Skip Headers
Oracle® Database Vault Administrator's Guide
11g Release 1 (11.1)

Part Number B31222-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

A Oracle Database Vault Auditing Policies

This appendix includes the following sections:

A.1 About the Baseline Oracle Database Vault Auditing Policy

A baseline auditing policy is installed with Oracle Database Vault. This policy audits the following components:

A.2 Enabling Oracle Database Vault Auditing

Before you can capture the Oracle Database Vault audit information, you must enable the audit trail by setting the AUDIT_TRAIL initialization parameter to OS, which writes the audit trail record to an operating system file. The default setting for AUDIT_TRAIL is DB, which writes the audit trail record to the data dictionary. For security reasons, use OS instead, because it reduces the likelihood of a Denial of Service (DoS) attack. To set this parameter, log on to SQL*Plus with SYSDBA privileges, set AUDIT_TRAIL to OS, and then restart the database. For example:

sqlplus "sys / as sysdba"
Enter password: password
Connected.

SQL> ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE=SPFILE;
SQL> ALTER SYSTEM SET AUDIT_TRAIL_DEST = directory_path DEFERRED;
SQL> SHUTDOWN NORMAL;
SQL> STARTUP;

For more information about the AUDIT_TRAIL parameter, see Oracle Database Security Guide and Oracle Database Reference.

A.3 Oracle Database Vault Audit Policy Settings

Table A-1 shows the audit settings in the core database auditing policy used with Oracle Database Vault.

Table A-1 Database Vault Audit Policy Settings

Audit Setting Type Audited Commands (BY ACCESS and on Success or Failure Unless Otherwise Noted)

System Audit Settings/System Privilege Usage

ALTER ANY

CREATE ANY

DELETE ANY

DROP ANY

EXECUTE ANY (whenever not successful)

FORCE ANY

GRANT ANY

INSERT ANY

UPDATE ANY

System Audit Settings/Object Management

ALTER DATABASE, PROFILE, ROLLBACK SEGMENT, SESSION, SYSTEM, TABLE, TABLESPACE, USER

CREATE CLUSTER, DATABASE LINK, INDEXTYPE, LIBRARY, OPERATOR, PUBLIC SYNONYM, PROCEDURE, PROFILE, ROLE, ROLLBACK SEGMENT, SEQUENCE, SESSION, SNAPSHOT, SYNONYM, TABLE, TABLESPACE, TRIGGER, TYPE, USER, VIEW

TRUNCATE

System Audit Settings/Intrusive Commands

ALTER SESSION

BECOME USER

CREATE SESSION

DEBUG CONNECT SESSION

RESTRICTED SESSION

System Audit Settings/Administration Commands

ADMINISTER DATABASE TRIGGER

BACKUP ANY TABLE

EXEMPT ACCESS POLICY

MANAGE TABLESPACE

System Audit Settings/Audit Commands

AUDIT ANY

AUDIT SYSTEM

System Audit Settings/Access Control

GRANT ANY PRIVILEGE/ANY OBJECT PRIVILEGE/ROLE

GRANT DIRECTORY

GRANT SEQUENCE

GRANT TABLE

GRANT TYPE

User Audit Settings for DVSYS/DVF

User Audit Settings for LBACSYS

See Table D-2, "Database Accounts Used by Oracle Database Vault" for more information about these accounts.

See also these sections for detailed information on the DVSYS and DVF schemas:

ADMINISTER DATABASE TRIGGER

ALTER object

AUDIT SYSTEM

BECOME USER

CLUSTER

COMMENT

CONTEXT

CREATE object

DATABASE LINK

DEBUG

DIRECTORY

DROP object

EXECUTE LIBRARY (whenever not successful)

EXECUTE PROCEDURE (whenever not successful)

EXEMPT ACCESS POLICY

EXEMPT IDENTITY POLICY

EXPORT FULL DATABASE

GRANT object

IMPORT FULL DATABASE

INDEX

MANAGE SCHEDULER

MANAGE TABLESPACE

MATERIALIZED VIEW (audits both accessing and creating materialized views)

SELECT SEQUENCE (whenever not successful)

SELECT TABLE (whenever not successful)

Object Audit Settings for DVF

AUDIT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE

COMMENT TABLE/VIEW

DELETE TABLE/VIEW

EXECUTE PACKAGE/PROCEDURE/FUNCTION (whenever not successful)

GRANT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE

RENAME PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/VIEW/TABLE

SELECT SEQUENCE/TABLE/VIEW (whenever not successful)

Object Audit Settings for DVSYS

Object Audit Settings for LBACSYS

AUDIT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE

COMMENT TABLE/VIEW

DELETE TABLE/VIEW

EXECUTE PACKAGE/PROCEDURE/FUNCTION (whenever not successful)

GRANT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE

INSERT TABLE/VIEW

RENAME PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/VIEW/TABLE

SELECT SEQUENCE/TABLE/VIEW (whenever not successful)

UPDATE TABLE/VIEW


A.4 Oracle Database Vault Specific Audit Events

After you have enabled auditing, you can define a database audit policy for auditing system commands, users, objects, and so on. However, the database audit policy does not inherently support several Oracle Database Vault events.

Oracle Database Vault defines custom events that you can choose to audit. This enables you to audit events not protected by the database audit policy. For example, if the run-time access control processing of retrieving the identifier for a factor fails, the audit options for the factor may dictate that this event be audited.

A.4.1 Custom Audit Events

The following list describes some of the custom audit events:

  • Session Initialization Failed Audit: Audits instances where the access control session fails to initialize.

  • Command Rule Audit: Audits the rule set processing results. You can audit both successful and failed processing.

  • Realm Authorization Audit: Realm authorizations can be managed using rule sets. You can audit the rule set processing results.

  • Realm Violation Audit: A realm violation occurs when the database account, performing an action on a realm object, is not authorized to perform that action in the realm. You can audit realm violations.

  • Factor Assignment Audit: A factor can have an associated rule set that is used to assign an identity to the factor at run time. You can audit both successful and failed processing.

  • Factor Evaluation Audit: Audits instances where a factor identity cannot be resolved and assigned (such as No data found or Too many rows). You can audit both successful and failed retrievals.

  • Oracle Label Security Session Initialization Failed: Audits instances where the Oracle Label Security session fails to initialize.

  • Oracle Label Security Attempt to Upgrade Session Label Failed: Audits instances where the Oracle Label Security component prevents a session from setting a label that exceeds the maximum session label.

  • Secure Role Audit: Secure application roles can be set based on rule sets. You can audit the associated rule set processing.

See Also:

A.4.2 Format of the Oracle Database Vault Audit Trail

The Oracle Database Vault custom audit event records are stored in the AUDIT_TRAIL$ table, which is part of the DVSYS schema. These audit records are not part of the typical Oracle Database audit trail. You can define an archiving policy for this audit trail.

Table A-2 describes the format of the audit trail.

Table A-2 Audit Trail Format

Parameter Type Description

OS_USERNAME

VARCHAR2(255)

Operating system login user name of the user whose actions were audited

USERNAME

VARCHAR2(30)

Name of the database user whose actions were audited

USERHOST

VARCHAR2(128)

Client computer name

TERMINAL

VARCHAR2(255)

Identifier for the user's terminal

TIMESTAMP

DATE

Date and time of creation of the audit trail entry (in the local database session time zone)

OWNER

VARCHAR2(30)

Creator of the object affected by the action, always DVSYS (because DVSYS is where objects are created)

OBJ_NAME

VARCHAR2(128)

Name of the object affected by the action. Expected values are:

  • ROLE$

  • REALM$

  • CODE$

  • FACTOR$

ACTION

NUMBER

Numeric action type code. The corresponding name of the action type is in the ACTION_NAME column. Expected ACTION and ACTION_NAME values are:

  • 10000: Factor Evaluation Audit

  • 10001: Factor Assignment Audit

  • 10002: Factor Expression Audit

  • 10003: Realm Violation Audit

  • 10004: Realm Authorization Audit

  • 10005: Command Authorization Audit

  • 10006: Secure Role Audit

  • 10007: Access Control Session Initialization Audit

  • 10008: Access Control Command Authorization Audit

  • 10009: Oracle Label Security Session Initialization Audit

  • 10010: Oracle Label Security Attempt to Upgrade Label Audit

ACTION_NAME

VARCHAR2(128)

Name of the action type corresponding to the numeric code in the ACTION column. You can extend the audit trail to include your own ACTION_NAME text, based on the audit events passed.

ACTION_OBJECT_ID

NUMBER

The unique identifier of the record in the table specified under OBJ_NAME.

ACTION_OBJECT_NAME

VARCHAR2(128)

The unique name or natural key of the record in the table specified under OBJ_NAME

SQL_TEXT

VARCHAR2(2000)

The SQL text of the command procedure that was executed that resulted in the audit event being triggered

AUDIT_OPTION

VARCHAR2(4000)

The labels for all audit options specified in the record that resulted in the audit event being triggered. For example, a factor set operation that is supposed to audit on get failure and get NULL would indicate these two options.

RULE_SET_ID

NUMBER

The unique identifier of the rule set that was executing and caused the audit event to trigger

RULE_SET_NAME

VARCHAR2(30)

The unique name of the rule set that was executing and caused the audit event to trigger

RULE_ID

NUMBER

The unique identifier of the rule that was executing and caused the audit event to trigger

RULE_NAME

VARCHAR2(30)

The unique name of the rule that was executing and caused the audit event to trigger

FACTOR_CONTEXT

VARCHAR2(4000)

An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered

COMMENT_TEXT

VARCHAR2(4000)

Text comment on the audit trail entry, providing more information about the statement audited

SESSIONID

NUMBER

Numeric identifier for each Oracle session

STATEMENTID

NUMBER

Numeric identifier for the statement invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events.

RETURNCODE

NUMBER

Oracle error code generated by the action. The error code for a statement or procedure invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events.

CLIENT_ID

NUMBER

Client identifier for the Oracle session that triggered the audit event.

EXTENDED_TIMESTAMP

TIMESTAMP(6) WITH TIME ZONE

Time stamp of creation of the audit trail entry (time stamp of user login for entries) in UTC (Coordinated Universal Time) time zone.

PROXY_SESSIONID

NUMBER

Proxy session serial number, if an enterprise user has logged in through the proxy mechanism.

GLOBAL_UID

VARCHAR2(32)

Global user identifier for the user, if the user has logged in as an enterprise user

INSTANCE_NUMBER

NUMBER

Instance number as specified by the INSTANCE_NUMBER initialization parameter

OS_PROCESS

VARCHAR2(16)

Operating system process identifier of the Oracle process


A.5 Archiving the Oracle Database Vault Audit Trail

You can create an archive of the Oracle Database Vault audit trail by exporting the AUDIT_TRAIL$ system table, which is owned by DVSYS, to a dump file. You should periodically archive the audit trail to prevent it from growing too large.

To archive the Oracle Database Vault audit trail:

  1. Ensure that Data Pump Export is installed.

    Log on to SQL*Plus with administrative privileges and then run the following query:

    sqlplus "sys/as sysdba"
    Enter password: password
    SQL> SELECT ROLE FROM DBA_ROLES WHERE ROLE LIKE '%FULL%'
    

    If the query does not return the EXP_FULL_DATABASE and IMP_FULL_DATABASE roles, then Data Pump Export is not installed. To install Data Pump Export, run either the catexp.sql or catalog.sql script. For example:

    SQL> @/opt/oracle/app/oracle/admin/catexp.sql;
    

    See Oracle Database Utilities for more information about the Export utility.

  2. Disable Oracle Database Vault.

    See "Step 1: Disable Oracle Database Vault" for more information.

  3. If the DVSYS account is locked, then unlock it.

    You need to have this account unlocked when you run the EXPDP export command. Ensure that you are still logged on as SYS, connecting AS SYSDBA.

    ALTER USER dvsys IDENTIFIED BY password ACCOUNT UNLOCK;
    
  4. Confirm the location of the operating system audit trail.

    SHOW PARAMETER AUDIT_FILE_DEST
    
    NAME                 TYPE     VALUE
    -------------------  -------  ---------------------------------------
    audit_file_dest      string   /opt/oracle/app/oracle/admin/orcl/adump
    

    In general, you may want to keep your audit files in one location.

  5. In SQL*Plus, create a directory object in which to generate the Oracle Database Vault audit trail. To do so, connect as SYS or as any user who has the CREATE DIRECTORY privilege.

    For example:

    CREATE DIRECTORY dv_audit_dir AS '/opt/oracle/app/oracle/admin/orcl/adump';
    

    Enclose the directory path in single quotation marks, not double quotation marks.

  6. Grant read and write privileges on the directory object to user DVSYS.

    For example:

    GRANT READ, WRITE ON DIRECTORY dv_audit_dir TO dvsys; 
    
  7. At the operating system command line, enter a command similar to the following to export the DVSYS.AUDIT_TRAIL$ audit table into a new dump file.

    EXPDP DVSYS/password \
    DIRECTORY=dv_audit_dir \
    TABLES=DVSYS.AUDIT_TRAIL$ \
    QUERY=DVSYS.AUDIT_TRAIL$:"WHERE timestamp < 2007-04-03:19:34:59" 
    DUMPFILE=dv_audit_031607.dmp
    

    In this specification:

    • DIRECTORY: Enter the directory object that you created in Step 5. Ensure that that the user who is running EXPDP (DVSYS in this example) has read and write permissions on this directory object. If you created the directory object, then you automatically have read and write permissions on it.

    • TABLES: Enter DVSYS.AUDIT_TRAIL$, the name of the audit trail table.

    • QUERY: Optional. This setting writes a subset of the audit table contents to the dump file, in this case, audit records that are less than the timestamp column value of 2007-04-03:19:34:59.

    • DUMPFILE: Enter the name of the dump file that you want to create. The default extension is .dmp, but you can use any extension. Ensure that the file name you specify is unique.

  8. Purge the Oracle Database Vault audit trail table, now that you have archived it.

    For example, if you archived all audit trail records that are less than the timestamp column value of 2007-04-03:19:34:59, enter the following statement:

    DELETE FROM DVSYS.AUDIT_TRAIL$ WHERE timestamp < 2007-04-03:19:34:59;
    

    To completely purge the audit trail and remove the extents allocated to the audit trail table, enter the following statement:

    TRUNCATE TABLE DVSYS.AUDIT_TRAIL$;
    
  9. Exit SQL*Plus.