Auditing in Oracle 10g Release 2

This article presents an overview of auditing in Oracle 10g Release 2. Many of the topics presented here have been covered in previous articles, but this serves to bring them all together.

erver etup !udit Options "iew !udit Trail Maintenance and ecurity #ine $rained !uditing

Related articles.

#ine $rained !uditing %&i' #ine $rained !uditing (nhancements %10g' )niform !udit Trail %10g' !udit Trail *ontents %10g' !uditing (nhancements %+,M -!)+.T-M$MT' in Oracle +atabase 11g Release 2

Server Setup
!uditing is a default feature of the Oracle server. The initiali/ation parameters that influence its behaviour can be displayed using the SHOW PARAMETER 0123lus command.

SQL> SHOW PARAMETER AUDIT NAME TYPE VALUE ------------------------------------ ---------------------------------------audit_file_dest st i!" #$%ORA#LE%PRODU#T%&'()('%ADMIN %D*&'+%ADUMP audit_s,s_-.e ati-!s /--lea! 0ALSE audit_t ail st i!" NONE SQL>
!uditing is disabled by default, but can enabled by setting the allowed values.

AUDIT_TRAIL static parameter, which has the following

AUDIT_TRAIL 1 2 !-!e 3 -s 3 d/ 3 d/4e5te!ded 3 56l 3 56l4e5te!ded 7

The following list provides a description of each setting4

!-!e or false 5 !uditing is disabled. d/ or t ue 5 !uditing is enabled, with all audit records stored in the database audit trial %SYS(AUD8'. d/4e5te!ded 5 !s d/, but the SQL_*IND and SQL_TE9T columns are also populated. 56l5 !uditing is enabled, with all audit records stored as 6M1 format O
files.

56l4e5te!ded 5 !s 56l, but the SQL_*IND and SQL_TE9T columns are also populated. -s5 !uditing is enabled, with all audit records directed to the operating system7s audit trail.

8ote. .n Oracle 10g Release 1, d/_e5te!ded was used in place of d/4e5te!ded. The 6M1 options are new to Oracle 10g Release 2. The AUDIT_SYS_OPERATIONS static parameter enables or disables the auditing of operations issued by users connecting with 9 +,! or 9 O3(R privileges, including the 9 user. !ll audit records are written to the O audit trail. The AUDIT_0ILE_DEST parameter specifies the O directory used for the audit trail when the -s, 56l and 56l4e5te!ded options are used. .t is also the location for all mandatory auditing specified by the AUDIT_SYS_OPERATIONS parameter. To enable auditing and direct audit records to the database audit trail, we would do the following.

SQL> ALTER SYSTEM SET audit_t ail1d/ S#OPE1SP0ILE: S,ste6 alte ed( SQL> SHUTDOWN Data/ase ;l-sed( Data/ase dis6-u!ted( ORA#LE i!sta!;e s<ut d-=!( SQL> STARTUP ORA#LE i!sta!;e sta ted( T-tal S,ste6 +l-/al A ea 0i5ed SiCe Va ia/le SiCe Data/ase *uffe s Red- *uffe s Data/ase 6-u!ted( Data/ase -.e!ed( SQL> )>?@'A?BA &)@>A'' B&D'D>@> )&D?'?E'@ )?@E')@ /,tes /,tes /,tes /,tes /,tes

Audit Options
One loo: at the !)+.T command synta; should give you an idea of how fle;ible Oracle auditing is. There is no point repeating all this information, so instead we will loo: at a simple e;ample. #irst we create a new user called !)+.T-T( T.

#ONNE#T s,sF.ass=- d AS SYSD*A #REATE USER audit_test IDENTI0IED *Y .ass=- d DE0AULT TA*LESPA#E use s TEMPORARY TA*LESPA#E te6. QUOTA UNLIMITED ON use s: +RANT ;-!!e;t TO audit_test: +RANT ; eate ta/le4 ; eate . -;edu e TO audit_test:
8e;t we audit all operations by the !)+.T-T( T user.

#ONNE#T s,sF.ass=- d AS SYSD*A

AUDIT ALL *Y audit_test *Y A##ESS: AUDIT SELE#T TA*LE4 UPDATE TA*LE4 INSERT TA*LE4 DELETE TA*LE *Y audit_test *Y A##ESS: AUDIT E9E#UTE PRO#EDURE *Y audit_test *Y A##ESS:
These options audit all ++1 and +M1, along with some system events.

++1 %*R(!T(, !1T(R < +RO3 of ob=ects' +M1 %.8 (RT )3+!T(, +(1(T(, (1(*T, (6(*)T('. 9 T(M ("(8T %1O$O8, 1O$O## etc.'

8e;t, we perform some operations that will be audited.

#ONN audit_testF.ass=- d #REATE TA*LE test_ta/ G id NUM*ER H: INSERT UPDATE SELE#T DELETE INTO test_ta/ GidH VALUES G&H: test_ta/ SET id 1 id: I 0ROM test_ta/: 0ROM test_ta/:

DROP TA*LE test_ta/:

.n the ne;t section we will loo: at how we view the contents of the audit trail.

View Audit Trail

The audit trail is stored in the SYS(AUD8 table. .ts contents can be viewed directly or via the following views.

SELE#T Jie=_!a6e 0ROM d/a_Jie=s WHERE Jie=_!a6e LIKE LD*AMAUDITML ORDER *Y Jie=_!a6e: VIEW_NAME -----------------------------D*A_AUDIT_E9ISTS D*A_AUDIT_O*NE#T D*A_AUDIT_POLI#IES D*A_AUDIT_POLI#Y_#OLUMNS D*A_AUDIT_SESSION D*A_AUDIT_STATEMENT D*A_AUDIT_TRAIL D*A_#OMMON_AUDIT_TRAIL D*A_0+A_AUDIT_TRAIL D*A_O*N_AUDIT_OPTS D*A_PRIV_AUDIT_OPTS D*A_REPAUDIT_ATTRI*UTE D*A_REPAUDIT_#OLUMN D*A_STMT_AUDIT_OPTS

&@ SQL>

-=s sele;ted(

The three main views are shown below.

D*A_AUDIT_TRAIL 5 tandard auditing only %from AUD8'. D*A_0+A_AUDIT_TRAIL 5 #ine5grained auditing only %from 0+A_LO+8'. D*A_#OMMON_AUDIT_TRAIL 5 ,oth standard and fine5grained auditing.

The most basic view of the database audit trail is provided by the D*A_AUDIT_TRAIL view, which contains a wide variety of information. The following >uery displays the some of the information from the database audit trail.

#OLUMN #OLUMN #OLUMN #OLUMN

use !a6e 0ORMAT A&' -=!e 0ORMAT A&' -/O_!a6e 0ORMAT A&' e5te!ded_ti6esta6. 0ORMAT ADE

SELE#T use !a6e4 e5te!ded_ti6esta6.4 -=!e 4 -/O_!a6e4 a;ti-!_!a6e 0ROM d/a_audit_t ail WHERE -=!e 1 LAUDIT_TESTL ORDER *Y ti6esta6.: USERNAME E9TENDED_TIMESTAMP A#TION_NAME ---------- -------------------------------------------------------------AUDIT_TEST &A-0E*-)''A &@$&A$EE(@DE''' P''$'' TA*LE AUDIT_TEST &A-0E*-)''A &@$&A$EE(E&@''' P''$'' AUDIT_TEST &A-0E*-)''A &@$&A$EE(E@E''' P''$'' AUDIT_TEST &A-0E*-)''A &@$&A$EE(E?)''' P''$'' AUDIT_TEST &A-0E*-)''A &@$&A$EE(AB'''' P''$'' AUDIT_TEST &A-0E*-)''A &@$&B$''('@E''' P''$'' TA*LE A -=s sele;ted( OWNER O*N_NAME

---------- ---------AUDIT_TEST TEST_TA* AUDIT_TEST AUDIT_TEST AUDIT_TEST AUDIT_TEST AUDIT_TEST TEST_TA* TEST_TA* TEST_TA* TEST_TA* TEST_TA* #REATE INSERT UPDATE SELE#T DELETE DROP

SQL>
?hen the audit trail is directed to an 6M1 format O file, it can be read using a te;t editor or via the V89ML_AUDIT_TRAIL view, which contains similar information to theD*A_AUDIT_TRAIL view.

#OLUMN #OLUMN #OLUMN #OLUMN

d/_use 0ORMAT A&' -/Oe;t_s;<e6a 0ORMAT A&' -/Oe;t_!a6e 0ORMAT A&' e5te!ded_ti6esta6. 0ORMAT ADE

SELE#T d/_use 4 e5te!ded_ti6esta6.4 -/Oe;t_s;<e6a4

-/Oe;t_!a6e4 a;ti-! 0ROM J856l_audit_t ail WHERE -/Oe;t_s;<e6a 1 LAUDIT_TESTL ORDER *Y e5te!ded_ti6esta6.: D*_USER A#TION ------------------AUDIT_TEST & AUDIT_TEST ) AUDIT_TEST A AUDIT_TEST D AUDIT_TEST B AUDIT_TEST &) A E9TENDED_TIMESTAMP O*NE#T_S#H O*NE#T_NAM

----------------------------------- ---------- ---------&A-0E*-)''A &@$&@$DD(@&B''' P''$'' &A-0E*-)''A &@$&@$DD(@A@''' P''$'' &A-0E*-)''A &@$&@$DD(E&&''' P''$'' &A-0E*-)''A &@$&@$DD(E@)''' P''$'' &A-0E*-)''A &@$&@$DD(A'E''' P''$'' &A-0E*-)''A &@$&@$D@(?&B''' P''$'' AUDIT_TEST TEST_TA* AUDIT_TEST TEST_TA* AUDIT_TEST TEST_TA* AUDIT_TEST TEST_TA* AUDIT_TEST TEST_TA* AUDIT_TEST TEST_TA*

-=s sele;ted(

SQL>
everal fields were added to both the standard and fine5grained audit trails in Oracle 10g, including the following.

E9TENDED_TIMESTAMP 5 ! more precise value than the e;ising TIMESTAMP column. PRO9Y_SESSIONID 5 3ro;y session serial number when an enterprise user is logging in via the pro;y method. +LO*AL_UID 5 $lobal )niversal .dentifier for an enterprise user. INSTAN#E_NUM*ER 5 The INSTAN#E_NUM*ER value from the actioning instance. OS_PRO#ESS 5 Operating system process id for the oracle process. TRANSA#TIONID 5 Transaction identifier for the audited transaction. This column can be used to =oin to the 9ID column on the 0LASH*A#K_TRANSA#TION_QUERY view. S#N 5
ystem change number of the >uery. This column can be used in flashbac: >ueries.

SQL_*IND 5 The values of any bind variables if any. SQL_TE9T 5 The

01 statement that initiated the audit action.

The SQL_*IND and SQL_TE9T columns are only populated when the to d/4e5te!ded or 56l4e5te!ded.

AUDIT_TRAIL parameter is set

Maintenance and Security

!uditing should be planned carefully to control the >uantity of audit information. Only audit specific operations or ob=ects of interest. Over time you can refine the level of auditing to match your re>uirements. The database audit trail must be deleted, or archived, on a regular basis to prevent the SYS(AUD8 table growing to an unnacceptable si/e.Only +,!s should have maintenance access to the audit trail. !uditing modifications of the data in the audit trail itself can be achieved using the following statement.

AUDIT INSERT4 UPDATE4 DELETE ON s,s(aud8 *Y A##ESS:

The O and 6M1 audit trails are managed through the O . These files should be secured at the O level by assigning the correct file permissions.

Fine Grained Auditing (FGA

#ine grained auditing e;tends Oracle standard auditing capabilities by allowing the user to audit actions based on user5defined predicates. .t is independant of the AUDIT_TRAILparameter setting and all audit records are stored in the 0+A_LO+8 table, rather than the AUD8 table. The following e;ample illustrates how fine grained auditing is used. #irst, create a test table.

#ONN audit_testF.ass=- d #REATE TA*LE e6. G e6.!NUM*ERG@H NOT NULL4 e!a6e VAR#HAR)G&'H4 O-/ VAR#HAR)G?H4 6" NUM*ERG@H4 <i edate DATE4 sal NUM*ERGB4)H4 ;-66 NUM*ERGB4)H4 de.t!NUM*ERG)H H: INSERT INTO e6. Ge6.!-4 e!a6e4 salH VALUES G????4 LTi6L4 &H: INSERT INTO e6. Ge6.!-4 e!a6e4 salH VALUES G????4 LLa ,L4 E'''&H: #OMMIT:
The following policy audits any >ueries of salaries greater than @A0,000.

#ONN s,sF.ass=- d AS s,sd/a *E+IN D*MS_0+A(add_.-li;,G -/Oe;t_s;<e6a 1> -/Oe;t_!a6e 1> .-li;,_!a6e 1> audit_;-!diti-! 1> audit_;-lu6! 1> END: F

LAUDIT_TESTL4 LEMPL4 LSALARY_#HK_AUDITL4 LSAL > E''''L4 LSALLH:

0uerying both employees proves the auditing policy wor:s as e;pected.

#ONN audit_testF.ass=- d SELE#T sal 0ROM e6. WHERE e!a6e 1 LTi6L: SELE#T sal 0ROM e6. WHERE e!a6e 1 LLa ,L: #ONN s,sF.ass=- d AS SYSD*A SELE#T sQl_te5t 0ROM d/a_f"a_audit_t ail: SQL_TE9T

-----------------------------------------SELE#T sal 0ROM e6. WHERE e!a6e 1 LLa ,L & -= sele;ted(

SQL>
(;tra processing can be associated with an #$! event by defining a database procedure and associating this to the audit event. The following e;ample assumes the 0IRE_#LERKprocedure has been defined.

*E+IN D*MS_0+A(add_.-li;,G -/Oe;t_s;<e6a 1> -/Oe;t_!a6e 1> .-li;,_!a6e 1> audit_;-!diti-! 1> audit_;-lu6! 1> <a!dle _s;<e6a 1> <a!dle _6-dule 1> e!a/le 1> END: F

LAUDIT_TESTL4 LEMPL4 LSALARY_#HK_AUDITL4 LSAL > E''''L4 LSALL4 LAUDIT_TESTL4 L0IRE_#LERKL4 TRUEH:

The D*MS_0+A pac:age contains the following procedures.

ADD_POLI#Y DROP_POLI#Y ENA*LE_POLI#Y DISA*LE_POLI#Y

.n Oracle&i fine grained auditing was limited >ueries, but in Oracle 10g it has been e;tended to include +M1 statements, as shown by the following e;ample.

-- #lea d-=! t<e audit t ail( #ONN s,sF.ass=- d AS SYSD*A TRUN#ATE TA*LE f"a_l-"8: SELE#T sQl_te5t 0ROM d/a_f"a_audit_t ail: !-=s sele;ted( t<e SAL ;-lu6! -f t<e EMP ta/le( LAUDIT_TESTL4 LEMPL4 LSAL_AUDITL4 NULL4 -- EQuiJale!t t- TRUE LSALL4 LSELE#T4INSERT4UPDATE4DELETELH:

-- A..l, t<e .-li;, t*E+IN D*MS_0+A(add_.-li;,G -/Oe;t_s;<e6a 1> -/Oe;t_!a6e 1> .-li;,_!a6e 1> audit_;-!diti-! 1> audit_;-lu6! 1> state6e!t_t,.es 1> END: F

-- Test t<e auditi!"( #ONN audit_testF.ass=- d

SELE#T I 0ROM e6. WHERE e6.!- 1 ???>: INSERT INTO e6. Ge6.!-4 e!a6e4 salH VALUES G???>4 L*illL4 &H: UPDATE e6. SET sal 1 &' WHERE e6.!- 1 ???>: DELETE e6. WHERE e6.!- 1 ???>: ROLL*A#K: -- #<e;R t<e audit t ail( #ONN s,sF.ass=- d AS SYSD*A SELE#T sQl_te5t 0ROM d/a_f"a_audit_t ail: SQL_TE9T -------------------------------------SELE#T I 0ROM e6. WHERE e6.!- 1 ???> INSERT INTO e6. Ge6.!-4 e!a6e4 salH VALUES G???>4 L*illL4 &H UPDATE e6. SET sal 1 &' WHERE e6.!- 1 ???> DELETE e6. WHERE e6.!- 1 ???> @ -=s sele;ted(

-- D -. t<e .-li;,( #ONN s,sF.ass=- d AS SYSD*A *E+IN D*MS_0+A(d -._.-li;,G -/Oe;t_s;<e6a 1> LAUDIT_TESTL4 -/Oe;t_!a6e 1> LEMPL4 .-li;,_!a6e 1> LSAL_AUDITLH: END: F