Home » Oracle Database Audit

Oracle Database Audit

by tuanlp

Oracle Database Audit


This week there was a specific demand to configure and work with auditing in the Oracle database, in this way I will unravel how to use auditing in standard and enterprise environments.

Oracle Standard Database – In this edition we have the option of auditing with low flexibility of actions, but which in general can help your company meeting various demands of security auditing.

Oracle Enterprise Database – In this edition we have the option of auditing with flexible actions to be audited using Fine Grained Auditing (FGA), in this edition we have several possibilities to work with auditing.

1 – As a good practice, we will create a tablespace and move the audit objects to this tablespace, thus preventing the system tablespaces from growing too much and making our maintenance difficult.

1.1 - Check tablespace that the objects used in the audit are located.
SQL> SELECT SEGMENT_NAME,TABLESPACE_NAME FROM dba_segments WHERE SEGMENT_NAME in ('AUD$','FGA$');
SEGMENT_NAMETABLESPACE_NAME
AUD$TBS_AUDITORIA
FGA$SYSTEM
SQL> select segment_name,bytes/1024/1024 size_in_megabytes from dba_segments where segment_name in ('AUD$','FGA_LOG$');
SEGMENT_NAMESIZE_IN_MEGABYTES
FGA_LOG$.0625
AUD$.6875
1.2 - Creating tablespace TBS_AUDITORIA to use audit objects.
CREATE TABLESPACE "TBS_AUDITORIA" DATAFILE '+DATA' SIZE 1G AUTOEXTEND ON NEXT 1G,
LOGGING ONLINE PERMANENT BLOCKSIZE 8192 EXTENT MANAGEMENT LOCAL AUTOALLOCATE SEGMENT SPACE MANAGEMENT AUTO;

1.3 – Moving audit objects to tablespace TBS_AUDITORIA.

BEGIN
DBMS_AUDIT_MGMT.set_audit_trail_location(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
audit_trail_location_value => 'TBS_AUDITORIA');
END;
/
-- MOVENDO FGA_LOG$ PARA TABLESPACE TBS_AUDITORIA
BEGIN
DBMS_AUDIT_MGMT.set_audit_trail_location(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
audit_trail_location_value => 'TBS_AUDITORIA');
END;
/
1.4 - Checking the audit objects in the created tablespace TBS_AUDITORIA.
SELECT SEGMENT_NAME,TABLESPACE_NAME,segment_type FROM dba_segments WHERE SEGMENT_NAME in ('AUD$','FGA$');
SEGMENT_NAMETABLESPACE_NAMESEGMENT_TYPE
AUD$TBS_AUDITORIATABLE
FGA$SYSTEMTABLE
SQL> SELECT table_name, tablespace_name FROM dba_tables WHERE table_name IN ('AUD$', 'FGA_LOG$') ORDER BY table_name;
TABLE_NAMETABLESPACE_NAME
AUD$TBS_AUDITORIA
FGA_LOG$TBS_AUDITORIA
SQL> select segment_name,bytes/1024/1024 size_in_megabytes from dba_segments where segment_name in ('AUD$','FGA_LOG$');
SEGMENT_NAMESIZE_IN_MEGABYTES
FGA_LOG$.0625
AUD$.6875

2 – How to enable and use auditing in Oracle database standard edition.

/*AUDIT_TRAIL enables or disables database auditing.

Values: none Disables database auditing.

=======================

os

Enables database auditing and directs all audit records to the operating system’s audit trail.

db

=======================

Enables database auditing and directs all audit records to the database audit trail (the SYS.AUD$ table).

db,extended

=======================

Enables database auditing and directs all audit records to the database audit trail (the SYS.AUD$ table). In addition, populates the SQLBIND and SQLTEXT CLOB columns of the SYS.AUD$ table.

xml

=======================

Enables database auditing and writes all audit records to XML format OS files.

xml,extended

=======================

Enables database auditing and prints all columns of the audit trail, including SqlText and SqlBind values. */

2.1 – Before changing the parameters, we have to keep in mind the values that can be used, how we are going to configure the standard auditing saving the executed sql, having to use the db,extended option.

SQL> show parameter audit;
NAMETYPEVALUE
audit_file_deststring/u01/app/oracle/admin/orcl/adu
mp
dump
audit_sys_operationsbooleanFALSE
audit_syslog_levelstring
audit_trailstringNONE
SQL> alter system set audit_trail='DB','EXTENDED' scope=spfile;
System altered.
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup open;
ORA-32004: obsolete or deprecated parameter(s) specified for RDBMS instance
ORACLE instance started.
Total System Global Area | 417546240 | bytes
Fixed Size | 2253824 | bytes
Variable Size | 180358144 | bytes
Database Buffers | 230686720 | bytes
Redo Buffers | 4247552 | bytes
Database mounted.
Database opened.
SQL> show parameter audit;
NAMETYPEVALUE
audit_file_deststring/u01/app/oracle/admin/orcl/adu
mp
dump
audit_sys_operationsbooleanFALSE
audit_syslog_levelstring
audit_trailstringDB, EXTENDED

2.2 – If you want to enable auditing of SYS events.

-- ALTER SYSTEM SET audit_sys_operations=true SCOPE=spfile;

3 – Enabling DDL auditing of CESAR_TEST1 and CESAR_TEST2 users.

SQL>
AUDIT ALL BY CESAR_TEST1 BY ACCESS;
Audit succeeded.
SQL> AUDIT ALL BY CESAR_TEST2 BY ACCESS;
Audit succeeded.

4 – Enabling DML and DDL auditing of CESAR_TEST1 and CESAR_TEST2 users.

SQL>
AUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY CESAR_TEST1 BY ACCESS;
Audit succeeded.
SQL> AUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY CESAR_TEST2 BY ACCESS;
Audit succeeded.

5 – DBA_STMT_AUDIT_OPTS describes current system auditing options across the system and by user.

SQL> SELECT * FROM dba_stmt_audit_opts ORDER BY audit_option;
USER_NAMEPROXY_NAMEAUDIT_OPTIONSUCCESSFAILURE
ALTER ANY PROCEDUREBY ACCESSBY ACCESS
ALTER ANY TABLEBY ACCESSBY ACCESS
ALTER DATABASEBY ACCESSBY ACCESS
ALTER PROFILEBY ACCESSBY ACCESS
ALTER SYSTEMBY ACCESSBY ACCESS
CESAR_TEST1ALTER SYSTEMBY ACCESSBY ACCESS
CESARALTER SYSTEMBY ACCESSBY ACCESS
CESAR_TEST2ALTER SYSTEMBY ACCESSBY ACCESS
ALTER USERBY ACCESSBY ACCESS
CESAR_TEST2CLUSTERBY ACCESSBY ACCESS
CESARCLUSTERBY ACCESSBY ACCESS
CESAR_TEST1CLUSTERBY ACCESSBY ACCESS
CESARCONTEXTBY ACCESSBY ACCESS
CESAR_TEST1CONTEXTBY ACCESSBY ACCESS
CESAR_TEST2CONTEXTBY ACCESSBY ACCESS
CREATE ANY JOBBY ACCESSBY ACCESS
CREATE ANY LIBRARYBY ACCESSBY ACCESS
CREATE ANY PROCEDUREBY ACCESSBY ACCESS
CREATE ANY TABLEBY ACCESSBY ACCESS
CREATE EXTERNAL JOBBY ACCESSBY ACCESS
CREATE PUBLIC DATABASE LINKBY ACCESSBY ACCESS
CESAR_TEST2CREATE SESSIONBY ACCESSBY ACCESS
CREATE SESSIONBY ACCESSBY ACCESS
CESARCREATE SESSIONBY ACCESSBY ACCESS
CESAR_TEST1CREATE SESSIONBY ACCESSBY ACCESS
CREATE USERBY ACCESSBY ACCESS
CESAR_TEST1DATABASE LINKBY ACCESSBY ACCESS
CESARDATABASE LINKBY ACCESSBY ACCESS
DATABASE LINKBY ACCESSBY ACCESS
CESAR_TEST2DATABASE LINKBY ACCESSBY ACCESS
CESAR_TEST2DELETE TABLEBY ACCESSBY ACCESS
CESAR_TEST1DELETE TABLEBY ACCESSBY ACCESS
CESARDELETE TABLEBY ACCESSBY ACCESS
CESARDIMENSIONBY ACCESSBY ACCESS
CESAR_TEST2DIMENSIONBY ACCESSBY ACCESS
CESAR_TEST1DIMENSIONBY ACCESSBY ACCESS
CESAR_TEST1DIRECTORYBY ACCESSBY ACCESS
CESAR_TEST2DIRECTORYBY ACCESSBY ACCESS
DIRECTORYBY ACCESSBY ACCESS
CESARDIRECTORYBY ACCESSBY ACCESS
DROP ANY PROCEDUREBY ACCESSBY ACCESS
DROP ANY TABLEBY ACCESSBY ACCESS
DROP PROFILEBY ACCESSBY ACCESS
DROP USERBY ACCESSBY ACCESS
CESAREXECUTE PROCEDUREBY ACCESSBY ACCESS
EXEMPT ACCESS POLICYBY ACCESSBY ACCESS
GRANT ANY OBJECT PRIVILEGEBY ACCESSBY ACCESS
GRANT ANY PRIVILEGEBY ACCESSBY ACCESS
GRANT ANY ROLEBY ACCESSBY ACCESS
CESARINDEXBY ACCESSBY ACCESS
CESAR_TEST1INDEXBY ACCESSBY ACCESS
CESAR_TEST2INDEXBY ACCESSBY ACCESS
CESAR_TEST2INSERT TABLEBY ACCESSBY ACCESS
CESARINSERT TABLEBY ACCESSBY ACCESS
CESAR_TEST1INSERT TABLEBY ACCESSBY ACCESS
CESARMATERIALIZED VIEWBY ACCESSBY ACCESS
CESAR_TEST1MATERIALIZED VIEWBY ACCESSBY ACCESS
CESAR_TEST2MATERIALIZED VIEWBY ACCESSBY ACCESS
CESAR_TEST2MINING MODELBY ACCESSBY ACCESS
CESARMINING MODELBY ACCESSBY ACCESS
CESAR_TEST1MINING MODELBY ACCESSBY ACCESS
CESARNOT EXISTSBY ACCESSBY ACCESS
CESAR_TEST2NOT EXISTSBY ACCESSBY ACCESS
CESAR_TEST1NOT EXISTSBY ACCESSBY ACCESS
CESAR_TEST1PROCEDUREBY ACCESSBY ACCESS
CESARPROCEDUREBY ACCESSBY ACCESS
CESAR_TEST2PROCEDUREBY ACCESSBY ACCESS
CESARPROFILEBY ACCESSBY ACCESS
PROFILEBY ACCESSBY ACCESS
CESAR_TEST1PROFILEBY ACCESSBY ACCESS
CESAR_TEST2PROFILEBY ACCESSBY ACCESS
CESARPUBLIC DATABASE LINKBY ACCESSBY ACCESS
CESAR_TEST1PUBLIC DATABASE LINKBY ACCESSBY ACCESS
CESAR_TEST2PUBLIC DATABASE LINKBY ACCESSBY ACCESS
CESAR_TEST1PUBLIC SYNONYMBY ACCESSBY ACCESS
PUBLIC SYNONYMBY ACCESSBY ACCESS
CESAR_TEST2PUBLIC SYNONYMBY ACCESSBY ACCESS
CESARPUBLIC SYNONYMBY ACCESSBY ACCESS
ROLEBY ACCESSBY ACCESS
CESARROLEBY ACCESSBY ACCESS
CESAR_TEST1ROLEBY ACCESSBY ACCESS
CESAR_TEST2ROLEBY ACCESSBY ACCESS
CESAR_TEST1ROLLBACK SEGMENTBY ACCESSBY ACCESS
CESAR_TEST2ROLLBACK SEGMENTBY ACCESSBY ACCESS
CESARROLLBACK SEGMENTBY ACCESSBY ACCESS
CESAR_TEST1SELECT TABLEBY ACCESSBY ACCESS
CESAR_TEST2SELECT TABLEBY ACCESSBY ACCESS
CESARSELECT TABLEBY ACCESSBY ACCESS
CESAR_TEST1SEQUENCEBY ACCESSBY ACCESS
CESARSEQUENCEBY ACCESSBY ACCESS
CESAR_TEST2SEQUENCEBY ACCESSBY ACCESS
CESARSYNONYMBY ACCESSBY ACCESS
CESAR_TEST2SYNONYMBY ACCESSBY ACCESS
CESAR_TEST1SYNONYMBY ACCESSBY ACCESS
CESAR_TEST2SYSTEM AUDITBY ACCESSBY ACCESS
CESAR_TEST1SYSTEM AUDITBY ACCESSBY ACCESS
SYSTEM AUDITBY ACCESSBY ACCESS
CESARSYSTEM AUDITBY ACCESSBY ACCESS
CESARSYSTEM GRANTBY ACCESSBY ACCESS
CESAR_TEST2SYSTEM GRANTBY ACCESSBY ACCESS
SYSTEM GRANTBY ACCESSBY ACCESS
CESAR_TEST1SYSTEM GRANTBY ACCESSBY ACCESS
CESAR_TEST1TABLEBY ACCESSBY ACCESS
CESARTABLEBY ACCESSBY ACCESS
CESAR_TEST2TABLEBY ACCESSBY ACCESS
CESAR_TEST1TABLESPACEBY ACCESSBY ACCESS
CESARTABLESPACEBY ACCESSBY ACCESS
CESAR_TEST2TABLESPACEBY ACCESSBY ACCESS
CESAR_TEST2TRIGGERBY ACCESSBY ACCESS
CESARTRIGGERBY ACCESSBY ACCESS
CESAR_TEST1TRIGGERBY ACCESSBY ACCESS
CESAR_TEST2TYPEBY ACCESSBY ACCESS
CESARTYPEBY ACCESSBY ACCESS
CESAR_TEST1TYPEBY ACCESSBY ACCESS
CESARUPDATE TABLEBY ACCESSBY ACCESS
CESAR_TEST1UPDATE TABLEBY ACCESSBY ACCESS
CESAR_TEST2UPDATE TABLEBY ACCESSBY ACCESS
CESAR_TEST1USERBY ACCESSBY ACCESS
CESAR_TEST2USERBY ACCESSBY ACCESS
CESARUSERBY ACCESSBY ACCESS
CESARVIEWBY ACCESSBY ACCESS
CESAR_TEST2VIEWBY ACCESSBY ACCESS
CESAR_TEST1VIEWBY ACCESSBY ACCESS

123 rows selected.

6 – Verifying information auditing the operations of the environment.

SELECT
TO_CHAR (EXTENDED_TIMESTAMP,'DD-MM-RRRR HH24:MI:SS') DATA,
USERNAME, OS_USERNAME, USERHOST,TERMINAL,
OWNER,ACTION_NAME,OBJ_NAME,SQL_TEXT
FROM
DBA_AUDIT_TRAIL
WHERE USERNAME in ('CESAR_TEST1','CESAR_TEST2')
AND ACTION_NAME NOT LIKE '%SELECT%'
ORDER BY EXTENDED_TIMESTAMP DESC;
#image_title

Disabling auditing.

-- Disabling by user.
NOAUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY CESAR_TEST1 BY ACCESS;
NOAUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY CESAR_TEST2 BY ACCESS;
 
-- Drop created FGA rule.
SELECT 'EXEC DBMS_FGA.DROP_POLICY('''||OBJECT_SCHEMA||''','''||OBJECT_NAME||''','''||POLICY_NAME||''');'
FROM DBA_AUDIT_POLICIES;
 
-- Disabling at the database level.
show parameter audit;
alter system set audit_trail=none SCOPE=spfile;
shutdown immediate;
startup open;
show parameter audit;

You may also like