| Oracle® Database Vault Administrator's Guide 11g Release 1 (11.1) Part Number B31222-01 |
|
|
View PDF |
| Oracle® Database Vault Administrator's Guide 11g Release 1 (11.1) Part Number B31222-01 |
|
|
View PDF |
This appendix includes the following sections:
A baseline auditing policy is installed with Oracle Database Vault. This policy audits the following components:
Access control configuration information that is stored in the oracle Database Vault database tables
Information that is stored in the Oracle Catalog (rollback segments, tablespaces, and so on)
The use of system privileges
The Oracle Label Security configuration
Before you can capture the Oracle Database Vault audit information, you must enable the audit trail by setting the AUDIT_TRAIL initialization parameter to OS, which writes the audit trail record to an operating system file. The default setting for AUDIT_TRAIL is DB, which writes the audit trail record to the data dictionary. For security reasons, use OS instead, because it reduces the likelihood of a Denial of Service (DoS) attack. To set this parameter, log on to SQL*Plus with SYSDBA privileges, set AUDIT_TRAIL to OS, and then restart the database. For example:
sqlplus "sys / as sysdba" Enter password: password Connected. SQL> ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE=SPFILE; SQL> ALTER SYSTEM SET AUDIT_TRAIL_DEST = directory_path DEFERRED; SQL> SHUTDOWN NORMAL; SQL> STARTUP;
For more information about the AUDIT_TRAIL parameter, see Oracle Database Security Guide and Oracle Database Reference.
Table A-1 shows the audit settings in the core database auditing policy used with Oracle Database Vault.
Table A-1 Database Vault Audit Policy Settings
| Audit Setting Type | Audited Commands (BY ACCESS and on Success or Failure Unless Otherwise Noted) |
|---|---|
|
System Audit Settings/System Privilege Usage |
|
|
System Audit Settings/Object Management |
|
|
System Audit Settings/Intrusive Commands |
|
|
System Audit Settings/Administration Commands |
|
|
System Audit Settings/Audit Commands |
|
|
System Audit Settings/Access Control |
|
|
User Audit Settings for User Audit Settings for See Table D-2, "Database Accounts Used by Oracle Database Vault" for more information about these accounts. See also these sections for detailed information on the |
|
|
|
|
|
|
After you have enabled auditing, you can define a database audit policy for auditing system commands, users, objects, and so on. However, the database audit policy does not inherently support several Oracle Database Vault events.
Oracle Database Vault defines custom events that you can choose to audit. This enables you to audit events not protected by the database audit policy. For example, if the run-time access control processing of retrieving the identifier for a factor fails, the audit options for the factor may dictate that this event be audited.
The following list describes some of the custom audit events:
Session Initialization Failed Audit: Audits instances where the access control session fails to initialize.
Command Rule Audit: Audits the rule set processing results. You can audit both successful and failed processing.
Realm Authorization Audit: Realm authorizations can be managed using rule sets. You can audit the rule set processing results.
Realm Violation Audit: A realm violation occurs when the database account, performing an action on a realm object, is not authorized to perform that action in the realm. You can audit realm violations.
Factor Assignment Audit: A factor can have an associated rule set that is used to assign an identity to the factor at run time. You can audit both successful and failed processing.
Factor Evaluation Audit: Audits instances where a factor identity cannot be resolved and assigned (such as No data found or Too many rows). You can audit both successful and failed retrievals.
Oracle Label Security Session Initialization Failed: Audits instances where the Oracle Label Security session fails to initialize.
Oracle Label Security Attempt to Upgrade Session Label Failed: Audits instances where the Oracle Label Security component prevents a session from setting a label that exceeds the maximum session label.
Secure Role Audit: Secure application roles can be set based on rule sets. You can audit the associated rule set processing.
See Also:
"Audit Options" (for factors)
"Audit Options" (for rule sets)
Defining Realm Authorization in Chapter 4, "Configuring Realms"
Chapter 11, "Oracle Database Vault Reports" for information about viewing the audit reports
The Oracle Database Vault custom audit event records are stored in the AUDIT_TRAIL$ table, which is part of the DVSYS schema. These audit records are not part of the typical Oracle Database audit trail. You can define an archiving policy for this audit trail.
Table A-2 describes the format of the audit trail.
Table A-2 Audit Trail Format
| Parameter | Type | Description |
|---|---|---|
|
|
|
Operating system login user name of the user whose actions were audited |
|
|
|
Name of the database user whose actions were audited |
|
|
|
Client computer name |
|
|
|
Identifier for the user's terminal |
|
|
|
Date and time of creation of the audit trail entry (in the local database session time zone) |
|
|
|
Creator of the object affected by the action, always |
|
|
|
Name of the object affected by the action. Expected values are:
|
|
|
|
Numeric action type code. The corresponding name of the action type is in the
|
|
|
|
Name of the action type corresponding to the numeric code in the |
|
|
|
The unique identifier of the record in the table specified under |
|
|
|
The unique name or natural key of the record in the table specified under |
|
|
|
The SQL text of the command procedure that was executed that resulted in the audit event being triggered |
|
|
|
The labels for all audit options specified in the record that resulted in the audit event being triggered. For example, a factor set operation that is supposed to audit on get failure and get |
|
|
|
The unique identifier of the rule set that was executing and caused the audit event to trigger |
|
|
|
The unique name of the rule set that was executing and caused the audit event to trigger |
|
|
|
The unique identifier of the rule that was executing and caused the audit event to trigger |
|
|
|
The unique name of the rule that was executing and caused the audit event to trigger |
|
|
|
An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered |
|
|
|
Text comment on the audit trail entry, providing more information about the statement audited |
|
|
|
Numeric identifier for each Oracle session |
|
|
|
Numeric identifier for the statement invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events. |
|
|
|
Oracle error code generated by the action. The error code for a statement or procedure invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events. |
|
|
|
Client identifier for the Oracle session that triggered the audit event. |
|
|
|
Time stamp of creation of the audit trail entry (time stamp of user login for entries) in UTC (Coordinated Universal Time) time zone. |
|
|
|
Proxy session serial number, if an enterprise user has logged in through the proxy mechanism. |
|
|
|
Global user identifier for the user, if the user has logged in as an enterprise user |
|
|
|
Instance number as specified by the |
|
|
|
You can create an archive of the Oracle Database Vault audit trail by exporting the AUDIT_TRAIL$ system table, which is owned by DVSYS, to a dump file. You should periodically archive the audit trail to prevent it from growing too large.
To archive the Oracle Database Vault audit trail:
Ensure that Data Pump Export is installed.
Log on to SQL*Plus with administrative privileges and then run the following query:
sqlplus "sys/as sysdba"
Enter password: password
SQL> SELECT ROLE FROM DBA_ROLES WHERE ROLE LIKE '%FULL%'
If the query does not return the EXP_FULL_DATABASE and IMP_FULL_DATABASE roles, then Data Pump Export is not installed. To install Data Pump Export, run either the catexp.sql or catalog.sql script. For example:
SQL> @/opt/oracle/app/oracle/admin/catexp.sql;
See Oracle Database Utilities for more information about the Export utility.
Disable Oracle Database Vault.
See "Step 1: Disable Oracle Database Vault" for more information.
If the DVSYS account is locked, then unlock it.
You need to have this account unlocked when you run the EXPDP export command. Ensure that you are still logged on as SYS, connecting AS SYSDBA.
ALTER USER dvsys IDENTIFIED BY password ACCOUNT UNLOCK;
Confirm the location of the operating system audit trail.
SHOW PARAMETER AUDIT_FILE_DEST NAME TYPE VALUE ------------------- ------- --------------------------------------- audit_file_dest string /opt/oracle/app/oracle/admin/orcl/adump
In general, you may want to keep your audit files in one location.
In SQL*Plus, create a directory object in which to generate the Oracle Database Vault audit trail. To do so, connect as SYS or as any user who has the CREATE DIRECTORY privilege.
For example:
CREATE DIRECTORY dv_audit_dir AS '/opt/oracle/app/oracle/admin/orcl/adump';
Enclose the directory path in single quotation marks, not double quotation marks.
Grant read and write privileges on the directory object to user DVSYS.
For example:
GRANT READ, WRITE ON DIRECTORY dv_audit_dir TO dvsys;
At the operating system command line, enter a command similar to the following to export the DVSYS.AUDIT_TRAIL$ audit table into a new dump file.
EXPDP DVSYS/password \
DIRECTORY=dv_audit_dir \
TABLES=DVSYS.AUDIT_TRAIL$ \
QUERY=DVSYS.AUDIT_TRAIL$:"WHERE timestamp < 2007-04-03:19:34:59"
DUMPFILE=dv_audit_031607.dmp
In this specification:
DIRECTORY: Enter the directory object that you created in Step 5. Ensure that that the user who is running EXPDP (DVSYS in this example) has read and write permissions on this directory object. If you created the directory object, then you automatically have read and write permissions on it.
TABLES: Enter DVSYS.AUDIT_TRAIL$, the name of the audit trail table.
QUERY: Optional. This setting writes a subset of the audit table contents to the dump file, in this case, audit records that are less than the timestamp column value of 2007-04-03:19:34:59.
DUMPFILE: Enter the name of the dump file that you want to create. The default extension is .dmp, but you can use any extension. Ensure that the file name you specify is unique.
Purge the Oracle Database Vault audit trail table, now that you have archived it.
For example, if you archived all audit trail records that are less than the timestamp column value of 2007-04-03:19:34:59, enter the following statement:
DELETE FROM DVSYS.AUDIT_TRAIL$ WHERE timestamp < 2007-04-03:19:34:59;
To completely purge the audit trail and remove the extents allocated to the audit trail table, enter the following statement:
TRUNCATE TABLE DVSYS.AUDIT_TRAIL$;
Exit SQL*Plus.
