Moving AUD$ to another Tablespace and Adding Triggers to AUD$

1. Login to the server as SYSDBA

$ connect sys/<password>

SQL> SHOW PARAMETER AUDIT

“it should be NONE”

2. If audit_trail= DB then alter parameter audit_trail=NONE as

SQL> ALTER SYSTEM SET AUDIT_TRAIL=NONE SCOPE=SPFILE;

SQL> SHUT IMMEDIATE

SQL> STARTUP

SQL> SHOW PARAMETER AUDIT “It should show NONE”

3. Create table space AUDIT so that it can be used instead of SYSTEM table space for auditing

SQL> CREATE TABLESPACE AUDIT_TBS DATAFILE SIZE 1000M AUTOEXTEND ON NEXT 1024K MAXSIZE
UNLIMITED;

SQL> ALTER USER SYSTEM QUOTA UNLIMITED ON AUDIT_TBS;

4. Clone table AUD$ in SYSTEM schema from SYS schema

SQL> CREATE TABLE SYSTEM.AUD$ TABLESPACE AUDIT_TBS AS SELECT * FROM SYS.AUD$;

5. Create index on cloned table AUD$ in SYSTEM schema

SQL> CREATE INDEX SYSTEM.I_AUD ON SYSTEM.AUD$(SESSIONID, SES$TID);

6. Rename the SYS audit table

SQL> RENAME AUD$ TO AUD$_TEMP;

 7. Create view on SYSTEM audit table

SQL> CREATE VIEW AUD$ AS SELECT * FROM SYSTEM.AUD$;

8. Grant ALL and DELETE privileges to SYS AND DELETE_CATALOG_ROLE

$ connect system/<password>

SQL> GRANT ALL ON AUD$ TO SYS WITH GRANT OPTION;

SQL> GRANT DELETE ON AUD$ TO DELETE_CATALOG_ROLE;

9. Enable auditing

$ connect sys/<password>

SQL> ALTER SYSTEM SET AUDIT_TRAIL=DB SCOPE=SPFILE;

SQL> SHUT IMMEDIATE

SQL> STARTUP

SQL> SHOW PARAMETER AUDIT “It should show DB”

10. Recreate the data dictionary views for auditing

SQL> @$ORACLE_HOME/rdbms/admin/cataudit.sql

11. Create table to record additional information about the action performed by user

SQL> CREATE TABLE SYSTEM.ACCOUNTING

(USERNAME VARCHAR2(30), LOGIN_TIME DATE, LOGOFF_TIME DATE,
SCHEMANAME VARCHAR2(30), OSUSER VARCHAR2(15), PROCESS VARCHAR2(12),
MACHINE VARCHAR2(64), TERMINAL VARCHAR2(8), PROGRAM VARCHAR2(64),
TYPE VARCHAR2(10), LOGICAL_READ NUMBER, PHYSICAL_READ NUMBER,
SID NUMBER, SESSION_SID NUMBER, CPU_TIME NUMBER)
TABLESPACE AUDIT_TBS ;
 12. Create trigger so that the accounting table in SYSTEM schema is updated accordingly

SQL> CREATE OR REPLACE TRIGGER ACC_TRIGGER

AFTER UPDATE ON SYSTEM.AUD$ FOR EACH ROW
WHEN (NEW.ACTION# = 101 OR NEW.ACTION# = 102)
DECLARE
V_CONC_ID NUMBER;
BEGIN
V_CONC_ID := 99;
INSERT INTO SYSTEM.ACCOUNTING
SELECT :NEW.USERID,
:NEW.TIMESTAMP#,
:NEW.LOGOFF$TIME,
SS.SCHEMANAME,
SS.OSUSER,
SS.PROCESS,
SS.MACHINE,
SS.TERMINAL,
SS.PROGRAM,
SS.TYPE,
:NEW.LOGOFF$LREAD,
:NEW.LOGOFF$PREAD,
ST.SID,
SS.AUDSID,
ST.VALUE
FROM V$STATNAME S, V$SESSTAT ST, V$SESSION SS
WHERE S.STATISTIC# = ST.STATISTIC# AND ST.SID = SS.SID
AND :NEW.SESSIONID = SS.AUDSID
AND S.NAME='CPU USED BY THIS SESSION';
END;
/

13. Accounting table can be queried as follows:

SQL> SELECT OSUSER,USERNAME, TO_CHAR(LOGIN_TIME,'DD.MM.YY:HH:MI') LOGIN,

TO_CHAR(LOGOFF_TIME,'DD.MM.YY:HH:MI') LOGOUT, MACHINE, CPU_TIME
FROM SYSTEM.ACCOUNTING;