Difference between revisions of "Auditing"
From dbawiki
(→Show the audit trail (12c)) |
|||
| Line 1: | Line 1: | ||
| − | [https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=s135vnnwx_87&_afrLoop=562289631709984#aref_section324 Master note on Oracle Auditing] | + | * [https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=s135vnnwx_87&_afrLoop=562289631709984#aref_section324 Master note on Oracle Auditing] |
| + | * [https://docs.oracle.com/database/121/DBSEG/E48135-11.pdf Oracle Database Security Guide 12c] | ||
===Has your database migrated to Unified Auditing?=== | ===Has your database migrated to Unified Auditing?=== | ||
<pre> | <pre> | ||
Revision as of 16:57, 9 October 2015
Contents
- 1 Has your database migrated to Unified Auditing?
- 2 Show the audit trail (12c)
- 3 Disable unified auditing
- 4 12c auditing is protected
- 5 Manage the audit trail (12c)
- 6 Check whether audit trail cleanup has been initialised
- 6.1 Check audit settings
- 6.2 When was audit trail last purged?
- 6.3 Set a date to purge to
- 6.4 Recheck
- 6.5 Run the audit cleanup
- 6.6 Which tablespace is the standard auditing table (AUD$) going to?
- 6.7 Move the standard audit trail (AUD$) to a different tablespace
- 6.8 Move the unified audit trail to a different tablespace
Has your database migrated to Unified Auditing?
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
Show the audit trail (12c)
set lines 2000 col dbusername for a32 col event_timestamp for a23 col sql_text for a200 select dbusername , event_timestamp , sql_text from unified_audit_trail
Disable unified auditing
select policy_name, enabled_opt from audit_unified_enabled_policies /
POLICY_NAME ENABLED_ ------------------------------ -------- ORA_SECURECONFIG BY
noaudit policy ORA_SECURECONFIG;
Noaudit succeeded.
12c auditing is protected
The Unified Audit Trail is well protected. Not even SYS can mess with it.
select table_name from dba_tables where owner='AUDSYS';
TABLE_NAME
--------------------------------------------------------------------------------------------------------------------------------
CLI_SWP$4f81f886$1$1
SYS@RMANV12> truncate table audsys."CLI_SWP$4f81f886$1$1";
truncate table audsys."CLI_SWP$4f81f886$1$1"
*
ERROR at line 1:
ORA-55941: DML and DDL operations are not allowed on table "AUDSYS"."CLI_SWP$4f81f886$1$1"
SYS@RMANV12> drop user audsys cascade;
drop user audsys cascade
*
ERROR at line 1:
ORA-28050: specified user or role cannot be dropped
Manage the audit trail (12c)
The only way to work with the audit trail is with the DBMS_AUDIT_MGMT package.
Before the audit trail can be purged, you must initialise it. This is a one-off execution of the init_cleanup procedure.
SYS@RMANV12> BEGIN
DBMS_AUDIT_MGMT.init_cleanup(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
default_cleanup_interval => 12 /* hours */);
END;
/
PL/SQL procedure successfully completed.
Check whether audit trail cleanup has been initialised
SET SERVEROUTPUT ON
BEGIN
IF DBMS_AUDIT_MGMT.is_cleanup_initialized(DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
DBMS_OUTPUT.put_line('YES');
ELSE
DBMS_OUTPUT.put_line('NO');
END IF;
END;
/
Check audit settings
SELECT * FROM dba_audit_mgmt_config_params;
When was audit trail last purged?
COLUMN audit_trail FORMAT A20 COLUMN last_archive_ts FORMAT A40 SELECT * FROM dba_audit_mgmt_last_arch_ts; no rows selected
Set a date to purge to
Setup to purge anything older than 90 days before today
BEGIN
DBMS_AUDIT_MGMT.set_last_archive_timestamp(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
last_archive_time => SYSTIMESTAMP-90);
END;
/
Recheck
COLUMN audit_trail FORMAT A20 COLUMN last_archive_ts FORMAT A40 SELECT * FROM dba_audit_mgmt_last_arch_ts; AUDIT_TRAIL RAC_INSTANCE LAST_ARCHIVE_TS -------------------- ------------ ---------------------------------------- STANDARD AUDIT TRAIL 0 08-NOV-14 06.24.44.000000 PM +00:00
Run the audit cleanup
begin
dbms_audit_mgmt.clean_audit_trail ( audit_trail_type => dbms_audit_mgmt.audit_trail_aud_std
, use_last_arch_timestamp => true
);
end;
or
begin
dbms_audit_mgmt.clean_audit_trail ( audit_trail_type => dbms_audit_mgmt.audit_trail_unified
, use_last_arch_timestamp => true
);
end;
Which tablespace is the standard auditing table (AUD$) going to?
select string_value from dam_config_param$ where audit_trail_type# = 1 and param_id = 22;
or
select table_name, tablespace_name from dba_tables where table_name IN ('AUD$', 'FGA_LOG$') order by table_name;
Move the standard audit trail (AUD$) to a different tablespace
Can move both the standard and the fine-grained access (fga) audit trail in one go by specifying "audit_trail_db_std" as audit_trail_type.
begin
dbms_audit_mgmt.set_audit_trail_location ( audit_trail_type => dbms_audit_mgmt.audit_trail_aud_std
, audit_trail_location_value => 'AUDIT_DT'
);
end;
/
Move the unified audit trail to a different tablespace
begin
dbms_audit_mgmt.set_audit_trail_location ( audit_trail_type => dbms_audit_mgmt.audit_trail_unified
, audit_trail_location_value => 'AUDIT_DT'
);
end;
/
