2.7.3 Operating System Activity Monitoring on Oracle Exadata Servers

Each Exadata server is configured with auditd to audit system-level activity.

To manage audits and generate reports, use the auditctl command. The audit rules are in the /etc/audit/audit.rules file. Changes made to this file are not preserved when a patch set is applied.

Starting with Oracle Exadata System Software release 19.1.0 and Oracle Linux 7, the audit rules specific to Oracle Exadata are stored in the /etc/audit/rules.d/01-exadata_audit.rules file.

When the auditd service starts, it runs the augenrules utility. This utility merges all component audit rules files found in the audit rules directory, /etc/audit/rules.d, and places the merged results in the /etc/audit/audit.rules file. Component audit rules files must end in .rules to be processed by augenrules. All other files in the /etc/audit/rules.d directory are ignored. The files are concatenated in their natural sort order, and empty lines and comment (#) lines are stripped. Auditing rules not specific to Oracle Exadata should be placed in a separate audit rules file in the /etc/audit/rules.d directory, such as /etc/audit/rules.d/20-customer_audit.rules.
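The merge described above can be previewed before a reboot with a short script. This is an added example, not Oracle's code or the augenrules implementation: it follows only the behavior stated on this page, assumes that sort -V matches the natural sort order, and uses constructed file names (9-network.rules, 30-extra.rules.bak) and constructed rule lines.

```shell
#!/bin/sh
# Added example (not Oracle's code): preview the merge as this page describes it.

# Names of the files in DIR that end in .rules, in natural (version) sort order.
rules_files() {
    for f in "$1"/*.rules; do
        if [ -f "$f" ]; then basename "$f"; fi
    done | sort -V
}

# Names of the files in DIR that would be ignored because of their suffix.
ignored_files() {
    for f in "$1"/*; do
        case $f in
            *.rules) ;;
            *) if [ -f "$f" ]; then basename "$f"; fi ;;
        esac
    done | sort -V
}

# Concatenate the component files in order, dropping empty and comment lines.
preview_merged_rules() {
    rules_files "$1" | while IFS= read -r name; do
        grep -v -E '^[[:space:]]*(#|$)' "$1/$name" || true
    done
}

# Constructed sample directory; the rule lines are illustrative, not Exadata's.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed stand-in for the Exadata rules file' '' \
        '-w /etc/passwd -p wa -k identity' > "$d/01-exadata_audit.rules"
    printf '%s\n' '# site rules' \
        '-w /etc/ssh/sshd_config -p wa -k sshd_config' > "$d/20-customer_audit.rules"
    printf '%s\n' '-w /etc/hosts -p wa -k hosts' > "$d/9-network.rules"
    printf '%s\n' '-w /etc/shadow -p wa -k shadow' > "$d/30-extra.rules.bak"
    echo "$d"
}

sample=$(make_sample_dir)
echo "Merged order:";  rules_files "$sample"
echo "Ignored:";       ignored_files "$sample"
echo "Merged rules:";  preview_merged_rules "$sample"
rm -rf "$sample"
```

In the sample, 9-network.rules merges before 20-customer_audit.rules because the sort is natural rather than lexical, and 30-extra.rules.bak is skipped, so the rule it contains would never be loaded.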

As in previous releases of Oracle Exadata System Software, the audit rules are immutable. A reboot is needed to effect changes to audit rules.