User Tools

Site Tools


audit_mini-howto

Description

Little document on how to audit oracle things.

Enable audit

To enable audit we must set the init parameter, normally that is:

ALTER SYSTEM SET AUDIT_TRAIL='DB','EXTENDED' SCOPE=SPFILE;
ALTER SYSTEM SET audit_file_dest='/u02/admin/<DBSID>/adump' SCOPE=SPFILE ;

You must restart Oracle to make the change effective. Ensure that you have a purged process and enough diskspace on audit_file_dest cause Oracle WILL log SYS actions there (SYS actions are ALWAYS logged).

AUDIT_TRAIL can be:

  • OS
  • DB
  • DB,EXTENDED
  • XML
  • XML,EXTENDED

More info here

You can check if audit is enabled with the following query:

COL NAME FORMAT A50
COL VALUE FORMAT A50
SELECT NAME, VALUE FROM V$PARAMETER WHERE NAME LIKE '%audit%' ;

The kind of audit methods are described here

Query actual config

General configuration:

 COLUMN PARAMETER_NAME format A40 ; 
 COLUMN PARAMETER_VALUE format A40 ; 
SELECT * FROM DBA_AUDIT_MGMT_CONFIG_PARAMS;

AUDIT parameters:

COL OWNER FORMAT A30
COL OBJECT_NAME FORMAT A30
COL OBJECT_TYPE FORMAT A23
COL ALT FORMAT A3
COL AUD FORMAT A3
COL COM FORMAT A3
COL DEL FORMAT A3
COL GRA FORMAT A3
COL IND FORMAT A3
COL INS FORMAT A3
COL LOC FORMAT A3
COL REN FORMAT A3
COL SEL FORMAT A3
COL UPD FORMAT A3
COL EXE FORMAT A3
COL CRE FORMAT A3
COL REA FORMAT A3
COL WRI FORMAT A3
COL FBK FORMAT A3
SELECT * FROM DBA_OBJ_AUDIT_OPTS ;
COL USER_NAME FORMAT COL30;
COL USER_NAME FORMAT A30;
COL PROXY_NAME FORMAT A30 ;
COL AUDIT_OPTION FORMAT A40;
COL SUCCESS FORMAT A10;
COL FAILURE FORMAT A10;
SELECT  * FROM DBA_STMT_AUDIT_OPTS ;

Disable default config (if you want)

NOAUDIT ALTER SYSTEM ;
NOAUDIT SYSTEM AUDIT ;
NOAUDIT CREATE SESSION ;
NOAUDIT CREATE USER ;
NOAUDIT ALTER USER ;
NOAUDIT DROP USER ;
NOAUDIT PUBLIC SYNONYM ;
NOAUDIT DATABASE LINK ;
NOAUDIT ROLE ;
NOAUDIT PROFILE ;
NOAUDIT CREATE ANY TABLE ;
NOAUDIT ALTER ANY TABLE ;
NOAUDIT DROP ANY TABLE ;
NOAUDIT CREATE PUBLIC DATABASE LINK ;
NOAUDIT GRANT ANY ROLE ;
NOAUDIT SYSTEM GRANT ;
NOAUDIT ALTER DATABASE ;
NOAUDIT CREATE ANY PROCEDURE ;
NOAUDIT ALTER ANY PROCEDURE ;
NOAUDIT DROP ANY PROCEDURE ;
NOAUDIT ALTER PROFILE ;
NOAUDIT DROP PROFILE ;
NOAUDIT GRANT ANY PRIVILEGE ;
NOAUDIT CREATE ANY LIBRARY ;
NOAUDIT EXEMPT ACCESS POLICY ;
NOAUDIT GRANT ANY OBJECT PRIVILEGE ;
NOAUDIT CREATE ANY JOB ;
NOAUDIT CREATE EXTERNAL JOB ;

AUDIT ANYTHING to the main table

AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;

Useful Tables

  • AUDIT CONFIGURATION TABLES
Name Description
DBA_PRIV_AUDIT_OPTS Describes current system privileges being audited across the system and by user
DBA_STMT_AUDIT_OPTS Describes current statement auditing options across the system and by user
DBA_AUDIT_POLICIES Lists all the fine-grained auditing policies on the system
DBA_AUDIT_MGMT_CONFIG_PARAMS Displays the currently configured audit trail properties that are used by the DBMS_AUDIT_MGMT PL/SQL package
DBA_AUDIT_POLICY_COLUMNS Describes the fine-grained auditing policy columns on the tables and views throughout the database.
DBA_OBJ_AUDIT_OPTS Displays the objects on which auditing options have been enabled
ALL_AUDIT_POLICIES Describes the fine-grained auditing policies on the tables and views accessible to the current user
ALL_AUDIT_POLICY_COLUMNS Describes the fine-grained auditing policy columns on the tables and views accessible to the current user.
ALL_DEF_AUDIT_OPTS Lists default object-auditing options that are to be applied when objects are created
  • TRAIL TABLES
Name Description
DBA_AUDIT_OBJECT Lists audit trail records for all objects in the system
DBA_AUDIT_STATEMENT Lists audit trail records concerning GRANT, REVOKE, AUDIT, NOAUDIT, and ALTER SYSTEM statements throughout the database
DBA_AUDIT_SESSION Lists all audit trail records concerning CONNECT and DISCONNECT
DBA_AUDIT_TRAIL Lists all standard audit trail entries in the AUD$ table
DBA_COMMON_AUDIT_TRAIL Combines standard and fine-grained audit log records, and includes SYS and mandatory audit records written in XML format
DBA_FGA_AUDIT_TRAIL Lists audit trail records for fine-grained auditing.
  • Less important:
Name Description
DBA_AUDIT_EXISTS Lists audit trail entries produced BY AUDIT NOT EXISTS
DBA_AUDIT_MGMT_CLEAN_EVENTS “Displays the history of purge events. Periodically, as user SYS connected with the SYSDBA privilege, you should delete the contents of this view so that it does not grow too large. For example:
DELETE FROM DBA_AUDIT_MGMT_CLEAN_EVENTS
DBA_AUDIT_MGMT_CLEANUP_JOBS Displays the currently configured audit trail purge jobs
DBA_AUDIT_MGMT_LAST_ARCH_TS Displays the last archive timestamps that have set for audit trail purges.
V$LOGMNR_CONTENTS Contains log history information. To query this view, you must have the SELECT ANY TRANSACTION privilege.
V$XML_AUDIT_TRAIL Shows standard, fine-grained, SYS, and mandatory audit records written in XML format files.

Querys

The audit must be enabled.

Format

Its a good practice to format the columns before quering them:

COLUMN USERNAME FORMAT A30 ;
COLUMN USERHOST FORMAT A20 ;
COLUMN OWNER FORMAT A30 ;
COLUMN OBJ_NAME FORMAT A30 ;
COLUMN ACTION_NAME FORMAT A18 ;
COLUMN NEW_OWNER FORMAT A30 ;
COLUMN NEW_NAME FORMAT A30 ;
COLUMN SES_ACTIONS FORMAT A10 ;
COLUMN SESSIONID FORMAT 99999999 ;
COLUMN ENTRYID FORMAT 9999 ;
COLUMN STATEMENTID FORMAT 9999 ;
COLUMN RETURNCODE FORMAT 9999 ;
COLUMN INSTANCE_NUMBER FORMAT 9999 ;
COLUMN SCN FORMAT 99999999999 ;
COLUMN SQL_BIND FORMAT A10 ;
COLUMN SQL_TEXT FORMAT A10 ;
COLUMN OBJ_EDITION_NAME FORMAT A10 ;

Query FAILED User logins

COL ETIMESTAMP FORMAT A22
COL DB_USER FORMAT         A40
COL OS_USER FORMAT         A40
COL USERHOST FORMAT        A25
COL OBJECT_SCHEMA FORMAT   A15
COL STATEMENT_TYPE FORMAT  A20
 
SELECT TO_CHAR(EXTENDED_TIMESTAMP,('DD-MM-YYYY HH24:MI:SS')) ETIMESTAMP,
	 DB_USER , 
	 OS_USER , 
	 USERHOST , 
	 OBJECT_SCHEMA , 
     RETURNCODE,
	 STATEMENT_TYPE
FROM DBA_COMMON_AUDIT_TRAIL
WHERE RETURNCODE <>0
ORDER BY EXTENDED_TIMESTAMP
;

Query User logins

COL ETIMESTAMP FORMAT A22
COL DB_USER FORMAT         A10
COL OS_USER FORMAT         A10
COL USERHOST FORMAT        A25
COL OBJECT_SCHEMA FORMAT   A15
COL STATEMENT_TYPE FORMAT  A20
 
SELECT TO_CHAR(EXTENDED_TIMESTAMP,('DD-MM-YYYY HH24:MI:SS')) ETIMESTAMP,
	 DB_USER , 
	 OS_USER , 
	 USERHOST , 
	 OBJECT_SCHEMA , 
	 STATEMENT_TYPE
FROM DBA_COMMON_AUDIT_TRAIL
WHERE STATEMENT_TYPE IN ('LOGON','LOGOFF','LOGOFF BY CLEANUP')
ORDER BY EXTENDED_TIMESTAMP
;

From where a user connects

COL ETIMESTAMP FORMAT A22
COL DB_USER FORMAT         A10
COL OS_USER FORMAT         A10
COL USERHOST FORMAT        A25
COL OBJECT_SCHEMA FORMAT   A15
 
SELECT 	 DB_USER , 
	 OS_USER , 
	 USERHOST ,
         TO_CHAR(EXTENDED_TIMESTAMP,('DD-MM-YYYY HH24:MI:SS')) ETIMESTAMP,
	 OBJECT_SCHEMA
FROM DBA_COMMON_AUDIT_TRAIL
WHERE STATEMENT_TYPE = 'LOGON'
ORDER BY EXTENDED_TIMESTAMP
;

Query everygthing BUT LOGIN events

With SQL:

SET PAGES 0
COL ETIMESTAMP FORMAT A22
COL DB_USER FORMAT         A10
COL OS_USER FORMAT         A10
COL USERHOST FORMAT        A25
COL OBJECT_SCHEMA FORMAT   A15
COL OBJECT_NAME FORMAT     A30
COL STATEMENT_TYPE FORMAT  A20
COL SQL_TEXT FORMAT        A90
 
SELECT TO_CHAR(EXTENDED_TIMESTAMP,('DD-MM-YYYY HH24:MI:SS')) ETIMESTAMP,
	 DB_USER , 
	 OS_USER , 
	 USERHOST , 
	 OBJECT_SCHEMA , 
	 OBJECT_NAME , 
	 STATEMENT_TYPE , 
	 SQL_TEXT
FROM DBA_COMMON_AUDIT_TRAIL
WHERE STATEMENT_TYPE NOT IN ('LOGON','LOGOFF','LOGOFF BY CLEANUP')
ORDER BY EXTENDED_TIMESTAMP
;

Without SQL:

SET PAGES 0
COL ETIMESTAMP FORMAT A22
COL DB_USER FORMAT         A10
COL OS_USER FORMAT         A10
COL USERHOST FORMAT        A25
COL OBJECT_SCHEMA FORMAT   A15
COL OBJECT_NAME FORMAT     A30
COL STATEMENT_TYPE FORMAT  A20
 
SELECT TO_CHAR(EXTENDED_TIMESTAMP,('DD-MM-YYYY HH24:MI:SS')) ETIMESTAMP,
	 DB_USER , 
	 OS_USER , 
	 USERHOST , 
	 OBJECT_SCHEMA , 
	 OBJECT_NAME , 
	 STATEMENT_TYPE
FROM DBA_COMMON_AUDIT_TRAIL
WHERE STATEMENT_TYPE NOT IN ('LOGON','LOGOFF','LOGOFF BY CLEANUP')
ORDER BY EXTENDED_TIMESTAMP
;

Searching the SQL of an audit record

This query will display ressults on 2 rows each one. First, the SELECT query to obtain the desired SQL and just bellow the information of that query:

SET PAGES 0
SET LINESIZE 150
SET COLSEP |
COL SELECT_TEXT FORMAT     A150
COL ETIMESTAMP FORMAT      A22
COL DB_USER FORMAT         A10
COL OS_USER FORMAT         A10
COL OBJECT_SCHEMA FORMAT   A15
COL OBJECT_NAME FORMAT     A35
COL STATEMENT_TYPE FORMAT  A20
 
SELECT 'SELECT SQL_TEXT FROM DBA_COMMON_AUDIT_TRAIL WHERE SESSION_ID = ' || SESSION_ID ||
' AND STATEMENTID = ' || STATEMENTID || ' AND ENTRYID = ' || ENTRYID || ' ; ' SELECT_TEXT, TO_CHAR(EXTENDED_TIMESTAMP,('DD-MM-YYYY HH24:MI:SS')) ETIMESTAMP,
	DB_USER , 
	OS_USER , 
	OBJECT_SCHEMA , 
	OBJECT_NAME , 
	STATEMENT_TYPE
FROM DBA_COMMON_AUDIT_TRAIL
WHERE STATEMENT_TYPE NOT IN ('LOGON','LOGOFF','LOGOFF BY CLEANUP')
ORDER BY EXTENDED_TIMESTAMP
;

Policies

COL OWNER FORMAT A30
COL OBJECT_NAME FORMAT A30
COL OBJECT_TYPE FORMAT A23
COL ALT FORMAT A3
COL AUD FORMAT A3
COL COM FORMAT A3
COL DEL FORMAT A3
COL GRA FORMAT A3
COL IND FORMAT A3
COL INS FORMAT A3
COL LOC FORMAT A3
COL REN FORMAT A3
COL SEL FORMAT A3
COL UPD FORMAT A3
COL EXE FORMAT A3
COL CRE FORMAT A3
COL REA FORMAT A3
COL WRI FORMAT A3
COL FBK FORMAT A3
COL REF FORMAT A3
SELECT * FROM DBA_OBJ_AUDIT_OPTS ;

&

COLUMN USER_NAME FORMAT A33 ;
COLUMN PROXY_NAME FORMAT A33 ;
COLUMN AUDIT_OPTION FORMAT A40 ;
COLUMN SUCCESS FORMAT A20 ;
COLUMN FAILURE FORMAT A20 ;
SELECT  USER_NAME,
   AUDIT_OPTION,
   SUCCESS,
   FAILURE
FROM DBA_STMT_AUDIT_OPTS ORDER BY USER_NAME;

Failed querys by day

SELECT THEDAY, COUNT(*)
FROM (
    SELECT TO_CHAR(EXTENDED_TIMESTAMP,('DD-MM-YYYY')) THEDAY
    FROM DBA_COMMON_AUDIT_TRAIL 
    WHERE STATEMENT_TYPE NOT IN ('LOGON','LOGOFF','LOGOFF BY CLEANUP')
    AND NOT RETURNCODE=0
    AND NOT (SUBSTR(SQL_TEXT,1,30) LIKE '%INSERT%' OR SUBSTR(SQL_TEXT,1,30) LIKE '%MERGE%')
    ORDER BY EXTENDED_TIMESTAMP
    )
GROUP BY THEDAY
ORDER BY THEDAY
;

DBA_AUDIT_TRAIL Maintenance

You must be careful about DBA_AUDIT_TRAIL records so you don't exhaust the SYSAUX tablespace space. Erasing records by time is as simple as :

DELETE FROM SYS.AUD$ WHERE NTIMESTAMP# < (SYSDATE-10) ;

Examples

Auditing login failures

Creating the rule:

audit CREATE SESSION whenever NOT successful;

And as usual, the query:

COL OS_USERNAME FORMAT A20
COL USERNAME FORMAT A20
COL TERMINAL FORMAT A30
COL LOGONTIME FORMAT A25
SELECT
   os_username,
   username,
   terminal,
   to_char(TIMESTAMP,'MM-DD-YYYY HH24:MI:SS') LOGONTIME
FROM
   dba_audit_trail
WHERE ROWNUM <30;

Auditing Objects

Copy/paste of oracle documentation:

The object must be a table, view, sequence, stored procedure, function, package, materialized view, mining model, or library.

For example, I want to audit all the executions of the procedures by a user:

AUDIT EXECUTE PROCEDURE BY ORAUSER BY ACCESS ;

Query that rule:

COLUMN USER_NAME FORMAT A33 ;
COLUMN PROXY_NAME FORMAT A33 ;
COLUMN AUDIT_OPTION FORMAT A40 ;
COLUMN SUCCESS FORMAT A20 ;
COLUMN FAILURE FORMAT A20 ;
SELECT  USER_NAME,
   AUDIT_OPTION,
   SUCCESS,
   FAILURE
FROM DBA_STMT_AUDIT_OPTS ORDER BY USER_NAME;

Now you can query the DBA_AUDIT_OBJECT table for results, for example:

COLUMN USERNAME FORMAT A10 ;
COLUMN USERHOST FORMAT A20 ;
COLUMN OWNER FORMAT A10 ;
COLUMN OBJ_NAME FORMAT A20 ;
COLUMN ACTION_NAME FORMAT A18 ;
COLUMN NEW_OWNER FORMAT A10 ;
COLUMN NEW_NAME FORMAT A10 ;
COLUMN SES_ACTIONS FORMAT A10 ;
COLUMN SESSIONID FORMAT 99999999 ;
COLUMN ENTRYID FORMAT 9999 ;
COLUMN STATEMENTID FORMAT 9999 ;
COLUMN RETURNCODE FORMAT 9999 ;
COLUMN INSTANCE_NUMBER FORMAT 9999 ;
COLUMN SCN FORMAT 99999999999 ;
COLUMN SQL_BIND FORMAT A10 ;
COLUMN SQL_TEXT FORMAT A10 ;
COLUMN OBJ_EDITION_NAME FORMAT A10 ;
 
 
SELECT 	USERNAME,
	USERHOST,
	OWNER,
	OBJ_NAME,
	ACTION_NAME,
	NEW_OWNER,
	NEW_NAME,
	SES_ACTIONS,
	SESSIONID,
	ENTRYID,
	STATEMENTID,
	RETURNCODE,
	INSTANCE_NUMBER,
	SCN,
	SQL_BIND,
	SQL_TEXT,
	OBJ_EDITION_NAME,
	TIMESTAMP
FROM DBA_AUDIT_OBJECT ;

Disable audit

To simply disable AUDITING on statements:

NOAUDIT ALL STATEMENTS;

You must use the same syntax as the AUDIT, for example:

NOAUDIT EXECUTE PROCEDURE BY ORAUSER;

To completely disable audit:

ALTER SYSTEM SET AUDIT_TRAIL=NONE SCOPE=SPFILE ;

And restart the instance of DDBB

Links

FGA

audit_mini-howto.txt · Last modified: 2016/05/09 12:18 by dodger