Argument            Description
STATEMENT_TYPES     One or more of SELECT, INSERT, UPDATE, or DELETE to define
                    which statement types should be audited. Default is SELECT
                    only.
AUDIT_TRAIL         Controls whether to write out the actual SQL statement and
                    its bind variables to the FGA audit trail. The default is
                    to do so.
AUDIT_COLUMN_OPTS   Determines whether to audit if a statement addresses any or
                    all of the columns listed in the AUDIT_COLUMN argument.
                    Options are DBMS_FGA.ANY_COLUMNS, the default, or
                    DBMS_FGA.ALL_COLUMNS.
The other DBMS_FGA procedures are to enable, disable, or drop FGA policies.
To see the results of fine-grained auditing, query the DBA_FGA_AUDIT_TRAIL view:
SQL> describe dba_fga_audit_trail;
Name Null? Type
----------------------------------------- -------- ----------------------------
SESSION_ID NOT NULL NUMBER
TIMESTAMP DATE
DB_USER VARCHAR2(30)
OS_USER VARCHAR2(255)
USERHOST VARCHAR2(128)
CLIENT_ID VARCHAR2(64)
EXT_NAME VARCHAR2(4000)
OBJECT_SCHEMA VARCHAR2(30)
OBJECT_NAME VARCHAR2(128)
POLICY_NAME VARCHAR2(30)
SCN NUMBER
SQL_TEXT NVARCHAR2(2000)
SQL_BIND NVARCHAR2(2000)
COMMENT$TEXT VARCHAR2(4000)
STATEMENT_TYPE VARCHAR2(7)
EXTENDED_TIMESTAMP TIMESTAMP(6) WITH TIME ZONE
PROXY_SESSIONID NUMBER
GLOBAL_UID VARCHAR2(32)
INSTANCE_NUMBER NUMBER
OS_PROCESS VARCHAR2(16)
TRANSACTIONID RAW(8)
STATEMENTID NUMBER
ENTRYID NUMBER
This procedure call will create a policy POL1 that will record all SELECT statements that read the SALARY column of the HR.EMPLOYEES table, if at least one of the rows retrieved is in department 80:
SQL> execute dbms_fga.add_policy(-
> object_schema=>'HR',-
> object_name=>'EMPLOYEES',-
> policy_name=>'POL1',-
> audit_condition=>'department_id=80',-
> audit_column=>'SALARY');
In addition to the DBA_AUDIT_TRAIL view, which shows the results of standard database auditing, and the DBA_FGA_AUDIT_TRAIL view, which shows the results of fine-grained auditing, the DBA_COMMON_AUDIT_TRAIL view shows audit events from both types of auditing.
EXAM TIP Which views show the audit trail? DBA_AUDIT_TRAIL is used for standard database auditing; DBA_FGA_AUDIT_TRAIL is used for fine-grained auditing; while DBA_COMMON_AUDIT_TRAIL is used for both. To see the results of auditing with triggers, you must create your own views that address your own tables.
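A fuller policy, as an added example that is not from the chapter: it uses the optional ADD_POLICY arguments from the table above, attaches a handler, and walks through the enable/disable/drop procedures and the catalog view that lists FGA policies. It assumes the HR sample schema is installed; the SEC schema, the SEC.FGA_ALERTS table and the SEC.FGA_HANDLER procedure are names invented for this example, and the session running it needs EXECUTE on DBMS_FGA plus the privileges to create objects in SEC.

```sql
-- Added example (not from the chapter). HR is the Oracle sample schema;
-- SEC, SEC.FGA_ALERTS and SEC.FGA_HANDLER are hypothetical names.

-- 1. A side table the handler writes to. The handler runs inside the audited
--    user's statement, so it must be fast and must never raise: an unhandled
--    error in it makes the user's statement fail (ORA-28144).
CREATE TABLE sec.fga_alerts (
    alert_time   TIMESTAMP WITH TIME ZONE,
    db_user      VARCHAR2(30),
    os_user      VARCHAR2(255),
    policy_name  VARCHAR2(30),
    object_name  VARCHAR2(61),
    sql_text     VARCHAR2(4000));

-- The handler signature FGA requires: (object_schema, object_name, policy_name).
CREATE OR REPLACE PROCEDURE sec.fga_handler (
    object_schema IN VARCHAR2,
    object_name   IN VARCHAR2,
    policy_name   IN VARCHAR2)
AS
    PRAGMA AUTONOMOUS_TRANSACTION;   -- our row survives even if the caller rolls back
BEGIN
    INSERT INTO sec.fga_alerts
    VALUES (SYSTIMESTAMP,
            SYS_CONTEXT('USERENV', 'SESSION_USER'),
            SYS_CONTEXT('USERENV', 'OS_USER'),
            policy_name,
            object_schema || '.' || object_name,
            SYS_CONTEXT('USERENV', 'CURRENT_SQL'));  -- the statement that fired the policy
    COMMIT;
EXCEPTION
    WHEN OTHERS THEN ROLLBACK;       -- never break the audited statement
END;
/

-- 2. The policy. Unlike POL1 above, it audits UPDATEs as well as SELECTs,
--    fires if either listed column is referenced, keeps SQL text and binds,
--    and names the handler.
BEGIN
    DBMS_FGA.ADD_POLICY(
        object_schema     => 'HR',
        object_name       => 'EMPLOYEES',
        policy_name       => 'POL_SALARY_DEPT80',
        audit_condition   => 'DEPARTMENT_ID = 80',
        audit_column      => 'SALARY,COMMISSION_PCT',
        handler_schema    => 'SEC',
        handler_module    => 'FGA_HANDLER',
        enable            => TRUE,
        statement_types   => 'SELECT,UPDATE',
        audit_trail       => DBMS_FGA.DB_EXTENDED,
        audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- 3. Run these from an ordinary account with SELECT/UPDATE on HR.EMPLOYEES.
SELECT last_name FROM hr.employees WHERE department_id = 80;  -- not audited: no audited column
SELECT salary    FROM hr.employees WHERE department_id = 80;  -- audited: SALARY read, rows in dept 80
SELECT salary    FROM hr.employees WHERE department_id = 10;  -- not audited: no dept-80 row returned
UPDATE hr.employees SET commission_pct = 0.2
WHERE  employee_id = 150;                                     -- audited: dept-80 row, COMMISSION_PCT
ROLLBACK;

-- 4. Read the trail as a DBA. SQL_TEXT and SQL_BIND are filled because of DB_EXTENDED.
SELECT db_user, os_user, statement_type, extended_timestamp, sql_text, sql_bind
FROM   dba_fga_audit_trail
WHERE  policy_name = 'POL_SALARY_DEPT80'
ORDER  BY extended_timestamp;

SELECT * FROM sec.fga_alerts ORDER BY alert_time;            -- what the handler recorded

-- 5. Lifecycle: suspend, resume, remove.
EXEC DBMS_FGA.DISABLE_POLICY('HR', 'EMPLOYEES', 'POL_SALARY_DEPT80')
EXEC DBMS_FGA.ENABLE_POLICY ('HR', 'EMPLOYEES', 'POL_SALARY_DEPT80')
EXEC DBMS_FGA.DROP_POLICY   ('HR', 'EMPLOYEES', 'POL_SALARY_DEPT80')

-- 6. The catalog view for FGA policies: confirm what exists and whether it is enabled.
SELECT object_schema, object_name, policy_name, enabled, policy_column,
       sel, ins, upd, del, audit_trail
FROM   dba_audit_policies;
```

The handler is the piece standard auditing cannot give you: it is where an alert, a page, or a write to a separate store can be attached to a single sensitive access. Keep it defensive, because a failing handler turns the audit control into a denial of service against legitimate users.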
Exercise 6-6: Use Standard Database Auditing
In this exercise you will enable standard database auditing and see the results, using either Database Control or SQL*Plus. If you use Database Control, be sure to click the SHOW SQL button whenever possible to see the SQL statements being generated.
1 Connect to your database as user SYSTEM and create a user and a table to be
used for the exercise:
create user auditor identified by oracle;
create table system.audi as select * from all_users;
grant create session, select any table to auditor;
grant select on audi to auditor;
2 Enable auditing of use of the SELECT ANY TABLE system privilege (this command applies to all users, which includes AUDITOR), and of all accesses to the table AUDI. With SQL*Plus:
audit select any table by access;
audit all on system.audi by access;
With Database Control, this can be done from the Audit Settings window.
3 Connect to the database as user SYS. This is necessary, as this step involves restarting the instance. Set the audit trail destination to DB_EXTENDED (records go to the database, with the SQL text and bind values included), enable auditing of privileged users, and bounce the instance. Using SQL*Plus:
alter system set audit_trail='DB_EXTENDED' scope=spfile;
alter system set audit_sys_operations=true scope=spfile;
startup force;
Using Database Control, a possible navigation path from the database home page is to take the Server tab, and then the Audit Settings link in the Security section. Clicking the link labeled Audit Trail in the Configuration section will take you to a window where you can modify the parameter settings in the spfile. Alternatively, go directly to the Initialization Parameters window from the Server tab by taking the Initialization Parameters link in the Database Configuration section.
Set the two parameters in the spfile, and then from the database home page shut down and restart the database.
4 While connected as SYS, all statements will be audited. Run this statement:
select count(*) from system.audi;
5 If using Linux or Unix, identify the location of the system audit trail by querying the parameter AUDIT_FILE_DEST. This is where the records of SYS operations are written, irrespective of the setting of AUDIT_TRAIL. With SQL*Plus:
select value from v$parameter where name='audit_file_dest';
Using an operating system utility, navigate to this directory and open the most recently created file.
If using Microsoft Windows, open the Application Log in the Event Viewer.
Either way, you will see the SELECT statement that you executed as SYS, with details of the operating system user and hostname.
6 Connect to the database as AUDITOR, and run these queries:
select count(*) from system.audi;
select count(*) from system.product_user_profile;
7 As user SYSTEM, run this query to see the audit events:
select sql_text,priv_used,action_name from dba_audit_trail where username='AUDITOR';
Note that the lowest possible privilege is used: access to the AUDI table was through the SELECT object privilege, not through the much more powerful SELECT ANY TABLE system privilege that was needed to get to PRODUCT_USER_PROFILE.
8 Tidy up:
drop user auditor;
drop table system.audi;
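Checks a practitioner would add between step 7 and the tidy-up, as an added example that is not part of the exercise: confirm from the data dictionary that the parameters and audit options are really in force, then use DBA_AUDIT_TRAIL as a detection source rather than only as a place to look up one user. It runs as SYSTEM (or any account with SELECT on these views) and assumes nothing beyond the objects the exercise creates; the time windows and the threshold in the last query are arbitrary choices for the example.

```sql
-- Added example (not part of Exercise 6-6). Standard Oracle 11g views only.

-- 1. Parameters that must be in effect. AUDIT_TRAIL and AUDIT_SYS_OPERATIONS
--    are static, so what v$parameter shows is the value after the restart in step 3.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_sys_operations', 'audit_file_dest');

-- 2. What the two AUDIT commands in step 2 actually set. A NULL USER_NAME means
--    "all users"; SUCCESS/FAILURE read 'BY ACCESS' for privilege auditing and
--    'A/A' (by access, on success and on failure) for object auditing.
SELECT user_name, privilege, success, failure
FROM   dba_priv_audit_opts
WHERE  privilege = 'SELECT ANY TABLE';

SELECT owner, object_name, sel, ins, upd, del, alt, gra
FROM   dba_obj_audit_opts
WHERE  owner = 'SYSTEM' AND object_name = 'AUDI';

-- 3. Privilege-use detection. PRIV_USED names the system privilege that satisfied
--    the access check and is empty when an object privilege sufficed (step 7), so
--    "ANY" privileges exercised by non-administrative accounts stand out.
SELECT extended_timestamp, username, os_username, userhost, action_name,
       priv_used, owner || '.' || obj_name AS object, sql_text
FROM   dba_audit_trail
WHERE  priv_used LIKE '%ANY%'
AND    username NOT IN ('SYS', 'SYSTEM')
AND    extended_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
ORDER  BY extended_timestamp DESC;

-- 4. Failures. RETURNCODE is the ORA- error number, 0 on success: 1031 is
--    "insufficient privileges" (probing), 1017 is "invalid username/password".
SELECT extended_timestamp, username, userhost, action_name, returncode,
       owner || '.' || obj_name AS object, sql_text
FROM   dba_audit_trail
WHERE  returncode <> 0
AND    extended_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY extended_timestamp DESC;

-- 5. Password-guessing indicator: repeated failed logons per account and host.
--    Logon records exist only if AUDIT SESSION (or AUDIT CREATE SESSION) is in force.
SELECT username, userhost, COUNT(*) AS failures,
       MIN(extended_timestamp) AS first_seen, MAX(extended_timestamp) AS last_seen
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode  = 1017
AND    extended_timestamp > SYSTIMESTAMP - INTERVAL '1' HOUR
GROUP  BY username, userhost
HAVING COUNT(*) >= 5
ORDER  BY failures DESC;
```

Query 2 is the one that catches silent failures: an AUDIT command issued before AUDIT_TRAIL was set to DB or DB_EXTENDED is accepted and stored, but nothing is written until the parameter is in effect, which is why step 3 restarts the instance.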
Two-Minute Drill
Create and Manage Database User Accounts
• Users connect to a user account, which is coupled with a schema
• All users must be authenticated before they can connect
• A user must have a quota on a tablespace before they create any objects
• A user who owns objects cannot be dropped, unless the CASCADE keyword
is used
Grant and Revoke Privileges
• By default, a user can do nothing; they cannot even log on
• Direct privileges are always enabled
• A revocation of a system privilege does not cascade; a revocation of an object privilege does
Create and Manage Roles
• Roles are not schema objects
• Roles can contain both system and object privileges, and other roles
• A role can be enabled or disabled for a session
Create and Manage Profiles
• Profiles can manage passwords and resource limits
• Password limits are always enforced; resource limits are dependent on an
instance parameter
• Every user is associated with a profile, which by default is the DEFAULT profile
Database Security and Principle of Least Privilege
• Everything not specifically permitted should be forbidden
• The database administrator and the system administrator should not be the
same person
• Privileges granted to the PUBLIC role must be monitored
• Security-critical instance parameters must be monitored and cannot be
changed without restarting the instance
Work with Standard Database Auditing
• Database auditing can be oriented toward privileges, commands, or objects
• Audit records can be directed toward a database table or an operating system file
• Database audit records are stored in the SYS.AUD$ data dictionary table
• Fine-grained auditing can be directed toward particular rows and columns
• Auditing can also be implemented with database triggers
Self Test
1 How can you permit users to connect without requiring them to authenticate
themselves? (Choose the best answer.)
A Grant CREATE SESSION to PUBLIC
B Create a user such as this, without a password:
CREATE USER ANON IDENTIFIED BY '';
C Create a profile that disables password authentication and assign it to the
users
D You cannot do this because all users must be authenticated
2 You create a user with this statement:
create user jon identified by oracle default tablespace example;
What more must be done before he can create a table in the EXAMPLE
tablespace? (Choose all correct answers.)
A Nothing more is necessary
B Give him a quota on EXAMPLE
C Grant him the CREATE TABLE privilege
D Grant him the CREATE SESSION privilege
E Grant him the MANAGE TABLESPACE privilege
3 If a user owns tables in a tablespace, what will be the effect of attempting to reduce their quota on the tablespace to zero? (Choose the best answer.)
A The tables will survive, but INSERTs will fail
B The tables will survive but cannot get bigger
C The attempt will fail unless the tables are dropped first
D The tables will be dropped automatically if the CASCADE keyword is used
4 If you create a user without specifying a temporary tablespace, what temporary tablespace will be assigned? (Choose the best answer.)
A You must specify a temporary tablespace
B SYSTEM
C TEMP
D The database default temporary tablespace
E The user will not have a temporary tablespace
5 You issue these commands:
a grant select on hr.regions to jon;
b grant all on hr.regions to jon;
c grant dba to jon;
d grant select on hr.regions to public;
Which grants could be revoked to prevent JON from seeing the contents of
HR.REGIONS? (Choose all correct answers.)
A a, b, c, and d
B a, c, and d
C b, c, and d
D c and d
E a, b, and c
6 Which of these statements about system privileges are correct? (Choose all correct answers.)
A Only the SYS and SYSTEM users can grant system privileges
B If a system privilege is revoked from you, it will also be revoked from all
users to whom you granted it
C If a system privilege is revoked from you, it will not be revoked from all
users to whom you granted it
D CREATE TABLE is a system privilege
E CREATE ANY TABLE is a system privilege
7 Study this script (line numbers have been added):
1 create role hr_role identified by pass;
2 grant create table to hr_role;
3 grant select table to hr_role;
4 grant connect to hr_role;
Which line will cause an error? (Choose the best answer.)
A Line 1, because only users, not roles, have passwords
B Line 2, because only users, not roles, can create and own tables
C Line 3, because SELECT TABLE is not a privilege
D Line 4, because a role cannot have a system privilege in addition to table
privileges
8 Which of these statements is incorrect regarding roles? (Choose the best
answer.)
A You can grant object privileges and system privileges and roles to a role
B A role cannot have the same name as a table
C A role cannot have the same name as a user
D Roles can be enabled or disabled within a session
9 You have created a profile with LIMIT SESSIONS_PER_USER 1 and granted
it to a user, but you find that they are still able to log on several times
concurrently. Why could this be? (Choose the best answer.)
A The user has been granted CREATE SESSION more than once
B The user has been granted the DBA role
C The RESOURCE_LIMIT parameter has not been set
D The RESOURCE_MANAGER_PLAN parameter has not been set
10 Which of these can be controlled by a password profile? (Choose all correct
answers.)
A Two or more users choosing the same password
B Preventing the reuse of a password by the same user
C Forcing a user to change password
D Enabling or disabling password file authentication
11 Under what circumstances should you set the REMOTE_LOGIN_PASSWORDFILE
instance parameter to EXCLUSIVE? (Choose two correct answers.)
A You need a SYSDBA connection when you are logged on to a machine other than the server
B You want to disable operating system authentication
C You want to add users to the password file
D You want to prevent other users from being added to the password file
12 If you execute this command as user SYSTEM, it will fail Why? (Choose the
best answer.)
alter system set audit_sys_operations=false;
A The parameter can only be changed by the SYS user
B The parameter can only be adjusted in NOMOUNT or MOUNT mode, and SYSTEM can only connect when the database is OPEN
C The principle of “separation of duties” means that only the system administrator, not the database administrator, can change this parameter
D The parameter is a static parameter
13 What conditions must hold before a database session can create a file stored
by the operating system of the server? (Choose three correct answers.)
A The session must be connected to a database account with execute permission on the package UTL_FILE
B The session must be connected to a database account with execute permission on the package DBMS_OUTPUT
C The parameter UTL_FILE_DIR must have been set
D The parameter DB_WRITER_PROCESSES must be set to greater than zero
E The parameter DB_CREATE_FILE_DEST must be set
F The operating system account under which the Oracle instance is running must have write permission on the directory that will store the file
14 If you want a block of PL/SQL code to run whenever certain data is accessed
with a SELECT statement, what auditing technique could you use? (Choose the best answer.)
A Database auditing
B Fine-grained auditing
C Database triggers
D You cannot do this
15 What is necessary to audit actions done by a user connected with the SYSDBA
privilege? (Choose the best answer.)
A Set the AUDIT_SYS_OPERATIONS instance parameter to TRUE
B Use database auditing to audit use of the SYSDBA privilege
C Set the REMOTE_LOGIN_PASSWORDFILE instance parameter to NONE, so that SYSDBA connections can only be made with operating system authentication. Then set the AUDIT_TRAIL parameter to OS, and make sure that the DBA does not have access to it
D This is not possible: any user with SYSDBA privilege can always bypass the
auditing mechanisms
16 Where can you see the results of standard database auditing? (Choose all
correct answers.)
A In the DBA_AUDIT_TRAIL view, if the AUDIT_TRAIL parameter is set to DB
B In the DBA_COMMON_AUDIT_TRAIL view, if the AUDIT_TRAIL
parameter is set to DB
C In the operating system audit trail, if the AUDIT_TRAIL parameter is set to OS
D In the operating system audit trail, if the AUDIT_TRAIL parameter is set
to XML
17 You issue this statement:
audit select on hr.emp by access;
but when you issue the command:
select * from hr.emp where employee_id=0;
no audit record is generated Why might this be? (Choose the best answer.)
A You are connected as SYS, and the parameter AUDIT_SYS_OPERATIONS is
set to FALSE
B The AUDIT_TRAIL parameter is set to NONE
C The statement did not access any rows; there is no row with EMPLOYEE_
ID equal to zero
D The instance must be restarted before any change to auditing comes into
effect
Self Test Answers
1 ✓ D. All users must be authenticated.
✗ A, B, C. A is wrong because while this will give all users permission to connect, they will still have to authenticate. B is wrong because a NULL is not acceptable as a password. C is wrong because a profile can only manage passwords, not disable them.
2 ✓ B, C, and D. All these actions are necessary.
✗ A and E. A is wrong because without privileges and quota, JON cannot connect and create a table. E is wrong because this privilege lets you manage a tablespace, not create objects in it.
3 ✓ B. It will not be possible to allocate further extents to the tables.
✗ A, C, and D. A is wrong because inserts will succeed as long as there is space in the extents already allocated. C is wrong because there is no need to drop the tables. D is wrong because CASCADE cannot be applied to a quota command.
4 ✓ D. There is always a database-wide default, which (by default) is SYSTEM. In many cases, it will have been set to TEMP.
✗ A, B, C, and E. A is wrong because there is a default. B is wrong because the default may not be SYSTEM (though it is by default). C is wrong because while TEMP is a frequently used default, it may not be. E is wrong because all user accounts must have a temporary tablespace.
5 ✓ A, B, and C. Any of these sets of revocations will prevent the access.
✗ D and E. D is wrong because the grants in (a) and (b) will remain in effect. Note that ALL is implemented as a set of grants (or revokes) of each privilege, so it is not necessary to grant or revoke SELECT as well as ALL. E is wrong because the grant to PUBLIC in (d) will remain in effect.
6 ✓ C, D, and E. C is correct because the revocation of a system privilege does not cascade. D and E are correct because any action that updates the data dictionary is a system privilege.
✗ A and B. A is wrong because system privileges can be granted by any user who has been granted the privilege WITH ADMIN OPTION. B is wrong because the revocation of a system privilege does not cascade.
7 ✓ C. There is no such privilege as SELECT TABLE; it is granted implicitly with CREATE TABLE.
✗ A, B, and D. A is wrong because roles can be password protected. B is wrong because even though tables must be owned by users, permission to create them can be granted to a role. D is wrong because a role can have any combination of object and system privileges.
8 ✓ B. Roles are not schema objects, and so can have the same names as tables.
✗ A, C, and D. A is wrong because roles can have any combination of system, object, and role privileges. C is wrong because roles cannot have the same names as users. D is wrong because roles can be enabled and disabled at any time.
9 ✓ C. The RESOURCE_LIMIT parameter will default to FALSE, and without this resource limits are not enforced.
✗ A, B, and D. A is wrong because this privilege controls whether users can connect to the account at all, not how many times. B is wrong because no role can exempt a user from profile limits. D is wrong because this parameter controls which Resource Manager plan is active, which is not relevant to whether resource limits are enforced.
10 ✓ B and C. These are both password limits.
✗ A and D. A is wrong because this cannot be prevented by any means. D is wrong because profiles only apply to password authentication; password file authentication is managed separately.
11 ✓ A and C. Password file authentication is necessary if SYSDBA connections need to be made across a network, and if you want to grant SYSDBA or SYSOPER to any other database users.
✗ B and D. B is wrong because operating system authentication can never be disabled. D is wrong because EXCLUSIVE doesn't exclude users; it means one password file per instance.
12 ✓ D. No matter who you are connected as, the parameter is static and will therefore require a SCOPE=SPFILE clause when changing it.
✗ A, B, and C. A is wrong because SYSTEM can adjust the parameter (as can anyone to whom the ALTER SYSTEM privilege has been granted). B is wrong because the parameter can be changed in any mode, if the SCOPE is SPFILE. C is wrong because the system administrator cannot change parameters: only a database administrator can do this.
13 ✓ A, C, and F. The necessary conditions are that the session must be able to execute the UTL_FILE procedures, and that the UTL_FILE_DIR parameter must point to a directory on which the Oracle user has the necessary permissions.
✗ B, D, and E. B is wrong because DBMS_OUTPUT is used to write to the user process, not to the operating system. D is wrong because DB_WRITER_PROCESSES controls the number of database writers. E is wrong because DB_CREATE_FILE_DEST sets a default location for datafiles.
14 ✓ B. A fine-grained auditing policy can nominate a PL/SQL procedure (the handler) to run whenever the audit condition is met.
✗ A, C, and D. A is wrong because database auditing can do no more than record events. C is wrong because database triggers can only be defined for DML and not for SELECT statements. D is wrong because FGA can indeed do this.
15 ✓ A. Setting this parameter is all that is necessary, though on Unix and Linux you may want to adjust AUDIT_FILE_DEST as well.
✗ B, C, and D. B is wrong because this is a privilege whose use cannot be audited, because it can apply before the database is open. C is wrong because the method of gaining SYSDBA access is not relevant to whether it is audited. D is wrong because SYS cannot bypass this audit technique.
16 ✓ A, B, C, and D. These are all correct.
✗ None.