Auditing .doc

  • 7/27/2019 Auditing .doc


    Auditing in Oracle 10g Release 2

    This article presents an overview of auditing in Oracle 10g Release 2. Many of the topics presented here have been covered in previous articles, but this serves to bring them all together.

    Server Setup

    Audit Options

    View Audit Trail

    Maintenance and Security

    Fine Grained Auditing

    Related articles.

    Fine Grained Auditing (9i)

    Fine Grained Auditing Enhancements (10g)

    Uniform Audit Trail (10g)

    Audit Trail Contents (10g)

    Auditing Enhancements (DBMS_AUDIT_MGMT) in Oracle Database 11g Release 2

    Server Setup

    Auditing is a default feature of the Oracle server. The initialization parameters that influence its behaviour can be displayed using the SHOW PARAMETER SQL*Plus command.

    SQL> SHOW PARAMETER AUDIT

    NAME                                 TYPE        VALUE
    ------------------------------------ ----------- ------------------------------
    audit_file_dest                      string      C:\ORACLE\PRODUCT\10.2.0\ADMIN\DB10G\ADUMP
    audit_sys_operations                 boolean     FALSE
    audit_trail                          string      NONE
    SQL>

    Auditing is disabled by default, but can be enabled by setting the AUDIT_TRAIL static parameter, which has the following allowed values.

    AUDIT_TRAIL = { none | os | db | db,extended | xml | xml,extended }

    The following list provides a description of each setting:

    none or false - Auditing is disabled.

    db or true - Auditing is enabled, with all audit records stored in the database audit trail (SYS.AUD$).

    db,extended - As db, but the SQL_BIND and SQL_TEXT columns are also populated.

    xml - Auditing is enabled, with all audit records stored as XML format OS files.


    xml,extended - As xml, but the SQL_BIND and SQL_TEXT columns are also populated.

    os - Auditing is enabled, with all audit records directed to the operating system's audit trail.

    Note. In Oracle 10g Release 1, db_extended was used in place of db,extended. The XML options are new to Oracle 10g Release 2.

    The AUDIT_SYS_OPERATIONS static parameter enables or disables the auditing of operations issued by users connecting with SYSDBA or SYSOPER privileges, including the SYS user. All audit records are written to the OS audit trail.

    The AUDIT_FILE_DEST parameter specifies the OS directory used for the audit trail when the os, xml and xml,extended options are used. It is also the location for all mandatory auditing specified by the AUDIT_SYS_OPERATIONS parameter.

    To enable auditing and direct audit records to the database audit trail, we would do the following.

    SQL> ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE;

    System altered.

    SQL> SHUTDOWN
    Database closed.
    Database dismounted.
    ORACLE instance shut down.
    SQL> STARTUP
    ORACLE instance started.

    Total System Global Area  )?@'?B bytes
    Fixed Size                &)@'' bytes
    Variable Size             B&'@ bytes
    Database Buffers          )&?'?'@ bytes
    Redo Buffers              )?@')@ bytes
    Database mounted.
    Database opened.
    SQL>

    Audit Options

    One look at the AUDIT command syntax should give you an idea of how flexible Oracle auditing is. There is no point repeating all this information, so instead we will look at a simple example.

    First we create a new user called AUDIT_TEST.

    CONNECT sys/password AS SYSDBA

    CREATE USER audit_test IDENTIFIED BY password
      DEFAULT TABLESPACE users
      TEMPORARY TABLESPACE temp
      QUOTA UNLIMITED ON users;

    GRANT connect TO audit_test;
    GRANT create table, create procedure TO audit_test;

    Next we audit all operations by the AUDIT_TEST user.

    CONNECT sys/password AS SYSDBA


    AUDIT ALL BY audit_test BY ACCESS;
    AUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY audit_test BY ACCESS;
    AUDIT EXECUTE PROCEDURE BY audit_test BY ACCESS;

    These options audit all DDL and DML, along with some system events.

    DDL (CREATE, ALTER & DROP of objects)

    DML (INSERT, UPDATE, DELETE, SELECT, EXECUTE).

    SYSTEM EVENTS (LOGON, LOGOFF etc.)

    Next, we perform some operations that will be audited.

    CONN audit_test/password

    CREATE TABLE test_tab (
      id NUMBER
    );

    INSERT INTO test_tab (id) VALUES (1);
    UPDATE test_tab SET id = id;
    SELECT * FROM test_tab;
    DELETE FROM test_tab;

    DROP TABLE test_tab;

    In the next section we will look at how we view the contents of the audit trail.

    View Audit Trail

    The audit trail is stored in the SYS.AUD$ table. Its contents can be viewed directly or via the following views.

    SELECT view_name
    FROM   dba_views
    WHERE  view_name LIKE 'DBA%AUDIT%'
    ORDER BY view_name;

    VIEW_NAME
    ------------------------------
    DBA_AUDIT_EXISTS
    DBA_AUDIT_OBJECT
    DBA_AUDIT_POLICIES
    DBA_AUDIT_POLICY_COLUMNS
    DBA_AUDIT_SESSION
    DBA_AUDIT_STATEMENT
    DBA_AUDIT_TRAIL
    DBA_COMMON_AUDIT_TRAIL
    DBA_FGA_AUDIT_TRAIL
    DBA_OBJ_AUDIT_OPTS
    DBA_PRIV_AUDIT_OPTS
    DBA_REPAUDIT_ATTRIBUTE
    DBA_REPAUDIT_COLUMN
    DBA_STMT_AUDIT_OPTS

    14 rows selected.

    SQL>

    The three main views are shown below.

    DBA_AUDIT_TRAIL - Standard auditing only (from AUD$).

    DBA_FGA_AUDIT_TRAIL - Fine-grained auditing only (from FGA_LOG$).

    DBA_COMMON_AUDIT_TRAIL - Both standard and fine-grained auditing.

    The most basic view of the database audit trail is provided by the DBA_AUDIT_TRAIL view, which contains a wide variety of information. The following query displays some of the information from the database audit trail.

    COLUMN username FORMAT A10
    COLUMN owner    FORMAT A10
    COLUMN obj_name FORMAT A10
    COLUMN extended_timestamp FORMAT A

    SELECT username, extended_timestamp, owner, obj_name, action_name
    FROM   dba_audit_trail
    WHERE  owner = 'AUDIT_TEST'
    ORDER BY timestamp;

    USERNAME   EXTENDED_TIMESTAMP                  OWNER      OBJ_NAME   ACTION_NAME
    ---------- ----------------------------------- ---------- ---------- ----------------------------
    AUDIT_TEST &-0E*-)'' &@$&$(@''' ''$''          AUDIT_TEST TEST_TAB   CREATE TABLE
    AUDIT_TEST &-0E*-)'' &@$&$(&@''' ''$''         AUDIT_TEST TEST_TAB   INSERT
    AUDIT_TEST &-0E*-)'' &@$&$(@''' ''$''          AUDIT_TEST TEST_TAB   UPDATE
    AUDIT_TEST &-0E*-)'' &@$&$(?)''' ''$''         AUDIT_TEST TEST_TAB   SELECT
    AUDIT_TEST &-0E*-)'' &@$&$(B'''' ''$''         AUDIT_TEST TEST_TAB   DELETE
    AUDIT_TEST &-0E*-)'' &@$&B$''('@''' ''$''      AUDIT_TEST TEST_TAB   DROP TABLE

    6 rows selected.

    SQL>

    When the audit trail is directed to an XML format OS file, it can be read using a text editor or via the V$XML_AUDIT_TRAIL view, which contains similar information to the DBA_AUDIT_TRAIL view.

    COLUMN db_user FORMAT A10
    COLUMN object_schema


    object_name, action
    FROM   v$xml_audit_trail
    WHERE  object_schema


    AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;

    The OS and XML audit trails are managed through the OS. These files should be secured at the OS level by assigning the correct file permissions.
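
    The AUDIT statement on sys.aud$ shown above records DML against the audit trail table in the audit trail itself. As an added example (not from the original article), the following query summarises those records from DBA_AUDIT_TRAIL so changes to the audit trail can be reviewed per account and host. It assumes the database audit trail is enabled and that the AUDIT statement above has been issued.

```sql
-- Added example: summarise audited DML against the audit trail table.
-- Assumes AUDIT_TRAIL is db or db,extended and that
-- AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS has been issued.
COLUMN username    FORMAT A15
COLUMN os_username FORMAT A15
COLUMN userhost    FORMAT A20
COLUMN action_name FORMAT A10

SELECT username,
       os_username,
       userhost,
       action_name,
       -- RETURNCODE is 0 for a statement that succeeded,
       -- otherwise the Oracle error number that was raised.
       SUM(CASE WHEN returncode = 0  THEN 1 ELSE 0 END) AS succeeded,
       SUM(CASE WHEN returncode <> 0 THEN 1 ELSE 0 END) AS failed,
       MIN(extended_timestamp) AS first_seen,
       MAX(extended_timestamp) AS last_seen
FROM   dba_audit_trail
WHERE  owner       = 'SYS'
AND    obj_name    = 'AUD$'
AND    action_name IN ('INSERT', 'UPDATE', 'DELETE')
GROUP BY username, os_username, userhost, action_name
ORDER BY last_seen DESC;
```

    Statements issued over SYSDBA or SYSOPER connections do not appear in this result. As described under Server Setup, those are written to the OS audit trail when AUDIT_SYS_OPERATIONS is enabled.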

    Fine Grained Auditing (FGA)

    Fine grained auditing extends Oracle standard auditing capabilities by allowing the user to audit actions based on user-defined predicates. It is independent of the AUDIT_TRAIL parameter setting and all audit records are stored in the FGA_LOG$ table, rather than the AUD$ table. The following example illustrates how fine grained auditing is used.

    First, create a test table.

    CONN audit_test/password

    CREATE TABLE emp (
      empno NUMBER(4) NOT NULL,
      ename VARCHAR2(10),
      job   VARCHAR2(9),
      mgr   NUMBER(4),


    ------------------------------------------
    SELECT sal FROM emp WHERE ename = 'Larry'

    1 row selected.

    SQL>

    Extra processing can be associated with an FGA event by defining a database procedure and associating this to the audit event. The following example assumes the FIRE_CLERK procedure has been defined.

    BEGIN
      DBMS_FGA.add_policy(
        object_schema   => 'AUDIT_TEST',
        object_name     => 'EMP',
        policy_name     => 'SALARY_CHK_AUDIT',
        audit_condition => 'SAL > 0000',
        audit_column    => 'SAL',
        handler_module  => 'FIRE_CLERK',
        enable          => TRUE);
    END;
    /
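
    The policy above refers to a FIRE_CLERK handler that the article assumes already exists. As an added example, not taken from the original article, one possible definition follows. It writes each event to a hypothetical FGA_ALERTS table (the table name, its columns and the procedure body are assumptions); the three-argument signature is the one DBMS_FGA passes to a handler module.

```sql
-- Added example: hypothetical alert table, one row per FGA event.
CREATE TABLE fga_alerts (
  event_time     TIMESTAMP WITH TIME ZONE DEFAULT SYSTIMESTAMP,
  db_user        VARCHAR2(30),
  os_user        VARCHAR2(255),
  host           VARCHAR2(255),
  object_schema  VARCHAR2(30),
  object_name    VARCHAR2(30),
  policy_name    VARCHAR2(30),
  sql_text       VARCHAR2(4000)
);

-- Handler invoked by the FGA policy when its audit condition matches.
-- DBMS_FGA passes the audited schema, object and policy name, in that order.
CREATE OR REPLACE PROCEDURE fire_clerk (
  object_schema  IN VARCHAR2,
  object_name    IN VARCHAR2,
  policy_name    IN VARCHAR2
) AS
  -- Commit the alert independently, so it survives a ROLLBACK
  -- of the statement that triggered it.
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO fga_alerts
    (db_user, os_user, host,
     object_schema, object_name, policy_name, sql_text)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'HOST'),
     object_schema, object_name, policy_name,
     -- CURRENT_SQL is only populated inside an FGA handler or policy
     -- function; request up to 4000 bytes instead of the default 256.
     SYS_CONTEXT('USERENV', 'CURRENT_SQL', 4000));
  COMMIT;
END;
/
```

    The handler must be compiled in the schema the policy resolves it from before the policy fires, and FGA_ALERTS should not be writable by the accounts being audited.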

    The DBMS_FGA package contains the following procedures.

    ADD_POLICY

    DROP_POLICY

    ENABLE_POLICY

    DISABLE_POLICY

    In Oracle9i fine grained auditing was limited to queries, but in Oracle 10g it has been extended to include DML statements, as shown by the following example.

    -- Clear down t


    SELECT * FROM emp WHERE empno = 999;
    INSERT INTO emp (empno, ename, sal) VALUES (999, 'Bill', 1);
    UPDATE emp SET sal = 10 WHERE empno = 999;
    DELETE emp WHERE empno = 999;
    ROLLBACK;

    -- C