Professional Documents
Culture Documents
Value
Meaning
DB
Enables database auditing and directs all audit records to the database audit trail (SYS.AUD$),
except for records that are always written to the operating system audit trail
DB,EXTENDED
Does all actions of AUDIT_TRAIL=DB and also populates the SQL bind and SQL text columns
of the SYS.AUD$ table
XML
Enables database auditing and directs all audit records in XML format to an operating system
file
XML,EXTENDED
Does all actions of AUDIT_TRAIL=XML, adding the SQL bind and SQL text columns
OS (recommended) Enables database auditing and directs all audit records to an operating system file
ALTER ANY
TABLE
DROP PROFILE
ALTER
DATABASE
DROP USER
ALTER SYSTEM
ALTER USER
CREATE SESSION
AUDIT SYSTEM
CREATE USER
CREATE ANY
JOB
uditing in Oracle
Auditing in Oracle
The auditing mechanism for Oracle is extremely flexible. Oracle stores information that is
relevant to auditing in its data dictionary.
Every time a user attempts anything in the database where audit is enabled the Oracle
kernel checks to see if an audit record should be created or updated (in the case or a
session record) and generates the record in a table owned by the SYS user called AUD$.
This table is, by default, located in the SYSTEM tablespace. This itself can cause problems
with potential denial of service attacks. If the SYSTEM tablespace fills up, the database will
hang.
init parameters
Until Oracle 10g, auditing is disabled by default, but can be enabled by setting the
AUDIT_TRAIL static parameter in the init.ora file.
From Oracle 11g, auditing is enabled for some system level privileges.
SQL> show parameter audit
NAME
---------------------audit_file_dest
audit_sys_operations
audit_syslog_level
audit_trail
transaction_auditing
TYPE
VALUE
------------ ------------string
?/rdbms/audit
boolean
FALSE
string
NONE
string
DB
boolean
TRUE
Prints
Catalogs
Setting The
Serial Number
Examples
Values
DB_EXTENDED > Same as DB, but the SQL_BIND and SQL_TEXT columns are also
populated.
XML-> Auditing is enabled, with all audit records stored as XML format OS files.
XML_EXTENDED > Same as XML, but the SQL_BIND and SQL_TEXT columns are
also populated.
OS -> Auditing is enabled, with all audit records directed to the operating system's
file specified by AUDIT_FILE_DEST.
Note: In Oracle 10g Release 1, DB_EXTENDED was used in place of "DB,EXTENDED". The
XML options were brought inOracle 10g Release 2.
The AUDIT_FILE_DEST parameter specifies the OS directory used for the audit trail when
the OS, XML and XML_EXTENDED options are used. It is also the location for all mandatory
auditing specified by the AUDIT_SYS_OPERATIONS parameter.
The AUDIT_SYS_OPERATIONS static parameter enables or disables the auditing of
operations issued by users connecting with SYSDBA or SYSOPER privileges, including the
SYS user. All audit records are written to the OS audit trail.
Run the $ORACLE_HOME/rdbms/admin/cataudit.sql script while connected as SYS (no need
to run this, if you ran catalog.sql at the time of database creation).
Start Auditing
Syntax of audit command:
audit {statement_option|privilege_option} [by user] [by {session|access}]
[whenever {successful|not successful}]
Trial
Prints
Catalogs
Only the statement_option or privilege_option part is mandatory. The other clauses are
optional and enabling them allows audit be more specific.
There are three levels that can be audited:
Statement level
Auditing will be done at statement level.
Audit options
BY SESSION
Specify BY SESSION if you want Oracle to write a single record for all SQL statements of the
same type issued and operations of the same type executed on the same schema objects in
the same session.
Oracle database can write to an operating system audit file but cannot read it to detect
whether an entry has already been written for a particular operation. Therefore, if you are
using an operating system file for the audit trail (that is, the
AUDIT_TRAIL initialization parameter is set to OS), then the database may write multiple
records to the audit trail file even if you specify BY SESSION.
SQL> audit create, alter, drop on currency by xe by session;
SQL> audit alter materialized view by session;
BY ACCESS
Specify BY ACCESS if you want Oracle database to write one record for each audited
statement and operation.
If you specify statement options or system privileges that audit data definition language
(DDL) statements, then thedatabase automatically audits by access regardless of whether
you specify the BY SESSION clause or BY ACCESS clause.
For statement options and system privileges that audit SQL statements other than DDL, you
can specify either BY SESSION or BY ACCESS. BY SESSION is the default.
SQL> audit update on health by access;
SQL> audit alter sequence by tester by access;
WHENEVER [NOT] SUCCESSFUL
Specify WHENEVER SUCCESSFUL to audit only SQL statements and operations that succeed.
Specify WHENEVER NOT SUCCESSFUL to audit only SQL statements and operations that fail
or result in errors.
If you omit this clause, then Oracle Database performs the audit regardless of success or
failure.
SQL> audit insert, update, delete on hr.emp by hr by session whenever not successful;
SQL> audit materialized view by pingme by access whenever successful;
Examples
Auditing for every SQL statement related to roles (create, alter, drop or set a role).
SQL> AUDIT ROLE;
Auditing for every statement that reads files from database directory
SQL> AUDIT READ ON DIRECTORY ext_dir;
Auditing for every statement that performs any operation on the sequence
SQL> AUDIT ALL ON hr.emp_seq;
select userid, returncode from sys.aud$;
input_type,
status,
to_char(end_time,'yyyy-mm-dd hh24:mi')
output_bytes_display
from v$rman_backup_job_details
order by session_key desc;
end_time,
Object Owner - The owner of the object that was interacted with.
Object Name - name of the object that was interacted with.
Action Name - The action that occurred against the object (INSERT, UPDATE, DELETE,
SELECT, EXECUTE)
Fine Grained Auditing (FGA), introduced in Oracle9i, allowed recording of row-level changes
along with SCN numbers to reconstruct the old data, but they work for select statements
only, not for DML such as update, insert, and delete.
From Oracle 10g, FGA supports DML statements in addition to selects.
Several fields have been added to both the standard and fine-grained audit trails:
TRANSACTIONID - Transaction identifier for the audited transaction. This column can
be used to join to the XID column on the FLASHBACK_TRANSACTION_QUERY view.
SCN - System change number of the query. This column can be used in flashback
queries.
Maintenance
The audit trail must be deleted/archived on a regular basis to prevent the SYS.AUD$ table
growing to an unacceptable size.
Only users who have been granted specific access to SYS.AUD$ can access the table to
select, alter or delete from it. This is usually just the user SYS or any user who has
permissions. There are two specific roles that allow access to SYS.AUD$ for select and
delete, these are DELETE_CATALOG_ROLE and SELECT_CATALOG_ROLE. These roles should
not be granted to general users.
Auditing modifications of the data in the audit trail itself can be achieved as follows
SQL> AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;
To delete all audit records from the audit trail:
SQL> DELETE FROM sys.aud$;
From Oracle 11g R2, we can change audit table's (SYS.AUD$ and SYS.FGA_LOG$)
tablespace and we can periodically delete the audit trail records using DBMS_AUDIT_MGMT
package.
Disabling Auditing
The NOAUDIT statement turns off the various audit options of Oracle. Use it to reset
statement, privilege and object audit options. A NOAUDIT statement that sets statement
and privilege audit options can include the BY USER option to specify a list of users to limit
the scope of the statement and privilege audit options.
SQL>
SQL>
SQL>
SQL>
SQL>
SQL>
SQL>
SQL>
NOAUDIT;
NOAUDIT session;
NOAUDIT session BY scott, hr;
NOAUDIT DELETE ON emp;
NOAUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE;
NOAUDIT ALL;
NOAUDIT ALL PRIVILEGES;
NOAUDIT ALL ON DEFAULT;
Also note that there are two additional parameters audit_sys_operations and
audit_syslog_level that you should consider setting if you are concerned about the SYS
account activity.
1. audit_sys_operations - this initialization parameter tells Oracle to turn on auditing of the
SYS connections, and users connecting with the SYSDBA or SYSOPER privilege. It has either
a TRUE or FALSE value
2. audit_syslog_level this initialization parameter enables SYS and standard OS auditing
records to be written to the system using the SYSLOG utility
Now that weve enables operating system auditing, it is always nice to see exactly what
weve accomplished. While this is not an exhaustive example, it does touch the surface of
what we are trying to accomplish here. Suppose now that we have an un-authorized access
attempt (failed login) to our database through the use of the SCOTT/TIGER account.
1. Being good DBAs weve locked this account and any attempts will be now be met with
the account is locked message:
[oracle@ludwig adump]$ sqlplus scott/tiger
SQL*Plus: Release 11.1.0.6.0 - Production on Thu Dec 10 06:51:43 2009
Copyright (c) 1982, 2007, Oracle. All rights reserved.
ERROR:
ORA-28000: the account is locked
2. And now, because of auditing, this attempt will not go unnoticed and will be reported in
the audit_file_dest location:
[oracle@ludwig ~]$ cd $ORACLE_HOME/adump
[oracle@ludwig adump]$ more ora_3817.aud
Audit file /opt/app/oracle/admin/db11/adump/ora_3817.aud
Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /opt/app/oracle/product/11.1.0/db_1
System name: Linux
Node name:
ludwig
Release:
2.6.18-8.el5
Version:
#1 SMP Thu Mar 15 19:57:35 EDT 2007
Machine:
i686
Instance name: db11
Redo thread mounted by this instance: 1
Oracle process number: 18
Unix process pid: 3817, image: oracle@ludwig (TNS V1-V3)
Thu Dec 10 06:48:46 2009
SESSIONID: "280057" ENTRYID: "1" STATEMENT: "1" USERID: "SCOTT" USERHOST:
"ludwig" TERMINAL: "pts/1" ACTION: "100"
RETURNCODE: "28000" COMMENT$TEXT: "Authenticated by: DATABASE" OS$USERID:
"oracle"
Now that you have the settings changed, you can start monitoring the activity on the SYS
account. Remember standard auditing can monitor and record various user database actions
such as SQL statements, privileges, schemas, objects, and network and multitier activity.
Now is the time to dig in, see how far standard auditing can take you to gain compliancy
and then fill in the gaps. The issue becomes whether you can provide auditors everything
they need to pass your audit. If you can monitor all database traffic and take appropriate
action then you will pass, otherwise you are in for a lot of work. But more on that latter.