Solved

How to disable auditing

Posted on 2013-10-25
28
329 Views
Last Modified: 2013-12-31
I tried setting AUDIT_TRAIL parameter to NONE but it does not seem sufficient. Audit files are still written to the audit directory. Can anyone help?
Question by:YZlat
28 Comments
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39601304
Did you bounce the database after setting this?  If not, I believe you need to.
0
 
LVL 23

Expert Comment

by:David
ID: 39601373
Just for giggles, the host and the file share are used by one and only one database instance?
0
 
LVL 35

Author Comment

by:YZlat
ID: 39617787
No, there are a number of databases on the host.
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39617805
OK?

I believe what dvz was getting at is:  Are there other databases generating audit records in the same folder?

You also didn't mention if you had bounced the database...
0
 
LVL 35

Author Comment

by:YZlat
ID: 39621576
Yes, I have bounced the database. And I did check, it is not the case where other databases generate audit files in the folder of another database.

This is the strangest thing ever. None of the databases have auditing enabled, yet some still create audit files.

This particular database is not even running - I started it up, disabled auditing, did the same for its standby on another server and then shut them both back down.

Still, .aud files are produced.
0
 
LVL 76

Accepted Solution

by:
slightwv (䄆 Netminder) earned 63 total points
ID: 39621612
See if audit_sys_operations is set:
http://docs.oracle.com/cd/E11882_01/server.112/e40402/initparams015.htm#REFRN10005

Also check audit_syslog_level.
0
 
LVL 35

Author Comment

by:YZlat
ID: 39638809
slightwv, I checked the audit_sys_operations and it is set to false, and audit_syslog_level is set to blank
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39641626
OK, I'm officially out of ideas.

I'll send out a call for help to see if other Experts might have additional ideas.

I would suggest opening an SR with Oracle Support to see what might be going on.
0
 
LVL 34

Expert Comment

by:Mark Geerlings
ID: 39641655
Who owns the files in this audit directory?  Is that the same O/S user as the one that runs your Oracle database(s)?

What do the contents of those files look like?  Can you post a small portion of one of them here?  (Remove or edit any confidential information first, like: usernames, passwords, etc.)

What is your server O/S: Linux , UNIX, Windows, etc?
0
 
LVL 15

Assisted Solution

by:Franck Pachot
Franck Pachot earned 125 total points
ID: 39641843
Hi,

AUDIT_SYS_OPERATIONS=false only reduces the auditing, but STARTUP, SHUTDOWN, and SYSDBA CONNECT are always audited.

STARTUP and SHUTDOWN should not be an issue as they should not happen too frequently...

SYSDBA connections should not happen frequently. You must avoid using that for monitoring, OEM agent connection, etc. There are no other solutions.

Regards,
Franck.
0
 
LVL 23

Expert Comment

by:David
ID: 39642524
YZlat, any progress at your end?
0
 
LVL 35

Author Comment

by:YZlat
ID: 39644722
Nope, the .aud files are still mass-produced for the database that has been shut down. I am working on an alternative solution - to run a script daily that will remove old audit files.

Although there should be a way to disable auditing completely for a database that is in a shutdown state and is not in use.
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39644866
I've not done much with auditing but I seriously doubt Oracle can generate audit records for a database that is shut down.

Something else is likely going on here.
0
 
LVL 15

Expert Comment

by:Franck Pachot
ID: 39645164
If you drop the adump directory then you will not have audit files, and anyone that tries to do an audited operation will get an error.
0
 
LVL 35

Author Comment

by:YZlat
ID: 39662523
frankpachot, are you sure it's a good idea? I do not need any more problems on that server.

Is there a way to detect who and what is generating those audit files?
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39662533
Personally I wouldn't suggest troubleshooting this via the method of renaming the folder and see what system complains.

I would open an SR with Oracle Support.
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39662539
>>Is there a way to detect who and what is generating those audit files?

There should be some information inside the files that should assist in narrowing down what instance they are coming from.
0
 
LVL 15

Assisted Solution

by:Franck Pachot
Franck Pachot earned 125 total points
ID: 39662549
Hi,

Of course it's not a good idea if you think that you have critical processes connecting as sysdba. They will get ORA-09925: Unable to create audit trail file.

>> Is there a way to detect who and what is generating those audit files?
Well, the good thing is that it is audited. In the .aud file you have information about time, user, terminal, ...

Regards,
Franck.
0
 
LVL 23

Expert Comment

by:David
ID: 39663336
So post a couple of the .aud, please.
0
 
LVL 35

Author Comment

by:YZlat
ID: 39699548
Here are the contents of .aud file:

Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/11.2.0.3
System name:    AIX
Node name:      server001
Release:        1
Version:        6
Machine:        MACHINENAME
Instance name: DBName
Redo thread mounted by this instance: 0 <none>
Oracle process number: 0
Unix process pid: 22741122, image: oracle@server001.domain.com

Thu Dec  5 16:10:28 2013 -05:00
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'sys'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[13] 'Not Available'
STATUS:[1] '0'
DBID:[0] ''


I know sysdba action will always be audited, but the database is not running.
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39699552
>>I know sysdba action will always be audited, but the database is not running

Think about it.  If sysdba will always be audited, how do you start up a database?
0
 
LVL 34

Expert Comment

by:Mark Geerlings
ID: 39699556
Your database may not be running, but this audit log entry indicates that someone (or some process) is attempting to connect to the database with "SYSDBA" privileges.  That is like a super-user, or administrator.

You may want to determine who or what this is.
0
 
LVL 35

Author Comment

by:YZlat
ID: 39700868
markgeer, any tips on how to do that?
0
 
LVL 23

Assisted Solution

by:David
David earned 62 total points
ID: 39701066
First, it has to be someone with access to an OS account on that host.  And if the person expected it to work, I'd start with those to whom the DBA role has been granted.

Secondly, the individual has to either have set up a job (possibly in dbms_scheduler if you're using OEM or Grid Control), a cronjob, or a deferred shell script -- or it's interactive.  Your SA should be able to determine who was logged on at that time, and from what IP address.  Is the attempt repetitive?  Is the repetition regular, like every weekday at 16:10, or not?

Thirdly, have you simply pinged the set of DBAs and asked them?
0
 
LVL 15

Expert Comment

by:Franck Pachot
ID: 39701084
Hi,
Yes, your instance is shut down (Redo thread mounted by this instance: 0) but you have a job - not a user (CLIENT TERMINAL:[13] 'Not Available') - that tries to connect as sysdba from server001.domain.com OS user 'oracle'.
You should check what is doing that (cron job, daemon script, ???)
Regards,
Franck.
0
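
Added example, not part of any post in this thread: a small parser for the .aud record layout posted above that groups records by originator and lists the time gaps between them, which covers both reading the file as Franck does and the question of whether the attempts are regular. The names parse_aud and summarize are hypothetical, and the second timestamp in the sample is constructed.

```python
import re
from collections import Counter
from datetime import datetime

TS = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} [+-]\d\d:\d\d$")
FIELD = re.compile(r"^([A-Z ]+?)\s*:\[\d+\] '(.*)'$")
HEADER = re.compile(r"^(Instance name|Unix process pid):\s*(.+)$")
FMT = "%a %b %d %H:%M:%S %Y %z"

def parse_aud(text):
    """Return one dict per audit record found in the text of a single .aud file."""
    header, records, current = {}, [], None
    for line in map(str.rstrip, text.splitlines()):
        if TS.match(line):  # a timestamp line opens a new record
            current = dict(header, when=datetime.strptime(line, FMT))
            records.append(current)
        elif current is None and (m := HEADER.match(line)):
            header[m.group(1)] = m.group(2)  # file banner, before any record
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)  # e.g. ACTION, CLIENT USER
    return records

def summarize(records):
    """Count records per originator and list the gaps (seconds) between them."""
    who = Counter((r.get("Instance name"), r.get("CLIENT USER"),
                   r.get("CLIENT TERMINAL"), r.get("PRIVILEGE"), r.get("ACTION"))
                  for r in records)
    times = sorted(r["when"] for r in records)
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return who, gaps

# Constructed sample: the record posted above, trimmed, plus a copy with an
# invented later timestamp standing in for a second .aud file.
SAMPLE = """Instance name: DBName
Unix process pid: 22741122, image: oracle@server001.domain.com

Thu Dec  5 16:10:28 2013 -05:00
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'sys'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[13] 'Not Available'
STATUS:[1] '0'
"""
FILES = [SAMPLE, SAMPLE.replace("16:10:28", "16:15:28")]

if __name__ == "__main__":
    who, gaps = summarize([r for f in FILES for r in parse_aud(f)])
    print(who.most_common(), gaps)
```

Constant gaps point to a scheduled job rather than an interactive login, and the pid captured from each file's banner can be matched against process accounting or scheduler logs for the same timestamps.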
 
LVL 34

Expert Comment

by:Mark Geerlings
ID: 39701289
"any tips on how to do that?"

Without knowing your system, that is somewhat difficult.  Dvz gave you some suggestions.  We don't know who manages the O/S and access to your servers.  I assumed that you would know that.
0
 
LVL 35

Author Closing Comment

by:YZlat
ID: 39748170
Still no luck:( I might just go ahead and open SR with Oracle
0
