Custom Audit Events

You can define a database audit policy for auditing system commands, users, objects, and so on. However, the database audit policy does not inherently support several Oracle Database Vault events.

Oracle Database Vault defines custom events that you can choose to audit. This enables you to audit events that the database audit policy does not cover. For example, if run-time access control processing fails to retrieve the identifier for a factor, the audit options set for that factor may require the failure to be audited.

The following list describes some of the custom audit events:

Access Control Session Initialization Failed: The security administrator can audit instances where the access control session fails to initialize (ACTION 10007 in Table A–2).

Command Rule Audit: Command rules allow or disallow SQL statements based on rule sets. The security administrator may choose to audit the rule set processing results. Both successful and failed processing can be audited (ACTION 10005, Command Authorization Audit).

Factor Assignment Audit: A factor can have an associated rule set that is used to assign an identity to the factor at run time. The security administrator may choose to audit the rule set processing results. Both successful and failed processing can be audited (ACTION 10001).

Factor Evaluation Audit: The security administrator may choose to audit instances where a factor identity cannot be resolved and assigned (such as No data found or Too many rows). Both successful and failed retrievals can be audited (ACTION 10000).

Oracle Label Security Attempt to Upgrade Session Label Failed: The security administrator can audit instances where the Oracle Label Security component prevents a session from setting a label that exceeds the maximum session label (ACTION 10010).

Oracle Label Security Session Initialization Failed: The security administrator can audit instances where the Oracle Label Security session fails to initialize (ACTION 10009).

Realm Authorization Audit: Realm authorizations can be managed using rule sets. The security administrator can audit the rule set processing results (ACTION 10004).

Realm Violation Audit: A realm violation occurs when the database account performing an action on a realm object is not authorized to perform that action in the realm. The security administrator can choose to audit realm violations (ACTION 10003).

Secure Role Audit: Secure application roles can be set based on rule sets. The security administrator can choose to audit the associated rule set processing (ACTION 10006).

The Oracle Database Vault custom audit event records are stored in the AUDIT_TRAIL$ table, which is part of the DVSYS schema. These audit records are not part of the typical Oracle Database audit trail, so they are not covered by whatever retention or archiving you apply to the standard audit trail; you must define a separate archiving policy for this table.

Table A–2 describes the format of the audit trail.

See Also:

"Audit Options" on page 4-6 (for factors)

"Audit Options" on page 6-3 (for rule sets)

Defining Realm Authorization in Chapter 3, "Configuring Realms"

Chapter 9, "Generating Oracle Database Vault Reports" for information about viewing the audit reports

Table A–2 Audit Trail Format

Parameter  Type  Description

OS_USERNAME  VARCHAR2(255)  Operating system login user name of the user whose actions were audited

USERNAME  VARCHAR2(30)  Name of the database user whose actions were audited

USERHOST  VARCHAR2(128)  Client computer name

TERMINAL  VARCHAR2(255)  Identifier for the user's terminal

TIMESTAMP  DATE  Date and time of creation of the audit trail entry (in the local database session time zone)

OWNER  VARCHAR2(30)  Creator of the object affected by the action; always DVSYS, because DVSYS is where Oracle Database Vault objects are created

OBJ_NAME  VARCHAR2(128)  Name of the object affected by the action. Expected values are ROLE$, REALM$, CODE$, and FACTOR$

ACTION  NUMBER  Numeric action type code. The corresponding name of the action type is in the ACTION_NAME column. Expected ACTION and ACTION_NAME values are:
  10000: Factor Evaluation Audit
  10001: Factor Assignment Audit
  10002: Factor Expression Audit
  10003: Realm Violation Audit
  10004: Realm Authorization Audit
  10005: Command Authorization Audit
  10006: Secure Role Audit
  10007: Access Control Session Initialization Audit
  10008: Access Control Command Authorization Audit
  10009: Oracle Label Security Session Initialization Audit
  10010: Oracle Label Security Attempt to Upgrade Label Audit

ACTION_NAME  VARCHAR2(128)  Name of the action type corresponding to the numeric code in the ACTION column. You can extend the audit trail to include your own ACTION_NAME text, based on the audit events passed.

ACTION_OBJECT_ID  NUMBER  The unique identifier of the record in the table specified under OBJ_NAME

ACTION_OBJECT_NAME  VARCHAR2(128)  The unique name or natural key of the record in the table specified under OBJ_NAME

SQL_TEXT  VARCHAR2(2000)  The SQL text of the command or procedure whose execution triggered the audit event

AUDIT_OPTION  VARCHAR2(4000)  The labels for all audit options specified in the record that triggered the audit event. For example, a factor set operation configured to audit on get failure and on get NULL would list these two options.

RULE_SET_ID  NUMBER  The unique identifier of the rule set that was executing and caused the audit event to trigger

RULE_SET_NAME  VARCHAR2(30)  The unique name of the rule set that was executing and caused the audit event to trigger

RULE_ID  NUMBER  The unique identifier of the rule that was executing and caused the audit event to trigger

RULE_NAME  VARCHAR2(30)  The unique name of the rule that was executing and caused the audit event to trigger

FACTOR_CONTEXT  VARCHAR2(4000)  An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered

COMMENT_TEXT  VARCHAR2(4000)  Text comment on the audit trail entry, providing more information about the statement audited

SESSIONID  NUMBER  Numeric identifier for each Oracle session

STATEMENTID  NUMBER  Numeric identifier for the statement invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events.

RETURNCODE  NUMBER  Oracle error code generated by the action, that is, the error code for the statement or procedure invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events.

CLIENT_ID  NUMBER  Client identifier for the Oracle session that triggered the audit event

EXTENDED_TIMESTAMP  TIMESTAMP(6) WITH TIME ZONE  Time stamp of creation of the audit trail entry (time stamp of user login for entries) in UTC (Coordinated Universal Time)

PROXY_SESSIONID  NUMBER  Proxy session serial number, if an enterprise user has logged in through the proxy mechanism

GLOBAL_UID  VARCHAR2(32)  Global user identifier for the user, if the user has logged in as an enterprise user

INSTANCE_NUMBER  NUMBER  Instance number as specified by the INSTANCE_NUMBER initialization parameter

OS_PROCESS  VARCHAR2(16)  Operating system process identifier of the Oracle process
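The queries below show how the custom events listed earlier and the columns in Table A–2 are used together when reviewing the Oracle Database Vault audit trail: realm violations by account, rule-set driven events grouped so that a noisy or consistently failing rule set stands out, and factor evaluation events together with the comment that explains them. They are added here as an example and are not part of the Oracle documentation. They assume that the connected account can select from DVSYS.AUDIT_TRAIL$ (in a Database Vault installation this is normally an account granted DV_SECANALYST or DV_OWNER) and that the 24-hour and 7-day windows are review periods chosen for illustration.

```sql
-- Added example, not Oracle's own code. Assumes SELECT access on
-- DVSYS.AUDIT_TRAIL$ and that the time windows below are your review period.
-- EXTENDED_TIMESTAMP is stored in UTC with a time zone, so comparing it to
-- SYSTIMESTAMP is safe regardless of the session time zone.

-- 1. Realm violations (ACTION 10003) in the last 24 hours. ACTION_OBJECT_NAME
--    holds the natural key of the REALM$ row, i.e. the realm name. A cluster
--    of rows for one USERNAME/OS_USERNAME pair is the signal worth chasing.
SELECT extended_timestamp,
       username,
       os_username,
       userhost,
       action_object_name AS realm_name,
       sql_text
  FROM dvsys.audit_trail$
 WHERE action = 10003
   AND extended_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY extended_timestamp DESC;

-- 2. Rule-set driven events over the last 7 days: factor assignment (10001),
--    realm authorization (10004), command authorization (10005), secure role
--    (10006) and access control command authorization (10008). AUDIT_OPTION
--    records which audit option fired (for example an "audit on failure"
--    option), so grouping on it separates failures from successes without
--    relying on RETURNCODE, which is empty for most Database Vault events.
SELECT action_name,
       rule_set_name,
       rule_name,
       audit_option,
       COUNT(*) AS events
  FROM dvsys.audit_trail$
 WHERE action IN (10001, 10004, 10005, 10006, 10008)
   AND extended_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
 GROUP BY action_name, rule_set_name, rule_name, audit_option
 ORDER BY events DESC;

-- 3. Factor evaluation events (ACTION 10000). ACTION_OBJECT_NAME is the
--    FACTOR$ row's natural key (the factor name). COMMENT_TEXT is the column
--    that carries the reason (for example that the lookup returned no data or
--    too many rows); FACTOR_CONTEXT gives every factor identifier the session
--    had at that moment, which is what you need to reproduce the evaluation.
SELECT extended_timestamp,
       username,
       sessionid,
       action_object_name AS factor_name,
       audit_option,
       comment_text,
       factor_context
  FROM dvsys.audit_trail$
 WHERE action = 10000
   AND extended_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY extended_timestamp DESC;
```

Because this table sits outside the standard database audit trail, these queries only see what you have kept: run them before your own archiving job for DVSYS.AUDIT_TRAIL$ removes rows, or point them at the archive copy.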
