Audt_11


  • 8/16/2019 Audt_11


    Parameter Value - Meaning

    DB - Enables database auditing and directs all audit records to the database audit trail (SYS.AUD$), except for records that are always written to the operating system audit trail

    DB,EXTENDED - Does all actions of AUDIT_TRAIL=DB and also populates the SQL bind and SQL text columns of the SYS.AUD$ table

    XML - Enables database auditing and directs all audit records in XML format to an operating system file

    XML,EXTENDED - Does all actions of AUDIT_TRAIL=XML, adding the SQL bind and SQL text columns

    OS (recommended) - Enables database auditing and directs all audit records to an operating system file

    In addition, the following database parameters should be set:

    init.ora parameter AUDIT_FILE_DEST - Dynamic parameter specifying the location of the operating system audit trail. The default location on Unix/Linux is $ORACLE_BASE/admin/$ORACLE_SID/adump. The default on Windows is the event log. For optimal performance, it should refer to a directory on a disk that is locally attached to the host running the Oracle instance.

    init.ora parameter AUDIT_SYS_OPERATIONS - Enables the auditing of operations issued by user SYS, and users connecting with SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSKM and SYSDG privileges. The audit trail data is written to the operating system audit trail. This parameter should be set to true.
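An added example, not part of the original document: one way to apply the OS audit trail and SYS auditing settings described above from SQL*Plus and then confirm them. It assumes a SYSDBA connection and an instance started from an spfile; the directory path is a placeholder.

```sql
-- Added example (not from the original document).
-- Assumptions: connected AS SYSDBA, instance uses an spfile,
-- and the audit directory below is a placeholder path.

-- AUDIT_TRAIL and AUDIT_SYS_OPERATIONS are static parameters:
-- the new values are written to the spfile and apply after a restart.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- Keep the OS audit trail on a locally attached disk, as recommended above.
ALTER SYSTEM SET audit_file_dest = '/u01/app/oracle/admin/ORCL/adump' SCOPE = SPFILE;

-- SQL*Plus commands: restart so the static parameters take effect.
SHUTDOWN IMMEDIATE
STARTUP

-- Confirm what the running instance actually uses.
SELECT name, value, isdefault, issys_modifiable
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'audit_file_dest')
 ORDER BY name;

-- Review check: any row returned here is a finding
-- (auditing disabled, or SYS operations not audited).
SELECT name, value
  FROM v$parameter
 WHERE (name = 'audit_trail' AND UPPER(value) = 'NONE')
    OR (name = 'audit_sys_operations' AND UPPER(value) <> 'TRUE');
```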

    Using Default Auditing for Security-Relevant SQL Statements and Privileges

    When you use Database Configuration Assistant (DBCA) to create a new database, Oracle Database configures the database to audit the most commonly used security-relevant SQL statements and privileges. It also sets the AUDIT_TRAIL initialization parameter to DB. If you decide to use a different audit trail type (for example, OS if you want to write the audit trail records to operating system files), then you can do that: Oracle Database continues to audit the privileges that are audited by default. If you disable auditing by setting the AUDIT_TRAIL parameter to NONE, then no auditing takes place.

    Oracle Database audits the following privileges by default:

    ALTER ANY PROCEDURE    CREATE ANY LIBRARY      DROP ANY TABLE
    ALTER ANY TABLE        CREATE ANY PROCEDURE    DROP PROFILE
    ALTER DATABASE         CREATE ANY TABLE        DROP USER
    ALTER PROFILE          CREATE EXTERNAL JOB     EXEMPT ACCESS POLICY


    The following list provides a description of each value:

    NONE or FALSE -> Auditing is disabled. Default until Oracle 10g.

    DB or TRUE -> Auditing is enabled, with all audit records stored in the database audit trail (AUD$). Default from Oracle 11g.

    DB_EXTENDED -> Same as DB, but the SQL_BIND and SQL_TEXT columns are also populated.

    XML -> Auditing is enabled, with all audit records stored as XML format OS files.

    XML_EXTENDED -> Same as XML, but the SQL_BIND and SQL_TEXT columns are also populated.

    OS -> Auditing is enabled, with all audit records directed to the operating system's file specified by AUDIT_FILE_DEST.

    Note: In Oracle 10g Release 1, DB_EXTENDED was used in place of "DB,EXTENDED". The XML options were brought in Oracle 10g Release 2.

    The AUDIT_FILE_DEST parameter specifies the OS directory used for the audit trail when the OS, XML and XML_EXTENDED options are used. It is also the location for all mandatory auditing specified by the AUDIT_SYS_OPERATIONS parameter.

    The AUDIT_SYS_OPERATIONS static parameter enables or disables the auditing of operations issued by users connecting with SYSDBA or SYSOPER privileges, including the SYS user. All audit records are written to the OS audit trail.

    Run the $O+!l script while connected as SYS (no need to run this, if you ran catalog.sql at the time of database creation).

    Start Auditing

    Syntax of audit command:

    audit {statement_option|privilege_option} [by user] [by {session|access}] [whenever {successful|not successful}]


    Only the statement_option or privilege_option part is mandatory. The other clauses are optional, and enabling them allows the audit to be more specific.

    There are three levels that can be audited:

    Statement level

    Auditing will be done at statement level.

    http://satya-dba.blogspot.com/2009/01/whats-new-in-10g.html
    http://satya-dba.blogspot.com/2009/01/whats-new-in-11g.html
    http://satya-dba.blogspot.com/2009/01/whats-new-in-10g.html#10grel1
    http://satya-dba.blogspot.com/2009/01/whats-new-in-10g.html#10grel2


    Statements that can be audited are found in STMT_AUDIT_OPTION_MAP.

    SQL> audit table by scott;

    Audit records can be found in DBA_STMT_AUDIT_OPTS.

    SQL> select * from DBA_STMT_AUDIT_OPTS;

    Object level

    Auditing will be done at object level.

    These objects can be audited: tables, views, sequences, packages, stored procedures and stored functions.

    SQL> audit insert, update, delete on scott.emp by hr;

    Audit records can be found in DBA_OBJ_AUDIT_OPTS.

    SQL> select * from DBA_OBJ_AUDIT_OPTS;

    Privilege level

    Auditing will be done at privilege level.

    All system privileges that are found in SYSTEM_PRIVILEGE_MAP can be audited.

    SQL> audit create tablespace, alter tablespace by all;

    Specify ALL PRIVILEGES to audit all system privileges.

    Audit records can be found in DBA_PRIV_AUDIT_OPTS.

    SQL> select * from DBA_PRIV_AUDIT_OPTS;

    Audit options

    BY SESSION

    Specify BY SESSION if you want Oracle to write a single record for all SQL statements of the same type issued and operations of the same type executed on the same schema objects in the same session.

    Oracle database can write to an operating system audit file but cannot read it to detect whether an entry has already been written for a particular operation. Therefore, if you are using an operating system file for the audit trail (that is, the AUDIT_TRAIL initialization parameter is set to OS), then the database may write multiple records to the audit trail file even if you specify BY SESSION.

    SQL> audit create, alter, drop on currency by xe by session;

    SQL> audit alter materialized view by session;

    BY ACCESS

    Specify BY A


    Specify WHENEVER SU;

    select userid, returncode from sys.aud$;


    SELECT * FROM ALL_DEF_AUDIT_OPTS;

    SELECT * FROM DBA_STMT_AUDIT_OPTS;

    SELECT * FROM dba_audit_mgmt_config_params;

    SELECT * FROM DBA_PRIV_AUDIT_OPTS;

    SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OWNER = 'JEFF' AND OBJECT_NAME LIKE 'EMP%';

    select statementid,entryid,username,actionname,returncode,o2ner, o&3name,su&str4(ri5used,6,78 (ri5,  SESACT#O-S  from d&aaudittrail

      order &y sessionid,entryid; 

    SELECT * FROM dba_audit_mgmt_config_params WHERE parameter_name LIKE 'AUDIT FILE MAX%';

     COL"M- username FORMAT A7 COL"M- o&3name FORMAT A6:


     COL"M- actionname FORMAT A6 COL"M- s?SELECT username,o&3name,actionname, s


    • Object Owner - The owner of the object that was interacted with.

    • Object Name - name of the object that was interacted with.

    • Action Name - The action that occurred against the object (INSERT, UPDATE, DELETE, SELEueries.

    • SQL_BIND - The values of any bind variables if any.

    • SQL_TEXT - The SQL statement that initiated the audit action.

    The SQL_BIND and SQL_TEXT columns are only populated when the AUDIT_TRAIL=DB_EXTENDED or AUDIT_TRAIL=XML_EXTENDED initialization parameter is set.
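An added example, not from the original document: enabling two audit options and reading the resulting rows, including SQL_TEXT and SQL_BIND, back from DBA_AUDIT_TRAIL. It assumes AUDIT_TRAIL=DB,EXTENDED and reuses the page's SCOTT.EMP table; the 24-hour window and the threshold of 5 attempts are arbitrary illustration values.

```sql
-- Added example (not from the original document).
-- Assumptions: AUDIT_TRAIL=DB,EXTENDED is in effect; SCOTT.EMP is the
-- sample table used on this page; the window and threshold are illustrative.

-- One audit row per failed logon attempt.
AUDIT SESSION BY ACCESS WHENEVER NOT SUCCESSFUL;

-- One audit row per DML statement on the table. BY ACCESS keeps the
-- action name (INSERT/UPDATE/DELETE); BY SESSION would collapse the
-- statements of a session into a single 'SESSION REC' row.
AUDIT INSERT, UPDATE, DELETE ON scott.emp BY ACCESS;

-- Failed logons in the last 24 hours, grouped by account and source host.
-- RETURNCODE 0 means success; 1017 is ORA-01017 (invalid username/password),
-- 28000 is ORA-28000 (account locked).
SELECT username,
       os_username,
       userhost,
       returncode,
       COUNT(*)       AS attempts,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp > SYSDATE - 1
 GROUP BY username, os_username, userhost, returncode
HAVING COUNT(*) >= 5
 ORDER BY attempts DESC;

-- DML against the audited table, with the statement text and bind values
-- that only the EXTENDED audit trail settings populate.
SELECT extended_timestamp,
       username,
       owner,
       obj_name,
       action_name,
       returncode,
       sql_bind,
       sql_text
  FROM dba_audit_trail
 WHERE owner = 'SCOTT'
   AND obj_name = 'EMP'
   AND action_name IN ('INSERT', 'UPDATE', 'DELETE')
 ORDER BY extended_timestamp;
```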

    Maintenance

    The audit trail must be deleted/archived on a regular basis to prevent the SYS.AUD$ table growing to an unacceptable size.

    Only users who have been granted specific access to SYS.AUD$ can access the table to select, alter or delete from it. This is usually just the user SYS or any user who has permissions. There are two specific roles that allow access to SYS.AUD$ for select and delete, these are DELETE_

    not be granted to general users.

    Auditing modifications of the data in the audit trail itself can be achieved as follows

    SQL> AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY A


    and privilege audit options can include the BY USER option to specify a list of users to limit the scope of the statement and privilege audit options.

    SQL> NOAUDIT;

    SQL> NOAUDIT session;

    SQL> NOAUDIT session BY scott, hr;

    SQL> NOAUDIT DELETE ON emp;

    SQL> NOAUDIT SELE


    Also note that there are two additional parameters, audit_sys_operations and audit_syslog_level, that you should consider setting if you are concerned about the SYS account activity.

    1. audit_sys_operations - this initialization parameter tells Oracle to turn on auditing of the SYS connections, and users connecting with the SYSDBA or SYSOPER privilege. It has either a TRUE or FALSE value

    2. audit_syslog_level - this initialization parameter enables SYS and standard OS auditing records to be written to the system using the SYSLOG utility

    Now that we've enabled operating system auditing, it is always nice to see exactly what we've accomplished. While this is not an exhaustive example, it does touch the surface of what we are trying to accomplish here. Suppose now that we have an un-authorized access attempt (failed login) to our database through the use of the S


    such as SQL statements, privileges, schemas, objects, and network and multitier activity. Now is the time to dig in, see how far standard auditing can take you to gain compliancy and then fill in the gaps. The issue becomes whether you can provide auditors everything they need to pass your audit. If you can monitor all database traffic and take appropriate action then you will pass, otherwise you are in for a lot of work. But more on that later.