Oracle Database Auditing
Please note that from 12c Unified Auditing has been introduced . Hence for 12c database and above views and functionality will be different as pre defined audit policies were introduced .
Until Oracle 10g, auditing is disabled by default, but can be enabled by setting the AUDIT_TRAIL static parameter in the init.ora file.
From Oracle 11g, auditing is enabled for some system level privileges.
Oracle stores information that is relevant to auditing in its data dictionary.
Every time a user attempts anything in the database where audit is enabled the Oracle kernel checks to see if an audit record should be created or updated .
Audit data can be stored in a database (SYS.AUD$) table or in an OS file residing in AUDIT_FILE_DEST (default is $ORACLE_HOME/rdbms/audit) directory.
This table is, by default, located in the SYSTEM tablespace. This itself can cause problems with potential denial of service attacks. If the SYSTEM tablespace fills up, the database will hang.
AUDIT_TRAIL can have the following values :
AUDIT_TRAIL={NONE or FALSE| OS| DB or TRUE| DB_EXTENDED| XML |XML_EXTENDED}
The following list provides a description of each value:
NONE or FALSE -> Auditing is disabled. Default until Oracle 10g.
DB or TRUE -> Auditing is enabled, with all audit records stored in the database audit trial (AUD$). Default from Oracle 11g.
DB_EXTENDED –> Same as DB, but the SQL_BIND and SQL_TEXT columns are also populated.
XML-> Auditing is enabled, with all audit records stored as XML format OS files.
XML_EXTENDED –> Same as XML, but the SQL_BIND and SQL_TEXT columns are also populated.
OS -> Auditing is enabled, with all audit records directed to the operating system’s file specified by AUDIT_FILE_DEST
#########################
Unified Auditing in 12c
#########################
If you enable the unified audit feature announced with 12c, all audit records will be in the UNIFIED_AUDIT_TRAIL table. Logon failure records will not be in this table because the corresponding policy is not enabled by default. The policy ORA_LOGON_FAILURES must be enabled to audit the Failed Logon attempts.
The unified audit trail, which resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, makes this information available in an uniform format in the UNIFIED_AUDIT_TRAIL data dictionary view.
When the database is writable, audit records are written to the unified audit trail. If the database is not writable, then audit records are written to new format operating system files in the POSIX file system in the $ORACLE_BASE/audit/$ORACLE_SID directory.
Bug 17466854 – Cannot set Unified Auditing in Standard Edition (MOS)
Patch 17466854
2 new roles were introduced
AUDIT_ADMIN
Manages audit configuration & audit trail
AUDIT_VIEWER
Analysis audit data
Enable ORA_LOGON_FAILURES to track failed logon attempts . You can enable the ORA_LOGON_FAILURES policy as follows.
SQL> audit policy ORA_LOGON_FAILURES;
To turn off this audit, type the following:
NOAUDIT POLICY hr_emp_select BY dcollins;
Records will then be created. You can see the number of records related to this policy with a query like the one below.
SELECT audit_type,
unified_audit_policies,
action_name,
return_code,
COUNT (*)
FROM unified_audit_trail
WHERE unified_audit_policies = 'ORA_LOGON_FAILURES'
GROUP BY audit_type,
unified_audit_policies,
action_name,
return_code
ORDER BY COUNT (*);
To see all the audits captured for the HR user, type
SELECT EVENT_TIMESTAMP, CLIENT_PROGRAM_NAME, ACTION_NAME,
UNIFIED_AUDIT_POLICIES
FROM UNIFIED_AUDIT_TRAIL
WHERE DBUSERNAME = 'HR'
ORDER BY EVENT_TIMESTAMP DESC;
To see which users or roles have been enabled to be audited by policies in the database, type
By default 7 audit policies will be present in a 12c database.
SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES;
To see what privileges are being audited by default for specific policies
SELECT POLICY_NAME, AUDIT_OPTION, AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES
order by policy_name, AUDIT_OPTION;
DEFAULT POLICIES IN 12C DATABASE :-
SQL> select distinct POLICY_NAME from AUDIT_UNIFIED_POLICIES;
select AUDIT_OPTION from AUDIT_UNIFIED_POLICIES where POLICY_NAME='ORA_SECURECONFIG';
Manually creating Audit policy :
CREATE AUDIT POLICY MY_POLICY
PRIVILEGES SELECT ANY TABLE
ACTIONS CREATE TABLE, DROP TABLE;
AUDIT POLICY MY_POLICY BY HR;
How to view audit information with Oracle 12c
After configuring for and turning on auditing, see what audit data is being collected.
DBA_AUDIT_TRAIL shows all audit entries in the system.
DBA_AUDIT_OBJECT shows all audit entries in the system for objects.
DBA_AUDIT_STATEMENT shows audit entries for the statements GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM.
Cleaning sysaux
If the ORA_LOGON_FAILURES policy is enabled, your SYSAUX tablespace can be full in a short time, as too many records will be created. You can learn more about SYSAUX tablespace in the article named “SYSAUX Tablespace Usage”.
You can create a job to automatically remove old records. The following command can be used to create a job that will delete every 24 hours. The first deletion will take place 24 hours after you run the command.
BEGIN
DBMS_AUDIT_MGMT.CREATE_PURGE_JOB (
AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
AUDIT_TRAIL_PURGE_INTERVAL => 24,
AUDIT_TRAIL_PURGE_NAME => 'Audit_Trail_Purge_Job',
USE_LAST_ARCH_TIMESTAMP => TRUE,
CONTAINER => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/
The following command can be used to change the job’s schedule.
BEGIN
DBMS_AUDIT_MGMT.SET_PURGE_JOB_INTERVAL(
AUDIT_TRAIL_PURGE_NAME => 'Audit_Trail_Purge_Job',
AUDIT_TRAIL_INTERVAL_VALUE => 48);
END;
/
Fine-grain auditing (FGA) allows us to audit users accessing data of a certain criteria. As per standard auditing we can audit select, insert, update and delete operations. We use the package dbms_fga to add, remove, enable and disable FGA auditing policies, it is virtually impossible to bypass these policies, one nice feature is that we can attach handlers (like a trigger) to the policies which can execute procedures.
There are many options that can be applied to the dbms_fga package, here are some simple examples :
The FGA method was introduced in the Oracle 9i database release. However, this method provided support for only the SELECT statements. With the 10g database release, it becomes possible to extend the FGA method to UPDATE, INSERT, and DELETE statements as well
Creating the FGA policy say “FGA_AUDIT”:
begin
dbms_fga.add_policy (
object_schema=>'ABDUL',
object_name=>'NEW',
policy_name=>'FGA_AUDIT',
audit_column=>'name',
enable=>true,
statement_types=>'select,update');
end;
/
Removing FGA policy :-
begin
dbms_fga.drop_policy (
object_schema=>'ABDUL',
object_name=>'NEW',
policy_name=>'FGA_AUDIT');
end;
/
Enabling FGA policy :-
begin
dbms_fga.enable_policy (
object_schema=>'ABDUL',
object_name=>'NEW',
policy_name=>'FGA_AUDIT');
end;
/
Disabling FGA policy :-
begin
dbms_fga.disable_policy (
object_schema=>'ABDUL',
object_name=>'NEW',
policy_name=>'FGA_AUDIT');
end;
/
Query FGA audit
select db_user,scn,sql_text from dba_fga_audit_trail where db_user='ABDUL';
#########################
Audit Management till 11g
#########################
Levels of auditing
Three levels of Auditing:-
Statement level
Object level
System/privilege level
Statement level auditing :-
Auditing will be done at statement level.
Statements that can be audited are found in STMT_AUDIT_OPTION_MAP.
SQL> audit table by Abdul;
Audit succeeded.
SQL> select * from DBA_STMT_AUDIT_OPTS;
USER_NAME PROXY_NAME AUDIT_OPTION SUCCESS FAILURE
--------- ---------- ------------ --------- ---------
ABDUL TABLE BY ACCESS BY ACCESS
SQL> conn ABDUL/ABDUL;
Connected.
SQL> create table new(name varchar(20));
Table created.
SQL> select USERNAME,TIMESTAMP,ACTION_NAME from dba_audit_trail where USERNAME='ABDUL';
USERNAME TIMESTAMP ACTION_NAME
-------------------- --------- ------------
ABDUL 12-AUG-19 CREATE TABLE
Object level auditing :-
Auditing will be done at object level.
These objects can be audited: tables, views, sequences, packages, stored procedures and stored functions.
SQL> audit insert on ABDUL.testtab;
Audit succeeded.
SQL> insert into ABDUL.testtab values('oracle');
1 row created.
SQL> select object_name,object_type,ins,sel from dba_obj_audit_opts where owner='ABDUL';
OBJECT_NAME OBJECT_TYPE INS SEL
------------ ----------- ------- ----
TESTTAB TABLE S/S -/-
select username,timestamp,action_name,sys_privilege,priv_used from dba_audit_trail where username='ABDUL'
USERNAME TIMESTAMP ACTION_NAME SYS_PRIVILEGE PRIV_USED
-------- --------- ----------- ------------- -----------------
DBWR 12-OCT-18 SESSION_REC INSERT ANY TABLE
System/Privilege level auditing :-
Auditing will be done at privilege level.
All system privileges that are found in SYSTEM_PRIVILEGE_MAP can be audited.
SQL> audit create any table by ABDUL;
Audit succeeded.
SQL> select privilege,user_name from dba_priv_audit_opts where user_name='ABDUL';
PRIVILEGE USER_NAME
---------------------------------------- --------------------
CREATE ANY TABLE ABDUL
SQL> grant dba to ABDUL;
Grant succeeded.
SQL> create table testtab(name varchar(20));
Table created.
select username,timestamp,action_name,sys_privilege,priv_used from dba_audit_trail where username='ABDUL'
USERNAME TIMESTAMP ACTION_NAME SYS_PRIVILEGE PRIV_USED
-------- --------- ----------- ------------- -----------------
HARI 12-OCT-19 CREATE TABLE CREATE ANY TABLE
Audit Failed Logins till 11g
The Oracle auditing utility has this command:
audit create session whenever not successful;
To enable auditing of failed sign-on attempts:
1 - Add initialization parameters & bounce instance:
audit_trail=true
audit_file_dest='/u01/app/oracle/mysid/mydir/'
2 - Enable auditing of failed logion attempts as SYSDBA:
SQL> audit create session whenever not successful;
3 - You can now view failed login attempts in dba_audit_trail:
select OS_USERNAME,USERNAME,USERHOST,to_char(timestamp,'MM-DD-YYYY HH24:MI:SS'), returncode
from dba_audit_trail
where returncode > 0
Please note that from 12c Unified Auditing has been introduced . Hence for 12c database and above views and functionality will be different as pre defined audit policies were introduced .
Until Oracle 10g, auditing is disabled by default, but can be enabled by setting the AUDIT_TRAIL static parameter in the init.ora file.
From Oracle 11g, auditing is enabled for some system level privileges.
Oracle stores information that is relevant to auditing in its data dictionary.
Every time a user attempts anything in the database where audit is enabled the Oracle kernel checks to see if an audit record should be created or updated .
Audit data can be stored in a database (SYS.AUD$) table or in an OS file residing in AUDIT_FILE_DEST (default is $ORACLE_HOME/rdbms/audit) directory.
This table is, by default, located in the SYSTEM tablespace. This itself can cause problems with potential denial of service attacks. If the SYSTEM tablespace fills up, the database will hang.
AUDIT_TRAIL can have the following values :
AUDIT_TRAIL={NONE or FALSE| OS| DB or TRUE| DB_EXTENDED| XML |XML_EXTENDED}
The following list provides a description of each value:
NONE or FALSE -> Auditing is disabled. Default until Oracle 10g.
DB or TRUE -> Auditing is enabled, with all audit records stored in the database audit trial (AUD$). Default from Oracle 11g.
DB_EXTENDED –> Same as DB, but the SQL_BIND and SQL_TEXT columns are also populated.
XML-> Auditing is enabled, with all audit records stored as XML format OS files.
XML_EXTENDED –> Same as XML, but the SQL_BIND and SQL_TEXT columns are also populated.
OS -> Auditing is enabled, with all audit records directed to the operating system’s file specified by AUDIT_FILE_DEST
#########################
Unified Auditing in 12c
#########################
If you enable the unified audit feature announced with 12c, all audit records will be in the UNIFIED_AUDIT_TRAIL table. Logon failure records will not be in this table because the corresponding policy is not enabled by default. The policy ORA_LOGON_FAILURES must be enabled to audit the Failed Logon attempts.
The unified audit trail, which resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, makes this information available in an uniform format in the UNIFIED_AUDIT_TRAIL data dictionary view.
When the database is writable, audit records are written to the unified audit trail. If the database is not writable, then audit records are written to new format operating system files in the POSIX file system in the $ORACLE_BASE/audit/$ORACLE_SID directory.
Bug 17466854 – Cannot set Unified Auditing in Standard Edition (MOS)
Patch 17466854
2 new roles were introduced
AUDIT_ADMIN
Manages audit configuration & audit trail
AUDIT_VIEWER
Analysis audit data
Enable ORA_LOGON_FAILURES to track failed logon attempts . You can enable the ORA_LOGON_FAILURES policy as follows.
SQL> audit policy ORA_LOGON_FAILURES;
To turn off this audit, type the following:
NOAUDIT POLICY hr_emp_select BY dcollins;
Records will then be created. You can see the number of records related to this policy with a query like the one below.
SELECT audit_type,
unified_audit_policies,
action_name,
return_code,
COUNT (*)
FROM unified_audit_trail
WHERE unified_audit_policies = 'ORA_LOGON_FAILURES'
GROUP BY audit_type,
unified_audit_policies,
action_name,
return_code
ORDER BY COUNT (*);
LOGON success action is audited by unified audit policy ORA_LOGON_FAILURES after executing NOAUDIT & AUDIT command (Doc ID 2305054.1)
SQL> col DBUSERNAME for a10
SQL> col ACTION_NAME for a10
SQL> col UNIFIED_AUDIT_POLICIES for a20
SQL> col RETURN_CODE for 9999999
SQL> select DBUSERNAME,ACTION_NAME,UNIFIED_AUDIT_POLICIES,RETURN_CODE from unified_audit_trail where UNIFIED_AUDIT_POLICIES = 'ORA_LOGON_FAILURES';
To see all the audits captured for the HR user, type
SELECT EVENT_TIMESTAMP, CLIENT_PROGRAM_NAME, ACTION_NAME,
UNIFIED_AUDIT_POLICIES
FROM UNIFIED_AUDIT_TRAIL
WHERE DBUSERNAME = 'HR'
ORDER BY EVENT_TIMESTAMP DESC;
To see which users or roles have been enabled to be audited by policies in the database, type
By default 7 audit policies will be present in a 12c database.
To see what privileges are being audited by default for specific policies
SELECT POLICY_NAME, AUDIT_OPTION, AUDIT_OPTION_TYPE
FROM AUDIT_UNIFIED_POLICIES
order by policy_name, AUDIT_OPTION;
DEFAULT POLICIES IN 12C DATABASE :-
SQL> select distinct POLICY_NAME from AUDIT_UNIFIED_POLICIES;
select AUDIT_OPTION from AUDIT_UNIFIED_POLICIES where POLICY_NAME='ORA_SECURECONFIG';
Manually creating Audit policy :
CREATE AUDIT POLICY MY_POLICY
PRIVILEGES SELECT ANY TABLE
ACTIONS CREATE TABLE, DROP TABLE;
AUDIT POLICY MY_POLICY BY HR;
CREATE AUDIT POLICY ORA_SELECT ACTIONS All on owner.table;
CREATE AUDIT POLICY <POLICY_NAME> ACTIONS ALL ONLY TOPLEVEL;
CREATE AUDIT POLICY test_audit_policy
ACTIONS SELECT ON schema.tab1,
SELECT ON schema.tab2,
SELECT ON schema.tab1_VIEW,
SELECT ON schema.tab1_SYNONYM ;
AUDIT POLICY test_audit_policy
AUDIT POLICY <POLICY_NAME>;
AUDIT POLICY <POLICY_NAME> BY <Desired USER>; <<<<< Can add users separated by ','
OR
AUDIT POLICY <POLICY_NAME> except sys,system <<<<<<< Can add any more.
NOAUDIT POLICY hr_emp_select BY sys,system ;
NOAUDIT POLICY hr_emp_select ;
After configuring for and turning on auditing, see what audit data is being collected.
DBA_AUDIT_TRAIL shows all audit entries in the system.
DBA_AUDIT_OBJECT shows all audit entries in the system for objects.
DBA_AUDIT_STATEMENT shows audit entries for the statements GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM.
-- find statements audited in the database:
col user_name for a12 heading "User name"
col audit_option format a30 heading "Audit Option"
set pages 1000
prompt
prompt System auditing options across the system and by user
select user_name,audit_option,success,failure from sys.dba_stmt_audit_opts
order by user_name, proxy_name, audit_option
/
-- Find privileges audited in the database:
col user_name for a12 heading "User name"
col privilege for a30 heading "Privilege"
set pages 1000
prompt
prompt System Privileges audited across system
select user_name,privilege,success,failure from dba_priv_audit_opts
order by user_name, proxy_name, privilege
/
select parameter , value from gv$option where parameter like '%Aud%';
select * from dba_audit_mgmt_config_params where parameter_name in ('DB AUDIT TABLESPACE') and audit_trail ='UNIFIED AUDIT TRAIL';
SELECT table_name , partition_type , def_tablespace_name , interval from dba_part_tables where table_name ='AUD$UNIFIED';
SELECT * FROM DBA_SCHEDULER_JOBS WHERE job_name like 'UNIFIED_AUDIT%';
select * from DBA_SCHEDULER_JOB_details where job_name like 'UNIFIED_AUDIT%';
Cleaning sysaux
If the ORA_LOGON_FAILURES policy is enabled, your SYSAUX tablespace can be full in a short time, as too many records will be created. You can learn more about SYSAUX tablespace in the article named “SYSAUX Tablespace Usage”.
You can create a job to automatically remove old records. The following command can be used to create a job that will delete every 24 hours. The first deletion will take place 24 hours after you run the command.
BEGIN
DBMS_AUDIT_MGMT.CREATE_PURGE_JOB (
AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
AUDIT_TRAIL_PURGE_INTERVAL => 24,
AUDIT_TRAIL_PURGE_NAME => 'Audit_Trail_Purge_Job',
USE_LAST_ARCH_TIMESTAMP => TRUE,
CONTAINER => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/
The following command can be used to change the job’s schedule.
BEGIN
DBMS_AUDIT_MGMT.SET_PURGE_JOB_INTERVAL(
AUDIT_TRAIL_PURGE_NAME => 'Audit_Trail_Purge_Job',
AUDIT_TRAIL_INTERVAL_VALUE => 48);
END;
/
Mixed Auditing Vs Pure Auditing
1. Mixed auditing – By default it is enable in 12c. It enables to use both traditional auditing and unified auditing methods. I.e. apart from traditional auditing we can use all the features of unified auditing. Once we are comfortable with the unified concept, we can migrate exiting audit setup to unified policy , we can enable pure auditing.
This serves as a good mediator for an easy and hassle free switch to the preferred Unified auditing.
2. Pure auditing – Once pure auditing is enabled. We cannot use the traditional auditing methods.
Which unified auditing mode enabled for my database
SQL> SELECT value FROM v$option WHERE parameter = 'Unified Auditing';
FALSE – > MIXED AUDTING
TRUE –> PURE AUDITING
How to change from MIXED to PURE auditing:(relink library)
SQL> shut immediate
[oracle@orcl:~ orcldemo] cd $ORACLE_HOME/rdbms/lib
[oracle@orcl:lib orcldemo] make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME
/usr/bin/ar d /oradb/app/oracle/product/12.2.0.1/db_1/rdbms/lib/libknlopt.a kzanang.o
/usr/bin/ar cr /oradb/app/oracle/product/12.2.0.1/db_1/rdbms/lib/libknlopt.a /oradb/app/oracle/product/12.2.0.1/db_1/rdbms/lib/kzaiang.o
chmod 755 /oradb/app/oracle/product/12.2.0.1/db_1/bin
- Linking Oracle
rm -f /oradb/app/oracle/product/12.2.0.1/db_1/rdbms/lib/oracle
SQL> startup;
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER='Unified Auditing'
SYS AUDITING:-
With mix auditing, sys audit records will be written to both os level and unified_trail also if audit action policy is enable.
FOR MIXED AUDITING:
Administrative user sessions generate SYS audit records. These records are written if the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE.This process writes the records only to the traditional audit trails. However, when unified audit policies are enabled for administrative users,
these unified audit records are also written to unified audit trail.
FOR PURE UNIFIED AUDITING:
All sys audit records will be written to UNIFIED_AUDIT_TRAIL TABLE ONLY
1. Mixed auditing – By default it is enable in 12c. It enables to use both traditional auditing and unified auditing methods. I.e. apart from traditional auditing we can use all the features of unified auditing. Once we are comfortable with the unified concept, we can migrate exiting audit setup to unified policy , we can enable pure auditing.
This serves as a good mediator for an easy and hassle free switch to the preferred Unified auditing.
2. Pure auditing – Once pure auditing is enabled. We cannot use the traditional auditing methods.
Which unified auditing mode enabled for my database
SQL> SELECT value FROM v$option WHERE parameter = 'Unified Auditing';
FALSE – > MIXED AUDTING
TRUE –> PURE AUDITING
How to change from MIXED to PURE auditing:(relink library)
SQL> shut immediate
[oracle@orcl:~ orcldemo] cd $ORACLE_HOME/rdbms/lib
[oracle@orcl:lib orcldemo] make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME
/usr/bin/ar d /oradb/app/oracle/product/12.2.0.1/db_1/rdbms/lib/libknlopt.a kzanang.o
/usr/bin/ar cr /oradb/app/oracle/product/12.2.0.1/db_1/rdbms/lib/libknlopt.a /oradb/app/oracle/product/12.2.0.1/db_1/rdbms/lib/kzaiang.o
chmod 755 /oradb/app/oracle/product/12.2.0.1/db_1/bin
- Linking Oracle
rm -f /oradb/app/oracle/product/12.2.0.1/db_1/rdbms/lib/oracle
SQL> startup;
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER='Unified Auditing'
SYS AUDITING:-
With mix auditing, sys audit records will be written to both os level and unified_trail also if audit action policy is enable.
FOR MIXED AUDITING:
Administrative user sessions generate SYS audit records. These records are written if the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE.This process writes the records only to the traditional audit trails. However, when unified audit policies are enabled for administrative users,
these unified audit records are also written to unified audit trail.
FOR PURE UNIFIED AUDITING:
All sys audit records will be written to UNIFIED_AUDIT_TRAIL TABLE ONLY
#########################
FGA (FINE_GRAINED_AUDITING)
#########################
FGA (FINE_GRAINED_AUDITING)
#########################
Fine-grain auditing (FGA) allows us to audit users accessing data of a certain criteria. As per standard auditing we can audit select, insert, update and delete operations. We use the package dbms_fga to add, remove, enable and disable FGA auditing policies, it is virtually impossible to bypass these policies, one nice feature is that we can attach handlers (like a trigger) to the policies which can execute procedures.
There are many options that can be applied to the dbms_fga package, here are some simple examples :
The FGA method was introduced in the Oracle 9i database release. However, this method provided support for only the SELECT statements. With the 10g database release, it becomes possible to extend the FGA method to UPDATE, INSERT, and DELETE statements as well
For the FGA method to work, an audit condition is not needed. The database audits all statements that access the object if you do not specify an audit condition. DELETE statements are always audited because all columns are deleted together. It only creates an audit record if a statement manipulates or selects specific rows that meet the FGA policy.
begin
dbms_fga.add_policy (
object_schema=>'ABDUL',
object_name=>'NEW',
policy_name=>'FGA_AUDIT',
audit_column=>'name',
enable=>true,
statement_types=>'select,update');
end;
/
Removing FGA policy :-
begin
dbms_fga.drop_policy (
object_schema=>'ABDUL',
object_name=>'NEW',
policy_name=>'FGA_AUDIT');
end;
/
Enabling FGA policy :-
begin
dbms_fga.enable_policy (
object_schema=>'ABDUL',
object_name=>'NEW',
policy_name=>'FGA_AUDIT');
end;
/
Disabling FGA policy :-
begin
dbms_fga.disable_policy (
object_schema=>'ABDUL',
object_name=>'NEW',
policy_name=>'FGA_AUDIT');
end;
/
Query FGA audit
select db_user,scn,sql_text from dba_fga_audit_trail where db_user='ABDUL';
Audit Management till 11g
#########################
Levels of auditing
Three levels of Auditing:-
Statement level
Object level
System/privilege level
Statement level auditing :-
Auditing will be done at statement level.
Statements that can be audited are found in STMT_AUDIT_OPTION_MAP.
SQL> audit table by Abdul;
Audit succeeded.
SQL> select * from DBA_STMT_AUDIT_OPTS;
USER_NAME PROXY_NAME AUDIT_OPTION SUCCESS FAILURE
--------- ---------- ------------ --------- ---------
ABDUL TABLE BY ACCESS BY ACCESS
SQL> conn ABDUL/ABDUL;
Connected.
SQL> create table new(name varchar(20));
Table created.
SQL> select USERNAME,TIMESTAMP,ACTION_NAME from dba_audit_trail where USERNAME='ABDUL';
USERNAME TIMESTAMP ACTION_NAME
-------------------- --------- ------------
ABDUL 12-AUG-19 CREATE TABLE
Object level auditing :-
Auditing will be done at object level.
These objects can be audited: tables, views, sequences, packages, stored procedures and stored functions.
SQL> audit insert on ABDUL.testtab;
Audit succeeded.
SQL> insert into ABDUL.testtab values('oracle');
1 row created.
SQL> select object_name,object_type,ins,sel from dba_obj_audit_opts where owner='ABDUL';
OBJECT_NAME OBJECT_TYPE INS SEL
------------ ----------- ------- ----
TESTTAB TABLE S/S -/-
select username,timestamp,action_name,sys_privilege,priv_used from dba_audit_trail where username='ABDUL'
USERNAME TIMESTAMP ACTION_NAME SYS_PRIVILEGE PRIV_USED
-------- --------- ----------- ------------- -----------------
DBWR 12-OCT-18 SESSION_REC INSERT ANY TABLE
System/Privilege level auditing :-
Auditing will be done at privilege level.
All system privileges that are found in SYSTEM_PRIVILEGE_MAP can be audited.
SQL> audit create any table by ABDUL;
Audit succeeded.
SQL> select privilege,user_name from dba_priv_audit_opts where user_name='ABDUL';
PRIVILEGE USER_NAME
---------------------------------------- --------------------
CREATE ANY TABLE ABDUL
SQL> grant dba to ABDUL;
Grant succeeded.
SQL> create table testtab(name varchar(20));
Table created.
select username,timestamp,action_name,sys_privilege,priv_used from dba_audit_trail where username='ABDUL'
USERNAME TIMESTAMP ACTION_NAME SYS_PRIVILEGE PRIV_USED
-------- --------- ----------- ------------- -----------------
HARI 12-OCT-19 CREATE TABLE CREATE ANY TABLE
The Oracle auditing utility has this command:
audit create session whenever not successful;
To enable auditing of failed sign-on attempts:
1 - Add initialization parameters & bounce instance:
audit_trail=true
audit_file_dest='/u01/app/oracle/mysid/mydir/'
2 - Enable auditing of failed logion attempts as SYSDBA:
SQL> audit create session whenever not successful;
3 - You can now view failed login attempts in dba_audit_trail:
select OS_USERNAME,USERNAME,USERHOST,to_char(timestamp,'MM-DD-YYYY HH24:MI:SS'), returncode
from dba_audit_trail
where returncode > 0
select ntimestamp#, userid, userhost, spare1, comment$text from sys.aud$ where returncode=1017 order by 1;
Purge Audit records :
Purging of audit records can be done either using traditional purge method or using New Feature DBMS_AUDIT_MGMT
Purging using traditional Method :
alter index SYS.I_AUD1 rebuild online;
exec dbms_stats.gather_table_stats (ownname=>'SYS', tabname=>'AUD$' , estimate_percent=>10, cascade=>TRUE, degree=>5);
Purging using New New Feature DBMS_AUDIT_MGMT
New Feature DBMS_AUDIT_MGMT To Manage And Purge Audit Information (Doc ID 731908.1)
Manually Purging
SELECT * FROM dba_audit_mgmt_config_params;
sql>BEGIN
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
use_last_arch_timestamp => FALSE); NOTE:- (Set FALSE to purge all records/files)
END;
/
OR
sql>BEGIN
DBMS_AUDIT_MGMT.set_last_archive_timestamp(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
last_archive_time => SYSTIMESTAMP-5);
END;
Setting auto purge
COLUMN audit_trail FORMAT A20
COLUMN last_archive_ts FORMAT A40
sql>SELECT * FROM dba_audit_mgmt_last_arch_ts;
sql>BEGIN
DBMS_AUDIT_MGMT.clean_audit_trail(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
use_last_arch_timestamp => TRUE); NOTE- (Set TRUE to only purge records/files older than the timestamp specified for the audit trail)
END;
/
Generate script to check enabled audit in database :
Example for statement auditing :
Reference :
https://docs.oracle.com/cd/E25054_01/network.1111/e16543/auditing.htm
#########################
Pointing Audit to syslog
#########################
Recently we moved our audit pointing to syslog since we onboard Splunk in our environment to read audit .
Below was steps for pointing audit to syslog and settings from splunk agent side
References :
How To Set the AUDIT_SYSLOG_LEVEL Parameter? (Doc ID 553225.1)
How To Enable Database Syslog Auditing On Solaris (Doc ID 1450842.1)
SYSLOG Auditing Fails To Write Entries To The File Destination Set In SYSLOG.CONF (Doc ID 1314077.1)
Purge Audit records :
Purging of audit records can be done either using traditional purge method or using New Feature DBMS_AUDIT_MGMT
Purging using traditional Method :
1) Take export backup of 2019 data that will be delete using below scrpt
exp '"/ as sysdba"' FILE=cpp_audit_2019-12-31.dmp log=cpp_audit_2019-12-31.log tables=AUD\$ query=\"WHERE TO_CHAR\(NTIMESTAMP\#,\'YYYY\'
2) Enable restricted session
alter system enable restricted session;
2) create backup table with required data that needs to be retained and purge from aud$
select sum(bytes/1024/1024/1024) from dba_segments where segment_name like 'AUD$';
select count(*) from aud$ where TO_CHAR(NTIMESTAMP# , 'YYYY') like '%2020%' ;
( Verify tablespace has enough space before proceeding )
create table temp_aud tablespace AUDIT_EFP as select * from sys.aud$ where TO_CHAR(NTIMESTAMP# , 'YYYY') like '%2020%';
select count(*) from temp_aud ;
truncate table sys.aud$;
select count(*) from SYS.AUD$;
insert into sys.aud$ select * from temp_aud;
commit ;
select count(*) from SYS.AUD$;
exec dbms_stats.gather_table_stats (ownname=>'SYS', tabname=>'AUD$' , estimate_percent=>10, cascade=>TRUE, degree=>5);
3) disable restricted session ;
alter system disable restricted session;
4) drop backup table created .
Drop table temp_aud ;
Purging using New New Feature DBMS_AUDIT_MGMT
New Feature DBMS_AUDIT_MGMT To Manage And Purge Audit Information (Doc ID 731908.1)
Manually Purging
SELECT * FROM dba_audit_mgmt_config_params;
sql>BEGIN
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
use_last_arch_timestamp => FALSE); NOTE:- (Set FALSE to purge all records/files)
END;
/
OR
sql>BEGIN
DBMS_AUDIT_MGMT.set_last_archive_timestamp(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
last_archive_time => SYSTIMESTAMP-5);
END;
Setting auto purge
COLUMN audit_trail FORMAT A20
COLUMN last_archive_ts FORMAT A40
sql>SELECT * FROM dba_audit_mgmt_last_arch_ts;
sql>BEGIN
DBMS_AUDIT_MGMT.clean_audit_trail(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
use_last_arch_timestamp => TRUE); NOTE- (Set TRUE to only purge records/files older than the timestamp specified for the audit trail)
END;
/
Generate script to check enabled audit in database :
Example for statement auditing :
AUDIT ADMINISTER KEY MANAGEMENT BY ACCESS ;
AUDIT ALTER ANY PROCEDURE BY ACCESS ;
AUDIT ALTER ANY SQL TRANSLATION PROFILE BY ACCESS ;
AUDIT ALTER ANY TABLE BY ACCESS ;
AUDIT ALTER DATABASE BY ACCESS ;
AUDIT ALTER PROFILE BY ACCESS ;
AUDIT ALTER SYSTEM BY ACCESS ;
AUDIT ALTER USER BY ACCESS ;
AUDIT AUDIT SYSTEM BY ACCESS ;
AUDIT BECOME USER BY ACCESS ;
AUDIT COMMENT TABLE BY ACCESS ;
AUDIT CONTEXT BY ACCESS ;
AUDIT CREATE ANY JOB BY ACCESS ;
AUDIT CREATE ANY LIBRARY BY ACCESS ;
AUDIT CREATE ANY PROCEDURE BY ACCESS ;
AUDIT CREATE ANY SQL TRANSLATION PROFILE BY ACCESS ;
AUDIT CREATE ANY TABLE BY ACCESS ;
AUDIT CREATE EXTERNAL JOB BY ACCESS ;
AUDIT CREATE LIBRARY BY ACCESS ;
AUDIT CREATE PUBLIC DATABASE LINK BY ACCESS ;
AUDIT CREATE SESSION BY ACCESS ;
AUDIT CREATE SQL TRANSLATION PROFILE BY ACCESS ;
AUDIT CREATE USER BY ACCESS ;
AUDIT DATABASE LINK BY ACCESS ;
AUDIT DIMENSION BY ACCESS ;
AUDIT DIRECTORY BY ACCESS ;
AUDIT DROP ANY PROCEDURE BY ACCESS ;
AUDIT DROP ANY SQL TRANSLATION PROFILE BY ACCESS ;
AUDIT DROP ANY TABLE BY ACCESS ;
AUDIT DROP PROFILE BY ACCESS ;
AUDIT DROP USER BY ACCESS ;
AUDIT EXEMPT ACCESS POLICY BY ACCESS ;
AUDIT EXEMPT REDACTION POLICY BY ACCESS ;
AUDIT GRANT ANY OBJECT PRIVILEGE BY ACCESS ;
AUDIT GRANT ANY PRIVILEGE BY ACCESS ;
AUDIT GRANT ANY ROLE BY ACCESS ;
AUDIT GRANT DIRECTORY BY ACCESS ;
AUDIT GRANT PROCEDURE BY ACCESS ;
AUDIT GRANT SEQUENCE BY ACCESS ;
AUDIT GRANT TABLE BY ACCESS ;
AUDIT GRANT TYPE BY ACCESS ;
AUDIT INDEX BY ACCESS ;
AUDIT LOCK TABLE BY ACCESS ;
AUDIT LOGMINING BY ACCESS ;
AUDIT MATERIALIZED VIEW BY ACCESS WHENEVER NOT SUCCESSFUL ;
AUDIT NOT EXISTS BY ACCESS ;
AUDIT PLUGGABLE DATABASE BY ACCESS ;
AUDIT PROCEDURE BY ACCESS ;
AUDIT PROFILE BY ACCESS ;
AUDIT PUBLIC DATABASE LINK BY ACCESS ;
AUDIT PUBLIC SYNONYM BY ACCESS ;
AUDIT PURGE DBA_RECYCLEBIN BY ACCESS ;
AUDIT RESTRICTED SESSION BY ACCESS ;
AUDIT ROLE BY ACCESS ;
AUDIT ROLLBACK SEGMENT BY ACCESS ;
AUDIT SELECT ANY DICTIONARY BY ACCESS ;
AUDIT SELECT TABLE BY ACCESS WHENEVER NOT SUCCESSFUL ;
AUDIT SEQUENCE BY ACCESS ;
AUDIT SYNONYM BY ACCESS ;
AUDIT SYSTEM AUDIT BY ACCESS ;
AUDIT SYSTEM GRANT BY ACCESS ;
AUDIT TABLE BY ACCESS ;
AUDIT TRANSLATE ANY SQL BY ACCESS ;
AUDIT TRIGGER BY ACCESS ;
AUDIT TYPE BY ACCESS ;
AUDIT USER BY ACCESS ;
AUDIT VIEW BY ACCESS ;
Reference :
https://docs.oracle.com/cd/E25054_01/network.1111/e16543/auditing.htm
#########################
Pointing Audit to syslog
#########################
Recently we moved our audit pointing to syslog since we onboard Splunk in our environment to read audit .
Below was steps for pointing audit to syslog and settings from splunk agent side
References :
How To Set the AUDIT_SYSLOG_LEVEL Parameter? (Doc ID 553225.1)
How To Enable Database Syslog Auditing On Solaris (Doc ID 1450842.1)
SYSLOG Auditing Fails To Write Entries To The File Destination Set In SYSLOG.CONF (Doc ID 1314077.1)
For Syslog :
A) As root user
1) take backup of /etc/syslog.conf
2) Modify /etc/syslog.conf as under ( note to use tab and not space)
3) the syslog services needs restarting after this file is changed
svcadm restart svc:/system/system-log:default
B) add below database parameters and restart database as oracle user
1) table backup of database spfile
2) Verify below 2 parameters are set
alter system set audit_file_dest='/oradata/
alter system set audit_sys_operations=true scope=spfile;
update database syslog parameters as under
exec dbms_audit_mgmt.set_audit_
exec dbms_audit_mgmt.set_audit_
For Splunk :
A) as splunk user
1) Ensure attached Splunk_TA_oracle directory is present under /opt/splunkforwarder/etc/apps/
2) /opt/splunkforwarder/etc/apps/
[monitor:///var/log/oracle/
sourcetype = oracle:audit:text
disabled = false
index = moe
crcSalt = <SOURCE>
3) Need to ensure " useACK = true" line is not present in file /opt/splunkforwarder/etc/apps/
[tcpout]
defaultGroup = primary_indexers
maxQueueSize = 7MB
#useACK = true
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_
#IP of Heavy Forwarder
[tcpout:primary_indexers]
server = XX.XXX.XX.XX:XXXX
4) Restart splunk services with splunk user and check if audit files are listed
/opt/splunkforwarder/bin/splunk restart
/opt/splunkforwarder/bin/splunk list monitor
Verification:
Verifiy entres are getting written in /var/log/oracle/oracleaudit.
Rollback steps :
1) restore backup of /etc/syslog taken and restart syslog services
2) restore backup of database spfile and restart database
References :
SCRIPT: Generate AUDIT and NOAUDIT Statements for Current Audit Settings (Doc ID 287436.1)
SRDC - How to Collect Standard Information for Database Auditing (Doc ID 1901113.1)
