AVCLI doubles audit trails, bug or feature?

I’ve started using the AV command line interface to administer AVDF. I use the tool fairly often to start, stop and monitor the audit trails. But recently I ran into a small issue after a typo. I just wanted to start the audit trail on the ADUMP directory of a database.

AVCLI> LIST TRAIL FOR SECURED TARGET TDB11A;
----------------------------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST   | LOCATION                            | STATUS  | REQUEST_STATUS | ERROR_MESSAGE                     |
==================================================================================================================================
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump  | STOPPED |                |                                   |
| TABLE            | urania | SYS.AUD$                            | STOPPED |                |                                   |
| TRANSACTION LOG  | urania |                                     | STOPPED |                |                                   |
----------------------------------------------------------------------------------------------------------------------------------

AVCLI> START COLLECTION FOR SECURED TARGET TDB11A USING HOST urania FROM DIRECTORY '/u00/app/oracle/admin/TDB11A/adump/';

Request submitted successfully.

After submitting the start command I checked the status of the audit trails. As expected, the audit trail has been started and is now in IDLE state, waiting for audit files. But wait, there are two audit trails on the same directory?! One of them has a trailing slash.

AVCLI> LIST TRAIL FOR SECURED TARGET TDB11A;
--------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST   | LOCATION                            | STATUS  | REQUEST_STATUS | ERROR_MESSAGE |
==============================================================================================================
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump  | STOPPED |                |               |
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump/ | IDLE    |                |               |
| TABLE            | urania | SYS.AUD$                            | STOPPED |                |               |
| TRANSACTION LOG  | urania |                                     | STOPPED |                |               |
--------------------------------------------------------------------------------------------------------------

It is also possible to start both of them.

AVCLI> START COLLECTION FOR SECURED TARGET TDB11A USING HOST urania FROM DIRECTORY '/u00/app/oracle/admin/TDB11A/adump';

Request submitted successfully.

AVCLI> LIST TRAIL FOR SECURED TARGET TDB11A;
---------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST   | LOCATION                            | STATUS  | REQUEST_STATUS  | ERROR_MESSAGE |
===============================================================================================================
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump  | STOPPED | START REQUESTED |               |
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump/ | IDLE    |                 |               |
| TABLE            | urania | SYS.AUD$                            | STOPPED |                 |               |
| TRANSACTION LOG  | urania |                                     | STOPPED |                 |               |
---------------------------------------------------------------------------------------------------------------

4 row(s) selected.

The command completed successfully.

Since it does not make sense to have two audit trails on the same directory I tried to drop the second audit trail.

AVCLI> STOP COLLECTION FOR SECURED TARGET TDB11A USING HOST urania FROM DIRECTORY '/u00/app/oracle/admin/TDB11A/adump/';

Request submitted successfully.

AVCLI> DROP TRAIL FOR SECURED TARGET TDB11A USING HOST urania FROM DIRECTORY '/u00/app/oracle/admin/TDB11A/adump/';
ERROR: 
OAV-3025: Audit data has been gathered for trail /u00/app/oracle/admin/TDB11A/adump/ of type DIRECTORY for secured target TDB11A. cannot drop trail.

  • Why the heck do I have a second audit trail?
  • Why is it not possible to remove it?

The answer to the second question is simple. Since both audit trails point to the same directory, they also point to the same audit data. In the current release 12.1.1 of Oracle Audit Vault and Database Firewall it is not possible to remove an audit trail once audit data has been collected for it. OK, but why do I have a second audit trail to the same directory? The reason is not obvious but simple. Oracle did not implement a command to create new audit trails. Instead, they use the start command. If you execute

START COLLECTION FOR SECURED TARGET

and the requested audit trail does not yet exist, it will be created. Unfortunately this behavior is not mentioned in the AVCLI documentation. I could test this successfully for other trail types. In the case of directories, Oracle checks whether the directory exists and is accessible, but does not normalize the path name, which is why I ended up with two similar audit trails.
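The practical consequence is that anything that builds a START COLLECTION statement should normalize the directory first, and a periodic check over LIST TRAIL output can flag trails that only differ in spelling of the same path. The following is an added example, not part of AVCLI or the post: a small parser for the pipe-delimited table AVCLI prints for LIST TRAIL (the sample table is copied from the output above), a duplicate check that collapses DIRECTORY locations with `posixpath.normpath`, and a helper that emits the start statement with the path already normalized. The assumption that `normpath` is the right canonical form (trailing slash, `//`, `/./`) is mine; it does not resolve symlinks.

```python
import posixpath
from collections import defaultdict

# Constructed sample: the LIST TRAIL output shown in the post, as AVCLI prints it.
SAMPLE_LIST_TRAIL = """\
--------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST   | LOCATION                            | STATUS  | REQUEST_STATUS | ERROR_MESSAGE |
==============================================================================================================
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump  | STOPPED |                |               |
| DIRECTORY        | urania | /u00/app/oracle/admin/TDB11A/adump/ | IDLE    |                |               |
| TABLE            | urania | SYS.AUD$                            | STOPPED |                |               |
| TRANSACTION LOG  | urania |                                     | STOPPED |                |               |
--------------------------------------------------------------------------------------------------------------
"""


def parse_list_trail(text):
    """Parse the pipe-delimited table AVCLI prints for LIST TRAIL into dicts.

    Separator lines (---- / ====) and trailing status text do not start with
    '|' and are skipped; the first '|' line is taken as the header.
    """
    rows = []
    header = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def normalize_location(trail_type, location):
    """Canonical form of a trail location so that spelling variants compare equal.

    Only DIRECTORY trails are file-system paths. AVCLI itself does not
    normalize them (per the post), so '/x/adump' and '/x/adump/' become two
    trails on the appliance; here they collapse to one key.
    """
    if trail_type == "DIRECTORY" and location:
        return posixpath.normpath(location)
    return location


def find_duplicate_trails(text):
    """Return {(type, host, canonical_location): [raw locations]} for every
    group of more than one trail that maps to the same canonical location."""
    groups = defaultdict(list)
    for row in parse_list_trail(text):
        ttype = row["AUDIT_TRAIL_TYPE"]
        key = (ttype, row["HOST"], normalize_location(ttype, row["LOCATION"]))
        groups[key].append(row["LOCATION"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def start_collection_command(target, host, directory):
    """Build a START COLLECTION statement with the directory normalized first,
    so a stray trailing slash cannot silently create a second trail."""
    if not directory.startswith("/"):
        raise ValueError("expected an absolute path, got %r" % directory)
    return ("START COLLECTION FOR SECURED TARGET {} USING HOST {} "
            "FROM DIRECTORY '{}';".format(target, host, posixpath.normpath(directory)))


if __name__ == "__main__":
    for (ttype, host, loc), raws in find_duplicate_trails(SAMPLE_LIST_TRAIL).items():
        print("duplicate %s trail on %s for %s: %s" % (ttype, host, loc, raws))
    print(start_collection_command("TDB11A", "urania",
                                   "/u00/app/oracle/admin/TDB11A/adump/"))
```

Run against the sample, the duplicate check reports the two DIRECTORY rows for `/u00/app/oracle/admin/TDB11A/adump` as one group, and the start helper emits the statement without the trailing slash. Running the check before each START COLLECTION is cheap and catches the problem while the new trail is still droppable, that is, before any audit data has been collected for it.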

Solution

For now there are only two options: live with the second audit trail, or try to manually drop the audit data related to it. But dropping means losing audit data, which in most cases is not acceptable for production systems. I’ll provide a possible solution to drop trail data later on this blog. Oracle itself addressed this issue in Bug 17544636 ONE CAN EASILY DUPLICATE AUDIT TRAILS WHEN USING AVCLI.

Conclusion

It is a nice feature to be able to create audit trails so easily. But I expect it to handle simple user errors / typos better 🙂
