OS File Monitoring

For Linux v5, monitoring can occur in one of two ways, and some of the actions listed below can be monitored with only one of them. The first method is to use the Loadable Kernel Module; actions that are detectable ONLY with this method are annotated with "(KO)". The second is to not use the loadable kernel module, which results in using the Linux built-in auditd method; actions that can be monitored only with this method are annotated with "(non-KO)". Actions that have no annotation other than the X can be monitored using either approach.

Note:

Monitoring remote file systems on Unix-based platforms is not supported. Likewise, monitoring remote file systems on Windows platforms is also not supported.

When a file is restored from the Recycle Bin on the Microsoft Windows operating system, the user that made the change cannot be captured, because the operating system does not make that information available.

When using the auditd monitoring method on Linux operating systems, rather than the Oracle kernel audit module method, directory creations are reported as file creations. Additionally, file create activity is reported as a file modification instead of a create. These are limitations of the auditd method of monitoring. If you use the Oracle kernel audit module approach for OS file monitoring on Linux, these limitations do not exist.

An X indicates support for the listed action and NS indicates "Not Supported".

Table 4-7 OS File Monitoring

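| Actions to Monitor | Linux V4 X86 32 bit | Linux V5 X86 32 bit | Linux V5 X86 64 bit | Linux V6 X86 32 bit | Linux V6 X86 64 bit | Windows XP X86 32 bit | Windows XP X86 64 bit | Windows 2003 Server X86 32 bit | Windows 2003 Server X86 64 bit | Windows 2008 Server (R1 and R2) X86 32 bit | Windows 2008 Server (R1 and R2) X86 64 bit | Solaris V9 X86 64 bit | Solaris V9 Sparc | Solaris V10 X86 64 bit | Solaris V10 Sparc | Solaris V11 X86 64 bit | Solaris V11 Sparc |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| File Read (successful) | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
| File Delete (successful) | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
| File Rename (successful) | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
| File Create (successful) | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
| File Content Modified (successful) | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
| File Modified without content change | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
| File Modified (failed) | NS | X (non-KO) | NS | X (non-KO) | X | NS | NS | NS | NS | NS | NS | NS | NS | NS | NS | NS | NS |
| File Permission Change (successful) | NS | X (non-KO) | X (non-KO) | X (KO) | X | NS | NS | NS | NS | NS | NS | X | X | X | X | X | X |
| File Ownership Change (successful) | NS | X (non-KO) | X (non-KO) | X (KO) | X | NS | NS | NS | NS | NS | NS | X | X | X | X | X | X |
| File content modified (successful) Archive File | NS | X (non-KO) | X (non-KO) | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
| File Read (failed) | NS | NS | NS | NS | NS | NS | NS | NS | NS | NS | NS | X | X | X | X | X | X |
| File Delete (failed) | NS | X (non-KO) | X (non-KO) | NS | NS | NS | NS | NS | NS | NS | NS | X | X | X | X | X | X |
| File Rename (failed) | NS | X (non-KO) | X (non-KO) | X (non-KO) | X (non-KO) | NS | NS | NS | NS | NS | NS | X | X | X | X | X | X |
| File Create (failed) | NS | X (non-KO) | X (non-KO) | X (non-KO) | X (non-KO) | NS | NS | NS | NS | NS | NS | X | X | X | X | X | X |
| File Permission Change (failed) | NS | X | X | X | X | NS | NS | NS | NS | NS | NS | X | X | X | X | X | X |
| File Ownership Change (failed) | NS | X | X | X | X | NS | NS | NS | NS | NS | NS | X | X | X | X | X | X |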

Table 4-8 OS File Monitoring (continued)

| Actions to Monitor | SUSE Linux V10 X86 32 bit | SUSE Linux V11 X86 32 bit | SUSE Linux V11 X86 64 bit | AIX V5.3 POWER | AIX V6.1 POWER |
|---|---|---|---|---|---|
| File Read (successful) | X | X (KO) | X (KO) | X | X |
| File Delete (successful) | X | X (KO) | X (KO) | X | X |
| File Rename (successful) | X | X | X | X | X |
| File Create (successful) | X | X | X | X | X |
| File Content Modified (successful) | X | X | X | X | X |
| File Modified without content change (successful) | X | X | X | X | X |
| File Modified (failed) | NS | NS | NS | X | X |
| File Permission Change (successful) | X | X (KO) | X | X | X |
| File Ownership Change (successful) | X | X (KO) | X | X | X |
| File content modified (successful) Archive File | X | X | X | X | X |
| File Read (failed) | NS | NS | NS | X | X |
| File Delete (failed) | NS | NS | NS | X | X |
| File Rename (failed) | NS | X (non-KO) | X (non-KO) | X | X |
| File Create (failed) | NS | NS | X (non-KO) | X | X |
| File Permission Change (failed) | NS | X (non-KO) | X (non-KO) | X | X |
| File Ownership Change (failed) | NS | X (non-KO) | X (non-KO) | X | X |