Auditing Database Users, Privileges, and Objects
Nael T. El yazji

Separation of Responsibilities
– Users with DBA privileges must be trusted. Consider:
  • Abuse of trust
  • That audit trails protect the trusted position (they show what the DBA did, and did not, do)
– DBA responsibilities must be shared.
– Accounts must never be shared.
– The DBA and the system administrator must be different people.
– Separate operator and DBA responsibilities.
Applying the Principle of Least Privilege
– Protect the data dictionary:
  O7_DICTIONARY_ACCESSIBILITY=FALSE
– Revoke unnecessary privileges from PUBLIC (Oracle's REVOKE names one object per statement):
  REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;
  REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;
  REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;
  REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;
– Limit users with administrative privileges.
– Restrict remote database authentication:
  REMOTE_OS_AUTHENT=FALSE
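The checks a reviewer would run before and after applying the settings above, as an added SQL*Plus example (not from the slides). It assumes a DBA connection to an 11g instance; the package list is the one the slide gives.

```sql
-- Added example: verify the least-privilege settings listed on the slide.
-- Run as a DBA in SQL*Plus (assumption: Oracle 11g, DBA privileges).

-- Current values of the two static parameters.
SHOW PARAMETER o7_dictionary_accessibility
SHOW PARAMETER remote_os_authent

-- Which of the network/file packages can every user still execute?
SELECT table_name, privilege
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    owner      = 'SYS'
AND    table_name IN ('UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'UTL_FILE');

-- Revoke one object per statement, then re-run the query above;
-- a grant that reappears after a patch or upgrade is a finding.
REVOKE EXECUTE ON sys.utl_smtp FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_tcp  FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;

-- Static parameters: write to the spfile, then restart the instance.
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE=SPFILE;
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE=SPFILE;

-- "Limit users with administrative privileges": who holds DBA, and who
-- can connect AS SYSDBA / AS SYSOPER through the password file?
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;

SELECT username, sysdba, sysoper
FROM   v$pwfile_users;
```

Revoking EXECUTE ON UTL_FILE from PUBLIC can break application code that relied on the public grant; grant it directly to the accounts that need it rather than restoring the PUBLIC grant.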
Why Auditing
• Make database users accountable for their actions.
• Track who accessed the data, for protection and for compliance.
• Provide a check on superuser and DBA accounts.

Monitoring for Compliance
• Monitoring or auditing must be an integral part of your
security procedures.
• Review the following:
– Mandatory auditing
– Standard database auditing
– Value-based auditing
– Fine-grained auditing (FGA)
– DBA auditing

Audit Tool Comparisons

Standard database auditing
  What is audited: privilege use, including object access
  What can be in the audit trail: a fixed set of data, including the SQL statement and bind values

Privileged user auditing
  What is audited: connections by default; when enabled, all the statements that are issued
  What can be in the audit trail: a fixed set of data

Fine-grained auditing (FGA)
  What is audited: SQL statements (INSERT, UPDATE, DELETE, and SELECT) based on content
  What can be in the audit trail: a fixed set of data, including the SQL statement and bind values; extensible through event handlers
Mandatory Auditing
• Auditing of all database startups, all database shutdowns, and all SYSDBA or SYSOPER logons. This is called mandatory auditing.
Standard Database Auditing:
Overview
• Is enabled through the AUDIT_TRAIL
parameter.
• Can audit:
– Login events
– Exercise of system privileges
– Exercise of object privileges
– Use of SQL statements

Standard Database Auditing
1. Enable database auditing: the DBA sets the AUDIT_TRAIL parameter in the parameter file.
2. Specify audit options (AUDIT statements).
   A user executes a command; the server process checks the audit options and generates an audit record in the audit trail (the database audit trail, or an OS or XML audit trail).
3. Review the audit information.
4. Maintain the audit trail.
Parameter File

pfile
  Text file.
  Parameters in a pfile can be edited using any text editor.
  Default location: $ORACLE_HOME/dbs/init[SID].ora, where [SID] is the name of the instance.
  The RMAN utility cannot take a backup of a pfile.

spfile
  Binary file.
  An spfile cannot be edited using a text editor; it can only be altered using the ALTER SYSTEM command.
  Default location: $ORACLE_HOME/dbs/spfile[SID].ora, where [SID] is the name of the instance.
  The RMAN utility can take a backup of an spfile.

Show spfile, pfile in your database:
  SHOW PARAMETER spfile;
  CREATE PFILE='C:\init.ora' FROM SPFILE;

Standard Database Auditing Settings

Enable Standard Auditing
• There are two stages involved when using standard auditing:
  – the first is to enable the audit mechanism (the AUDIT_TRAIL parameter),
  – the second is to define the audit categories (AUDIT statements).
  SQL> alter system set audit_trail=db scope=spfile;
• AUDIT_TRAIL is a static parameter: the change can only be written to the spfile and takes effect after the instance is restarted.
Setting the AUDIT_TRAIL Parameter
• The parameter values can be:
  – NONE (or FALSE): Disables collection of audit records.
  – DB: Enables auditing, with records stored in the database (SYS.AUD$).
  – DB,EXTENDED: As DB, and also populates the SQLBIND and SQLTEXT columns (the older spelling DB_EXTENDED is still accepted).
  – OS: Enables auditing, with records written to the operating system's audit trail: the Application Log on Windows, or files in the AUDIT_FILE_DEST directory on Unix.
  – XML: Enables auditing, with records stored in XML-format OS files.
  – XML,EXTENDED: As XML, and also includes the SQLBIND and SQLTEXT information.

Set AUDIT_TRAIL parameter
• NONE
  ALTER SYSTEM SET audit_trail = FALSE SCOPE=SPFILE;
  ALTER SYSTEM SET audit_trail = NONE SCOPE=SPFILE;
• DB
  ALTER SYSTEM SET audit_trail = DB SCOPE=SPFILE;
  ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE=SPFILE;   (or DB_EXTENDED)
• OS
  ALTER SYSTEM SET audit_trail = OS SCOPE=SPFILE;
• XML
  ALTER SYSTEM SET audit_trail = XML SCOPE=SPFILE;
• Restart the database after modifying a static initialization parameter:
  SHUTDOWN IMMEDIATE
  STARTUP
• Verify:
  SHOW PARAMETER AUDIT
  SHOW PARAMETER AUDIT_FILE_DEST

Audit Log Location Options
• Who has access?
  – The database audit table (SYS.AUD$) is accessible to:
    – SYSDBA
    – The DBA role
    – Anyone with one of the ... ANY TABLE system privileges (SELECT ANY TABLE, DELETE ANY TABLE, and so on); with O7_DICTIONARY_ACCESSIBILITY=FALSE these do not reach SYS-owned tables, but SELECT ANY DICTIONARY still does
  – OS audit files are accessible to:
    – The root user on the repository machine
    – Any other user, depending on directory permissions

Maintaining the Audit Trail
• The audit trail should be maintained. Follow these best practice guidelines:
  – Review and store old records.
  – Prevent storage problems.
  – Avoid loss of records.

Moving the Database Audit Trail from the SYSTEM Tablespace (11.2)
• The database audit trail (the SYS.AUD$ and SYS.FGA_LOG$ tables) can be moved from the SYSTEM tablespace to:
  – the SYSAUX tablespace
  – a user-created tablespace
• In Oracle 11g Release 2 and above, use the DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION procedure to move the audit trail tables from the current tablespace to a user-specified tablespace.
SET_AUDIT_TRAIL_LOCATION parameters (11.2)
• The DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION procedure has the following parameters:
  – AUDIT_TRAIL_TYPE: Specifies the database audit trail type.
    • DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD: the standard audit trail table (SYS.AUD$)
    • DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD: the fine-grained audit trail table (SYS.FGA_LOG$)
    • DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD: both the standard and the fine-grained audit trail tables
  – AUDIT_TRAIL_LOCATION_VALUE: Specifies the destination tablespace.
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    AUDIT_TRAIL_LOCATION_VALUE => 'AUDIT_TBS');
Limiting the Size of the Operating System Audit Trail (11.2)
• The DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE property specifies the maximum size to which an operating system or XML audit file can grow before a new file is opened. The value is in kilobytes; the default is 10,000 KB (about 10 MB).
• Set the property by using the DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY procedure:
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
    AUDIT_TRAIL_PROPERTY => DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE,
    AUDIT_TRAIL_PROPERTY_VALUE => 15000);
Limiting the Age of the Operating System Audit Trail (11.2)
• The DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE property specifies the maximum age in days that an operating system or XML audit file is kept open before a new file is created. The default value is 5 days.
• Set the property by using the DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY procedure:
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
    AUDIT_TRAIL_PROPERTY => DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE,
    AUDIT_TRAIL_PROPERTY_VALUE => 14);

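The maintenance guidelines above (review and store old records, prevent storage problems, avoid loss of records) can be enforced with the same DBMS_AUDIT_MGMT package the slides introduce. The following is an added example, not from the slides: it uses the package's cleanup procedures (INIT_CLEANUP, SET_LAST_ARCHIVE_TIMESTAMP, CLEAN_AUDIT_TRAIL), which the page does not show, and it assumes Oracle 11.2, a connection as SYS (or a user granted EXECUTE on DBMS_AUDIT_MGMT), a 30-day retention period and a tablespace named AUDIT_TBS.

```sql
-- Added example (assumptions: 11.2, SYS or EXECUTE on DBMS_AUDIT_MGMT,
-- tablespace AUDIT_TBS exists, 30-day retention policy).

-- 1. Where are the trails now, and what limits are in force?
SELECT audit_trail, parameter_name, parameter_value
FROM   dba_audit_mgmt_config_params
ORDER  BY audit_trail, parameter_name;

-- 2. Initialise cleanup for the database trails once. The interval is
--    in hours; INIT_CLEANUP also moves AUD$/FGA_LOG$ out of SYSTEM.
BEGIN
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(
           DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
      default_cleanup_interval => 24);
  END IF;
END;
/

-- 3. Keep SYS.AUD$ and SYS.FGA_LOG$ in a dedicated tablespace
--    (the slide's SET_AUDIT_TRAIL_LOCATION call).
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    audit_trail_location_value => 'AUDIT_TBS');
END;
/

-- 4. "Review and store old records" before "prevent storage problems":
--    export or copy the rows older than 30 days first, record that
--    archive point, then purge only up to it. Nothing newer is touched.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '30' DAY);
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '30' DAY);

  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    use_last_arch_timestamp => TRUE);
END;
/

-- 5. Confirm the archive points that the purge was bounded by.
SELECT audit_trail, last_archive_ts
FROM   dba_audit_mgmt_last_arch_ts;
```

Calling CLEAN_AUDIT_TRAIL with use_last_arch_timestamp => FALSE deletes the whole trail; keep it TRUE so that a purge can never run ahead of the archive.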
Audit Qualifiers
• Auditing when successful, when unsuccessful, and both:
  – WHENEVER SUCCESSFUL, WHENEVER NOT SUCCESSFUL, or both.
  – The default is to create an audit record in both cases.
  SQL> audit update on scott.emp by access whenever not successful;
  Audit succeeded.

Audit Qualifiers cont.
• BY SESSION and BY ACCESS
– If you specify BY ACCESS, Oracle creates one audit
record for each access.
– If you specify BY SESSION, Oracle writes a single
audit record per combination of session, object, and
SQL statement type
• In oracle 11g r2 both BY SESSION and BY
ACCESS cause Oracle Database to write one
audit record for each audited statement and
operation
SQL> audit all on scott.emp by access;
Audit succeeded.
Audit Qualifiers cont.
• Auditing may be focused BY SESSION or
BY ACCESS with the exception of audited
DDL statements, which are always BY
ACCESS.
• BY SESSION is the default for statement
and object auditing.
• BY ACCESS is the default for privilege
auditing
Audit records are written out as the actions occur and are NOT rolled back with a transaction
  SQL> update emp set comm=300 where empno=4444;
  SQL> rollback;
• The UPDATE itself is undone, but when you look at the audit trail you will still find the audit record for the UPDATE statement.

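A complete run of the point above, as an added example (not the slide's own output, which was a screenshot): the UPDATE is rolled back, the data is unchanged, and the audit record survives. It assumes AUDIT_TRAIL=DB (or DB,EXTENDED) is already set and the instance restarted, and that SCOTT.EMP contains the standard demo row EMPNO 7369.

```sql
-- Added example. Assumptions: AUDIT_TRAIL=DB already in effect,
-- standard SCOTT demo schema (EMPNO 7369 exists), SQL*Plus session.

-- As a DBA: one audit record per UPDATE statement on SCOTT.EMP.
AUDIT UPDATE ON scott.emp BY ACCESS;

-- As SCOTT: change a row, then undo the change.
CONNECT scott
UPDATE scott.emp SET comm = 300 WHERE empno = 7369;
ROLLBACK;
SELECT empno, comm FROM scott.emp WHERE empno = 7369;   -- COMM is unchanged

-- As a DBA: the audit row was written outside SCOTT's transaction, so it
-- is still there. RETURNCODE 0 means the UPDATE statement succeeded;
-- the later ROLLBACK is not reflected in the audit trail at all.
CONNECT system
SELECT username, owner, obj_name, action_name, returncode,
       TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS audited_at
FROM   dba_audit_trail
WHERE  owner = 'SCOTT'
AND    obj_name = 'EMP'
AND    action_name = 'UPDATE'
ORDER  BY timestamp DESC;
```

The practical consequence for a reviewer: a row in DBA_AUDIT_TRAIL shows that a statement was executed, not that its effect was committed. Correlate with the TRANSACTIONID column (populated with DB,EXTENDED) or with the data itself before treating an audited change as applied.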
Four Levels of Auditing
1. Statements
2. Privileges
3. Objects
4. Fine-grained access

TIP
• Auditing of any type increases the amount
of work that the database must do.
• In order to limit this workload, you should
focus your auditing closely and not track
events of minimal significance.

Statement Auditing
• Statement auditing audits SQL statements by type of statement, not by the specific schema objects on which the statement operates.
• Categories:
  – Data definition statements (DDL). For example, AUDIT TABLE audits all CREATE TABLE, DROP TABLE, and TRUNCATE TABLE statements.
  – Data manipulation statements (DML). For example, AUDIT SELECT TABLE audits all SELECT ... FROM TABLE or SELECT ... FROM VIEW statements.
• SQL statement auditing (non-focused and focused):
  AUDIT table;
  AUDIT SELECT TABLE BY SCOTT BY ACCESS;

Statement Auditing
• Statement auditing allows you to track who is issuing specific types of statements.
• You enable auditing of specific SQL statements with an AUDIT statement:
  AUDIT sql_statement [, sql_statement ...]
    [BY user [, user ...]]
    [BY SESSION | BY ACCESS]
    [WHENEVER [NOT] SUCCESSFUL]
• Examples:
  – AUDIT table;
  – AUDIT table BY khaled;
  – AUDIT table BY khaled WHENEVER NOT SUCCESSFUL;
  – AUDIT INSERT TABLE BY khaled BY ACCESS;
  – NOAUDIT table BY khaled;
  – AUDIT NOT EXISTS;
Statement Auditing
• You can identify the statement auditing options that have
been enabled in your database by querying the
DBA_STMT_AUDIT_OPTS data dictionary view.
SQL> select * from DBA_STMT_AUDIT_OPTS;
• To disable auditing of a specific SQL statement, use a
NOAUDIT statement.
– NOAUDIT session;
– NOAUDIT not exists;

System-privilege auditing
• Privilege auditing is the auditing of SQL
statements that use a system privilege.
• You can audit the use of any system privilege
• For example, if you enable AUDIT SELECT ANY
TABLE, Oracle Database audits all SELECT
tablename statements issued by users who have
the SELECT ANY TABLE privilege.
• System-privilege auditing (nonfocused and
focused):
AUDIT select any table, create any trigger;
AUDIT select any table BY hr BY SESSION;
Privilege Auditing
• Privilege auditing involves monitoring and recording the
execution of SQL statements that require a specific system
privilege, such as SELECT ANY TABLE or GRANT ANY
PRIVILEGE.
• In the AUDIT command, you can specify any system
privilege.
– AUDIT create any table;
– AUDIT create any table BY khaled;
– AUDIT DELETE ANY TABLE BY khaled BY ACCESS;
• To disable auditing of a system privilege, use a NOAUDIT
statement.
– NOAUDIT alter profile;
– NOAUDIT delete any table BY khaled;
– NOAUDIT alter user BY khaled;
Privilege Auditing
  SQL> grant create any table to scott;
  Grant succeeded.
  SQL> audit create any table by scott by access;
  Audit succeeded.
  SQL> connect scott
  Enter password: *****
  Connected.
  SQL> create table TAB_WONT_SHOW(i int);
  Table created.
  SQL> create table HR.TAB_WILL_SHOW(i int);
  Table created.
• Creating a table in SCOTT's own schema needs only CREATE TABLE, so it does not appear; creating HR.TAB_WILL_SHOW exercises CREATE ANY TABLE and is recorded with PRIV_USED = CREATE ANY TABLE:
  select USERNAME, OWNER, OBJ_NAME, ACTION_NAME, PRIV_USED
  from dba_audit_trail
  where priv_used = 'CREATE ANY TABLE';
• To audit every system privilege that SCOTT exercises:
  audit all privileges by scott by access;

Auditing Sessions
• Audit unsuccessful attempts to connect:
  AUDIT CREATE SESSION BY ACCESS WHENEVER NOT SUCCESSFUL;
• Monitor DBA_AUDIT_SESSION.

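Two review queries for DBA_AUDIT_SESSION once the AUDIT CREATE SESSION option above is in place, as an added example (not from the slides). RETURNCODE holds the ORA- error number of the failed logon (1017 = invalid username/password, 28000 = account locked). The 24-hour window and the thresholds of 5 failures and 3 accounts are assumptions for this example; tune them to the environment.

```sql
-- Added example. Assumption: AUDIT CREATE SESSION ... WHENEVER NOT
-- SUCCESSFUL is enabled and AUDIT_TRAIL=DB, so failed logons land in
-- SYS.AUD$ and are visible through DBA_AUDIT_SESSION.

-- Repeated failures against one account from one host in the last day.
SELECT username, userhost, os_username, returncode,
       COUNT(*)                                          AS failures,
       TO_CHAR(MIN(timestamp), 'YYYY-MM-DD HH24:MI:SS') AS first_seen,
       TO_CHAR(MAX(timestamp), 'YYYY-MM-DD HH24:MI:SS') AS last_seen
FROM   dba_audit_session
WHERE  action_name = 'LOGON'
AND    returncode <> 0                 -- 0 = successful logon
AND    timestamp   > SYSDATE - 1       -- last 24 hours
GROUP  BY username, userhost, os_username, returncode
HAVING COUNT(*) >= 5
ORDER  BY failures DESC;

-- Password spraying: one host trying many accounts, each only a few
-- times, never crosses the per-account threshold above but shows here.
SELECT userhost,
       COUNT(DISTINCT username) AS accounts_tried,
       COUNT(*)                 AS failures
FROM   dba_audit_session
WHERE  action_name = 'LOGON'
AND    returncode  = 1017
AND    timestamp   > SYSDATE - 1
GROUP  BY userhost
HAVING COUNT(DISTINCT username) >= 3
ORDER  BY accounts_tried DESC;
```

USERHOST and OS_USERNAME are supplied by the client and can be spoofed by an attacker who controls the client machine; treat them as leads, not as identity.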
Object-privilege auditing
• Schema object auditing is the auditing of
specific statements on a particular schema object, such
as AUDIT SELECT ON HR.EMPLOYEES.
• For example, object auditing can audit all SELECT and
DML statements permitted by object privileges, such as
SELECT or DELETE statements on a given table.
• You can audit statements that reference tables, views,
sequences, standalone stored procedures or functions,
and packages.
• Object-privilege auditing (nonfocused and focused):
AUDIT ALL on hr.employees;
AUDIT UPDATE, DELETE on hr.employees BY ACCESS;
Object-privilege auditing
• Schema object auditing lets you track access to an object.
• It can be used to audit actions on tables, views, procedures, sequences, directories, and user-defined data types.
• The specific syntax for schema object auditing is:
  AUDIT object_privilege [, object_privilege ...]
    ON [schema.]objectname | DEFAULT
    [BY SESSION | BY ACCESS]
    [WHENEVER [NOT] SUCCESSFUL]
TIP
• Oracle will audit embedded objects. That
is, if you have turned on auditing for a
table, and that table is referenced in a
view, then accessing the view will
generate an audit record for the table.

Specifying Audit Options
cont.
• An example of a poorly focused audit
command is:
– AUDIT TABLE
– This audit command generates a large amount of
information capturing any operation that affects any
table
• A better example of an audit command
(because it is more narrowly focused) is
– AUDIT DELETE ON hr.employees WHENEVER
SUCCESSFUL
Viewing Auditing Options
  ALL_DEF_AUDIT_OPTS     Default audit options
  DBA_STMT_AUDIT_OPTS    Statement auditing options
  DBA_PRIV_AUDIT_OPTS    Privilege auditing options
  DBA_OBJ_AUDIT_OPTS     Schema object auditing options

HOWTO Use NOAUDIT
• If you executed AUDIT ALL, you run NOAUDIT ALL.
• You don't use the ACCESS/SESSION qualifier with NOAUDIT, for example:
  SQL> noaudit create table by access;
  noaudit create table by access
  *
  ERROR at line 1:
  ORA-01718: BY ACCESS | SESSION clause not allowed for NOAUDIT
  SQL> noaudit create table;
  Noaudit succeeded.
HOWTO Use NOAUDIT
• NOAUDIT ALL will not stop all auditing. It only reverses global AUDIT statements such as AUDIT ALL or AUDIT NOT EXISTS.
• So if you execute
  SQL> noaudit all;
  Noaudit succeeded.
  you will still be auditing every option that was set individually.

HOWTO Use NOAUDIT
• Therefore, when you want to disable
certain audits you need to reverse your
calls to AUDIT with equivalent calls to
NOAUDIT.
SQL> noaudit create session by scott;
Noaudit succeeded.
SQL> noaudit create any table by scott;
Noaudit succeeded.

• So Now
SQL> select * from dba_stmt_audit_opts;
no rows selected
HOWTO Use NOAUDIT
• You can use the WHENEVER qualifier to
change the cases in which an audit record
is created:
SQL> noaudit select on scott.emp_details whenever
successful;

The SYSDBA and SYSOPER Users

Introduction
• Mandatory auditing logs SYS connections but does not show you what the user SYS did.
• Standard auditing itself does not write audit records for SYS. Example: as SYS, note the row count of the audit table, set an audit rule, use the audited object, and check the count again.
  SQL> select count(*) from aud$;
    COUNT(*)
  ----------
        1578
  SQL> audit all on scott.emp;
  Audit succeeded.
• Now access the table (still as the user SYS):
  SQL> select count(*) from scott.emp;
    COUNT(*)
  ----------
          14
  SQL> select count(*) from aud$;
    COUNT(*)
  ----------
        1578
• The count is unchanged: no audit record was written for SYS.
Auditing the SYSDBA and
SYSOPER Users
• Control auditing of privileged users with the
following parameters:
– AUDIT_SYS_OPERATIONS enables additional
auditing of the SYSDBA or SYSOPER actions.
– AUDIT_FILE_DEST controls the location of the
audit trail. The default is:
• On Windows: Windows Application Event Log
• (UNIX or Linux)
– First: $ORACLE_BASE/admin/<ORACLE_SID>/adump
– Second: $ORACLE_HOME/rdbms/audit

Auditing the SYSDBA and SYSOPER Users
  SQL> alter system set audit_sys_operations=true scope=spfile;
  System altered.
• Then shut down and start up the database.

TIP
• Neither mandatory auditing nor standard auditing logs the activity performed by SYS.
• To enable SYS auditing, set AUDIT_SYS_OPERATIONS to TRUE and restart the database.
• SYS auditing is always logged to operating system files and defaults to the adump directory.
• SYS auditing logs everything SYS does, so make sure that you have enough space in AUDIT_FILE_DEST.

Viewing the SYSDBA Audit Trails
• The SYS audit records are the files written under AUDIT_FILE_DEST (see the defaults above); with AUDIT_TRAIL=XML they can also be queried through V$XML_AUDIT_TRAIL.

Audit to XML Files
• Audit records can be sent to XML format
files
– Standard audit
– SYS operations audit records
– Fine-grained audit (FGA) records
• XML files can be read with a variety of
readers.
• XML files can be protected by the OS
SELECT * FROM V$XML_AUDIT_TRAIL;
Protecting Even Further
• Anyone with the EXECUTE privilege on the UTL_FILE supplied package can remove an audit trail file from the OS using its FREMOVE procedure, provided a directory object points at the audit directory.
• You can limit that capability by:
  – Revoking the EXECUTE privilege on UTL_FILE from PUBLIC
  – Revoking the CREATE ANY DIRECTORY system privilege from PUBLIC (and from any user who does not need it)
• The OS user who owns the Oracle software still owns the XML audit trail files, and anyone with access to the server and that user account can delete them. However, by limiting the privileges, you can achieve a reasonable level of security.

Value-Based Auditing

Value-Based Auditing
• A user makes a change. The trigger fires and builds the audit record. The user's change is made, and the audit record is inserted into an audit trail table.

Value-Based Auditing (cont)
The key to value-based auditing is the audit trigger:
  CREATE OR REPLACE TRIGGER system.hrsalary_audit
  AFTER UPDATE OF salary
  ON hr.employees
  REFERENCING NEW AS NEW OLD AS OLD
  FOR EACH ROW
  BEGIN
    IF :old.salary != :new.salary THEN
      INSERT INTO system.audit_employees
      VALUES (sys_context('userenv','os_user'), sysdate,
              sys_context('userenv','ip_address'),
              :new.employee_id || ' salary changed from: ' ||
              :old.salary || ' to ' || :new.salary);
    END IF;
  END;
  /
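The SYSTEM.AUDIT_EMPLOYEES table the trigger inserts into is not shown on the slides. The following added example (not from the slides) defines it to match the four values the trigger supplies (the column names are an assumption) and then exercises the trigger, including a rolled-back update, to show the one property that distinguishes trigger-based auditing from the standard audit trail: a row written by an ordinary trigger is part of the user's transaction and disappears with a ROLLBACK. It assumes the trigger above has been created and that the HR demo schema is present and unlocked.

```sql
-- Added example. Assumptions: trigger SYSTEM.HRSALARY_AUDIT exists,
-- HR demo schema present (EMPLOYEE_ID 100 and 101 exist), HR unlocked.

-- One column per value in the trigger's INSERT, in the same order.
CREATE TABLE system.audit_employees (
  os_user    VARCHAR2(128),
  changed_on DATE,
  ip_address VARCHAR2(45),      -- NULL for a local (bequeath) connection
  details    VARCHAR2(400)
);
-- No grants: the trigger runs with its owner's (SYSTEM's) privileges,
-- so HR never needs INSERT on this table and cannot read or edit it.

-- Test as HR.
CONNECT hr
-- 1. A real change: one audit row.
UPDATE hr.employees SET salary = salary + 100 WHERE employee_id = 100;
-- 2. Salary "updated" to the same value: trigger fires, IF is false, no row.
UPDATE hr.employees SET salary = salary WHERE employee_id = 100;
COMMIT;
-- 3. A change that is rolled back: the trigger's INSERT is rolled back
--    with it, unlike a standard audit record.
UPDATE hr.employees SET salary = salary * 2 WHERE employee_id = 101;
ROLLBACK;

-- Review as SYSTEM: exactly one row, for employee 100.
CONNECT system
SELECT os_user,
       TO_CHAR(changed_on, 'YYYY-MM-DD HH24:MI:SS') AS changed_on,
       ip_address, details
FROM   system.audit_employees
ORDER  BY changed_on;
```

If the record must survive a rollback, as the standard audit trail does, the trigger has to write through an autonomous transaction (PRAGMA AUTONOMOUS_TRANSACTION in a procedure the trigger calls, followed by its own COMMIT); the trade-off is that the audit row then also records changes that were never committed.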
Fine-Grained Auditing: Auditing DML Statements

Fine-Grained Auditing
• FGA only audits DML and SELECT.
  SQL> begin
         dbms_fga.add_policy(
           object_schema=>'SCOTT',
           object_name=>'EMP',
           policy_name=>'EMP_ACCESS'
         );
       end;
       /
  PL/SQL procedure successfully completed.
• This defines an audit policy on the SCOTT.EMP table with all other parameters at their defaults. Note that the default for statement_types is 'SELECT', so only queries are audited; to cover INSERT, UPDATE and DELETE as well, list them in statement_types (see Define FGA Policies below).

Fine-Grained Auditing
– Monitors data access on the basis of content
– Audits SELECT, INSERT, UPDATE, DELETE
– Can be linked to one or more columns in a table or view
– May fire a procedure
– Is administered with the DBMS_FGA package

FGA Policy
• Defines:
  – Audit criteria
  – Audit action
• Is created with DBMS_FGA.ADD_POLICY:
  dbms_fga.add_policy (
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'audit_emps_salary',
    audit_condition => 'department_id=10',
    audit_column    => 'SALARY',
    handler_schema  => 'secure',
    handler_module  => 'log_emps_salary',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE');
• With the policy AUDIT_EMPS_SALARY in place:
  – SELECT name, job_id FROM employees;
    does not match (SALARY is not referenced).
  – SELECT name, salary FROM employees WHERE department_id = 10;
    matches: a record is written to the FGA audit trail and the handler SECURE.LOG_EMPS_SALARY is called.
Triggering Audit Events
• The following SQL statements cause an audit event (each references SALARY, and rows of department 10 satisfy the condition):
  SELECT count(*)
  FROM hr.employees
  WHERE department_id = 10
  AND salary > &v_salary;

  SELECT salary
  FROM hr.employees;
• The following statement does not cause an audit event (SALARY is not referenced):
  SELECT last_name
  FROM hr.employees
  WHERE department_id = 10;
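The handler SECURE.LOG_EMPS_SALARY named in the policy is not shown on the slides. The following added example (not from the slides) supplies one, re-creates the slide's policy so that the whole chain runs end to end, and checks both the built-in FGA trail and the handler's own record. An FGA handler must have exactly the three-parameter signature shown; what it does inside is an assumption of this example, as are the SECURE schema (which must exist and be able to create tables and procedures) and the table name FGA_ALERTS.

```sql
-- Added example. Assumptions: schema SECURE exists with CREATE TABLE and
-- CREATE PROCEDURE, HR demo schema present, caller can execute DBMS_FGA.

CREATE TABLE secure.fga_alerts (
  alert_time  TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user     VARCHAR2(128),
  os_user     VARCHAR2(128),
  policy_name VARCHAR2(128),
  sql_text    VARCHAR2(4000)
);

-- The signature (object_schema, object_name, policy_name) is fixed by FGA.
CREATE OR REPLACE PROCEDURE secure.log_emps_salary (
  object_schema IN VARCHAR2,
  object_name   IN VARCHAR2,
  policy_name   IN VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;   -- keep the alert even if the audited statement rolls back
BEGIN
  INSERT INTO secure.fga_alerts (db_user, os_user, policy_name, sql_text)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          policy_name,
          SYS_CONTEXT('USERENV', 'CURRENT_SQL'));   -- the statement that fired the policy
  COMMIT;
END;
/

-- The slide's policy, with the handler wired in.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'AUDIT_EMPS_SALARY',
    audit_condition => 'department_id = 10',
    audit_column    => 'SALARY',
    handler_schema  => 'SECURE',
    handler_module  => 'LOG_EMPS_SALARY',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE');
END;
/

-- Fires: department 10 rows and SALARY referenced.
SELECT salary FROM hr.employees WHERE department_id = 10;
-- Does not fire: SALARY is not referenced.
SELECT last_name FROM hr.employees WHERE department_id = 10;

-- Built-in trail (SQL_TEXT is populated with the default DB + EXTENDED audit_trail).
SELECT db_user, object_schema, object_name, policy_name, sql_text
FROM   dba_fga_audit_trail
WHERE  UPPER(policy_name) = 'AUDIT_EMPS_SALARY'
ORDER  BY timestamp DESC;

-- The handler's own record: one row, for the first SELECT only.
SELECT alert_time, db_user, os_user, sql_text
FROM   secure.fga_alerts
ORDER  BY alert_time DESC;
```

Because an error raised inside the handler makes the audited statement itself fail (see FGA Policy Errors below), keep the handler short, test it with a disabled policy first, and avoid anything that can block, such as sending mail synchronously.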
Define FGA Policies
• The default (audit_column_opts => DBMS_FGA.ANY_COLUMNS) is to audit any access that involves any of the listed columns; DBMS_FGA.ALL_COLUMNS audits only statements that reference all of them. To set the behaviour explicitly:
  begin
    dbms_fga.add_policy(
      object_schema=>'SCOTT',
      object_name=>'EMP',
      policy_name=>'EMP_ACCESS',
      audit_column=>'SAL,COMM',
      audit_column_opts=>DBMS_FGA.ANY_COLUMNS);
  end;
  /
• If you want only inserts and updates to be audited, set statement_types:
  begin
    dbms_fga.add_policy(
      object_schema=>'SCOTT',
      object_name=>'EMP',
      policy_name=>'EMP_ACCESS',
      audit_column=>'SAL,COMM',
      statement_types=>'INSERT, UPDATE',
      audit_column_opts=>DBMS_FGA.ANY_COLUMNS);
  end;
  /
• To store the records in the database together with the SQL text and bind values:
  begin
    dbms_fga.add_policy(
      object_schema=>'SCOTT',
      object_name=>'EMP',
      policy_name=>'EMP_ACCESS',
      audit_column=>'SAL,COMM',
      statement_types=>'INSERT, UPDATE',
      audit_column_opts=>DBMS_FGA.ANY_COLUMNS,
      audit_trail=>DBMS_FGA.DB + DBMS_FGA.EXTENDED);
  end;
  /
• If you want the audit records to be written to XML files and to include the SQL text and bind values:
  begin
    dbms_fga.add_policy(
      object_schema=>'SCOTT',
      object_name=>'EMP',
      policy_name=>'EMP_ACCESS',
      audit_column=>'SAL,COMM',
      statement_types=>'INSERT, UPDATE',
      audit_column_opts=>DBMS_FGA.ANY_COLUMNS,
      audit_trail=>DBMS_FGA.XML + DBMS_FGA.EXTENDED);
  end;
  /
• Each of these variants creates a policy named EMP_ACCESS on the same table; drop the existing one with DBMS_FGA.DROP_POLICY before creating the next, or ORA-28101 (policy already exists) is raised.
Data Dictionary Views
  DBA_FGA_AUDIT_TRAIL    All FGA events
  ALL_AUDIT_POLICIES     All FGA policies for objects that the current user can access
  DBA_AUDIT_POLICIES     All FGA policies in the database
  USER_AUDIT_POLICIES    All FGA policies for objects in the current user's schema

DBMS_FGA Package
• Use DBMS_FGA to maintain FGA policies.
• Grant the EXECUTE privilege only to administrators.
• The DBMS_FGA package includes the following subprograms:
  ADD_POLICY       Creates an audit policy by using the supplied predicate as the audit condition
  DROP_POLICY      Drops an audit policy
  ENABLE_POLICY    Enables an audit policy
  DISABLE_POLICY   Disables an audit policy
Enabling and Disabling an FGA Policy

• Enable a policy
dbms_fga.enable_policy (
object_schema => 'hr',
object_name => 'employees',
policy_name => 'audit_emps_salary' );

• Disable a policy
dbms_fga.disable_policy (
object_schema => 'hr',
object_name => 'employees',
policy_name => 'audit_emps_salary' );

Dropping an FGA Policy

BEGIN
dbms_fga.drop_policy (
object_schema => 'hr',
object_name => 'employees',
policy_name => 'audit_emps_salary');
END;

FGA Policy Guidelines
• Setting policy parameters
– Audit conditions
• To audit all statements, use a NULL or TRUE condition.
• If the audit condition syntax is invalid, an ORA-28112
error is raised when the audited object is accessed.
– Audit columns
• If audit column is set to NULL, all columns are audited.
– If the audit column name is valid but incorrect, the
wrong statements are audited.

FGA Policy Errors
• Policy creation errors occur when:
– The audited table or view does not exist
– The policy already exists; error ORA-28101 is
raised
– The audit column does not exist
• Audited SQL statements fail when:
– The audit condition is invalid
– The event handler does not exist or is invalid

Remember that
• FGA does not require a database restart to be enabled: you simply add a policy for auditing to start.
• FGA gives you granular control over what to audit at the statement level, at the column level, and at the row level.
• Each policy specifies, through the audit_trail parameter of ADD_POLICY, where its records are written: to SYS.FGA_LOG$ in the database or to operating system files.

Uniform Audit Trails
• Use AUDIT_TRAIL to enable database auditing. With AUDIT_TRAIL=DB,EXTENDED the standard trail (DBA_AUDIT_TRAIL) and the FGA trail (DBA_FGA_AUDIT_TRAIL) carry a uniform set of columns: STATEMENTID, ENTRYID, EXTENDED_TIMESTAMP, PROXY_SESSIONID, GLOBAL_UID, INSTANCE_NUMBER, OS_PROCESS, TRANSACTIONID, SCN, SQL_BIND, SQL_TEXT.
• DBA_COMMON_AUDIT_TRAIL presents both trails through a single view.

Thanks
