Auditing in Oracle 10g Release 2

This article presents an overview of auditing in Oracle 10g Release 2. Many of the topics presented here have been covered in previous articles, but this serves to bring them all together.

Server Setup
Audit Options
View Audit Trail
Maintenance and Security
Fine Grained Auditing

Related articles.
Fine Grained Auditing (9i)
Fine Grained Auditing Enhancements (10g)
Uniform Audit Trail (10g)
Audit Trail Contents (10g)
Auditing Enhancements (DBMS_AUDIT_MGMT) in Oracle Database 11g Release 2

Server Setup

Auditing is a default feature of the Oracle server. The initialization parameters that influence its behaviour can be displayed using the SHOW PARAMETER SQL*Plus command.

SQL> SHOW PARAMETER AUDIT

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      C:\ORACLE\PRODUCT\10.2.0\ADMIN
                                                 \DB10G\ADUMP
audit_sys_operations                 boolean     FALSE
audit_trail                          string      NONE
SQL>
Auditing is disabled by default, but can be enabled by setting the AUDIT_TRAIL static parameter, which has the following allowed values.

AUDIT_TRAIL = { none | os | db | db,extended | xml | xml,extended }

The following list provides a description of each setting:

none or false - Auditing is disabled.
db or true - Auditing is enabled, with all audit records stored in the database audit trail (SYS.AUD$).
db,extended - As db, but the SQL_BIND and SQL_TEXT columns are also populated.
xml - Auditing is enabled, with all audit records stored as XML format OS files.
xml,extended - As xml, but the SQL_BIND and SQL_TEXT columns are also populated.
os - Auditing is enabled, with all audit records directed to the operating system's audit trail.

Note. In Oracle 10g Release 1, db_extended was used in place of db,extended. The XML options are new to Oracle 10g Release 2.

The AUDIT_SYS_OPERATIONS static parameter enables or disables the auditing of operations issued by users connecting with SYSDBA or SYSOPER privileges, including the SYS user. All audit records are written to the OS audit trail.

The AUDIT_FILE_DEST parameter specifies the OS directory used for the audit trail when the os, xml and xml,extended options are used. It is also the location for all mandatory auditing specified by the AUDIT_SYS_OPERATIONS parameter.
To enable auditing and direct audit records to the database audit trail, we would do the following.

SQL> ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE;

System altered.

SQL> SHUTDOWN
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> STARTUP
ORACLE instance started.

Total System Global Area  289406976 bytes
Fixed Size                  1248600 bytes
Variable Size              71303848 bytes
Database Buffers          213909504 bytes
Redo Buffers                2945024 bytes
Database mounted.
Database opened.
SQL>

Audit Options

One look at the AUDIT command syntax should give you an idea of how flexible Oracle auditing is. There is no point repeating all this information, so instead we will look at a simple example.

First we create a new user called AUDIT_TEST.

CONNECT sys/password AS SYSDBA

CREATE USER audit_test IDENTIFIED BY password
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA UNLIMITED ON users;

GRANT connect TO audit_test;
GRANT create table, create procedure TO audit_test;

Next we audit all operations by the AUDIT_TEST user.

CONNECT sys/password AS SYSDBA

AUDIT ALL BY audit_test BY ACCESS;
AUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY audit_test BY ACCESS;
AUDIT EXECUTE PROCEDURE BY audit_test BY ACCESS;

These options audit all DDL and DML, along with some system events.

DDL (CREATE, ALTER & DROP of objects)
DML (INSERT, UPDATE, DELETE, SELECT, EXECUTE).
SYSTEM EVENTS (LOGON, LOGOFF etc.)

Next, we perform some operations that will be audited.

CONN audit_test/password

CREATE TABLE test_tab (
  id NUMBER
);

INSERT INTO test_tab (id) VALUES (1);
UPDATE test_tab SET id = id;
SELECT * FROM test_tab;
DELETE FROM test_tab;

DROP TABLE test_tab;

In the next section we will look at how we view the contents of the audit trail.

View Audit Trail

The audit trail is stored in the SYS.AUD$ table. Its contents can be viewed directly or via the following views.

SELECT view_name
FROM   dba_views
WHERE  view_name LIKE 'DBA%AUDIT%'
ORDER BY view_name;

VIEW_NAME
------------------------------
DBA_AUDIT_EXISTS
DBA_AUDIT_OBJECT
DBA_AUDIT_POLICIES
DBA_AUDIT_POLICY_COLUMNS
DBA_AUDIT_SESSION
DBA_AUDIT_STATEMENT
DBA_AUDIT_TRAIL
DBA_COMMON_AUDIT_TRAIL
DBA_FGA_AUDIT_TRAIL
DBA_OBJ_AUDIT_OPTS
DBA_PRIV_AUDIT_OPTS
DBA_REPAUDIT_ATTRIBUTE
DBA_REPAUDIT_COLUMN
DBA_STMT_AUDIT_OPTS

14 rows selected.

SQL>

The three main views are shown below.

DBA_AUDIT_TRAIL - Standard auditing only (from AUD$).
DBA_FGA_AUDIT_TRAIL - Fine grained auditing only (from FGA_LOG$).
DBA_COMMON_AUDIT_TRAIL - Both standard and fine grained auditing.

The most basic view of the database audit trail is provided by the DBA_AUDIT_TRAIL view, which contains a wide variety of information. The following query displays some of the information from the database audit trail.

COLUMN username FORMAT A10
COLUMN owner FORMAT A10
COLUMN obj_name FORMAT A10
COLUMN extended_timestamp FORMAT A35

SELECT username,
       extended_timestamp,
       owner,
       obj_name,
       action_name
FROM   dba_audit_trail
WHERE  owner = 'AUDIT_TEST'
ORDER BY timestamp;

USERNAME   EXTENDED_TIMESTAMP                  OWNER      OBJ_NAME   ACTION_NAME
---------- ----------------------------------- ---------- ---------- ----------------------------
AUDIT_TEST 16-FEB-2006 14:16:55.435000 +00:00  AUDIT_TEST TEST_TAB   CREATE TABLE
AUDIT_TEST 16-FEB-2006 14:16:55.514000 +00:00  AUDIT_TEST TEST_TAB   INSERT
AUDIT_TEST 16-FEB-2006 14:16:55.545000 +00:00  AUDIT_TEST TEST_TAB   UPDATE
AUDIT_TEST 16-FEB-2006 14:16:55.592000 +00:00  AUDIT_TEST TEST_TAB   SELECT
AUDIT_TEST 16-FEB-2006 14:16:55.670000 +00:00  AUDIT_TEST TEST_TAB   DELETE
AUDIT_TEST 16-FEB-2006 14:17:00.045000 +00:00  AUDIT_TEST TEST_TAB   DROP TABLE

6 rows selected.

SQL>

When the audit trail is directed to an XML format OS file, it can be read using a text editor or via the V$XML_AUDIT_TRAIL view, which contains similar information to the DBA_AUDIT_TRAIL view.

COLUMN db_user FORMAT A10
COLUMN object_schema FORMAT A10
COLUMN object_name FORMAT A10
COLUMN extended_timestamp FORMAT A35

SELECT db_user,
       extended_timestamp,
       object_schema,
       object_name,
       action
FROM   v$xml_audit_trail
WHERE  object_schema = 'AUDIT_TEST'
ORDER BY extended_timestamp;

DB_USER    EXTENDED_TIMESTAMP                  OBJECT_SCH OBJECT_NAM     ACTION
---------- ----------------------------------- ---------- ---------- ----------
AUDIT_TEST 16-FEB-2006 14:14:33.417000 +00:00  AUDIT_TEST TEST_TAB            1
AUDIT_TEST 16-FEB-2006 14:14:33.464000 +00:00  AUDIT_TEST TEST_TAB            2
AUDIT_TEST 16-FEB-2006 14:14:33.511000 +00:00  AUDIT_TEST TEST_TAB            6
AUDIT_TEST 16-FEB-2006 14:14:33.542000 +00:00  AUDIT_TEST TEST_TAB            3
AUDIT_TEST 16-FEB-2006 14:14:33.605000 +00:00  AUDIT_TEST TEST_TAB            7
AUDIT_TEST 16-FEB-2006 14:14:34.917000 +00:00  AUDIT_TEST TEST_TAB           12

6 rows selected.

SQL>
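
The ACTION column of V$XML_AUDIT_TRAIL holds numeric action codes rather than the names shown by DBA_AUDIT_TRAIL. The queries below are an added example, not part of the original article; they translate the codes using the AUDIT_ACTIONS lookup table supplied with the database, and the ACTION_NAME, EVENTS, FIRST_SEEN and LAST_SEEN aliases are chosen here for illustration.

```sql
-- Added example: decode V$XML_AUDIT_TRAIL action codes via AUDIT_ACTIONS.
CONN sys/password AS SYSDBA

COLUMN db_user            FORMAT A10
COLUMN object_name        FORMAT A10
COLUMN action_name        FORMAT A15
COLUMN extended_timestamp FORMAT A35

-- The outer join keeps audit rows whose code has no entry in
-- AUDIT_ACTIONS, so no record silently drops out of the report.
SELECT x.db_user,
       x.extended_timestamp,
       x.object_name,
       x.action,
       NVL(a.name, 'UNKNOWN') AS action_name
FROM   v$xml_audit_trail x
       LEFT OUTER JOIN audit_actions a ON a.action = x.action
WHERE  x.object_schema = 'AUDIT_TEST'
ORDER BY x.extended_timestamp;

-- Per-user summary of the same data: how often each action occurred
-- and over what period, for trails too large to read row by row.
COLUMN first_seen FORMAT A35
COLUMN last_seen  FORMAT A35

SELECT x.db_user,
       NVL(a.name, 'UNKNOWN')    AS action_name,
       COUNT(*)                  AS events,
       MIN(x.extended_timestamp) AS first_seen,
       MAX(x.extended_timestamp) AS last_seen
FROM   v$xml_audit_trail x
       LEFT OUTER JOIN audit_actions a ON a.action = x.action
WHERE  x.object_schema = 'AUDIT_TEST'
GROUP BY x.db_user, NVL(a.name, 'UNKNOWN')
ORDER BY events DESC;
```
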
Several fields were added to both the standard and fine grained audit trails in Oracle 10g, including the following.

EXTENDED_TIMESTAMP - A more precise value than the existing TIMESTAMP column.
PROXY_SESSIONID - Proxy session serial number when an enterprise user is logging in via the proxy method.
GLOBAL_UID - Global Universal Identifier for an enterprise user.
INSTANCE_NUMBER - The INSTANCE_NUMBER value from the actioning instance.
OS_PROCESS - Operating system process id for the oracle process.
TRANSACTIONID - Transaction identifier for the audited transaction. This column can be used to join to the XID column on the FLASHBACK_TRANSACTION_QUERY view.
SCN - System change number of the query. This column can be used in flashback queries.
SQL_BIND - The values of any bind variables if any.
SQL_TEXT - The SQL statement that initiated the audit action.

The SQL_BIND and SQL_TEXT columns are only populated when the AUDIT_TRAIL parameter is set to db,extended or xml,extended.

Maintenance and Security

Auditing should be planned carefully to control the quantity of audit information. Only audit specific operations or objects of interest. Over time you can refine the level of auditing to match your requirements.

The database audit trail must be deleted, or archived, on a regular basis to prevent the SYS.AUD$ table growing to an unacceptable size. Only DBAs should have maintenance access to the audit trail. Auditing modifications of the data in the audit trail itself can be achieved using the following statement.

AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;

The OS and XML audit trails are managed through the OS. These files should be secured at the OS level by assigning the correct file permissions.
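
One way to archive and then purge the database audit trail, shown as an added example that is not part of the original article. The AUDIT_ADMIN schema, the AUD_ARCHIVE table and the 90-day retention window are assumptions made for illustration.

```sql
-- Added example: archive-then-purge for SYS.AUD$.
-- AUDIT_ADMIN.AUD_ARCHIVE and the 90-day window are assumptions.
CONN sys/password AS SYSDBA

-- One-time setup: an empty table with the same columns as SYS.AUD$.
CREATE TABLE audit_admin.aud_archive AS
SELECT * FROM sys.aud$ WHERE 1 = 0;

-- Regular job: copy, then delete, using one fixed cutoff for both steps.
DECLARE
  -- NTIMESTAMP# holds the audit record time in UTC.
  l_cutoff  TIMESTAMP := SYS_EXTRACT_UTC(SYSTIMESTAMP) - INTERVAL '90' DAY;
  l_copied  PLS_INTEGER;
  l_deleted PLS_INTEGER;
BEGIN
  INSERT INTO audit_admin.aud_archive
  SELECT * FROM sys.aud$ WHERE ntimestamp# < l_cutoff;
  l_copied := SQL%ROWCOUNT;

  DELETE FROM sys.aud$ WHERE ntimestamp# < l_cutoff;
  l_deleted := SQL%ROWCOUNT;

  -- Never remove a record that was not archived first.
  IF l_deleted != l_copied THEN
    ROLLBACK;
    RAISE_APPLICATION_ERROR(-20001,
      'Archived ' || l_copied || ' rows but deleted ' || l_deleted);
  END IF;

  COMMIT;
END;
/

-- Review who has modified the audit trail itself. These rows are
-- produced by the AUDIT ... ON sys.aud$ statement shown above.
SELECT username, extended_timestamp, action_name
FROM   dba_audit_trail
WHERE  owner = 'SYS'
AND    obj_name = 'AUD$'
ORDER BY extended_timestamp;
```

Because the purge runs as SYS, it is recorded in the OS audit trail only when AUDIT_SYS_OPERATIONS is TRUE, as described in the Server Setup section.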

Fine Grained Auditing (FGA)

Fine grained auditing extends Oracle standard auditing capabilities by allowing the user to audit actions based on user defined predicates. It is independent of the AUDIT_TRAIL parameter setting and all audit records are stored in the FGA_LOG$ table, rather than the AUD$ table. The following example illustrates how fine grained auditing is used.

First, create a test table.

CONN audit_test/password

CREATE TABLE emp (
  empno    NUMBER(4) NOT NULL,
  ename    VARCHAR2(10),
  job      VARCHAR2(9),
  mgr      NUMBER(4),
  hiredate DATE,
  sal      NUMBER(7,2),
  comm     NUMBER(7,2),
  deptno   NUMBER(2)
);

INSERT INTO emp (empno, ename, sal) VALUES (9999, 'Tim', 1);
INSERT INTO emp (empno, ename, sal) VALUES (9999, 'Larry', 50001);
COMMIT;

The following policy audits any queries of salaries greater than 50,000.

CONN sys/password AS sysdba

BEGIN
  DBMS_FGA.add_policy(
    object_schema   => 'AUDIT_TEST',
    object_name     => 'EMP',
    policy_name     => 'SALARY_CHK_AUDIT',
    audit_condition => 'SAL > 50000',
    audit_column    => 'SAL');
END;
/

Querying both employees proves the auditing policy works as expected.

CONN audit_test/password
SELECT sal FROM emp WHERE ename = 'Tim';
SELECT sal FROM emp WHERE ename = 'Larry';

CONN sys/password AS SYSDBA
SELECT sql_text
FROM   dba_fga_audit_trail;

SQL_TEXT
------------------------------------------
SELECT sal FROM emp WHERE ename = 'Larry'

1 row selected.

SQL>
Extra processing can be associated with an FGA event by defining a database procedure and associating this to the audit event. The following example assumes the FIRE_CLERK procedure has been defined.

BEGIN
  DBMS_FGA.add_policy(
    object_schema   => 'AUDIT_TEST',
    object_name     => 'EMP',
    policy_name     => 'SALARY_CHK_AUDIT',
    audit_condition => 'SAL > 50000',
    audit_column    => 'SAL',
    handler_schema  => 'AUDIT_TEST',
    handler_module  => 'FIRE_CLERK',
    enable          => TRUE);
END;
/
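
The article leaves FIRE_CLERK undefined. The following is an added example of what such a handler could look like, not the author's own procedure: the FGA_ALERTS table, its columns and the handler body are assumptions, while the three VARCHAR2 parameters are the form DBMS_FGA expects of a handler.

```sql
-- Added example: a possible FIRE_CLERK handler for the policy above.
-- FGA_ALERTS and its columns are hypothetical.
CONN audit_test/password

CREATE TABLE fga_alerts (
  alert_time     TIMESTAMP WITH TIME ZONE DEFAULT SYSTIMESTAMP,
  db_user        VARCHAR2(30),
  os_user        VARCHAR2(255),
  host           VARCHAR2(255),
  audited_schema VARCHAR2(30),
  audited_object VARCHAR2(30),
  policy         VARCHAR2(30),
  sql_text       VARCHAR2(4000)
);

CREATE OR REPLACE PROCEDURE fire_clerk (
  object_schema IN VARCHAR2,
  object_name   IN VARCHAR2,
  policy_name   IN VARCHAR2
) AS
  -- The handler runs inside the audited statement, so the alert is
  -- written and committed in its own transaction.
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO fga_alerts
    (db_user, os_user, host, audited_schema, audited_object, policy, sql_text)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'HOST'),
     object_schema,
     object_name,
     policy_name,
     -- CURRENT_SQL is only populated inside an FGA event handler; the
     -- third argument raises the default 256-byte return limit.
     SYS_CONTEXT('USERENV', 'CURRENT_SQL', 4000));
  COMMIT;
END;
/

-- After a query that matches SAL > 50000, review the captured alerts.
SELECT alert_time, db_user, host, policy, sql_text
FROM   fga_alerts
ORDER BY alert_time;
```

If the SALARY_CHK_AUDIT policy from the earlier step still exists, drop it with DBMS_FGA.drop_policy before adding it again with the handler. In practice the handler and its table belong in a schema the audited users cannot modify; AUDIT_TEST is used here only because the policy above names it as handler_schema.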
The DBMS_FGA package contains the following procedures.

ADD_POLICY
DROP_POLICY
ENABLE_POLICY
DISABLE_POLICY

In Oracle 9i fine grained auditing was limited to queries, but in Oracle 10g it has been extended to include DML statements, as shown by the following example.

Clear down the audit trail.

CONN sys/password AS SYSDBA
TRUNCATE TABLE fga_log$;
SELECT sql_text FROM dba_fga_audit_trail;

no rows selected.

Apply the policy to the SAL column of the EMP table.

BEGIN
  DBMS_FGA.add_policy(
    object_schema   => 'AUDIT_TEST',
    object_name     => 'EMP',
    policy_name     => 'SAL_AUDIT',
    audit_condition => NULL, -- Equivalent to TRUE
    audit_column    => 'SAL',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE');
END;
/

Test the auditing.

CONN audit_test/password
SELECT * FROM emp WHERE empno = 9998;
INSERT INTO emp (empno, ename, sal) VALUES (9998, 'Bill', 1);
UPDATE emp SET sal = 10 WHERE empno = 9998;
DELETE emp WHERE empno = 9998;
ROLLBACK;

Check the audit trail.

CONN sys/password AS SYSDBA
SELECT sql_text FROM dba_fga_audit_trail;

SQL_TEXT
--------------------------------------------------------------
SELECT * FROM emp WHERE empno = 9998
INSERT INTO emp (empno, ename, sal) VALUES (9998, 'Bill', 1)
UPDATE emp SET sal = 10 WHERE empno = 9998
DELETE emp WHERE empno = 9998

4 rows selected.

Drop the policy.

CONN sys/password AS SYSDBA

BEGIN
  DBMS_FGA.drop_policy(
    object_schema => 'AUDIT_TEST',
    object_name   => 'EMP',
    policy_name   => 'SAL_AUDIT');
END;
/
For more information see:

Fine Grained Auditing (9i)
Fine Grained Auditing Enhancements (10g)
Uniform Audit Trail (10g)
Audit Trail Contents (10g)
Auditing Enhancements (DBMS_AUDIT_MGMT) in Oracle Database 11g Release 2
Configuring and Administering Auditing (10gR2)
AUDIT (10gR2)

Hope this helps. Regards Tim...