Auditing in Oracle Database

Auditing in Oracle Database: In this article we will discuss about Auditing in Oracle Database. Here we use our Oracle 19c database. Auditing is a default feature in Oracle Database to monitoring and recording of configured database actions, from both database users and nondatabase users. Below are the initialization parameters that can be displayed and describe its behaviour by using “show parameter audit” command.

SQL> show parameter audit

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/PROD/adu
                                                 mp
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string
audit_trail                          string      DB
unified_audit_common_systemlog       string
unified_audit_sga_queue_size         integer     1048576
unified_audit_systemlog              string
SQL>

Auditing is enabled by default in Oracle 19c database. But we can enabled or disabled by setting the AUDIT_TRAIL static parameter, which has the following allowed values.

AUDIT_TRAIL = { NONE | OS | DB | DB,EXTENDED | XML | XML,EXTENDED }

The AUDIT_TRAIL parameter values define database auditing status. You can take any of the following values:

  • NONE :- Auditing is disabled.
  • OS :- Auditing is enabled, with all audit records directed to the operating system’s audit trail.
  • DB :- Auditing is enabled, with all audit records stored in the database audit trial (SYS.AUD$).
  • DB,EXTENDED :- As DB, but the SQL_BIND and SQL_TEXT columns are also populated.
  • XML :- Auditing is enabled, with all audit records stored as XML format OS files.
  • XML,EXTENDED :- As XML, but the SQL_BIND and SQL_TEXT columns are also populated.

Move AUD$ Table to Another Tablespace:

How to check the tablespace for AUD$ Table and move AUD$ Table to Another Tablespace:

SQL> set lines 400 pages 400
SQL> col owner for a10
SQL> col segment_name for a10
SQL> col tablespace_name for a15
SQL> select owner, segment_name, segment_type, tablespace_name, bytes/1024/1024 as MB from dba_segments where segment_name in ('AUD$','FGA_LOG$');

OWNER      SEGMENT_NA SEGMENT_TYPE       TABLESPACE_NAME         MB
---------- ---------- ------------------ --------------- ----------
SYS        AUD$       TABLE              SYSTEM               .0625
SYS        FGA_LOG$   TABLE              SYSTEM               .0625

SQL>
SQL> BEGIN
  2  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
  3  audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
  4  audit_trail_location_value => 'AUDIT_DATA');
  5  END;
  6  /

PL/SQL procedure successfully completed.

SQL>
SQL> select owner, segment_name, segment_type, tablespace_name, bytes/1024/1024 as MB from dba_segments where segment_name in ('AUD$','FGA_LOG$');

OWNER      SEGMENT_NA SEGMENT_TYPE       TABLESPACE_NAME         MB
---------- ---------- ------------------ --------------- ----------
SYS        AUD$       TABLE              AUDIT_DATA           .0625
SYS        FGA_LOG$   TABLE              AUDIT_DATA           .0625

SQL>

Audit Options:

Firstly, create a new user name TEST and grant priviliges.

SQL> create user TEST identified by test;

User created.

SQL> grant connect to TEST;

Grant succeeded.

SQL> grant create table, create procedure to TEST;

Grant succeeded.

SQL>

Afterthat, we audit all operations by the TEST user.

SQL> audit all by TEST by access;

Audit succeeded.

SQL> audit select table, update table, insert table, delete table by TEST by access;

Audit succeeded.

SQL> audit execute procedure by TEST by access;

Audit succeeded.

SQL>

Now, we perform some operations in TEST user that will be audited.

SQL> conn TEST
Enter password:
Connected.
SQL>
SQL> create table employees (id varchar2(10), name varchar(50), location char(20), salary varchar2(10));

Table created.

SQL>
SQL> insert into employees values (1001,'prasanta','delhi',10000);

1 row created.

SQL> insert into employees values (1002,'anil','noida',12000);

1 row created.

SQL> insert into employees values (1003,'akhilesh','mumbai',15000);

1 row created.

SQL> select * from employees;

ID         NAME                                               LOCATION             SALARY
---------- -------------------------------------------------- -------------------- ----------
1001       prasanta                                           delhi                10000
1002       anil                                               noida                12000
1003       akhilesh                                           mumbai               15000

SQL>
SQL> update employees set name='shubham' where id=1002;

1 row updated.

SQL>
SQL> select * from employees;

ID         NAME                                               LOCATION             SALARY
---------- -------------------------------------------------- -------------------- ----------
1001       prasanta                                           delhi                10000
1002       shubham                                            noida                12000
1003       akhilesh                                           mumbai               15000

SQL> delete from employees where name='shubham';

1 row deleted.

SQL> select * from employees;

ID         NAME                                               LOCATION             SALARY
---------- -------------------------------------------------- -------------------- ----------
1001       prasanta                                           delhi                10000
1003       akhilesh                                           mumbai               15000

SQL> drop table employees;

Table dropped.

SQL>

View Audit Trail:

The audit trail is stored in the table SYS.AUD$. Its contents can be viewed by using following views.

SQL> conn / as sysdba
Connected.
SQL>
SQL> select view_name from dba_views where view_name like 'DBA%AUDIT%' order by view_name;

VIEW_NAME
--------------------------------------------------
DBA_AUDIT_EXISTS
DBA_AUDIT_MGMT_CLEANUP_JOBS
DBA_AUDIT_MGMT_CLEAN_EVENTS
DBA_AUDIT_MGMT_CONFIG_PARAMS
DBA_AUDIT_MGMT_LAST_ARCH_TS
DBA_AUDIT_OBJECT
DBA_AUDIT_POLICIES
DBA_AUDIT_POLICY_COLUMNS
DBA_AUDIT_SESSION
DBA_AUDIT_STATEMENT
DBA_AUDIT_TRAIL
DBA_COMMON_AUDIT_TRAIL
DBA_DV_PATCH_ADMIN_AUDIT
DBA_FGA_AUDIT_TRAIL
DBA_OBJ_AUDIT_OPTS
DBA_OLS_AUDIT_OPTIONS
DBA_PRIV_AUDIT_OPTS
DBA_SA_AUDIT_OPTIONS
DBA_STMT_AUDIT_OPTS
DBA_XS_AUDIT_POLICY_OPTIONS
DBA_XS_AUDIT_TRAIL
DBA_XS_ENABLED_AUDIT_POLICIES

22 rows selected.

SQL>

The three main views are shown below.

DBA_AUDIT_TRAIL - Standard auditing only (from AUD$).
DBA_FGA_AUDIT_TRAIL - Fine-grained auditing only (from FGA_LOG$).
DBA_COMMON_AUDIT_TRAIL - Both standard and fine-grained auditing.

The most basic view of the database audit trail is provided by the DBA_AUDIT_TRAIL view, which contains a wide variety of information. The following query displays the some of the information from the database audit trail.


SQL> col username format a10
SQL> col owner format a10
SQL> col obj_name format a10
SQL> col extended_timestamp format a40
SQL> select username, extended_timestamp, owner, obj_name, action_name from dba_audit_trail where owner='TEST' order by extended_timestamp;

USERNAME   EXTENDED_TIMESTAMP                       OWNER      OBJ_NAME   ACTION_NAME
---------- ---------------------------------------- ---------- ---------- ----------------------------
TEST       05-FEB-24 01.07.16.905791 AM +05:30      TEST       EMPLOYEES  CREATE TABLE
TEST       05-FEB-24 01.09.47.490437 AM +05:30      TEST       EMPLOYEES  INSERT
TEST       05-FEB-24 01.10.17.342274 AM +05:30      TEST       EMPLOYEES  DROP TABLE
TEST       05-FEB-24 01.13.39.197256 AM +05:30      TEST       EMPLOYEES  CREATE TABLE
TEST       05-FEB-24 01.13.54.614288 AM +05:30      TEST       EMPLOYEES  INSERT
TEST       05-FEB-24 01.16.03.815828 AM +05:30      TEST       EMPLOYEES  INSERT
TEST       05-FEB-24 01.16.12.491950 AM +05:30      TEST       EMPLOYEES  INSERT
TEST       05-FEB-24 01.17.32.140431 AM +05:30      TEST       EMPLOYEES  SELECT
TEST       05-FEB-24 01.19.02.985968 AM +05:30      TEST       EMPLOYEES  UPDATE
TEST       05-FEB-24 01.19.08.038888 AM +05:30      TEST       EMPLOYEES  SELECT
TEST       05-FEB-24 01.19.49.859736 AM +05:30      TEST       EMPLOYEES  DELETE
TEST       05-FEB-24 01.19.54.663807 AM +05:30      TEST       EMPLOYEES  SELECT
TEST       05-FEB-24 01.20.14.339060 AM +05:30      TEST       EMPLOYEES  DROP TABLE

13 rows selected.

SQL>

How to enable or disable Unified Auditing in Oracle

I hope my written content will helped you. Your suggestions/feedback are most welcome from orakldba.com. Keep learning… Have a great day!!!
Please comment here for your any query related to above content. You can write to mail me through my Email.

Email :- orakldba@gmail.com
LinkedIn :- https://linkedin.com/in/prasantakirtaniya
Twitter :- https://twitter.com/prasantadba
Facebook Page :- https://www.facebook.com/orakldba
Website :- https://orakldba.com
ACE Profile :- https://ace.oracle.com/apex/ace/profile/prasantakirtaniya

Leave a Comment