ORACLE Audit
Auditing
If an unauthorized user is deleting data, the DBA might decide to audit all connections to the
database and all successful and unsuccessful deletions from all tables in the database. The DBA
can gather statistics about which tables are being updated, how many logical I/Os are performed,
and how many concurrent users connect at peak times.
Auditing Guidelines
Restrict auditing by first identifying the auditing requirements, then setting the minimal auditing
options that satisfy them. Use object auditing where possible to reduce the number of entries
generated. If statement or privilege auditing must be used, the following settings minimize the
volume of audit records:
• Specify the users to audit rather than auditing every user
• Audit by session rather than by access
• Audit either successes or failures, but not both
Audit records are written either to the SYS.AUD$ table or to the operating system's audit trail,
as selected by the AUDIT_TRAIL initialization parameter. Whether the operating system's audit
trail can be used depends on the operating system.
Monitoring the Growth of the Audit Trail
If the audit trail becomes full, no more audit records can be inserted, and audited statements fail.
Errors are returned to every user who issues an audited statement, and you must free space in the
audit trail before those statements can run again. SYS.AUD$ lives in the SYSTEM tablespace by
default, so a full audit trail usually means a full SYSTEM tablespace.
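The checks a DBA would run to watch the trail before it fills, as an added example that is not part of the course notes. It assumes AUDIT_TRAIL=DB (records in SYS.AUD$) and an archive schema SEC owned by the DBA; both are assumptions, not something the notes state.

```sql
-- Added example (not from the course notes). Assumes AUDIT_TRAIL=DB, so
-- records land in SYS.AUD$, and an archive schema SEC that the DBA owns.
-- Run as a DBA.

-- 1. Where is the trail and how big is it? AUD$ (and the fine-grained
--    trail FGA_LOG$) live in the SYSTEM tablespace by default.
SELECT segment_name, tablespace_name, ROUND(bytes / 1024 / 1024, 1) AS mb
FROM   dba_segments
WHERE  owner = 'SYS'
AND    segment_name IN ('AUD$', 'FGA_LOG$');

-- 2. Free space left in that tablespace: when this reaches zero, every
--    audited statement fails with an error until space is freed.
SELECT tablespace_name, ROUND(SUM(bytes) / 1024 / 1024, 1) AS free_mb
FROM   dba_free_space
WHERE  tablespace_name = 'SYSTEM'
GROUP  BY tablespace_name;

-- 3. Growth rate: records written per day over the last week.
SELECT TRUNC(timestamp) AS day, COUNT(*) AS records
FROM   dba_audit_trail
WHERE  timestamp > SYSDATE - 7
GROUP  BY TRUNC(timestamp)
ORDER  BY day;

-- 4. Which users and actions generate the volume? Pair the answer with the
--    guidelines above (audit by session, named users, successes or failures).
SELECT username, action_name, COUNT(*) AS records
FROM   dba_audit_trail
GROUP  BY username, action_name
ORDER  BY records DESC;

-- 5. Archive, then purge. Do this in a maintenance window: any record
--    written between the copy and the truncate is lost.
CREATE TABLE sec.aud_archive AS
  SELECT * FROM dba_audit_trail;
TRUNCATE TABLE sys.aud$;
```

Step 5 copies through the DBA_AUDIT_TRAIL view rather than SYS.AUD$ directly so the archive keeps the decoded column names (ACTION_NAME, TIMESTAMP) that investigators will query later.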
Auditing categories
• Audited by default
– Instance startup and instance shutdown
– Administrator privileges
• Database auditing
– Enabled by the DBA
– Cannot record column values
• Value-based or application auditing
– Implemented through code
– Can record column values
– Used to track changes to tables
Regardless of whether database auditing is enabled, Oracle always records some database
operations in the operating system audit trail. These are:
• Instance startup: The audit record details the operating system user starting the instance, the
user's terminal identifier, the date and time stamp, and whether database auditing was
enabled or disabled.
• Instance shutdown: This details the operating system user shutting down the instance, the
user's terminal identifier, and the date and time stamp.
• Administrator privileges: This details the operating system user connecting to Oracle with
administrator privileges (AS SYSDBA or AS SYSOPER).
Database Auditing
Database auditing is the monitoring and recording of selected user database actions. Information
about the event is stored in the audit trail.
The audit trail can be used to investigate suspicious activity. For example, if an unauthorized user
is deleting data from tables, the database administrator may decide to audit all connections to the
database in conjunction with successful and unsuccessful deletions of rows from tables in the
database.
Audit options
[Diagram: audit options feed either the OS audit trail or the database audit trail]
• Statement auditing
AUDIT TABLE;
• Privilege auditing
AUDIT CREATE ANY TRIGGER;
Audit Options
Statement auditing: This is the selective auditing of SQL statements by statement type, not of the
specific schema objects on which they operate. For example, AUDIT TABLE tracks CREATE TABLE,
DROP TABLE, and TRUNCATE TABLE regardless of the table on which they are issued. You can set
statement auditing to audit selected users or every user in the database.
Privilege auditing: This is the selective auditing of system privileges to perform corresponding
actions, such as AUDIT CREATE ANY TRIGGER. You can set privilege auditing to audit a
selected user or every user in the database.
Schema object auditing: This is the selective auditing of specific statements on a particular
schema object, such as AUDIT SELECT ON HR.EMPLOYEES. Schema object auditing always
applies to all users of the database.
Any auditing option can be qualified with the following conditions:
• WHENEVER SUCCESSFUL / WHENEVER NOT SUCCESSFUL
• BY SESSION / BY ACCESS
• BY user, for specific users rather than all users (statement and privilege auditing only)
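The three categories and their conditions applied to the scenario in the Database Auditing notes (rows disappearing from a table), as an added example that is not part of the course notes. HR.EMPLOYEES is the table the notes name; AUDIT_TRAIL=DB, the suspect user SCOTT and the date window in the last query are assumptions.

```sql
-- Added example (not from the course notes) for the scenario above: rows are
-- disappearing from HR.EMPLOYEES. Assumes AUDIT_TRAIL=DB and a suspect user
-- SCOTT; HR.EMPLOYEES is the table named in the notes. Run as a DBA.

-- Statement auditing: one record per logon (and logoff) for every user.
AUDIT SESSION;

-- Object auditing: every DELETE against the table, one record per statement,
-- success and failure. Object options always apply to all users.
AUDIT DELETE ON hr.employees BY ACCESS;

-- Privilege auditing, narrowed as the guidelines suggest: one user,
-- failures only, so the trail stays small.
AUDIT DELETE ANY TABLE BY scott BY ACCESS WHENEVER NOT SUCCESSFUL;

-- Confirm what is in force before trusting the trail.
SELECT user_name, audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT user_name, privilege, success, failure     FROM dba_priv_audit_opts;
-- DEL reads success/failure: A = by access, S = by session, - = off
SELECT owner, object_name, del
FROM   dba_obj_audit_opts
WHERE  owner = 'HR' AND object_name = 'EMPLOYEES';

-- Investigation 1: who deleted, or tried to, and from where.
-- RETURNCODE is 0 on success, otherwise the ORA- error number.
SELECT timestamp, username, os_username, userhost, terminal,
       action_name, returncode
FROM   dba_audit_trail
WHERE  owner = 'HR' AND obj_name = 'EMPLOYEES'
AND    action_name = 'DELETE'
ORDER  BY timestamp;

-- Investigation 2: the sessions around those deletes, including failed
-- logons (RETURNCODE 1017 = invalid username/password). The window is a
-- placeholder; substitute the time of the deletes found above.
SELECT timestamp, logoff_time, username, os_username, terminal, returncode
FROM   dba_audit_session
WHERE  timestamp BETWEEN TO_DATE('2024-01-15 08:00', 'YYYY-MM-DD HH24:MI')
                     AND TO_DATE('2024-01-15 18:00', 'YYYY-MM-DD HH24:MI')
ORDER  BY timestamp;
```

Note that only the privilege option is restricted to SCOTT: the object option on HR.EMPLOYEES records deletes by every user, which is what you want when the suspect is not yet known.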
Fine-Grained Auditing
• Provides the monitoring of data access based on content
• Implemented using the DBMS_FGA package
Audit Options
Fine-grained auditing: This provides the monitoring of data access based on content. The PL/SQL
package DBMS_FGA administers value-based audit policies. Using DBMS_FGA, the DBA creates an
audit policy on the target table, optionally limited to statements that reference particular
columns. If any row returned from a query block matches the audit condition, an audit event entry
including the username, SQL text, bind variables, policy name, session ID, timestamp, and other
attributes is inserted into the audit trail.
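A DBMS_FGA policy on HR.EMPLOYEES, with three queries showing when it does and does not fire, as an added example that is not part of the course notes. It assumes the HR sample schema is present and a schema SEC that holds an alert table and the handler procedure (the handler, its table and the policy name are all assumptions).

```sql
-- Added example (not from the course notes). Assumes the HR sample schema
-- is present and that a schema SEC exists to hold the alert table and
-- handler procedure. Run as a DBA with EXECUTE on DBMS_FGA.

-- Optional alert table and handler. The handler runs in the session that
-- triggered the policy, so it commits in its own autonomous transaction.
CREATE TABLE sec.fga_alerts (
  alert_time  DATE,
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(128),
  policy_name VARCHAR2(30)
);

CREATE OR REPLACE PROCEDURE sec.fga_alert (
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec.fga_alerts
  VALUES (SYSDATE,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          policy_name);
  COMMIT;
END;
/

-- The policy: audit a query on HR.EMPLOYEES only when it references SALARY
-- and returns at least one row with SALARY > 10000.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_HIGH_SALARY',
    audit_condition => 'SALARY > 10000',
    audit_column    => 'SALARY',
    handler_schema  => 'SEC',
    handler_module  => 'FGA_ALERT',
    enable          => TRUE);
END;
/

-- Audited: references SALARY and returns executives earning > 10000.
SELECT last_name, salary FROM hr.employees WHERE department_id = 90;

-- Not audited: SALARY is not referenced, so the policy does not fire
-- even though the rows returned are the same high earners.
SELECT last_name FROM hr.employees WHERE department_id = 90;

-- Not audited: the condition is false for every row returned.
SELECT last_name, salary FROM hr.employees WHERE salary < 3000;

-- Read the fine-grained trail: one entry for the first query only.
SELECT timestamp, db_user, os_user, policy_name, sql_text, sql_bind
FROM   dba_fga_audit_trail
WHERE  policy_name = 'EMP_HIGH_SALARY'
ORDER  BY timestamp;

-- Switch the policy off without losing it, or remove it entirely.
EXEC DBMS_FGA.DISABLE_POLICY('HR', 'EMPLOYEES', 'EMP_HIGH_SALARY');
EXEC DBMS_FGA.DROP_POLICY('HR', 'EMPLOYEES', 'EMP_HIGH_SALARY');
```

The second query is the point practitioners most often miss: audit_column limits the policy to statements that touch the named column, so a user who avoids it leaves no fine-grained record. Leave audit_column NULL if every query that satisfies the condition must be recorded.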
Disabling Auditing
Use the NOAUDIT statement to turn off auditing that was enabled by an earlier AUDIT statement.
Note: A NOAUDIT statement reverses the effect of a previous AUDIT statement. It must use the same
syntax as that AUDIT statement, and it reverses the effect of that statement only. Therefore, if one
AUDIT statement (statement A) enables auditing for a specific user, and a second (statement B)
enables auditing for all users, a NOAUDIT statement that disables auditing for all users reverses
statement B but leaves statement A in effect, and the user named in statement A continues to be
audited.
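The statement A / statement B case above, carried through with the data dictionary views that show what is still in force, as an added example that is not part of the course notes. It assumes a user SCOTT exists; HR.EMPLOYEES and CREATE ANY TRIGGER are the objects the notes use.

```sql
-- Added example (not from the course notes) of the statement A / statement B
-- case above. Assumes a user SCOTT exists.

-- Statement A: audit TABLE statements issued by one user.
AUDIT TABLE BY scott;
-- Statement B: audit the same statements for every user.
AUDIT TABLE;

-- Two rows: USER_NAME is NULL for the database-wide option, SCOTT for A.
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts
WHERE  audit_option = 'TABLE';

-- Reverses B only; the SCOTT row stays and SCOTT is still audited.
NOAUDIT TABLE;
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts
WHERE  audit_option = 'TABLE';

-- A needs its own NOAUDIT with the matching BY clause.
NOAUDIT TABLE BY scott;

-- The same rule applies to the other categories.
NOAUDIT CREATE ANY TRIGGER BY scott;     -- privilege auditing
NOAUDIT DELETE ON hr.employees;          -- object auditing

-- Blanket forms for when nothing may be left behind (add BY scott to the
-- first two to target one user's entries); re-run the DBA_STMT_AUDIT_OPTS,
-- DBA_PRIV_AUDIT_OPTS and DBA_OBJ_AUDIT_OPTS queries afterwards to confirm.
NOAUDIT ALL;                     -- statement options
NOAUDIT ALL PRIVILEGES;          -- privilege options
NOAUDIT ALL ON hr.employees;     -- object options on one object
```

The two SELECTs before and after the first NOAUDIT are the check worth keeping: an audit option you believe is off but that still appears in DBA_STMT_AUDIT_OPTS is still writing records, and one you believe is on but that is missing there is not.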