Auditing table in Oracle 10g
Friday, June 22, 2012
Auditing in Oracle 10g
This article presents an overview of auditing in Oracle 10g Release 2. Many of the topics presented here have been covered in previous articles, but this serves to bring them all together.
Related articles.
- Fine Grained Auditing (9i)
- Fine Grained Auditing Enhancements (10g)
- Uniform Audit Trail (10g)
- Audit Trail Contents (10g)
- Auditing Enhancements (DBMS_AUDIT_MGMT) in Oracle Database 11g Release 2
Server Setup
Auditing is a default feature of the Oracle server. The initialization parameters that influence its behaviour can be displayed using the
SHOW PARAMETER SQL*Plus command.
SQL> SHOW PARAMETER AUDIT
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string C:\ORACLE\PRODUCT\10.2.0\ADMIN
\DB10G\ADUMP
audit_sys_operations boolean FALSE
audit_trail string NONE
SQL>
Auditing is disabled by default, but can enabled by setting the
AUDIT_TRAIL static parameter, which has the following allowed values.
AUDIT_TRAIL = { none | os | db | db,extended | xml | xml,extended }
The following list provides a description of each setting:
noneorfalse- Auditing is disabled.dbortrue- Auditing is enabled, with all audit records stored in the database audit trial (SYS.AUD$).db,extended- Asdb, but theSQL_BINDandSQL_TEXTcolumns are also populated.xml- Auditing is enabled, with all audit records stored as XML format OS files.xml,extended- Asxml, but theSQL_BINDandSQL_TEXTcolumns are also populated.os- Auditing is enabled, with all audit records directed to the operating system's audit trail.
Note. In Oracle 10g Release 1,
db_extended was used in place of db,extended. The XML options are new to Oracle 10g Release 2.
The
AUDIT_SYS_OPERATIONS static parameter enables or disables the auditing of operations issued by users connecting with SYSDBA or SYSOPER privileges, including the SYS user. All audit records are written to the OS audit trail.
The
AUDIT_FILE_DEST parameter specifies the OS directory used for the audit trail when the os, xml and xml,extended options are used. It is also the location for all mandatory auditing specified by the AUDIT_SYS_OPERATIONSparameter.
To enable auditing and direct audit records to the database audit trail, we would do the following.
SQL> ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE; System altered. SQL> SHUTDOWN Database closed. Database dismounted. ORACLE instance shut down. SQL> STARTUP ORACLE instance started. Total System Global Area 289406976 bytes Fixed Size 1248600 bytes Variable Size 71303848 bytes Database Buffers 213909504 bytes Redo Buffers 2945024 bytes Database mounted. Database opened. SQL>
Audit Options
One look at the AUDIT command syntax should give you an idea of how flexible Oracle auditing is. There is no point repeating all this information, so instead we will look at a simple example.
First we create a new user called AUDIT_TEST.
CONNECT sys/password AS SYSDBA CREATE USER audit_test IDENTIFIED BY password DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON users; GRANT connect TO audit_test; GRANT create table, create procedure TO audit_test;
Next we audit all operations by the AUDIT_TEST user.
CONNECT sys/password AS SYSDBA AUDIT ALL BY audit_test BY ACCESS; AUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY audit_test BY ACCESS; AUDIT EXECUTE PROCEDURE BY audit_test BY ACCESS;
These options audit all DDL and DML, along with some system events.
- DDL (CREATE, ALTER & DROP of objects)
- DML (INSERT UPDATE, DELETE, SELECT, EXECUTE).
- SYSTEM EVENTS (LOGON, LOGOFF etc.)
Next, we perform some operations that will be audited.
CONN audit_test/password CREATE TABLE test_tab ( id NUMBER ); INSERT INTO test_tab (id) VALUES (1); UPDATE test_tab SET id = id; SELECT * FROM test_tab; DELETE FROM test_tab; DROP TABLE test_tab;
In the next section we will look at how we view the contents of the audit trail.
View Audit Trail
The audit trail is stored in the
SYS.AUD$ table. Its contents can be viewed directly or via the following views.SELECT view_name FROM dba_views WHERE view_name LIKE 'DBA%AUDIT%' ORDER BY view_name; VIEW_NAME ------------------------------ DBA_AUDIT_EXISTS DBA_AUDIT_OBJECT DBA_AUDIT_POLICIES DBA_AUDIT_POLICY_COLUMNS DBA_AUDIT_SESSION DBA_AUDIT_STATEMENT DBA_AUDIT_TRAIL DBA_COMMON_AUDIT_TRAIL DBA_FGA_AUDIT_TRAIL DBA_OBJ_AUDIT_OPTS DBA_PRIV_AUDIT_OPTS DBA_REPAUDIT_ATTRIBUTE DBA_REPAUDIT_COLUMN DBA_STMT_AUDIT_OPTS 14 rows selected. SQL>
The three main views are shown below.
DBA_AUDIT_TRAIL- Standard auditing only (fromAUD$).DBA_FGA_AUDIT_TRAIL- Fine-grained auditing only (fromFGA_LOG$).DBA_COMMON_AUDIT_TRAIL- Both standard and fine-grained auditing.
The most basic view of the database audit trail is provided by the
DBA_AUDIT_TRAIL view, which contains a wide variety of information. The following query displays the some of the information from the database audit trail.
COLUMN username FORMAT A10
COLUMN owner FORMAT A10
COLUMN obj_name FORMAT A10
COLUMN extended_timestamp FORMAT A35
SELECT username,
extended_timestamp,
owner,
obj_name,
action_name
FROM dba_audit_trail
WHERE owner = 'AUDIT_TEST'
ORDER BY timestamp;
USERNAME EXTENDED_TIMESTAMP OWNER OBJ_NAME ACTION_NAME
---------- ----------------------------------- ---------- ---------- ----------------------------
AUDIT_TEST 16-FEB-2006 14:16:55.435000 +00:00 AUDIT_TEST TEST_TAB CREATE TABLE
AUDIT_TEST 16-FEB-2006 14:16:55.514000 +00:00 AUDIT_TEST TEST_TAB INSERT
AUDIT_TEST 16-FEB-2006 14:16:55.545000 +00:00 AUDIT_TEST TEST_TAB UPDATE
AUDIT_TEST 16-FEB-2006 14:16:55.592000 +00:00 AUDIT_TEST TEST_TAB SELECT
AUDIT_TEST 16-FEB-2006 14:16:55.670000 +00:00 AUDIT_TEST TEST_TAB DELETE
AUDIT_TEST 16-FEB-2006 14:17:00.045000 +00:00 AUDIT_TEST TEST_TAB DROP TABLE
6 rows selected.
SQL>
When the audit trail is directed to an XML format OS file, it can be read using a text editor or via the
V$XML_AUDIT_TRAIL view, which contains similar information to the DBA_AUDIT_TRAIL view.
COLUMN db_user FORMAT A10
COLUMN object_schema FORMAT A10
COLUMN object_name FORMAT A10
COLUMN extended_timestamp FORMAT A35
SELECT db_user,
extended_timestamp,
object_schema,
object_name,
action
FROM v$xml_audit_trail
WHERE object_schema = 'AUDIT_TEST'
ORDER BY extended_timestamp;
DB_USER EXTENDED_TIMESTAMP OBJECT_SCH OBJECT_NAM ACTION
---------- ----------------------------------- ---------- ---------- ----------
AUDIT_TEST 16-FEB-2006 14:14:33.417000 +00:00 AUDIT_TEST TEST_TAB 1
AUDIT_TEST 16-FEB-2006 14:14:33.464000 +00:00 AUDIT_TEST TEST_TAB 2
AUDIT_TEST 16-FEB-2006 14:14:33.511000 +00:00 AUDIT_TEST TEST_TAB 6
AUDIT_TEST 16-FEB-2006 14:14:33.542000 +00:00 AUDIT_TEST TEST_TAB 3
AUDIT_TEST 16-FEB-2006 14:14:33.605000 +00:00 AUDIT_TEST TEST_TAB 7
AUDIT_TEST 16-FEB-2006 14:14:34.917000 +00:00 AUDIT_TEST TEST_TAB 12
6 rows selected.
SQL>
Several fields were added to both the standard and fine-grained audit trails in Oracle 10g, including the following.
EXTENDED_TIMESTAMP- A more precise value than the exisingTIMESTAMPcolumn.PROXY_SESSIONID- Proxy session serial number when an enterprise user is logging in via the proxy method.GLOBAL_UID- Global Universal Identifier for an enterprise user.INSTANCE_NUMBER- TheINSTANCE_NUMBERvalue from the actioning instance.OS_PROCESS- Operating system process id for the oracle process.TRANSACTIONID- Transaction identifier for the audited transaction. This column can be used to join to theXIDcolumn on theFLASHBACK_TRANSACTION_QUERYview.SCN- System change number of the query. This column can be used in flashback queries.SQL_BIND- The values of any bind variables if any.SQL_TEXT- The SQL statement that initiated the audit action.
The
SQL_BIND and SQL_TEXT columns are only populated when the AUDIT_TRAIL parameter is set to db,extended or xml,extended.Labels: Audit table level in Oracle 10g
0 comments:
Subscribe to:
Post Comments (Atom)
Powered by Blogger.