This section contains:
Oracle Database Vault uses audit events to track the following activities:
Realm Audit. You can audit both successful and failed actions, based on the auditing option that you set when you created the realm. The exception to this is actions performed by the schema owner.
Rule Set Audit. Audits the rule set processing results. You can audit both successful and failed processing. Realm authorizations can be managed using rule sets. You can audit the rule set processing results. Factor assignments and secure application roles audits can be managed using a rule set.
Factor Audit. You can audit both successful and failed factor processing. For failed factor processing, you can audit on all or any of the following events: Retrieval Error, Retrieval Null, Validation Error, Validation False, Trust Level Null, or Trust Level Less Than Zero.
Oracle Label Security Session Initialization Failed. Audits instances where the Oracle Label Security session fails to initialize.
Oracle Label Security Attempt to Upgrade Session Label Failed. Audits instances where the Oracle Label Security component prevents a session from setting a label that exceeds the maximum session label.
See Also:
"Audit Options" (for factors)
"Audit Options" (for rule sets)
Chapter 18, "Oracle Database Vault Reports," for information about viewing the audit reports
The Oracle Database Vault audit event records are stored in the AUDIT_TRAIL$
table, which is part of the DVSYS
schema. These audit records are not part of the Oracle Database audit trail, and how auditing is enabled in the database has no effect how Oracle Database Vault collects its audit data in the DVSYS.AUDIT_TRAIL$
table. In fact, even if auditing has been disabled in Oracle Database, then the Oracle Database Vault audit functionality continues to write to the DVSYS.AUDIT_TRAIL$
table. Users who have been granted the DV_OWNER
, DV_ADMIN
, or DV_SECANALYST
role can directly query the DVYS.AUDIT_TRAIL$
table.
Users who have been granted the DV_OWNER
, DV_ADMIN
, DV_SECANALYST
or DV_MONITOR
role can directly query the DVYS.AUDIT_TRAIL$
table.
Note:
Oracle Audit Vault and Database Firewall can collect the audit data for Oracle Database Vault. See Oracle Audit Vault and Database Firewall Administrator's Guide for more information.Table A-1 describes the format of the audit trail, which you must understand if you plan to create custom reports that use the DVSYS.AUDIT_TRAIL$
table.
Table A-1 Oracle Database Vault Audit Trail Format
Column | Datatype | Null | Description |
---|---|---|---|
|
|
|
Numeric identifier for the audit record |
|
|
Operating system login user name of the user whose actions were audited |
|
|
|
Name of the database user whose actions were audited |
|
|
|
Client computer name |
|
|
|
Identifier for the user's terminal |
|
|
|
Date and time of creation of the audit trail entry (in the local database session time zone) |
|
|
|
Creator of the object affected by the action, always |
|
|
|
Name of the object affected by the action. Expected values are:
|
|
|
|
|
Numeric action type code. The corresponding name of the action type is in the
|
|
|
Name of the action type corresponding to the numeric code in the |
|
|
|
The unique identifier of the record in the table specified under |
|
|
|
The unique name or natural key of the record in the table specified under |
|
|
|
The SQL text of the command procedure that was executed that resulted in the audit event being triggered |
|
|
|
The labels for all audit options specified in the record that resulted in the audit event being triggered. For example, a factor set operation that is supposed to audit on get failure and get |
|
|
|
The unique identifier of the rule set that was executing and caused the audit event to trigger |
|
|
|
The unique name of the rule set that was executing and caused the audit event to trigger |
|
|
|
Not used |
|
|
|
Not used |
|
|
|
An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered |
|
|
|
Text comment on the audit trail entry, providing more information about the statement audited |
|
|
|
|
Numeric identifier for each Oracle session |
|
|
|
Same as the value in the |
|
|
|
Numeric identifier for the statement invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events. |
|
|
|
Oracle error code generated by the action. The error code for a statement or procedure invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events. |
|
|
Time stamp of creation of the audit trail entry (time stamp of user login for entries) in UTC (Coordinated Universal Time) time zone |
|
|
|
Proxy session serial number, if an enterprise user has logged in through the proxy mechanism |
|
|
|
Global user identifier for the user, if the user has logged in as an enterprise user |
|
|
|
Instance number as specified by the |
|
|
|
Operating system process identifier of the Oracle process |
|
|
|
Database login user name of the user whose actions were audited |
|
|
|
Date on which the action occurred, based on the |
|
|
|
Same as |
|
|
|
Same as |
You can create an archive of the Oracle Database Vault audit trail by exporting the DVSYS.AUDIT_TRAIL$
system table, which is owned by DVSYS
, to a dump file. You should periodically archive and then purge the audit trail to prevent it from growing too large.
To archive and purge the Oracle Database Vault audit trail:
Ensure that you or the user performing the export operation has been granted the appropriate authorization.
See "Using Oracle Data Pump in an Oracle Database Vault Environment" for more information.
Disable Oracle Database Vault.
At the operating system command prompt, create a directory for the Oracle Database Vault audit trail (for example, in $ORACLE_BASE/admin/$DB_UNIQUE_NAME/dvaudit
).
You may want to keep this directory in the same location as the operating system audit trail directories for Oracle Database, which by default is in the $ORACLE_BASE/admin/$DB_UNIQUE_NAME/adump
directory. In SQL*Plus, you can check the location of the audit trail directory as follows:
SHOW PARAMETER AUDIT_FILE_DEST
Output similar to the following appears:
NAME TYPE VALUE ------------------- ------- --------------------------------------- audit_file_dest string /opt/oracle/app/oracle/admin/orcl/adump
In SQL*Plus, create a directory object in which to generate the Oracle Database Vault audit trail. To do so, connect as SYS
or as any user who has the CREATE ANY DIRECTORY
privilege.
For example:
CREATE DIRECTORY dv_audit_dir AS '/opt/oracle/app/oracle/admin/orcl/dvaudit';
Enclose the directory path in single quotation marks, not double quotation marks.
In SQL*Plus, grant read and write privileges on the directory object to user DVSYS
.
For example:
GRANT READ, WRITE ON DIRECTORY dvaudit TO dvsys;
At the operating system command prompt, enter a command similar to the following to export the DVSYS.AUDIT_TRAIL$
audit table into a new dump file.
EXPDP DVSYS
Enter password: password
DIRECTORY=dvaudit \
TABLES=DVSYS.AUDIT_TRAIL$ \
QUERY=DVSYS.AUDIT_TRAIL$:"WHERE timestamp < 2009-08-03:19:34:59"
DUMPFILE=dv_audit_031607.dmp
In this specification:
DIRECTORY
: Enter the directory object that you created in Step 5. Ensure that the user who is running EXPDP
(DVSYS
in this example) has read and write permissions on this directory object. If you created the directory object, then you automatically have read and write permissions on it.
TABLES
: Enter DVSYS.AUDIT_TRAIL$
, the name of the audit trail table.
QUERY
: Optional. This setting writes a subset of the audit table contents to the dump file, in this case, audit records that are less than the timestamp
column value of 2009-08-03:19:34:59.
DUMPFILE
: Enter the name of the dump file that you want to create. The default extension is .dmp
, but you can use any extension. Ensure that the file name you specify is unique.
In SQL*Plus, purge the Oracle Database Vault audit trail table, now that you have archived it.
For example, if you archived all audit trail records that are less than the timestamp
column value of 2009-08-03:19:34:59
, enter the following statement:
DELETE FROM DVSYS.AUDIT_TRAIL$ WHERE TIMESTAMP < 2009-08-03:19:34:59;
To completely purge the audit trail and remove the extents allocated to the audit trail table, enter the following statement:
TRUNCATE TABLE DVSYS.AUDIT_TRAIL$;
Exit SQL*Plus.
Re-enable Oracle Database Vault.
When you install Oracle Database Vault, it creates several AUDIT
settings in the database. However, in order for these audit settings to take place, auditing must be enabled in this database. You can check if auditing is enabled by using the SHOW PARAMETER
command to find the value of the AUDIT_TRAIL
initialization parameter. By default, auditing is disabled in Oracle Database.
If the AUDIT_TRAIL
parameter is set to NONE
, then auditing is not enabled, so you must set AUDIT_TRAIL
. For detailed information about the AUDIT_TRAIL
parameter settings, see Oracle Database Security Guide and Oracle Database Reference.
Table A-2 lists the AUDIT
settings that Oracle Database Vault adds to the database.
Table A-2 Audit Policy Settings Oracle Database Vault Adds to Oracle Database
Audit Setting Type | Audited Statements (BY ACCESS and on Success or Failure Unless Otherwise Noted) |
---|---|
System Audit Settings/System Privilege Usage |
|
System Audit Settings/Object Management |
|
System Audit Settings/Intrusive Commands |
|
System Audit Settings/Administration Commands |
|
System Audit Settings/Audit Commands |
|
System Audit Settings/Access Control |
|
User Audit Settings for User Audit Settings for See Table 11-2, "Database Accounts Used by Oracle Database Vault" for more information about these accounts. See also these sections for detailed information on the |
|
|
|
|