A Auditing Policies

This appendix includes the following sections:

Core RDBMS Auditing Policy
Custom Audit Events

A.1 Core RDBMS Auditing Policy

A baseline auditing policy is installed with Oracle Database Vault. This policy includes the access control configuration information stored in the Oracle Database Vault database tables, information stored in the Oracle Catalog (rollback segments, tablespaces, and so on), the use of system privileges, and the Oracle Label Security configuration.

Before you can capture this audit information, you must enable the audit trail by setting the AUDIT_TRAIL initialization parameter to OS. The default setting for AUDIT_TRAIL is NONE, so it is important that you not use the NONE setting. For security reasons, use OS instead. To set this parameter, log on to SQL*Plus with SYSDBA privileges, set AUDIT_TRAIL to OS, and then restart the database. For example:

sqlplus "sys / as sysdba"
Enter password: password
SQL> ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE=SPFILE;
SQL> SHUTDOWN NORMAL;
SQL> STARTUP;

For more information about the AUDIT_TRAIL parameter, see Oracle Label Security Administrator's Guide and Oracle Database SQL Reference.

Table A-1 shows the audit settings in the Database Vault core RDBMS auditing policy.

Table A-1 Database Vault Audit Policy Settings

Audit Setting Type	Audited Commands (BY ACCESS and on Success or Failure Unless Otherwise Noted)
System Audit Settings/System Privilege Usage	`ALTER ANY` `CREATE ANY` `DELETE ANY` `DROP ANY` `EXECUTE ANY` (whenever not successful) `FORCE ANY` `GRANT ANY` `INSERT ANY` `UPDATE ANY`
System Audit Settings/Object Management	`ALTER DATABASE, PROFILE, ROLLBACK SEGMENT, SESSION, SYSTEM, TABLE, TABLESPACE, USER` `CREATE CLUSTER, DATABASE LINK, INDEXTYPE, LIBRARY, OPERATOR, PUBLIC SYNONYM, PROCEDURE, PROFILE, ROLE, ROLLBACK SEGMENT, SEQUENCE, SESSION, SNAPSHOT, SYNONYM, TABLE, TABLESPACE, TRIGGER, TYPE, USER, VIEW` `TRUNCATE`
System Audit Settings/Intrusive Commands	`ALTER SESSION` `BECOME USER` `CREATE SESSION` `DEBUG CONNECT SESSION` `RESTRICTED SESSION`
System Audit Settings/Administration Commands	`ADMINISTER DATABASE TRIGGER` `BACKUP ANY TABLE` `EXEMPT ACCESS POLICY` `MANAGE TABLESPACE`
System Audit Settings/Audit Commands	`AUDIT ANY` `AUDIT SYSTEM`
System Audit Settings/Access Control	`GRANT ANY PRIVILEGE/ANY OBJECT PRIVILEGE/ROLE` `GRANT DIRECTORY` `GRANT SEQUENCE` `GRANT TABLE` `GRANT TYPE`
User Audit Settings - `DVSYS`/`DVF`	`ADMINISTER DATABASE TRIGGER` `ALTER` `object` `AUDIT SYSTEM` `BECOME USER` `CLUSTER` `COMMENT` `CONTEXT` `CREATE` `object` `DATABASE LINK` `DEBUG` `DIRECTORY` `DROP` `object` `EXECUTE LIBRARY` (`WHENEVER NOT SUCCESSFUL`) `EXECUTE PROCEDURE` (`WHENEVER NOT SUCCESSFUL`) `EXEMPT ACCESS POLICY` `EXEMPT IDENTITY POLICY` `EXPORT FULL DATABASE` `GRANT` `object` `IMPORT FULL DATABASE` `INDEX` `MANAGE SCHEDULER` `MANAGE TABLESPACE` `MATERIALIZED VIEW` `SELECT SEQUENCE` (`WHENEVER NOT SUCCESSFUL`) `SELECT TABLE` (`WHENEVER NOT SUCCESSFUL`)
Object Audit Settings - `DVF`	`AUDIT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE` `COMMENT TABLE/VIEW` `DELETE TABLE/VIEW` `EXECUTE PACKAGE/PROCEDURE/FUNCTION` (`WHENEVER NOT SUCCESSFUL`) `GRANT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE` `INSERT TABLE/VIEW` `RENAME PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/VIEW/TABLE` `SELECT SEQUENCE/TABLE/VIEW` (`WHENEVER NOT SUCCESSFUL`) `UPDATE TABLE/VIEW`
Object Audit Settings - `DVSYS`	`AUDIT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE` `COMMENT TABLE/VIEW` `DELETE TABLE/VIEW` `EXECUTE PACKAGE/PROCEDURE/FUNCTION` (`WHENEVER NOT SUCCESSFUL`) `GRANT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE` `INSERT TABLE/VIEW` `RENAME PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/VIEW/TABLE` `SELECT SEQUENCE/TABLE/VIEW` (`WHENEVER NOT SUCCESSFUL`) `UPDATE TABLE/VIEW`
User Audit Settings - `LBACSYS`	`ADMINISTER DATABASE TRIGGER` `ALTER` `object` `AUDIT SYSTEM` `BECOME USER` `CLUSTER` `COMMENT` `CONTEXT` `CREATE` `object` `DATABASE LINK` `DEBUG` `DIRECTORY` `DROP` `object` `EXECUTE LIBRARY` (`WHENEVER NOT SUCCESSFUL`) `EXECUTE PROCEDURE` (`WHENEVER NOT SUCCESSFUL`) `EXEMPT ACCESS POLICY` `EXEMPT IDENTITY POLICY` `EXPORT FULL DATABASE` `GRANT` `object` `IMPORT FULL DATABASE` `INDEX` `MANAGE SCHEDULER` `MANAGE TABLESPACE` `MATERIALIZED VIEW` `SELECT SEQUENCE` (`WHENEVER NOT SUCCESSFUL`) `SELECT TABLE` (`WHENEVER NOT SUCCESSFUL`)
Object Audit Settings - `LBACSYS`	`AUDIT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE` `COMMENT TABLE/VIEW` `DELETE TABLE/VIEW` `EXECUTE PACKAGE/PROCEDURE/FUNCTION` (`WHENEVER NOT SUCCESSFUL`) `GRANT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE` `INSERT TABLE/VIEW` `RENAME PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/VIEW/TABLE` `SELECT SEQUENCE/TABLE/VIEW` (`WHENEVER NOT SUCCESSFUL`) `UPDATE TABLE/VIEW`

A.2 Custom Audit Events

You can define a database audit policy for auditing system commands, users, objects, and so on. However, the database audit policy does not inherently support several Oracle Database Vault events.

Oracle Database Vault defines custom events that you can choose to audit. This enables you to audit events not protected by the database audit policy. For example, if the run-time access control processing of retrieving the identifier for a factor fails, the audit options for the factor may dictate that this event be audited.

The following list describes some of the custom audit events:

Session Initialization Audit Initialization Failed: The security administrator can audit instances where the access control session fails to initialize.
Command Rule Audit: Command rules allow or disallow SQL statements based on rule sets. The security administrator may choose to audit the rule set processing results. Both successful and failed processing can be audited.
Factor Assignment Audit: A factor can have an associated rule set that is used to assign an identity to the factor at run time. The security administrator may choose to audit the rule set processing results. Both successful and failed processing can be audited.
Factor Evaluation Audit: The security administrator may choose to audit instances where a factor identity cannot be resolved and assigned (such as No data found or Too many rows). Both successful and failed retrievals can be audited.
Oracle Label Security Attempt to Upgrade Session Label Failed: The security administrator can audit instances where the Oracle Label Security component prevents a session from setting a label that exceeds the maximum session label.
Oracle Label Security Session Initialization Failed: The security administrator can audit instances where the Oracle Label Security session fails to initialize.
Realm Authorization Audit: Realm authorizations can be managed using rule sets. The security administrator can audit the rule set processing results.
Realm Violation Audit: A realm violation occurs when the database account, performing an action on a realm object, is not authorized to perform that action in the realm. The security administrator can choose to audit realm violations.
Secure Role Audit: Secure application roles can be set based on rule sets. The security administrator can choose to audit the associated rule set processing.

See Also:

"Audit Options" (for factors)
"Audit Options" (for rule sets)
Defining Realm Authorization in Chapter 3, "Configuring Realms"
Chapter 9, "Generating Oracle Database Vault Reports" for information about viewing the audit reports

The Oracle Database Vault custom audit event records are stored in the AUDIT_TRAIL$ table, which is part of the DVSYS schema. These audit records are not part of the typical Oracle Database audit trail. You can define an archiving policy for this audit trail.

Table A-2 describes the format of the audit trail.

Table A-2 Audit Trail Format

Parameter	Type	Description
`OS_USERNAME`	`VARCHAR2(255)`	Operating system login user name of the user whose actions were audited
`USERNAME`	`VARCHAR2(30)`	Name of the database user whose actions were audited
`USERHOST`	`VARCHAR2(128)`	Client computer name
`TERMINAL`	`VARCHAR2(255)`	Identifier for the user's terminal
`TIMESTAMP`	`DATE`	Date and time of creation of the audit trail entry (in the local database session time zone)
`OWNER`	`VARCHAR2(30)`	Creator of the object affected by the action, always `DVSYS` (because `DVSYS` is where objects are created)
`OBJ_NAME`	`VARCHAR2(128)`	Name of the object affected by the action. Expected values are: `ROLE$` `REALM$` `CODE$` `FACTOR$`
`ACTION`	`NUMBER`	Numeric action type code. The corresponding name of the action type is in the `ACTION_NAME` column. Expected `ACTION` and `ACTION_NAME` values are: 10000: Factor Evaluation Audit 10001: Factor Assignment Audit 10002: Factor Expression Audit 10003: Realm Violation Audit 10004: Realm Authorization Audit 10005: Command Authorization Audit 10006: Secure Role Audit 10007: Access Control Session Initialization Audit 10008: Access Control Command Authorization Audit 10009: Oracle Label Security Session Initialization Audit 10010: Oracle Label Security Attempt to Upgrade Label Audit
`ACTION_NAME`	`VARCHAR2(128)`	Name of the action type corresponding to the numeric code in the `ACTION` column. You can extend the audit trail to include your own `ACTION_NAME` text, based on the audit events passed.
`ACTION_OBJECT_ID`	`NUMBER`	The unique identifier of the record in the table specified under `OBJ_NAME`.
`ACTION_OBJECT_NAME`	`VARCHAR2(128)`	The unique name or natural key of the record in the table specified under `OBJ_NAME`
`SQL_TEXT`	`VARCHAR2(2000)`	The SQL text of the command procedure that was executed that resulted in the audit event being triggered
`AUDIT_OPTION`	`VARCHAR2(4000)`	The labels for all audit options specified in the record that resulted in the audit event being triggered. For example, a factor set operation that is supposed to audit on get failure and get `NULL` would indicate these two options.
`RULE_SET_ID`	`NUMBER`	The unique identifier of the rule set that was executing and caused the audit event to trigger
`RULE_SET_NAME`	`VARCHAR2(30)`	The unique name of the rule set that was executing and caused the audit event to trigger
`RULE_ID`	`NUMBER`	The unique identifier of the rule that was executing and caused the audit event to trigger
`RULE_NAME`	`VARCHAR2(30)`	The unique name of the rule that was executing and caused the audit event to trigger
`FACTOR_CONTEXT`	`VARCHAR2(4000)`	An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered
`COMMENT_TEXT`	`VARCHAR2(4000)`	Text comment on the audit trail entry, providing more information about the statement audited
`SESSIONID`	`NUMBER`	Numeric identifier for each Oracle session
`STATEMENTID`	`NUMBER`	Numeric identifier for the statement invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events.
`RETURNCODE`	`NUMBER`	Oracle error code generated by the action. The error code for a statement or procedure invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events.
`CLIENT_ID`	`NUMBER`	Client identifier for the Oracle session that triggered the audit event.
`EXTENDED_TIMESTAMP`	`TIMESTAMP(6) WITH TIME ZONE`	Time stamp of creation of the audit trail entry (time stamp of user login for entries) in UTC (Coordinated Universal Time) time zone.
`PROXY_SESSIONID`	`NUMBER`	Proxy session serial number, if an enterprise user has logged in through the proxy mechanism.
`GLOBAL_UID`	`VARCHAR2(32)`	Global user identifier for the user, if the user has logged in as an enterprise user
`INSTANCE_NUMBER`	`NUMBER`	Instance number as specified by the `INSTANCE_NUMBER` initialization parameter
`OS_PROCESS`	`VARCHAR2(16)`	Operating system process identifier of the Oracle process