SOME AUDITING TIPS
You can specify DB,EXTENDED in either of the following ways:
ALTER SYSTEM SET AUDIT_TRAIL=DB, EXTENDED SCOPE=SPFILE;
ALTER SYSTEM SET AUDIT_TRAIL='DB','EXTENDED' SCOPE=SPFILE;
However, do not enclose DB, EXTENDED in quotes, for example:
ALTER SYSTEM SET AUDIT_TRAIL='DB, EXTENDED' SCOPE=SPFILE;
OS Directs all audit records to an operating system file.
Directs audit records to the database audit trail (the SYS.AUD$ table), except for mandatory and SYS audit records, which are always written to the operating system audit trail
The operating system and database audit trails both capture many of the same types of actions.
Operating System Audit Record Equivalent DBA_AUDIT_TRAIL View Column
SYS$OPTIONS Indicates what audit option was set with AUDIT Or
NOAUDIT, or what privilege was granted or revoked.
SES$TID Does not have an equivalent in the DBA_AUDIT_TRAIL
view, but it does appear in the SYS.AUD$ table
SPARE2 Does not have an equivalent in the DBA_AUDIT_TRAIL
view, but it does appear in the SYS.AUD$ table
If you set AUDIT_SYS_OPERATIONS to TRUE and AUDIT_TRAIL to XML or XML,EXTENDED, then Oracle Database writes SYS audit records operating system files in XML format.
AUDIT_SYSLOG_LEVEL, which writes SYS and standard OS audit records to the system audit log using the SYSLOG utility. This option only applies to UNIX environments.
The XML AUDIT_TRAIL value does not affect syslog audit file. In other words, if you have set the AUDIT_TRAIL parameter to XML, then the syslog audit records will still be in text format, not XML file format.
To write SYS and mandatory audit files to operating system files in XML format: Set AUDIT_TRAIL to XML or XML,EXTENDED, set AUDIT_SYS_OPERATIONS to TRUE, but do not set the AUDIT_SYSLOG_LEVEL parameter.
To write SYS and mandatory audit records to syslog audit files and standard audit
records to XML audit files: Set AUDIT_TRAIL to XML or XML,EXTENDED, set AUDIT_
SYS_OPERATIONS to TRUE, and set the AUDIT_SYSLOG_LEVEL parameter.
If the AUDIT_TRAIL initialization parameter is set to XML (or XML, EXTENDED), then Oracle Database writes audit records to the operating system as XML files. You can use the V$XML_AUDIT_TRAIL view to make XML audit records available to database administrators through a SQL query, providing enhanced usability.
The DBA_COMMON_AUDIT_TRAIL view includes the standard and fine grained audit trails written to database tables, XML-format audit trail records, and the contents of the V$XML_AUDIT_TRAIL dynamic view (standard, fine grained, SYS and mandatory).
Syslog Audit Trail
Potential security vulnerability for the operating system audit trail is that a privileged user, such as a database administrator, can modify or delete database audit records. To minimize this risk, you can use a syslog audit trail. Syslog is a standard protocol on UNIX-based systems for logging information from different components of a network. Applications call the syslog() function to log information to the syslog daemon, which then determines where to log the information. You can configure syslog to log information to a file or to a dedicated host by editing the syslog.conf file. You can also configure syslog to alert a specified set of users when information is logged.
Setting the Size of the Operating System Audit Trail
To control the size of the operating system audit trail, set theDBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE property by using the DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY PL/SQL procedure. Remember that you must have the EXECUTE privilege for the DBMS_AUDIT_MGMT PL/SQL package before you can use it. When the operating system file meets the size limitation you set, Oracle Database stops adding records to the current file and then creates a new operating system file for the subsequent records. For more information about the DBMS_AUDIT_MGMT PL/SQL package.
SETTING THE SIZE OF THE OPERATING SYSTEM AUDIT TRAIL
AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
AUDIT_TRAIL_PROPERTY => DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE,
AUDIT_TRAIL_PROPERTY_VALUE => 102400);
Note: 1) AUDIT_TRAIL_PROPERTY_VALUE: Sets the maximum size to 102400 kilobytes, that is,
10 MB. The default setting is 10,000 kilobytes (approximately 10 MB). Do not exceed 2 GB.
2) DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE property, which sets the maximum size. To find the
status of the current property settings, query the PARAMETER_NAME and PARAMETER_VALUE
columns of the DBA_AUDIT_MGMT_CONFIG_PARAMS data dictionary view.
SETTING THE AGE OF THE OPERATING SYSTEM AUDIT TRAIL
AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
AUDIT_TRAIL_PROPERTY => DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE,
AUDIT_TRAIL_PROPERTY_VALUE => 10 );
Note: 1) AUDIT_TRAIL_PROPERTY_VALUE: Sets the maximum age to 10 days. Enter a value
between 1 and 495. The default age is 5 days.
2) DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE property to set the maximum age. To find the status
of the current property setting, query the DBA_AUDIT_MGMT_CONFIG_PARAMS data dictionary
DBA_AUDIT_MGMT_CLEAN_EVENTS Displays the history of purge events. Periodically, as user SYS connected with the SYSDBA privilege, you should delete the contents of this view so that it does not grow too large.
DBA_AUDIT_MGMT_CLEANUP_JOBS Displays the currently configured audit trail purge jobs
DBA_AUDIT_MGMT_CONFIG_PARAMS Displays the currently configured audit trail properties that are used by the DBMS_AUDIT_MGMT PL/SQL package
DBA_AUDIT_MGMT_LAST_ARCH_TS Displays the last archive timestamps that have set for audit trail purges.
Listing Active Object Audit Options for Specific Objects
SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OWNER = 'BHUVAN' AND OBJECT_NAME LIKE 'EMP%';
The view returns information about all the audit options for the specified object. The information in the view is interpreted as follows:
* A dash (-) indicates that the audit option is not set.
* The S character indicates that the audit option is set BY SESSION.
* The A character indicates that the audit option is set BY ACCESS.
* Each audit option has two possible settings, WHENEVER SUCCESSFUL and WHENEVER NOT SUCCESSFUL, separated by a slash (/). For example, the DELETE audit option for BHUVAN.emp is set by ACCESS for successful DELETE statements and not set at all for unsuccessful DELETE statements.
Oracle AUDITING VIEWS
DBA_FGA_AUDIT_TRAIL - display the captured audit info (FGA only (F GA_LOG$))
DBA_AUDIT_EXISTS - displays audit trail entries produced by AUDIT EXISTS & AUDIT NOT EXISTS.
DBA_AUDIT_OBJECT -- displays audit trail records for all objects in the database.
DBA_AUDIT_POLICIES -- identify FGA audit policies
DBA_AUDIT_POLICY_COLUMNS - Identify FGA audit policies for columns level in FGA
DBA_AUDIT_SESSION - display session level auditing information
DBA_AUDIT_STATEMENT - display statement level auditing information
DBA_AUDIT_TRAIL - display the captured audit info (Standard auditing only ( AUD$))
DBA_COMMON_AUDIT_TRAIL -- displays the captured audit info for standard & FGA
DBA_OBJ_AUDIT_OPTS -- display any object auditing
DBA_PRIV_AUDIT_OPTS -- display any privilege auditing
DBA_STMT_AUDIT_OPTS -- display any statement auditing
DBA_AUDIT_MGMT_CLEANUP_JOBS - Displays the currently configured audit trail purge jobs
DBA_AUDIT_MGMT_CLEAN_EVENTS -- Displays the history of purge events. Periodically as user SYS connected with the SYSDBA privilege, you should delete the contents of this view so that it does not grow too large.
DBA_AUDIT_MGMT_CONFIG_PARAMS -- displays information about the currently configured audit trail properties that are used by the DBMS_AUDIT_MGMT PL/SQL package.
DBA_AUDIT_MGMT_LAST_ARCH_TS -- Displays the last archive timestamps that have set for audit trail purges.
V$XML_AUDIT_TRAIL -- If you are writing to an XML file, you can query the
Operating System Audit Trail Records: Example
COMMENT$TEXT: "Authenticated by: DATABASE; Client address:
OS$USERID: "NT AUTHORITY\SYSTEM"
In this example:
■ LENGTH refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record.
■  brackets indicate the length of each value for each audit entry. For example, the USERID entry, DBSNMP, is 6 bytes long.
■ SESSIONID indicates the audit session ID number. You can also find the session ID by querying the AUDSID column in the V$SESSION data dictionary view.
■ ENTRYID indicates the current audit entry number, assigned to each audit trail record. The audit ENTRYID sequence number is shared between fine-grained audit records and regular audit records.
■ STATEMENT is a numeric ID assigned to the statement the user runs. It appears for each statement issued during the user session, because a statement can result in multiple audit records.
■ ACTION is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON.
■ RETURNCODE indicates if the audited action was successful. 0 indicates success. If the action fails, the return code lists the Oracle Database error number. For example, if you try to drop a non-existent table, the error number is ORA-00903 invalid table name, which in turn translates to 903 in the RETURNCODE setting.
■ COMMENT$TEXT indicates additional comments about the audit record. For example, for LOGON audit records, it can indicate the authentication method. It corresponds to the COMENT_TEXT column of the DBA_COMMON_AUDIT_TRAIL data dictionary view.
■ DBID is a database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view.
■ ECONTEXT_ID indicates the application execution context identifier.
■ PRIVS$USED refers to the privilege that was used to perform an action. To find the privilege, query the SYSTEM_PRIVILEGE_MAP table. For example, privilege 5 refers to -5 in this table, which means CREATE SESSION. PRIVS$USED corresponds to the PRIV_USED column in the DBA_COMMON_AUDIT_TRAIL, which lists the privilege by name. Other possible values are as follows:
■ SCN (for example, SCN:8934328925) indicates the System Change Number (SCN). Use this value if you want to perform a flashback query to find the value of a setting (for example, a column) at a time in the past. For example, to find the value of the ORDER_TOTAL column of the OE.ORDERS table based on the SCN number, use the following SELECT statement:
SELECT ORDER_TOTAL FROM OE.ORDERS AS OF SCN = 8934328925
WHERE ORDER_TOTAL = 86;
■ SES_ACTIONS indicates the actions that took place during the session. This field is present only if the event was audited with the BY SESSION clause. Because this field does not explain in detail the actions that occurred during the session, you should configure the audit event with the BY ACCESS clause. The SES_ACTIONS field contains 16 characters. Positions 14, 15, and 16 are reserved for future use. In the first 12 characters, each position indicates the result of an action. They are: ALTER, AUDIT, COMMENT, DELETE, GRANT, INDEX, INSERT, LOCK, RENAME, SELECT, UPDATE, and FLASHBACK. For example, if the user had successfully run the ALTER statement, the SES_ACTIONS setting is as follows: S--------------- The S, in the first position (for ALTER), indicates success. Had the ALTER statement failed, the letter F would have appeared in its place. If the action resulted in both a success and failure, then the letter is B.
■ SES$TID indicates the ID of the object affected by the audited action.
■ SPARE2 indicates whether the user modified SYS.AUD$ table. 0 means the user modified SYS.AUD$; otherwise, the value is NULL.