Text of Oracle Auditing Natalka Roshak Presented to ABCD-Oracle 4 March 2004
Slide 1
Oracle Auditing Natalka Roshak Presented to ABCD-Oracle 4 March 2004
Slide 2
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com About me Oracle and Sybase Database Administrator, Analyst and Architect Experienced database programmer Oracle Certified Professional (OCP) Regular columnist for Oracle trade magazine, orafaq.com, and other trade publications Oracle consultant, serving customers across North America Available for consulting engagements http://rdbms-insight.com
Slide 3
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com About this presentation Presented to Oracle users group at Harvard University, ABCD-Oracle 4 March 2004
Slide 4
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com Auditing 2 main types of auditing: Oracle-supplied auditing using AUD$ Trigger-based DML auditing
Slide 5
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com Oracle vs. Trigger-based Auditing Different scope & application: AUD$ does not record any of the data values involved in a DML change; need to use trigger- based auditing to capture this info Obviously, Oracle auditing allows auditing of non-DML statements, eg. ALTER ROLE
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com Enabling Oracle Auditing First step: set static initialization parameter AUDIT_TRAIL in INIT.ORA Values: DB/TRUE OS NONE/FALSE
Slide 9
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com OS Audit Trail Even if OS audit trail is not enabled, Oracle will still write default actions to OS audit trail: instance startup instance shutdown connections to the database as SYSOPER or SYSDBA
Slide 10
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com OS Audit Trail
Slide 11
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com DB trail Writes all audit information to SYS.AUD$ AUD$ installed by catalog.sql Create auditing data dictionary views by running $oracle_home\rdbms\admin\cataudit.sql Remove these views using catnoaud.sql
Slide 12
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com SYS.AUD$ SQL> desc aud$ Name Null? Type ----------------------------------------- -------- -------------- SESSIONID NOT NULL NUMBER ENTRYID NOT NULL NUMBER STATEMENT NOT NULL NUMBER TIMESTAMP# NOT NULL DATE USERID VARCHAR2(30) USERHOST VARCHAR2(128) TERMINAL VARCHAR2(255) ACTION# NOT NULL NUMBER RETURNCODE NOT NULL NUMBER OBJ$CREATOR VARCHAR2(30) OBJ$NAME VARCHAR2(128) AUTH$PRIVILEGES VARCHAR2(16) AUTH$GRANTEE VARCHAR2(30) NEW$OWNER VARCHAR2(30) NEW$NAME VARCHAR2(128) SES$ACTIONS VARCHAR2(19) SES$TID NUMBER LOGOFF$LREAD NUMBER LOGOFF$PREAD NUMBER LOGOFF$LWRITE NUMBER LOGOFF$DEAD NUMBER LOGOFF$TIME DATE COMMENT$TEXT VARCHAR2(4000) SPARE1 VARCHAR2(255) SPARE2 NUMBER OBJ$LABEL RAW(255) SES$LABEL RAW(255) PRIV$USED NUMBER
Slide 13
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com Audit Views STMT_AUDIT_OPTION_MAP Contains information about auditing option type codes. AUDIT_ACTIONS Contains descriptions for audit trail action type codes. ALL_DEF_AUDIT_OPTS Contains default object-auditing options that will be applied when objects are created. DBA_STMT_AUDIT_OPTS Describes current system auditing options across the system and by user. DBA_PRIV_AUDIT_OPTS Describes current system privileges being audited across the system and by user. DBA_OBJ_AUDIT_OPTS, USER_OBJ_AUDIT_OPTS Describes auditing options on all objects. USER view describes auditing options on all objects owned by the current user. DBA_AUDIT_TRAIL, USER_AUDIT_TRAIL Lists all audit trail entries. USER view shows audit trail entries relating to current user. DBA_AUDIT_OBJECT,USER_AUDIT_OBJECT Contains audit trail records for all objects in the system. USER view lists audit trail records for statements concerning objects that are accessible to the current user. DBA_AUDIT_SESSION, USER_AUDIT_SESSION Lists all audit trail records concerning CONNECT and DISCONNECT. USER view lists all audit trail records concerning connections and disconnections for the current user. DBA_AUDIT_STATEMENT, USER_AUDIT_STATEMENT Lists audit trail records concerning GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements throughout the database, or for the USER view, issued by the user. DBA_AUDIT_EXISTS Lists audit trail entries produced by AUDIT EXISTS and AUDIT NOT EXISTS.
Slide 14
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com 3 levels of audit options Statement Audits on the type of SQL statement used, such as any SQL statement on a table (which records each CREATE, TRUNCATE, and DROP TABLE statement) Object Audits specific statements on specific objects, such as ALTER TABLE on the EMP table Privilege Audits use of a particular system privilege, such as CREATE TABLE
Slide 15
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com Statement Auditing Eg. AUDIT SELECT BY SCOTT audits all select statements performed by SCOTT AUDIT SELECT TABLE, UPDATE TABLE BY SCOTT, BLAKE;
Slide 16
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com Object Auditing Eg. AUDIT SELECT ON scott.emp; AUDIT SELECT ON scott.emp WHENEVER NOT SUCCESSFUL; AUDIT SELECT ON scott.emp WHENEVER SUCCESSFUL; AUDIT ALL ON scott.emp ;
Slide 17
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com Privilege Auditing eg. AUDIT GRANT SEQUENCE audits any statements of the type: GRANT privilege ON sequence ; REVOKE privilege ON sequence ; AUDIT EXECUTE PROCEDURE audits CALL of any procedure AUDIT SELECT TABLE audits SELECT FROM table/view/materialized view;
Slide 18
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com Privilege auditing, cont AUDIT INDEX audits any statements of the type: CREATE INDEX ALTER INDEX DROP INDEX AUDIT NOT EXISTS audits all SQL stmts that fail because an object doesnt exist AUDIT SYSTEM AUDIT audits all AUDIT/NOAUDIT statments *AUDIT SESSION audits logon/logoff
Slide 19
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com BY SESSION/ACCESS BY SESSION: One audit record is inserted for one session, regardless of the number of times the statement is executed BY ACCESS: One audit record is inserted each time the statement is executed Default is BY SESSION
Slide 20
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com Further examples AUDIT SESSION BY JOHN, ALEX WHENEVER NOT SUCCESSFUL; AUDIT UPDATE, DELETE ON scott.emp BY ACCESS; NOAUDIT UPDATE, DELETE ON scott.emp;
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com AUD$ fields For 100/101 events (ACTION# IN (100,101)): col SPARE1 = OS username col RETURNCODE = ora-xxxx returncode col TERMINAL = terminal name (eg. ttyp3 in UNIX, machine name in Windows) col COMMENT$TEXT = IP and port of client -- very useful!
Slide 24
Oracle Auditing - Natalka Roshak - http://rdbms-insight.com Extracting the IP select userid, terminal, spare1, substr(s1,1,instr(s1,')')-1) IP, returncode, timestamp# from (select A.*, substr(comment$text,instr(comment$text,'HOST=')+5, 100) s1 from aud$ a where action# in (100,101) ) order by IP;
