HomeOracle Page 2 - Auditing to Secure Oracle Database XE
Privilege Auditing - Oracle
In this conclusion to a ten-part article series on securing Oracle Database XE, you will learn about statement auditing, privilege auditing, and more. This article is excerpted from chapter 31 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).
Auditing system privileges using the AUDIT command has the same basic syntax as statement auditing, except that system privileges are specified in the sql_statement_clause instead of statements.
For example, you may wish to grant theALTER TABLESPACEprivilege to all your DBAs but you want to generate an audit record when this happens. The command to enable auditing on this privilege looks similar to statement auditing:
SQL> audit alter tablespace by access whenever successful; Audit succeeded.
Every time theALTER TABLESPACEprivilege is successfully used, a row is added toSYS.AUD$.
Special auditing is available to enable you to track system administrators’ use of theSYSDBAandSYSOPERprivileges. To enable this extra level of auditing, set the initialization parameterAUDIT_SYS_OPERATIONStoTRUE. The audit records are sent to the same location as the operating system audit records; therefore, this location is operating-system-dependent. All SQL statements executed while using one of these privileges, as well as any SQL statements executed as the userSYS, are sent to this operating system audit location.
Schema Object Auditing
Auditing access to various schema objects using the AUDIT command looks similar to statement and privilege auditing:
AUDIT command looks similar to statement and privilege auditing:Auditing access to various schema objects using the AUDIT command looks similar to statement and privilege auditing:
AUDIT schema_object_clause BY {SESSION | ACCESS} WHENEVER [NOT] SUCCESSFUL;
Theschema_object_clause specifies a type of object access and the object being accessed. You can audit 13 different types of operations on specific objects; they are listed in Table 31-15.
Table 31-15. Object Auditing Options
Object Option
Description
ALTER
Alters a table, sequence, or materialized view
AUDIT
Audits commands on any object
COMMENT
Adds comments to tables, views, or materialized views
DELETE
Deletes rows from a table, view, or materialized view
FLASHBACK
Performs flashback operation on a table or view
GRANT
Grants privileges on any type of object
INDEX
Creates an index on a table or materialized view
INSERT
Inserts rows into a table, view, or materialized view
LOCK
Locks a table, view, or materialized view
READ
Performs a read operation on the contents of a DIRECTORYobject
RENAME
Renames a table, view, or procedure
SELECT
Selects rows from a table, view, sequence, or materialized view
UPDATE
Updates a table, view, or materialized view
If you wish to audit allINSERTandUPDATEcommands on theHR.JOBStable, regardless of who is doing the update, every time the action occurs, you can use theAUDITcommand as follows:
SQL> audit insert, update on hr.jobs by access whenever successful; Audit successful.
