원래 connect shutdown startup 은 os로 떨어진다



AUDIT_SYS_OPERATIONS Set To FALSE Yet Audit Files Are Generated (문서 ID 308066.1)


Oracle Server - Enterprise Edition - Version 9.2.0.1 to 11.2.0.3 [Release 9.2 to 11.2]
Information in this document applies to any platform.
Checked for relevance on 11-Sep-2010




SYMPTOMS

Users find audit file are generated at Audit_File_Dest location. They can see database instance has the following setting .


1. audit_sys_operations=FALSE
2. audit_file_dest=/oracle10g/10.1.0/rdbms/audit
3. audit_trail=NONE

Although the audit_sys_operations is set to FALSE, the audit files were still been generated audit_file_dest.

AUDIT FILE ( *.aud ) output includes

Wed May 4 09:23:30 2005
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle10g
CLIENT TERMINAL: pts/3
STATUS: 0


CAUSE

Expected behavior. Regardless of whether database auditing is enabled, Oracle always audits certain database-related operations and writes them to the operating system audit file.


SOLUTION

These operations include the following operations are audited:

Connections to the instance with administrator privileges

An audit record is generated that lists the operating system user connecting to Oracle as SYSOPER
or SYSDBA. This provides for accountability of users with administrative privileges. Full auditing
for these users can be enabled as explained in "Auditing Administrative Users".

Database startup

An audit record is generated that lists the operating system user starting the instance, the user's terminal identifier, the date and time stamp, and whether database auditing was enabled or disabled. This is stored in the operating system audit trail because the database audit trail is not available until after startup has successfully completed. Recording the state of database auditing at startup helps detect when an administrator has restarted a database with database auditing disabled (thus enabling the administrator to perform unaudited actions).

Database shutdown

An audit record is generated that lists the operating system user shutting down the instance, the
user's terminal identifier, and the date and time stamp.