Auditing in Oracle.
Auditing is used to track the occurrence of SQL statements in subsequent user sessions.
In this article will see how can dba track all types of sql operations (select,insert,update,delete drop,create and alter) of particular user.
Auditing is a default feature of the Oracle server. The initialization parameters that influence its behaviour can be displayed using the SHOW PARAMETER
|
1 2 3 4 5 6 7 |
SYS> SHOW PARAMETER AUDIT NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ audit_file_dest string /oraeng/app/oracle/admin/ord/adump audit_sys_operations boolean FALSE audit_trail string NONE unified_audit_sga_queue_size integer 1048576 |
Auditing is disabled by default, but can enabled by setting the AUDIT_TRAIL static parameter, which has the following allowed values.
|
1 |
AUDIT_TRAIL = { none | os | db | db,extended | xml | xml,extended } |
The following list provides a description of each setting:
noneorfalse– Auditing is disabled.dbortrue– Auditing is enabled, with all audit records stored in the database audit trial (SYS.AUD$).db,extended– Asdb, but theSQL_BINDandSQL_TEXTcolumns are also populated.xml– Auditing is enabled, with all audit records stored as XML format OS files.xml,extended– Asxml, but theSQL_BINDandSQL_TEXTcolumns are also populated.os– Auditing is enabled, with all audit records directed to the operating system’s audit trail.
To enable auditing and direct audit records to the database audit trail, we would do the following.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
SYS>>ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE; System altered. SYS>>shutdown Database closed. Database dismounted. ORACLE instance shut down. SYS>>startup ORACLE instance started. Total System Global Area 1895825408 bytes Fixed Size 2925744 bytes Variable Size 570428240 bytes Database Buffers 1308622848 bytes Redo Buffers 13848576 bytes Database mounted. Database opened. SYS>>sho parameter audit NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ audit_file_dest string /oraeng/app/oracle/admin/ord/adump audit_sys_operations boolean TRUE audit_syslog_level string audit_trail string DB unified_audit_sga_queue_size integer 1048576 |
Now we will create user called aud_test with required privileges.
|
1 2 3 4 5 6 |
SYS>>CREATE USER aud_test IDENTIFIED BY aud_test DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON users; User created. SYS>>GRANT connect TO aud_test; Grant succeeded. SYS>>GRANT create table, create procedure TO aud_test; Grant succeeded. |
Give permissions to audit all operations to the AUD_TEST user.
These options audit all DDL and DML, along with some system events.
–> DDL (CREATE, ALTER & DROP of objects)
–>DML (INSERT UPDATE, DELETE, SELECT, EXECUTE).
–>SYSTEM EVENTS (LOGON, LOGOFF etc.)
|
1 2 3 4 5 6 |
SYS>>AUDIT ALL BY aud_test by access; Audit succeeded. SYS>>AUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY aud_test by access; Audit succeeded. SYS>>AUDIT EXECUTE PROCEDURE BY aud_test by access; Audit succeeded. |
connect to AUD_TEST and create a table object then perform DML operations.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
SYS>>conn aud_test/aud_test Connected. AUD_TEST>>create table test_sep(sno number,name varchar2(10)); Table created. AUD_TEST>>insert into test_sep values(10,'AJAY'); 1 row created. AUD_TEST>>insert into test_sep values(20,'KUMAR'); 1 row created. AUD_TEST>>insert into test_sep values(30,'VINOD'); 1 row created. AUD_TEST>>commit; Commit complete. AUD_TEST>>select * from test_sep; SNO NAME ------ -------- 10 AJAY 20 KUMAR 30 VINOD AUD_TEST>>update test_sep set name='KTEXPERTS' where sno=20; 1 row updated. AUD_TEST>>commit; Commit complete. AUD_TEST>>select * from test_sep; SNO NAME ------ ---------- 10 AJAY 20 KTEXPERTS 30 VINOD |
In the next section we will look at how we view the contents of the audit trail.
The audit trail is stored in the SYS.AUD$ table. Its contents can be viewed directly or via the following views.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
SYS>>SELECT view_name FROM dba_views WHERE view_name LIKE 'DBA%AUDIT%' ORDER BY view_name; VIEW_NAME -------------------------------------------------------------------------------- DBA_AUDIT_EXISTS DBA_AUDIT_MGMT_CLEANUP_JOBS DBA_AUDIT_MGMT_CLEAN_EVENTS DBA_AUDIT_MGMT_CONFIG_PARAMS DBA_AUDIT_MGMT_LAST_ARCH_TS DBA_AUDIT_OBJECT DBA_AUDIT_POLICIES DBA_AUDIT_POLICY_COLUMNS DBA_AUDIT_SESSION DBA_AUDIT_STATEMENT DBA_AUDIT_TRAIL DBA_COMMON_AUDIT_TRAIL DBA_DV_PATCH_ADMIN_AUDIT DBA_FGA_AUDIT_TRAIL DBA_OBJ_AUDIT_OPTS DBA_OLS_AUDIT_OPTIONS DBA_PRIV_AUDIT_OPTS DBA_REPAUDIT_ATTRIBUTE DBA_REPAUDIT_COLUMN DBA_SA_AUDIT_OPTIONS DBA_STMT_AUDIT_OPTS DBA_XS_AUDIT_POLICY_OPTIONS DBA_XS_AUDIT_TRAIL DBA_XS_ENB_AUDIT_POLICIES 24 rows selected. |
The most basic view of the database audit trail is provided by the DBA_AUDIT_TRAIL view, which contains a wide variety of information. The following query displays the some of the information from the database audit trail.
SELECT few of the columns from DBA_AUDIT_TRAIL Data Dictionary View.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
SYS>>set pages 500 lines 500 SYS>> COLUMN username FORMAT A10 SYS>> COLUMN owner FORMAT A10 SYS>> COLUMN obj_name FORMAT A10 SYS>> COLUMN extended_timestamp FORMAT A35 SYS>> SELECT username,extended_timestamp,owner,obj_name,action_name FROM dba_audit_trail WHERE owner ='AUD_TEST' ORDER BY timestamp; USERNAME EXTENDED_TIMESTAMP OWNER OBJ_NAME ACTION_NAME ---------- ----------------------------------- ---------- ---------- ---------------------------- AUD_TEST 02-AUG-18 07.03.12.061572 PM +05:30 AUD_TEST TEST_SEP CREATE TABLE AUD_TEST 02-AUG-18 07.03.58.052671 PM +05:30 AUD_TEST TEST_SEP INSERT AUD_TEST 02-AUG-18 07.04.11.411888 PM +05:30 AUD_TEST TEST_SEP INSERT AUD_TEST 02-AUG-18 07.05.03.304228 PM +05:30 AUD_TEST TEST_SEP INSERT AUD_TEST 02-AUG-18 07.05.24.116901 PM +05:30 AUD_TEST TEST_SEP SELECT AUD_TEST 02-AUG-18 07.06.23.669604 PM +05:30 AUD_TEST TEST_SEP UPDATE AUD_TEST 02-AUG-18 07.06.30.958158 PM +05:30 AUD_TEST TEST_SEP SELECT |
As a DBA we will come to know which os user and from system IP address user connected to perform the transaction.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
SYS>>select OS_USERNAME,USERNAME,USERHOST,OBJ_NAME,TIMESTAMP,SCN from dba_audit_trail where username='AUD_TEST'; OS_USERNAME USERNAME USERHOST OBJ_NAME TIMESTAMP SCN ---------- ---------- --------------- ------------------------------ --------- ---------- oracle AUD_TEST dba20.ord.com DBMS_APPLICATION_INFO 02-AUG-18 1750208 oracle AUD_TEST dba20.ord.com DBMS_APPLICATION_INFO 02-AUG-18 1750210 oracle AUD_TEST dba20.ord.com DBMS_STANDARD 02-AUG-18 1750257 oracle AUD_TEST dba20.ord.com DBMS_APPLICATION_INFO 02-AUG-18 1752203 oracle AUD_TEST dba20.ord.com DBMS_APPLICATION_INFO 02-AUG-18 1752205 oracle AUD_TEST dba20.ord.com 02-AUG-18 oracle AUD_TEST dba20.ord.com TEST_SEP 02-AUG-18 1750428 oracle AUD_TEST dba20.ord.com DUAL 02-AUG-18 1750202 oracle AUD_TEST dba20.ord.com SQLPLUS_PRODUCT_PROFILE 02-AUG-18 1750204 oracle AUD_TEST dba20.ord.com PRODUCT_PRIVS 02-AUG-18 1750204 oracle AUD_TEST dba20.ord.com SQLPLUS_PRODUCT_PROFILE 02-AUG-18 1750206 oracle AUD_TEST dba20.ord.com PRODUCT_PRIVS 02-AUG-18 1750206 oracle AUD_TEST dba20.ord.com DUAL 02-AUG-18 1750212 oracle AUD_TEST dba20.ord.com TEST_SEP 02-AUG-18 1750384 oracle AUD_TEST dba20.ord.com TEST_SEP 02-AUG-18 1750433 oracle AUD_TEST dba20.ord.com DUAL 02-AUG-18 1752197 oracle AUD_TEST dba20.ord.com SQLPLUS_PRODUCT_PROFILE 02-AUG-18 1752199 oracle AUD_TEST dba20.ord.com PRODUCT_PRIVS 02-AUG-18 1752199 oracle AUD_TEST dba20.ord.com SQLPLUS_PRODUCT_PROFILE 02-AUG-18 1752201 oracle AUD_TEST dba20.ord.com PRODUCT_PRIVS 02-AUG-18 1752201 oracle AUD_TEST dba20.ord.com DUAL 02-AUG-18 1752207 oracle AUD_TEST dba20.ord.com AUD$ 02-AUG-18 oracle AUD_TEST dba20.ord.com SYSTEM_PRIVILEGE_MAP 02-AUG-18 oracle AUD_TEST dba20.ord.com SYSTEM_PRIVILEGE_MAP 02-AUG-18 oracle AUD_TEST dba20.ord.com STMT_AUDIT_OPTION_MAP 02-AUG-18 oracle AUD_TEST dba20.ord.com AUDIT_ACTIONS 02-AUG-18 oracle AUD_TEST dba20.ord.com DBA_AUDIT_TRAIL 02-AUG-18 oracle AUD_TEST dba20.ord.com TEST_SEP 02-AUG-18 1752218 oracle AUD_TEST dba20.ord.com TEST_SEP 02-AUG-18 1750317 oracle AUD_TEST dba20.ord.com TEST_SEP 02-AUG-18 1750323 oracle AUD_TEST dba20.ord.com TEST_SEP 02-AUG-18 1750375 oracle AUD_TEST dba20.ord.com 02-AUG-18 oracle AUD_TEST dba20.ord.com 02-AUG-18 oracle AUD_TEST dba20.ord.com TEST_SEP 02-AUG-18 oracle AUD_TEST dba20.ord.com 02-AUG-18 oracle AUD_TEST dba20.ord.com 02-AUG-18 |
All the information regarding AUDITING stored in sys.aud$.
Simple we can truncate those information by using TRUNCATE command.
|
1 2 3 4 |
SYS>>truncate table sys.aud$; Table truncated. SYS>> SELECT username,extended_timestamp,owner,obj_name,action_name FROM dba_audit_trail WHERE owner ='AUD_TEST' ORDER BY timestamp; no rows selected |
In above query the result is no rows selected because we truncated info from sys.aud$.
Thank you ………..
Note: Please test scripts in Non Prod before trying in Production.
Loading...