Re: what is being audited by the database

From: Ls Cheng <exriscer_at_gmail.com>
Date: Sat, 27 Apr 2019 09:05:52 +0200
Message-ID: <CAJ2-Qb8iraXx+55BfwbY_K73g8b6kK3LZVE7Eyqky-790B4-5Q_at_mail.gmail.com>



Hi Mark

This is 11.2.0.4. Forget the user_name is not null; I ran the queries without those predicates. Copy & pasted the wrong query to the list!

It seems that it has something to do with VPD. There are some policies defined on some tables and the user has EXEMPT ACCESS POLICY, so whenever the user runs queries against tables with policies he gets audited. However, some tables that have no policies get audited, so the mystery is half solved.

Thanks


On Fri, Apr 26, 2019 at 10:04 PM Powell, Mark <mark.powell2_at_dxc.com> wrote:

>
> Why do you have "where USER_NAME is not null" if you want to see all
> audit rules in effect?
>
> What full version of Oracle is this?
>
> Is Unified Auditing in use?
>
>
>
> Mark Powell
> Database Administration
> (313) 592-5148
>
>
> ------------------------------
> *From:* oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> on
> behalf of Ls Cheng <exriscer_at_gmail.com>
> *Sent:* Friday, April 26, 2019 10:01:58 AM
> *To:* Oracle Mailinglist
> *Subject:* what is being audited by the database
>
> Hi
>
> I have a database which is generating a large amount of audit information in
> syslog. audit_trail is set to OS. SELECT statements are being audited; one
> sample audit record:
>
> Apr 26 14:54:42 no1b local6:notice
> Oracle Audit[54526112]:
> LENGTH: "272"
> SESSIONID:[8] "99149799"
> ENTRYID:[5] "37831"
> STATEMENT:[5] "82728"
> USERID:[4] "MOON"
> USERHOST:[7] "curve2"
> TERMINAL:[7] "unknown"
> ACTION:[1] "3"
> RETURNCODE:[1] "0"
> OBJ$CREATOR:[4] "MOON"
> OBJ$NAME:[19] "API_Q_POINT"
> OS$USERID:[6] "curve"
> DBID:[10] "3327503583"
>
>
> I checked what is being audited but nothing is being audited. I checked by
> running these queries:
>
> SELECT * FROM DBA_STMT_AUDIT_OPTS where USER_NAME is not null order by
> user_name,audit_option;
> SELECT * FROM DBA_PRIV_AUDIT_OPTS where USER_NAME is not null order by
> user_name,privilege;
> SELECT * FROM DBA_OBJ_AUDIT_OPTS order by owner,object_name,object_type;
> SELECT * FROM ALL_DEF_AUDIT_OPTS;
>
> All of them return zero rows except ALL_DEF_AUDIT_OPTS which shows
>
> ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE FBK REA
> --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
> -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/-
>
> Does anyone know where else I can check :-?
>
> audit parameters
>
> show parameter audit
>
> NAME                                 TYPE        VALUE
> ------------------------------------ ----------- ------------------------------
> audit_file_dest                      string      /u01/app/oracle/admin/AIX112/adump
> audit_sys_operations                 boolean     FALSE
> audit_syslog_level                   string      LOCAL6.NOTICE
> audit_trail                          string      OS
> Thank you
>


--
http://www.freelists.org/webpage/oracle-l
Received on Sat Apr 27 2019 - 09:05:52 CEST
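
Added example, not part of the original messages: a parser for syslog audit records in the format quoted above that counts audited accesses per user and object and separates objects that carry a VPD policy from those that do not, which is the open half of the question in the reply. The sample lines, the table name `DEMO_NO_POLICY` and the `policy_tables` set (which would be exported from `DBA_POLICIES`) are constructed assumptions.

```python
import re
from collections import Counter

# KEY:[len] "value" pairs as they appear in the record quoted in the thread.
FIELD_RE = re.compile(r'([A-Z$_]+):(?:\[\d+\])?\s+"([^"]*)"')

# Subset of Oracle audit action codes; "3" is the code in the thread's record.
ACTIONS = {"2": "INSERT", "3": "SELECT", "6": "UPDATE", "7": "DELETE"}

# Constructed sample lines; the first reuses values from the thread's record.
_HDR = "Apr 26 14:54:42 no1b local6:notice Oracle Audit[54526112]: "
SAMPLE = [
    _HDR + 'LENGTH: "272" SESSIONID:[8] "99149799" USERID:[4] "MOON" '
           'ACTION:[1] "3" OBJ$CREATOR:[4] "MOON" OBJ$NAME:[11] "API_Q_POINT"',
    _HDR + 'LENGTH: "272" SESSIONID:[8] "99149799" USERID:[4] "MOON" '
           'ACTION:[1] "3" OBJ$CREATOR:[4] "MOON" OBJ$NAME:[11] "API_Q_POINT"',
    _HDR + 'LENGTH: "275" SESSIONID:[8] "99149799" USERID:[4] "MOON" '
           'ACTION:[1] "3" OBJ$CREATOR:[4] "MOON" OBJ$NAME:[14] "DEMO_NO_POLICY"',
    "Apr 26 14:54:43 no1b sshd[4242]: unrelated syslog line",
]


def parse_record(line):
    """Return the fields of one Oracle audit syslog line, or None for other lines."""
    if "Oracle Audit[" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def summarize(lines, policy_tables):
    """Count audited accesses, split by whether the object has a VPD policy.

    policy_tables: set of (owner, table) pairs, e.g. exported from DBA_POLICIES.
    """
    with_policy, without_policy = Counter(), Counter()
    for line in lines:
        rec = parse_record(line)
        if not rec or "OBJ$NAME" not in rec:
            continue
        owner, name = rec.get("OBJ$CREATOR", "?"), rec["OBJ$NAME"]
        action = ACTIONS.get(rec.get("ACTION"), rec.get("ACTION"))
        key = (rec.get("USERID"), f"{owner}.{name}", action)
        bucket = with_policy if (owner, name) in policy_tables else without_policy
        bucket[key] += 1
    return with_policy, without_policy


if __name__ == "__main__":
    hit, miss = summarize(SAMPLE, {("MOON", "API_Q_POINT")})
    for label, counts in (("policy", hit), ("no policy", miss)):
        for key, n in counts.most_common():
            print(label, n, *key)
```

Entries in the second counter are the accesses the EXEMPT ACCESS POLICY explanation does not cover and are the ones to investigate further.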
