In my previous topic I have given an idea about basics of oracle database auditing. Before entering in this topic I assume that my previous topic “Basics of Database Auditing” has already been read.
Actions Audited by Default
Regardless of whether database auditing is enabled, Oracle Database always audits certain database-related operations and writes them to the operating system audit file. This fact is called mandatory auditing, and it includes the following operations:
- Connections to the instance with administrator privileges (connecting to Oracle Database as SYSOPER or SYSDBA.)
- Database startup
- Database shutdown
Enabling and Disabling Standard Auditing
(A)Setting the AUDIT_TRAIL Initialization Parameter
ALTER SYSTEM SET AUDIT_TRAIL =value scope=spfile;
The AUDIT_TRAIL initialization parameter must be set to enable standard auditing. It may take any of the six values.
- DB: Enables database auditing and directs all audit records to the database audit trail (SYS.AUD$), except for records that are always written to the operating system audit trail.
- XML: All elements of the AuditRecord node except Sql_Text and Sql_Bind will be printed to the operating system XML audit file.
- DB,EXTENDED: Does all actions of AUDIT_TRAIL=DB and also populates the SQL bind and SQL text CLOB-type columns of the SYS.AUD$ table, wherever possible. (These two columns are populated only when this parameter is specified.)
- XML,EXTENDED: Does all actions of AUDIT_TRAIL=XML and also populates the SQL bind and SQL text CLOB-type columns of the SYS.AUD$ table, wherever possible. (These columns are populated only when this parameter is specified.)
- OS: Enables database auditing and directs all audit records to an operating system file
- NONE: Disables standard auditing (This value is the default.)
(B)Specifying a Directory for the Operating System Auditing Trail
The AUDIT_FILE_DEST initialization parameter specifies an operating system directory into which the audit trail is written when either AUDIT_TRAIL=OS or AUDIT_TRAIL=XML is specified.
Mandatory auditing information also goes into that directory, as do audit records for user SYS if the AUDIT_SYS_OPERATIONS initialization parameter is specified.
AUDIT_FILE_DEST can be changed with ALTER SYSTEM SET AUDIT_FILE_DEST = DEFERRED, meaning the new destination will be effective for all subsequent sessions.
If the AUDIT_FILE_DEST parameter is not specified, then the default location on Solaris is $ORACLE_BASE/admin/$DB_UNIQUE_NAME/adump.
(C)Enabling Standard Auditing Options
To use the AUDIT statement to set statement and privilege options, you must have the AUDIT SYSTEM privilege.
To use it to set object audit options, you must own the object to be audited or have the AUDIT ANY privilege.
Audit statements that set statement and privilege audit options can include a BY clause to specify a list of users or application proxies to limit the scope of the statement and privilege audit options.
When setting auditing options, you can also specify the following conditions for auditing:
- BY SESSION/BY ACCESS
BY SESSION causes Oracle Database to write a single record for all SQL statements of the same type issued in the same session. BY ACCESS causes Oracle to write one record for each access.
- WHENEVER SUCCESSFUL/WHENEVER NOT SUCCESSFUL
WHENEVER SUCCESSFUL chooses auditing only for statements that succeed. WHENEVER NOT SUCCESSFUL chooses auditing only for statements that fail or result in errors.
Auditing Connections and Disconnections
AUDIT SESSION;
AUDIT SESSION BY PROD7, PROD72;
Enabling Privilege Auditing
AUDIT DELETE ANY TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;
Enabling Object Auditing
AUDIT SELECT, INSERT, DELETE ON PROD7.USER_ACTIVITY BY ACCESS WHENEVER SUCCESSFUL;
(D)Turning Off Statement and Privilege Auditing
The following statement turns off all statement audit options:
NOAUDIT ALL;
The following statement turns off all privilege audit options:
NOAUDIT ALL PRIVILEGES;
Turning Off Object Auditing
NOAUDIT ALL ON PROD7;
Turning Off Network Auditing
NOAUDIT NETWORK;
Purging Audit Records from the Audit Trail
For example, to delete all audit records from the audit trail, enter the following statement:
DELETE FROM SYS.AUD$;
Alternatively, to delete all audit records from the audit trail generated as a result of auditing the table emp, enter the following statement:
DELETE FROM SYS.AUD$ WHERE obj$name=’EMP’;
(E)Viewing Database Audit Trail Information DBA_STMT_AUDIT_OPTS
DBA_STMT_AUDIT_OPTS
Describes current system auditing options across the system and by user.
DBA_PRIV_AUDIT_OPTS
Describes current system privileges being audited across the system and by user.
DBA_OBJ_AUDIT_OPTS USER_OBJ_AUDIT_OPTS
Describes auditing options on all objects. The USER view describes auditing options on all objects owned by the current user.
DBA_AUDIT_TRAIL USER_AUDIT_TRAIL
Lists all audit trail entries. The USER view shows audit trail entries relating to current user.
DBA_AUDIT_OBJECT USER_AUDIT_OBJECT
Contains audit trail records for all objects in the system. The USER view lists audit trail records for statements concerning objects that are accessible to the current user.
DBA_AUDIT_SESSION USER_AUDIT_SESSION
Lists all audit trail records concerning CONNECT and DISCONNECT. The USER view lists all audit trail records concerning connections and disconnections for the current user.
DBA_AUDIT_STATEMENT USER_AUDIT_STATEMENT
Lists audit trail records concerning GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements throughout the database, or for the USER view, issued by the user.
DBA_AUDIT_EXISTS
Lists audit trail entries produced BY AUDIT NOT EXISTS.