You can audit activities in Oracle Database Vault, such as changes to policy configurations, by using the Database Vault APIs or unified auditing PL/SQL statements.
Topics:
Protecting the Unified Audit Trail in an Oracle Database Vault Environment
Oracle Database Audit Settings Created for Oracle Database Vault
All activities in Oracle Database Vault can be audited, including Database Vault administrator activities.
Optionally, you can audit individual policies that you create for realms, rule sets, and factors. The audit indicates if the user's action succeeded (that is, the policy enabled the user to accomplish a task) or if the user's action failed (the policy was violated). These actions are written to audit logs, whose contents you can find either by querying the appropriate data dictionary views, or running the reports described in Chapter 24, "Oracle Database Vault Reports."
All configuration changes made to Database Vault are mandatorily audited, including actions of unprivileged users who attempt to modify Database Vault policies.
When you install a new database and configure it to use Oracle Database Vault, then by default it uses a mixed-mode environment, that is, a mixture of unified auditing and pre-migrated auditing. If you have upgraded from previous release, then Database Vault uses the auditing that was available from that release.
Before you migrate to a full unified auditing environment, you can create audit policies as follows:
Using the Database Vault APIs: That is, you use the DBMS_MACADM PL/SQL package or the Database Vault pages in Enterprise Manager. In this case, the audit records are written to the Database Vault audit trail, which is stored in the DVSYS.AUDIT_TRAIL$ table. You can query the DVSYS.DV$CONFIGURATION_AUDIT and DVSYS.DV$ENFORCEMENT_AUDIT views for these audit records.
Using the unified audit policy PL/SQL statements: These statements are the CREATE AUDIT POLICY, ALTER AUDIT POLICY, DROP AUDIT POLICY, AUDIT, and NO AUDIT statements. They are written to the unified audit trail, which is captured by the UNIFIED_AUDIT_TRAIL, SYS.DV$CONFIGURATION_AUDIT, and SYS.DV$ENFORCEMENT_AUDIT data dictionary views.
When you migrate to unified auditing, then the auditing features in the Database Vault APIs are no longer effective. You should archive and purge these audit records, as described in "Archiving and Purging the Oracle Database Vault Audit Trail". From then on, you can manage Database Vault audit policies through the unified audit policy PL/SQL statements.
Except where noted, the remaining sections of this chapter describe how Database Vault auditing works in a non-unified or mixed mode auditing environment.
See Also:
Oracle Database Security Guide for information about how unified auditing works in Oracle Database Vault and how to create unified audit policies
"Format of the Oracle Database Vault DVSYS.AUDIT_TRAIL$ Audit Trail Records"
The following data dictionary views, which are specific to Database Vault unified auditing:
Oracle Database Upgrade Guide to migrate your database to unified auditing
By default, AUDSYS schema, which contains the unified audit trail, is not protected by a realm.
A realm is not necessary for the AUDSYS schema because the information it contains is internal and cannot be viewed in the same way that other database objects (such as tables or views) can be viewed in a schema. To protect the unified audit trail, create a realm around the AUDIT_ADMIN and AUDIT_VIEWER roles. This way, you can control who can grant these roles.
See Also:
"Creating a Realm"Oracle Database Vault audit events track activities such as whether an action attempted on a realm was successful or not.
Topics:
Oracle Database Vault uses audit events to track configuration activities.
These activities are as follows:
Realm Audit. You can audit both successful and failed actions, based on the auditing option that you set when you created the realm. The exception to this is actions performed by the schema owner.
Rule Set Audit. Audits the rule set processing results. You can audit both successful and failed processing. Realm authorizations can be managed using rule sets. You can audit the rule set processing results. Factor assignments and secure application roles audits can be managed using a rule set.
Factor Audit. You can audit both successful and failed factor processing. For failed factor processing, you can audit on all or any of the following events: Retrieval Error, Retrieval Null, Validation Error, Validation False, Trust Level Null, or Trust Level Less Than Zero.
Oracle Label Security Session Initialization Failed. Audits instances where the Oracle Label Security session fails to initialize.
Oracle Label Security Attempt to Upgrade Session Label Failed. Audits instances where the Oracle Label Security component prevents a session from setting a label that exceeds the maximum session label.
See Also:
"Setting Audit Options for a Factor" (for factors)
Chapter 24, "Oracle Database Vault Reports," for information about viewing the audit reports
If you choose not to use unified auditing, then Oracle Database Vault will write audit records to the AUDIT_TRAIL$ table, which is in the DVSYS schema.
These audit records are not part of the Oracle Database audit trail, and how auditing is enabled in the database has no effect how Oracle Database Vault collects its audit data in the AUDIT_TRAIL$ table. In fact, even if auditing has been disabled in Oracle Database, then the Oracle Database Vault audit functionality continues to write to the AUDIT_TRAIL$ table.
Users who have been granted the DV_OWNER, DV_ADMIN, DV_SECANALYST or DV_MONITOR role can directly query the DVYS.AUDIT_TRAIL$ table.
Table A-1 describes the format of the audit trail, which you must understand if you plan to create custom reports that use the AUDIT_TRAIL$ table.
Table A-1 Oracle Database Vault Audit Trail Format
| Column | Datatype | Null | Description |
|---|---|---|---|
|
|
|
|
Numeric identifier for the audit record |
|
|
|
Operating system login user name of the user whose actions were audited |
|
|
|
|
Name of the database user whose actions were audited |
|
|
|
|
Client computer name |
|
|
|
|
Identifier for the user's terminal |
|
|
|
|
Date and time of creation of the audit trail entry (in the local database session time zone) |
|
|
|
|
Creator of the object affected by the action, always |
|
|
|
|
Name of the object affected by the action. Expected values are:
|
|
|
|
|
|
Numeric action type code. The corresponding name of the action type is in the |
|
|
|
Name of the action type corresponding to the numeric code in the |
|
|
|
|
The unique identifier of the record in the table specified under |
|
|
|
|
The unique name or natural key of the record in the table specified under |
|
|
|
|
The SQL text of the command procedure that was executed that resulted in the audit event being triggered |
|
|
|
|
The labels for all audit options specified in the record that resulted in the audit event being triggered. For example, a factor set operation that is supposed to audit on get failure and get |
|
|
|
|
The unique identifier of the rule set that was executing and caused the audit event to trigger |
|
|
|
|
The unique name of the rule set that was executing and caused the audit event to trigger |
|
|
|
|
Not used |
|
|
|
|
Not used |
|
|
|
|
An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered |
|
|
|
|
Text comment on the audit trail entry, providing more information about the statement audited |
|
|
|
|
|
Numeric identifier for each Oracle session |
|
|
|
|
Same as the value in the |
|
|
|
|
Numeric identifier for the statement invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events. |
|
|
|
|
Oracle error code generated by the action. The error code for a statement or procedure invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events. |
|
|
|
Time stamp of creation of the audit trail entry (time stamp of user login for entries) in UTC (Coordinated Universal Time) time zone |
|
|
|
|
Proxy session serial number, if an enterprise user has logged in through the proxy mechanism |
|
|
|
|
Global user identifier for the user, if the user has logged in as an enterprise user |
|
|
|
|
Instance number as specified by the |
|
|
|
|
Operating system process identifier of the Oracle process |
|
|
|
|
Database login user name of the user whose actions were audited |
|
|
|
|
Date on which the action occurred, based on the |
|
|
|
|
Same as |
|
|
|
|
Same as |
If you have not migrated to unified auditing, you should periodically archive and purge the Oracle Database Vault audit trail.
Topics:
In a non-unified auditing environment, you can create an archive of the Oracle Database Vault audit trail by exporting the AUDIT_TRAIL$ system table, which is owned by DVSYS, to a dump file.
You should periodically archive and then purge the audit trail to prevent it from growing too large.
If you choose to migrate to unified auditing, then use this procedure to archive and purge the Database Vault audit trail records after you complete the migration. When unified auditing begins to collect records, then the new records will be available for viewing from the UNIFIED_AUDIT_TRAIL, SYS.DV$CONFIGURATION_AUDIT, and SYS.DV$ENFORCEMENT_AUDIT data dictionary views.
You can use SQL*Plus and Oracle Data Pump to archive the Oracle Database Vault audit trail.
Log into the database instance as user SYS with the SYSDBA administrative privilege.
sqlplus sys as sysdba
Enter password: password
Ensure that the user who will perform archiving has the appropriate privileges.
For example:
GRANT CREATE ANY DIRECTORY, EXP_FULL_DATABASE, UNLIMITED TABLESPACE TO psmith;
Connect as a user who has been granted the DV_OWNER or DV_AUDIT_CLEANUP role.
For example:
connect ebrown
Enter password: password
Archive the Oracle Database Vault audit trail into a new table in an appropriate schema.
For example:
CREATE TABLE psmith.dv_audit_trail nologging \ AS SELECT * FROM DVSYS.AUDIT_TRAIL$;
If the schema is already protected by a realm, then ensure that you or the user performing the export operation has been granted the appropriate authorization to use Oracle Data Pump in a Database Vault environment.
For example, to authorize user psmith to perform Data Pump operations on his own schema:
EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('PSMITH', 'PSMITH');
Connect as the Data Pump user.
For example:
CONNECT psmith
Enter password: password
Create a directory for the Database Vault audit trail.
CREATE DIRECTORY dv_audit_dir AS 'dv_audit_trail_directory';
Exit SQL*Plus.
EXIT
Using Data Pump, export the Database Vault audit trail into the directory object that you just created.
expdp psmith directory=dv_audit_dir tables=psmith.dv_audit_trail \ dumpfile=dv_audit.dmp log=dv_audit_exp.log
Connect to SQL*Plus as a user who has been granted the DV_OWNER role.
sqlplus ebrown
Enter password: password
If you have not done so, then create a realm around the schema that now contains the Database Vault audit trail.
Create the realm. For example:
BEGIN DBMS_MACADM.CREATE_REALM( realm_name => 'DV Audit Trail Realm', description => 'Realm to protect the DV audit trail', enabled => DBMS_MACUTL.G_YES, audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + DBMS_MACUTL.G_REALM_AUDIT_SUCCESS, realm_type => 1); END; /
Add the schema that contains to audit trail to this realm. For example:
BEGIN DBMS_MACADM.ADD_OBJECT_TO_REALM( realm_name => 'DV Audit Trail Realm', object_owner => 'psmith', object_name => '%', object_type => '%'); END; /
Authorize a trusted user for this realm.
BEGIN DBMS_MACADM.ADD_AUTH_TO_REALM( realm_name => 'DV Audit Trail Realm', grantee => 'PSMITH', auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER); END; /
See Also:
"Using Oracle Data Pump with Oracle Database Vault" for more information about granting users Oracle Data Pump privileges in a Database Vault environment
Oracle Database SQL Language Reference for information about the CREATE DIRECTORY statement
Oracle Database Utilities for information about the Oracle Data Pump expdp utility
Chapter 13, "Oracle Database Vault Realm APIs," for information about the realm-related DBMS_MACADM procedures
You can purge the Oracle Database Vault audit trail in SQL*Plus.
Log into the database instance as a user who has been granted the DV_OWNER role or the DV_AUDIT_CLEANUP role.
For example:
sqlplus psmith
Enter password: password
Note that the DV_OWNER and DV_AUDIT_CLEANUP roles do not allow their grantees to truncate the DVSYS.AUDIT_TRAIL$ system table.
You can query the DBA_ROLE_PRIVS data dictionary view to find the roles that have been granted to a user.
Purge the Database Vault audit trail.
DELETE FROM DVSYS.AUDIT_TRAIL$;
When you install Oracle Database Vault, it creates several AUDIT settings in the database.
However, in a non-unified auditing environment, in order for these audit settings to take place, auditing must be enabled in this database. You can check if auditing is enabled by using the SHOW PARAMETER command to find the value of the AUDIT_TRAIL initialization parameter. By default, auditing is enabled in Oracle Database.
Table A-2 lists the AUDIT settings that Oracle Database Vault adds to the database.
Table A-2 Audit Policy Settings Oracle Database Vault Adds to Oracle Database
| Audit Setting Type | Audited Statements (BY ACCESS and on Success or Failure Unless Otherwise Noted) |
|---|---|
|
System Audit Settings/System Privilege Usage |
|
|
System Audit Settings/Object Management |
|
|
System Audit Settings/Intrusive Commands |
|
|
System Audit Settings/Administration Commands |
|
|
System Audit Settings/Audit Commands |
|
|
System Audit Settings/Access Control |
|
|
User Audit Settings for User Audit Settings for See Table 12-2, "Database Accounts Used by Oracle Database Vault" for more information about these accounts. See also these sections for detailed information on the |
|
|
|
|
|
|