Why are SELECTs being audited?

From: Rich J <rjoralist3_at_society.servebeer.com>
Date: Fri, 06 Oct 2017 09:05:31 -0500
Message-ID: <364f4202a3f3f3ccbc198d47609d4c0a_at_society.servebeer.com>



Hey all,

In 11.2.0.3, my security sweep listed some entries from DBA_AUDIT_TRAIL on one test database where the offending statement was a SELECT from a table in another schema or across a database link. In either case, the return code was "0" (success). The audit entries for the local SELECTs have a priv used of "SELECT ANY TABLE", while the ones against the DB link are null. Here's what I'm auditing in this particular DB:

SELECT 'PRIV' aud_view, privilege, success, failure FROM sys.dba_priv_audit_opts
UNION ALL
SELECT 'STMT', audit_option, success, failure FROM sys.dba_stmt_audit_opts
UNION ALL
SELECT 'OBJ', owner||'.'||object_name, 'S', 'F' FROM dba_obj_audit_opts ORDER BY 1,2;

AUD_ PRIVILEGE                                SUCCESS    FAILURE
---- ---------------------------------------- ---------- ----------
PRIV ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS
PRIV ALTER ANY TABLE                          BY ACCESS  BY ACCESS
PRIV ALTER DATABASE                           BY ACCESS  BY ACCESS
PRIV ALTER PROFILE                            BY ACCESS  BY ACCESS
PRIV ALTER SYSTEM                             BY ACCESS  BY ACCESS
PRIV ALTER USER                               BY ACCESS  BY ACCESS
PRIV AUDIT SYSTEM                             BY ACCESS  BY ACCESS
PRIV CREATE ANY JOB                           BY ACCESS  BY ACCESS
PRIV CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS
PRIV CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS
PRIV CREATE ANY TABLE                         BY ACCESS  BY ACCESS
PRIV CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS
PRIV CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS
PRIV CREATE SESSION                           NOT SET    BY ACCESS
PRIV CREATE USER                              BY ACCESS  BY ACCESS
PRIV DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS
PRIV DROP ANY TABLE                           BY ACCESS  BY ACCESS
PRIV DROP PROFILE                             BY ACCESS  BY ACCESS
PRIV DROP USER                                BY ACCESS  BY ACCESS
PRIV EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS
PRIV GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS
PRIV GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS
PRIV GRANT ANY ROLE                           BY ACCESS  BY ACCESS
STMT ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS
STMT ALTER ANY TABLE                          BY ACCESS  BY ACCESS
STMT ALTER DATABASE                           BY ACCESS  BY ACCESS
STMT ALTER PROFILE                            BY ACCESS  BY ACCESS
STMT ALTER SEQUENCE                           BY ACCESS  BY ACCESS
STMT ALTER SYSTEM                             BY ACCESS  BY ACCESS
STMT ALTER TABLE                              BY ACCESS  BY ACCESS
STMT ALTER USER                               BY ACCESS  BY ACCESS
STMT CREATE ANY JOB                           BY ACCESS  BY ACCESS
STMT CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS
STMT CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS
STMT CREATE ANY TABLE                         BY ACCESS  BY ACCESS
STMT CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS
STMT CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS
STMT CREATE SESSION                           NOT SET    BY ACCESS
STMT CREATE USER                              BY ACCESS  BY ACCESS
STMT DATABASE LINK                            BY ACCESS  BY ACCESS
STMT DIRECTORY                                BY ACCESS  BY ACCESS
STMT DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS
STMT DROP ANY TABLE                           BY ACCESS  BY ACCESS
STMT DROP PROFILE                             BY ACCESS  BY ACCESS
STMT DROP USER                                BY ACCESS  BY ACCESS
STMT EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS
STMT GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS
STMT GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS
STMT GRANT ANY ROLE                           BY ACCESS  BY ACCESS
STMT GRANT DIRECTORY                          BY ACCESS  BY ACCESS
STMT GRANT PROCEDURE                          BY ACCESS  BY ACCESS
STMT GRANT SEQUENCE                           BY ACCESS  BY ACCESS
STMT GRANT TABLE                              BY ACCESS  BY ACCESS
STMT GRANT TYPE                               BY ACCESS  BY ACCESS
STMT INDEX                                    BY ACCESS  BY ACCESS
STMT PROCEDURE                                BY ACCESS  BY ACCESS
STMT PROFILE                                  BY ACCESS  BY ACCESS
STMT PUBLIC DATABASE LINK                     BY ACCESS  BY ACCESS
STMT PUBLIC SYNONYM                           BY ACCESS  BY ACCESS
STMT ROLE                                     BY ACCESS  BY ACCESS
STMT SEQUENCE                                 BY ACCESS  BY ACCESS
STMT SYNONYM                                  BY ACCESS  BY ACCESS
STMT SYSTEM AUDIT                             BY ACCESS  BY ACCESS
STMT SYSTEM GRANT                             BY ACCESS  BY ACCESS
STMT TABLE                                    BY ACCESS  BY ACCESS
STMT TABLESPACE                               BY ACCESS  BY ACCESS
STMT TRIGGER                                  BY ACCESS  BY ACCESS
STMT TYPE                                     BY ACCESS  BY ACCESS
STMT USER                                     BY ACCESS  BY ACCESS
STMT VIEW                                     BY ACCESS  BY ACCESS

Note that there are no audits on any objects, so I'm not sure why this is being audited. The offending user does have the SELECT ANY TABLE priv, but I can't determine why successful SELECTs are being audited, given the above output.

This isn't the first time I've come across this, but it will be the last where I haven't documented it...

Thanks!
Rich

--

http://www.freelists.org/webpage/oracle-l Received on Fri Oct 06 2017 - 16:05:31 CEST
