2.7.3 Operating System Activity Monitoring on Oracle Exadata Servers

Each Exadata server is configured with auditd to audit system-level activity.

Starting with Oracle Exadata System Software release 19.1.0 and Oracle Linux 7, the audit rules for Oracle Exadata are stored in the /etc/audit/rules.d/01-exadata_audit.rules file.

Additional custom rules should be placed in separate audit rule files in the /etc/audit/rules.d directory, such as /etc/audit/rules.d/20-customer_audit.rules. These custom audit rule files are preserved across updates to Oracle Exadata System Software.

When the auditd service starts, it runs the augenrules utility. This utility merges all component audit rule files found in the audit rules directory, /etc/audit/rules.d, and places the merged results in the /etc/audit/audit.rules file. Component audit rule files must end in .rules to be processed by augenrules. All other files in the /etc/audit/rules.d directory are ignored. The files are concatenated in their natural sort order, and empty lines and comment (#) lines are stripped.
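The following added example (not Oracle code) previews the file selection, ordering, and line stripping described above, so a custom rule file can be checked before the next service start. The function names and the sample file contents are assumptions constructed for illustration; the script models only the behavior stated in this section and does not call augenrules.

```shell
#!/bin/sh
# Added example: preview how component files in an audit rules directory
# would be merged. Simplified model: file selection, natural sort order,
# and stripping of empty and comment lines only.

# Files that would be processed: names ending in .rules, natural sort.
rule_files() {
    ls -1v "$1" | grep '\.rules$' || true
}

# Files that would be ignored because they do not end in .rules.
ignored_files() {
    ls -1v "$1" | grep -v '\.rules$' || true
}

# Concatenate the selected files in order, dropping empty and comment lines.
preview_merged_rules() {
    rule_files "$1" | while IFS= read -r f; do
        grep -v -E '^[[:space:]]*(#|$)' "$1/$f" || true
    done
}

# Constructed sample directory. The 01- file is a stand-in and does not
# contain the rules Oracle ships in 01-exadata_audit.rules.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed stand-in for the Exadata rules' '' \
        '-w /etc/passwd -p wa -k constructed_identity' \
        > "$d/01-exadata_audit.rules"
    printf '%s\n' '# customer additions' \
        '-w /etc/ssh/sshd_config -p wa -k customer_sshd_config' \
        > "$d/20-customer_audit.rules"
    # A leftover backup copy: no .rules suffix, so it is never merged.
    printf '%s\n' '-w /tmp -p wa -k stale_backup' \
        > "$d/20-customer_audit.rules.bak"
    echo "$d"
}

sample=$(make_sample_dir)
echo "Merged preview:"; preview_merged_rules "$sample"
echo "Ignored files:";  ignored_files "$sample"
rm -rf "$sample"
```

To inspect a live server, pass /etc/audit/rules.d to the same functions; a rule file that shows up under the ignored list will not be audited until it is renamed to end in .rules.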

As in previous releases of Oracle Exadata System Software, the audit rules are immutable. A reboot is needed to effect changes to audit rules.