Auditing Enhancements (DBMS_AUDIT_MGMT) in Oracle Database 11g Release 2
Oracle 11g Release 1 turned on auditng by default for the first time. Oracle 11g Release 2 now allows better management of the audit trail using theDBMS_AUDIT_MGMT package.- Moving the Database Audit Trail to a Different Tablespace
- Controlling the Size and Age of the OS Audit Trail
- Purging Audit Trail Records
Related articles.
- Fine Grained Auditing (9i)
- Auditing in Oracle 10g Release 2
- Fine Grained Auditing Enhancements (10g)
- Uniform Audit Trail (10g)
- Audit Trail Contents (10g)
Moving the Database Audit Trail to a Different Tablespace
TheSET_AUDIT_TRAIL_LOCATION procedure allows you to alter the location of the standard and/or fine-grained database audit trail. It does not currently allow the alteration of the OS audit trail, although the documentation suggests this may happen in future. The procedure accepts two parameters.AUDIT_TRAIL_TYPE: They type of audit trail that is to be moved.AUDIT_TRAIL_LOCATION_VALUE: The tablespace the audit trail tables should be moved to.
AUDIT_TRAIL_TYPE parameter is specified using one of three constants.DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD: Standard audit trail (AUD$).DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD: Fine-grained audit trail (FGA_LOG$).DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD: Both standard and fine-grained audit trails.
CONN / AS SYSDBA
SELECT table_name, tablespace_name
FROM dba_tables
WHERE table_name IN ('AUD$', 'FGA_LOG$')
ORDER BY table_name;
TABLE_NAME TABLESPACE_NAME
------------------------------ ------------------------------
AUD$ SYSTEM
FGA_LOG$ SYSTEM
SQL>
Next, create a new tablespace to hold the audit trail.Then we move the standard audit trail to the new tablespace.CREATE TABLESPACE audit_aux DATAFILE '/u01/app/oracle/oradata/DB11G/audit_aux01.dbf' SIZE 1M AUTOEXTEND ON NEXT 1M;
BEGIN
DBMS_AUDIT_MGMT.set_audit_trail_location(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
audit_trail_location_value => 'AUDIT_AUX');
END;
/
BEGIN
DBMS_AUDIT_MGMT.set_audit_trail_location(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
audit_trail_location_value => 'AUDITORIA');
END;
/
PL/SQL procedure successfully completed.
SQL>
-- Check locations.
SELECT table_name, tablespace_name
FROM dba_tables
WHERE table_name IN ('AUD$', 'FGA_LOG$')
ORDER BY table_name;
TABLE_NAME TABLESPACE_NAME
------------------------------ ------------------------------
AUD$ AUDIT_AUX
FGA_LOG$ SYSTEM
SQL>
Next we move the fine-grained audit trail.
BEGIN
DBMS_AUDIT_MGMT.set_audit_trail_location(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
audit_trail_location_value => 'AUDIT_AUX');
END;
/
PL/SQL procedure successfully completed.
SQL>
-- Check locations.
SELECT table_name, tablespace_name
FROM dba_tables
WHERE table_name IN ('AUD$', 'FGA_LOG$')
ORDER BY table_name;
TABLE_NAME TABLESPACE_NAME
------------------------------ ------------------------------
AUD$ AUDIT_AUX
FGA_LOG$ AUDIT_AUX
SQL>
Finally, we move them both back to their original location in a single step.
BEGIN
DBMS_AUDIT_MGMT.set_audit_trail_location(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
audit_trail_location_value => 'SYSTEM');
END;
/
PL/SQL procedure successfully completed.
SQL>
-- Check locations.
SELECT table_name, tablespace_name
FROM dba_tables
WHERE table_name IN ('AUD$', 'FGA_LOG$')
ORDER BY table_name;
TABLE_NAME TABLESPACE_NAME
------------------------------ ------------------------------
AUD$ SYSTEM
FGA_LOG$ SYSTEM
SQL>
The AUDIT_AUX tablespace is no longer used so we can drop it.The time it takes to move the audit trail tables depends on the amount of data currently in the audit trail tables, and the resources available on your system.DROP TABLESPACE audit_aux;
Controlling the Size and Age of the OS Audit Trail
TheSET_AUDIT_TRAIL_PROPERTY procedure allows you to set the maximum size and/or age of the OS audit trail files. The procedure can set parameters for several purposes, but I will restrict the discussion to only those relevant to this section. A full list of the constants available can be found here.The procedure accepts three parameters.
AUDIT_TRAIL_TYPE: The type of audit trail to be modified (AUDIT_TRAIL_OS,AUDIT_TRAIL_XMLorAUDIT_TRAIL_FILES).AUDIT_TRAIL_PROPERTY: The name of the property to be set (OS_FILE_MAX_SIZEorOS_FILE_MAX_AGE).AUDIT_TRAIL_PROPERTY_VALUE: The required value for the property.
DBA_AUDIT_MGMT_CONFIG_PARAMS view.These defaults mean that OS and XML audit trail files will grow to a maximum of 10,000Kb, at which point a new file will be created. In addition, files older than 5 days will not be written to any more, even if they are below the maximum file size. Instead, a new file will be created and written to. Here are some examples of changing the settings.COLUMN parameter_name FORMAT A30 COLUMN parameter_value FORMAT A20 COLUMN audit_trail FORMAT A20 SELECT * FROM dba_audit_mgmt_config_params WHERE parameter_name LIKE 'AUDIT FILE MAX%'; PARAMETER_NAME PARAMETER_VALUE AUDIT_TRAIL ------------------------------ -------------------- -------------------- AUDIT FILE MAX SIZE 10000 OS AUDIT TRAIL AUDIT FILE MAX SIZE 10000 XML AUDIT TRAIL AUDIT FILE MAX AGE 5 OS AUDIT TRAIL AUDIT FILE MAX AGE 5 XML AUDIT TRAIL SQL>
-- Set the Maximum size of OS audit files to 15,000Kb.
BEGIN
DBMS_AUDIT_MGMT.set_audit_trail_property(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
audit_trail_property => DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE,
audit_trail_property_value => 15000);
END;
/
SELECT *
FROM dba_audit_mgmt_config_params
WHERE parameter_name LIKE 'AUDIT FILE MAX%';
PARAMETER_NAME PARAMETER_VALUE AUDIT_TRAIL
------------------------------ -------------------- --------------------
AUDIT FILE MAX SIZE 15000 OS AUDIT TRAIL
AUDIT FILE MAX SIZE 10000 XML AUDIT TRAIL
AUDIT FILE MAX AGE 5 OS AUDIT TRAIL
AUDIT FILE MAX AGE 5 XML AUDIT TRAIL
SQL>
-- Set the Maximum age of XML audit files to 10 days.
BEGIN
DBMS_AUDIT_MGMT.set_audit_trail_property(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_XML,
audit_trail_property => DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE,
audit_trail_property_value => 10);
END;
/
SELECT *
FROM dba_audit_mgmt_config_params
WHERE parameter_name LIKE 'AUDIT FILE MAX%';
PARAMETER_NAME PARAMETER_VALUE AUDIT_TRAIL
------------------------------ -------------------- --------------------
AUDIT FILE MAX SIZE 15000 OS AUDIT TRAIL
AUDIT FILE MAX SIZE 10000 XML AUDIT TRAIL
AUDIT FILE MAX AGE 5 OS AUDIT TRAIL
AUDIT FILE MAX AGE 10 XML AUDIT TRAIL
SQL>
The CLEAR_AUDIT_TRAIL_PROPERTY procedure can be used to remove the size and age restrictions, or reset them to the default values. Setting the USE_DEFAULT_VALUES parameter value to FALSE removes the restrictions, while setting it to TRUE returns the restriction to the default value.-- Reset the max size default values for both OS and XML audit file. BEGIN DBMS_AUDIT_MGMT.clear_audit_trail_property( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FILES, audit_trail_property => DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE, use_default_values => TRUE ); END; / SELECT * FROM dba_audit_mgmt_config_params WHERE parameter_name LIKE 'AUDIT FILE MAX%'; PARAMETER_NAME PARAMETER_VALUE AUDIT_TRAIL ------------------------------ -------------------- -------------------- AUDIT FILE MAX SIZE 10000 OS AUDIT TRAIL AUDIT FILE MAX SIZE 10000 XML AUDIT TRAIL AUDIT FILE MAX AGE 5 OS AUDIT TRAIL AUDIT FILE MAX AGE 10 XML AUDIT TRAIL SQL> -- Remove the max age restriction for both OS and XML audit file. BEGIN DBMS_AUDIT_MGMT.clear_audit_trail_property( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FILES, audit_trail_property => DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE, use_default_values => FALSE ); END; / SELECT * FROM dba_audit_mgmt_config_params WHERE parameter_name LIKE 'AUDIT FILE MAX%'; PARAMETER_NAME PARAMETER_VALUE AUDIT_TRAIL ------------------------------ -------------------- -------------------- AUDIT FILE MAX SIZE 10000 OS AUDIT TRAIL AUDIT FILE MAX SIZE 10000 XML AUDIT TRAIL AUDIT FILE MAX AGE NOT SET OS AUDIT TRAIL AUDIT FILE MAX AGE NOT SET XML AUDIT TRAIL SQL> -- Reset the max age default values for both OS and XML audit file. BEGIN DBMS_AUDIT_MGMT.clear_audit_trail_property( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FILES, audit_trail_property => DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE, use_default_values => TRUE ); END; / SELECT * FROM dba_audit_mgmt_config_params WHERE parameter_name LIKE 'AUDIT FILE MAX%'; PARAMETER_NAME PARAMETER_VALUE AUDIT_TRAIL ------------------------------ -------------------- -------------------- AUDIT FILE MAX SIZE 10000 OS AUDIT TRAIL AUDIT FILE MAX SIZE 10000 XML AUDIT TRAIL AUDIT FILE MAX AGE 5 OS AUDIT TRAIL AUDIT FILE MAX AGE 5 XML AUDIT TRAIL SQL>
Purging Audit Trail Records
As with previous versions, you can manually delete records from theAUD$ and FGA_LOG$ tables and manually delete OS audit files from the file system, but DBMS_AUDIT_MGMT package gives you some new and safer mechanisms for maintaining the audit trail.Note. If you are using Oracle Audit Vault, use that to manage your audit trail, not this functionality.
Initializing the Management Infrastructure
Before you can purge the database audit trail you must perform a one-time initialization of the audit management infrastructure. This is done using theINIT_CLEANUP procedure. The procedure accepts two parameters.AUDIT_TRAIL_TYPE: The audit trail to be initialized (Constants).DEFAULT_CLEANUP_INTERVAL: The default interval in hours, after which the cleanup procedure should be called again (1-999).
- It claims that initializing the database audit trails move the
AUD$andFGA_LOG$tables from the SYSTEM tablespace to the SYSAUX tablespace, unless they have already been moved out of the SYSTEM tablespace. This doesn't seem to be the case as the example below will show. Even though it doesn't happen automatically, it makes sense to move the audit tables into the SYSAUX tablespace or their own dedicated tablespace. - It claims it is not necessary to initialize the OS audit trails, yet in the example below you can clearly see the default cleanup intervals being set by the initialization process.
COLUMN parameter_name FORMAT A30
COLUMN parameter_value FORMAT A20
COLUMN audit_trail FORMAT A20
SELECT * FROM dba_audit_mgmt_config_params;
PARAMETER_NAME PARAMETER_VALUE AUDIT_TRAIL
------------------------------ -------------------- --------------------
DB AUDIT TABLESPACE SYSTEM STANDARD AUDIT TRAIL
DB AUDIT TABLESPACE SYSTEM FGA AUDIT TRAIL
AUDIT FILE MAX SIZE 10000 OS AUDIT TRAIL
AUDIT FILE MAX SIZE 10000 XML AUDIT TRAIL
AUDIT FILE MAX AGE 5 OS AUDIT TRAIL
AUDIT FILE MAX AGE 5 XML AUDIT TRAIL
DB AUDIT CLEAN BATCH SIZE 10000 STANDARD AUDIT TRAIL
DB AUDIT CLEAN BATCH SIZE 10000 FGA AUDIT TRAIL
OS FILE CLEAN BATCH SIZE 1000 OS AUDIT TRAIL
OS FILE CLEAN BATCH SIZE 1000 XML AUDIT TRAIL
SQL>
BEGIN
DBMS_AUDIT_MGMT.init_cleanup(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
default_cleanup_interval => 12 /* hours */);
END;
/
PL/SQL procedure successfully completed.
SQL>
SELECT * FROM dba_audit_mgmt_config_params;
PARAMETER_NAME PARAMETER_VALUE AUDIT_TRAIL
------------------------------ -------------------- --------------------
DB AUDIT TABLESPACE SYSTEM STANDARD AUDIT TRAIL
DB AUDIT TABLESPACE SYSTEM FGA AUDIT TRAIL
AUDIT FILE MAX SIZE 10000 OS AUDIT TRAIL
AUDIT FILE MAX SIZE 10000 XML AUDIT TRAIL
AUDIT FILE MAX AGE 5 OS AUDIT TRAIL
AUDIT FILE MAX AGE 5 XML AUDIT TRAIL
DB AUDIT CLEAN BATCH SIZE 10000 STANDARD AUDIT TRAIL
DB AUDIT CLEAN BATCH SIZE 10000 FGA AUDIT TRAIL
OS FILE CLEAN BATCH SIZE 1000 OS AUDIT TRAIL
OS FILE CLEAN BATCH SIZE 1000 XML AUDIT TRAIL
DEFAULT CLEAN UP INTERVAL 12 OS AUDIT TRAIL
PARAMETER_NAME PARAMETER_VALUE AUDIT_TRAIL
------------------------------ -------------------- --------------------
DEFAULT CLEAN UP INTERVAL 12 STANDARD AUDIT TRAIL
DEFAULT CLEAN UP INTERVAL 12 FGA AUDIT TRAIL
DEFAULT CLEAN UP INTERVAL 12 XML AUDIT TRAIL
Notice that the 'DB AUDIT TABLESPACE' for the database audit trails are unchanged and the 'DEFAULT CLEAN UP INTERVAL' for all four audit trails has been set.The current initialization status of a specific audit trail can be checked using the
IS_CLEANUP_INITIALIZED.
SET SERVEROUTPUT ON
BEGIN
IF DBMS_AUDIT_MGMT.is_cleanup_initialized(DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
DBMS_OUTPUT.put_line('YES');
ELSE
DBMS_OUTPUT.put_line('NO');
END IF;
END;
/
YES
PL/SQL procedure successfully completed.
SQL>
To deconfigure the audit management infrastructure run the DEINIT_CLEANUP procedure.
BEGIN
DBMS_AUDIT_MGMT.deinit_cleanup(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL);
END;
/
Timestamp Management
The next thing to consider before purging the audit trail is how much data you wish to purge. TheDBMS_AUDIT_MGMT package allows us to purge all the records, or all the records older than a specific timestamp. The timestamp in question is specified individually for each audit trail using the SET_LAST_ARCHIVE_TIMESTAMP procedure, which accepts three parameters.AUDIT_TRAIL_TYPE: The audit trail whose timestamp is to be set (Constants). Only individual audit trails are valid, not the constants that specify multiples.LAST_ARCHIVE_TIME: Records or files older than this time will be deleted.RAC_INSTANCE_NUMBER: Optionally specify the RAC node for OS audit trails. If unset it assumes the current instance.
DBA_AUDIT_MGMT_LAST_ARCH_TS view.
BEGIN
DBMS_AUDIT_MGMT.set_last_archive_timestamp(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
last_archive_time => SYSTIMESTAMP-5);
END;
/
COLUMN audit_trail FORMAT A20
COLUMN last_archive_ts FORMAT A40
SELECT * FROM dba_audit_mgmt_last_arch_ts;
AUDIT_TRAIL RAC_INSTANCE LAST_ARCHIVE_TS
-------------------- ------------ ----------------------------------------
STANDARD AUDIT TRAIL 0 13-DEC-09 01.57.54.000000 PM +00:00
SQL>
The timestamps for each audit trail can be cleared to allow a complete purge using the CLEAR_LAST_ARCHIVE_TIMESTAMP procedure.
BEGIN
DBMS_AUDIT_MGMT.clear_last_archive_timestamp(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD);
END;
/
Manual Purge
TheCLEAN_AUDIT_TRAIL procedure is the basic mechanism for manually purging the audit trail. It accepts two parameters.AUDIT_TRAIL_TYPE: The audit trail to be purged (Constants).USE_LAST_ARCH_TIMESTAMP: Set to FALSE to purge all records/files, or TRUE to only purge records/files older than the timestamp specified for the audit trail.
SELECT * FROM dba_audit_mgmt_last_arch_ts;
AUDIT_TRAIL RAC_INSTANCE LAST_ARCHIVE_TS
-------------------- ------------ ----------------------------------------
STANDARD AUDIT TRAIL 0 13-DEC-09 01.57.54.000000 PM +00:00
SQL>
SELECT COUNT(*) FROM aud$;
COUNT(*)
----------
2438
SQL>
BEGIN
DBMS_AUDIT_MGMT.clean_audit_trail(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
use_last_arch_timestamp => TRUE);
END;
/
PL/SQL procedure successfully completed.
SELECT COUNT(*) FROM aud$;
COUNT(*)
----------
76
SQL>
Automated Purging
TheCREATE_PURGE_JOB procedure allows you to schedule a job to call the CLEAN_AUDIT_TRAIL procedure. When creating a purge job you can specify 4 parameters.AUDIT_TRAIL_TYPE: The audit trail to be purged by the scheduled job (Constants).AUDIT_TRAIL_PURGE_INTERVAL: The interval in hours between purges.AUDIT_TRAIL_PURGE_NAME: A name for the purge job.USE_LAST_ARCH_TIMESTAMP: Set to FALSE to purge all records/files, or TRUE to only purge records/files older than the timestamp specified for the audit trail.
DBA_SCHEDULER_JOBS view.
BEGIN
DBMS_AUDIT_MGMT.create_purge_job(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
audit_trail_purge_interval => 24 /* hours */,
audit_trail_purge_name => 'PURGE_ALL_AUDIT_TRAILS',
use_last_arch_timestamp => TRUE);
END;
/
PL/SQL procedure successfully completed.
SQL>
SELECT job_action
FROM dba_scheduler_jobs
WHERE job_name = 'PURGE_ALL_AUDIT_TRAILS';
JOB_ACTION
--------------------------------------------------------------------------------
BEGIN DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(15, TRUE); END;
SQL>
The job can be disabled and enabled using the SET_PURGE_JOB_STATUS procedure.
BEGIN
DBMS_AUDIT_MGMT.set_purge_job_status(
audit_trail_purge_name => 'PURGE_ALL_AUDIT_TRAILS',
audit_trail_status_value => DBMS_AUDIT_MGMT.PURGE_JOB_DISABLE);
DBMS_AUDIT_MGMT.set_purge_job_status(
audit_trail_purge_name => 'PURGE_ALL_AUDIT_TRAILS',
audit_trail_status_value => DBMS_AUDIT_MGMT.PURGE_JOB_ENABLE);
END;
/
The interval of the purge job can be altered using the SET_PURGE_JOB_INTERVAL procedure.
BEGIN
DBMS_AUDIT_MGMT.SET_PURGE_JOB_INTERVAL(
audit_trail_purge_name => 'PURGE_ALL_AUDIT_TRAILS',
audit_trail_interval_value => 48);
END;
/
Purge jobs are removed using the DROP_PURGE_JOB procedure.
BEGIN
DBMS_AUDIT_MGMT.drop_purge_job(
audit_trail_purge_name => 'PURGE_ALL_AUDIT_TRAILS');
END;
/
There are two things to note about the automated functionality.- If purge jobs use the last archived timestamp and you do not manually move this timestamp forward, the job will run and have nothing to purge. You should reset the timestamp using
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMPwhen you have made an archive of the audit information, that way your audit information is secure and the job can purge the excess data. - The purge job functionality is simply a wrapper over the
DBMS_SCHEDULERpackage to make automating purge jobs easier.
BEGIN
DBMS_SCHEDULER.create_job (
job_name => 'audit_last_archive_time',
job_type => 'PLSQL_BLOCK',
job_action => 'BEGIN
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD, TRUNC(SYSTIMESTAMP)-90);
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD, TRUNC(SYSTIMESTAMP)-90);
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS, TRUNC(SYSTIMESTAMP)-90);
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_XML, TRUNC(SYSTIMESTAMP)-90);
END;',
start_date => SYSTIMESTAMP,
repeat_interval => 'freq=daily; byhour=0; byminute=0; bysecond=0;',
end_date => NULL,
enabled => TRUE,
comments => 'Automatically set audit last archive time.');
END;
/
No hay comentarios:
Publicar un comentario