Great new feature of Oracle 11g.
Auditing Oracle software owner’s activities. It traces all events and commands of sysdba,sysoper privileges.Generaly SYS.AUD$ table contains auditing activities.But as Oracle software owner (SYSDBA owned) can easily remove auditing data from this SYS.AUD$
This parameter also privent hacker activity if it captures password of oracle software owner.When AUDIT_SYSLOG_LEVEL and AUDIT_SYS_OPERATIONS are combined, any commands
run as user SYS may be audited using the syslog facility. Since the files used by syslog are owned by root, and a DBA usually does not have access to the root account, DBAs will not be able to remove traces of their activity. Of course, this also applies to intruders who have managed to break into a machine and have gained access to the account of the ORACLE software owner but not to the root account.
AUDIT_SYSLOG_LEVEL enables OS audit logs to be written to the system via the syslog utility, if the AUDIT_TRAIL parameter is set to os. The value of facility can be any of the following: USER, LOCAL0- LOCAL7, SYSLOG, DAEMON, KERN, MAIL, AUTH, LPR,NEWS, UUCP or CRON. The value of level can be any of the following: NOTICE, INFO,
DEBUG, WARNING, ERR, CRIT, ALERT, EMERG.
Offcourse certain commands are accepted by Oracle otherwise you will get ORA-32028: Syslog facility or level not recognized error at database start time.
Thanks and regards,