Re: what is being audited by the database

From: Ls Cheng <exriscer_at_gmail.com>
Date: Wed, 1 May 2019 16:20:24 +0200
Message-ID: <CAJ2-Qb9Dpt5WM+USfiA0D3knzBhtT3d3V+4DvM3CnSzbbbrqyg_at_mail.gmail.com>

Just to confirm that all the extra audit data are gone after disabling the VPD policies so mistery is 100% solved.

<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> Virus-free.
www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

On Sat, Apr 27, 2019 at 9:05 AM Ls Cheng <exriscer_at_gmail.com> wrote:

> Hi Mark
>
> This is 11.2.0.4. Forget the user_name is not null, I ran the queries
> without those predicates. Copy &pasted wrong query to the list!.
>
> It seems that it has something to do with VPD. There are some policies
> defined on some tables and the user has EXEMPT ACCESS POLICY so whenever
> the user runs queries against tables with policies he gets audited. However
> some tables has no policies get audited so the mistery is half soved.
>
> Thanks
>
>
>
>
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> Virus-free.
> www.avast.com
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
> <#m_-5605919521807787308_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>
> On Fri, Apr 26, 2019 at 10:04 PM Powell, Mark <mark.powell2_at_dxc.com>
> wrote:
>
>>
>> Why do you have "where USER_NAME is not null" if you want to see all
>> audit rules in effect?
>>
>> What full version of Oracle is this?
>>
>> Is Unified Auditing in use?
>>
>>
>>
>> Mark Powell
>> Database Administration
>> (313) 592-5148
>>
>>
>> ------------------------------
>> *From:* oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> on
>> behalf of Ls Cheng <exriscer_at_gmail.com>
>> *Sent:* Friday, April 26, 2019 10:01:58 AM
>> *To:* Oracle Mailinglist
>> *Subject:* what is being audited by the database
>>
>> Hi
>>
>> I have a database which is generating large amount of audit information
>> in syslog. audit_trail is set to OS. SELECT statements are being audited,
>> one sample audit record
>>
>> Apr 26 14:54:42 no1b local6:notice
>> Oracle Audit[54526112]:
>> LENGTH: "272"
>> SESSIONID:[8] "99149799"
>> ENTRYID:[5] "37831"
>> STATEMENT:[5] "82728"
>> USERID:[4] "MOON"
>> USERHOST:[7] "curve2"
>> TERMINAL:[7] "unknown"
>> ACTION:[1] "3"
>> RETURNCODE:[1] "0"
>> OBJ$CREATOR:[4] "MOON"
>> OBJ$NAME:[19] "API_Q_POINT"
>> OS$USERID:[6] "curve"
>> DBID:[10] "3327503583"
>>
>>
>> I checked what is being audited but nothing is being audited. Ichecked
>> by running these queries:
>>
>> SELECT * FROM DBA_STMT_AUDIT_OPTS where USER_NAME is not null order by
>> user_name,audit_option;
>> SELECT * FROM DBA_PRIV_AUDIT_OPTS where USER_NAME is not null order by
>> user_name,privilege;
>> SELECT * FROM DBA_OBJ_AUDIT_OPTS order by owner,object_name,object_type;
>> SELECT * FROM ALL_DEF_AUDIT_OPTS;
>>
>> All of them return cero rows except ALL_DEF_AUDIT_OPTS which shows
>>
>> ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE FBK REA
>> --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
>> -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/-
>>
>> Anyone know where else can I check :-?
>>
>> audit parameters
>>
>> show parameter audit
>>
>> NAME TYPE VALUE
>> ------------------------------------ -----------
>> ------------------------------
>> audit_file_dest string
>> /u01/app/oracle/admin/AIX112/adump
>> audit_sys_operations boolean FALSE
>> audit_syslog_level string LOCAL6.NOTICE
>> audit_trail string OS
>>
>> Thank you
>>
>>
>>
>>
>>
>>
>> DXC Technology Company - Headquarters: 1775 Tysons Boulevard, Tysons,
>> Virginia 22102, USA.
>> DXC Technology Company -- This message is transmitted to you by or on
>> behalf of DXC Technology Company or one of its affiliates. It is intended
>> exclusively for the addressee. The substance of this message, along with
>> any attachments, may contain proprietary, confidential or privileged
>> information or information that is otherwise legally exempt from
>> disclosure. Any unauthorized review, use, disclosure or distribution is
>> prohibited. If you are not the intended recipient of this message, you are
>> not authorized to read, print, retain, copy or disseminate any part of this
>> message. If you have received this message in error, please destroy and
>> delete all copies and notify the sender by return e-mail. Regardless of
>> content, this e-mail shall not operate to bind DXC Technology Company or
>> any of its affiliates to any order or other contract unless pursuant to
>> explicit written agreement or government initiative expressly permitting
>> the use of e-mail for such purpose. --.
>>
>
>
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> Virus-free.
> www.avast.com
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
> <#m_-5605919521807787308_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>

--
http://www.freelists.org/webpage/oracle-l

Received on Wed May 01 2019 - 16:20:24 CEST

This message: [ Message body ]
Next message: kunwar singh: "Is there a way/hack to allow the query only to run for specified duration in Oracle and kill it."
Previous message: Woodward Informatics Ltd: "AW: NHibernate as ORM"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message