles, the host and the file share are used by one and only one database instance?
0
 
YZlatAuthor Commented:
no, there are a number of databases on the host
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
slightwv (䄆 Netminder) Commented:
OK?

I believe what dvz was getting at is:  Are there other databases generating audit records in the same folder?

You also didn't mention if you had bounced the database...
0
 
YZlatAuthor Commented:
Yes, I have bounced the database. And I did check, it is not the case where other databases generate audit files in the folder of another database.

This is the strangest thing ever. None of the databases have auditing enabled, yet some still create audit files.

This particular database id not even running - I started it up, disabled auditing, did the same for its standby on another server and then shut them both back down.

Still .aud files are produced
0
 
slightwv (䄆 Netminder) Commented:
See if audit_sys_operations is set:
http://docs.oracle.com/cd/E11882_01/server.112/e40402/initparams015.htm#REFRN10005

Also check audit_syslog_level.
0
 
YZlatAuthor Commented:
slightwv, I checked the audit_sys_operations and it is set to false, and audit_syslog_level is set to blank
0
 
slightwv (䄆 Netminder) Commented:
OK, I'm officially out of ideas.

I'll send out a call for help to see if other Experts might have additional ideas.

I would suggest opening an SR with Oracle Support to see what might be going on.
0
 
Mark GeerlingsDatabase AdministratorCommented:
Who owns the files in this audit directory?  Is that the same O/S user as the one that runs your Oracle database(s)?

What do the contents of those files look like?  Can you post a small portion of one of them here?  (Remove or edit any confidential information first, like: usernames, passwords, etc.)

What is your server O/S: Linux , UNIX, Windows, etc?
0
 
Franck PachotCommented:
Hi,

AUDIT_SYS_OPERATIONS=false only reduce the auditing, but STARTUP, SHUTDOWN, and SYSDBA CONNECT are always audited.

STARTUP and SHUTDOWN should not be an issue as it should not happen too frequently...

sysdba connection should not happen frequently. You must avoid using that for monitoring, OEM agent connection, etc. there is no other solutions.

Regards,
Franck.
0
 
DavidSenior Oracle Database AdministratorCommented:
YZlat, any progress at your end?
0
 
YZlatAuthor Commented:
Nope, the .aud files are still massproduced for the database that has been shut down. i am working on laternative solution - to run the script daily that will remove old audit files.

Although there should be a way to disable auditing completely for a dtabase that is in a shutdown state and is not in use
0
 
slightwv (䄆 Netminder) Commented:
I've not done much with auditing but I seriously doubt Oracle can generate audit records for a database that is shut down.

Something else is likely going on here.
0
 
Franck PachotCommented:
If you drop the adump directory then you will not have audit file, and anyone that tries to do an audited operation will have an error.
0
 
YZlatAuthor Commented:
frankpachot, are you sure it's a good idea? I do not need anymore problems on that server.

Is there a way to detect who and what is generating those audit files?
0
 
slightwv (䄆 Netminder) Commented:
Personally I wouldn't suggest troubleshooting this via the method of renaming the folder and see what system complains.

I would open an SR with Oracle Support.
0
 
slightwv (䄆 Netminder) Commented:
>>Is there a way to detect who and what is generating those audit files?

There should be some information inside the files that should assist in narrowing down what instance they are coming from.
0
 
Franck PachotCommented:
Hi,

Of course it's not a good idea if you think that you have critical processes connecting as sysdba. They will have ORA-09925: Unable to create audit trail file

>> Is there a way to detect who and what is generating those audit files?
well, the good thing is that it is audited. In the .aud file you have information about time, user, terminal, ...

Regards,
Franck.
0
 
DavidSenior Oracle Database AdministratorCommented:
So post a couple of the .aud, please.
0
 
YZlatAuthor Commented:
Here are the contents of .aud file:

Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/11.2.0.3
System name:    AIX
Node name:      server001
Release:        1
Version:        6
Machine:        MACHINENAME
Instance name: DBName
Redo thread mounted by this instance: 0 <none>
Oracle process number: 0
Unix process pid: 22741122, image: oracle@server001.domain.com

Thu Dec  5 16:10:28 2013 -05:00
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'sys'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[13] 'Not Available'
STATUS:[1] '0'
DBID:[0] ''

Open in new window


I know sysdba action will always be auditied, but the database is not running
0
 
slightwv (䄆 Netminder) Commented:
>>I know sysdba action will always be auditied, but the database is not running

Think about it.  If sysdba will always be audited, how do you start up a database?
0
 
Mark GeerlingsDatabase AdministratorCommented:
Your database may not be running, but this audit log entry indicates that someone (or some process) is attempting to connect to the database with "SYSDBA" privileges.  That is like a .super-user, or administrator.

You may want to determine who or what this is.
0
 
YZlatAuthor Commented:
markgeer, any tips on how to do that?
0
 
DavidSenior Oracle Database AdministratorCommented:
First, it has to be someone with access to a OS account on that host.  And if the person expected it to work, I'd start with those to whom DBA role has been granted.

Secondly, the individual has to either have set up a job (possibly in dbms_scheduler if you're using OEM or Grid Control), a cronjob, or a deferred shell script -- or it's interactive.  Your SA should be able to determine who was logged on at that time, and from what IP address.  Is the attempt is repeatative?  Is the repetition regular, like every weekday at 16:10, or not?

Thirdly, have you simply pinged the set of DBAs and asked them?
0
 
Franck PachotCommented:
Hi,
Yes, your instance is shut down (Redo thread mounted by this instance: 0) bur you have a job  - not a user (CLIENT TERMINAL:[13] 'Not Available') that tries to connect as sysdba from server001.domain.com OS user 'oracle'
You should check what is doing that (cron job, deamon script , ???)
Regards,
Franck.
0
 
Mark GeerlingsDatabase AdministratorCommented:
"any tips on how to do that?"

Without knowing your system, that is somewhat difficult.  Dvz gave you some suggestions.  We don't know who manages the O/S and access to your servers.  I assumed that you would know that.
0
 
YZlatAuthor Commented:
Still no luck:( I might just go ahead and open SR with Oracle
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 8
  • 8
  • 4
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now