Skip Headers
Oracle® Database Firewall Administration Guide
Release 5.0

Part Number E18695-08
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

B Oracle Database Firewall Database Schema

This appendix contains:

About the Oracle Database Firewall Schema

The Oracle Database Firewall tables are stored in the SECURELOG schema. This schema contains a set of logically related tables, which are described in this appendix.

Summary Tables

This section contains:

About the Summary Tables

The summary tables store general information about the data that is being monitored, such as the names of the users logging in, the monitored databases, user sessions, database traffic, events, and so on.

applied_baselines Table

Table B-1 provides the name of the policy that is currently used for while traffic is being captured.

Table B-1 applied_baselines Table

Column Datatype NULL Description

baseline_id

INTEGER

NOT NULL

Unique ID of this record

name

VARCHAR2(1024)

NOT NULL

Name of the baseline (also available from traffic_summaries view (Table B-13))

database_id

INTEGER

NOT NULL

ID of the protected database in the protected_databases table (Table B-6)


database_user_addresses Table

Table B-2 provides IP addresses that are expected to be used by a user who has accessed the protected database.

Table B-2 database_user_addresses Table

Column Datatype NULL Description

address_id

INTEGER

NOT NULL

ID of the address record in this table

user_id

INTEGER

NULL

ID of the database user in the database_users table (Table B-3)

address

VARCHAR2(30)

NULL

Expected IP address of the user (possible one of many)


database_users Table

Table B-3 records each user who has accessed a protected database.

Table B-3 database_users Table

Column Datatype NULL Description

user_id

INTEGER

NOT NULL

ID of the user record in this table

user_name

VARCHAR2(255)

NULL

Name of the user who started the session (also available from traffic_summaries view Table B-13)

database_id

INTEGER

NULL

ID of the protected database in the protected_databases table (Table B-6)

terminated_at

TIMESTAMP

NULL

Time that the session was ended

is_admin

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if the user is an administrator of the database

is_predefined

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if the user is a predefined user of the database (that is, automatically created when the protected_databases table (Table B-6) was created)


dictionary Table

Table B-4 provides a set of mappings from coded values to meaningful text. This table is useful in generating understandable text in a report, without hard-coding the values into the report query. The tables throughout this appendix use values listed in this table. For example, several tables have a column entitled cluster_type. The values possible for the cluster_type column are listed in the dictionary table.

Table B-4 dictionary Table

Column Datatype NULL Description

category

VARCHAR2(30)

NOT NULL

Name of item. Possible values:

  • dialect (database product)

  • event_action

  • log_action

  • logging_code

  • threat_severity

  • cluster_type

  • doa_object_type

  • doa_object_subtype

  • doa_object_class

  • doa_edit_type

  • database_event_type

  • record_type

  • response_status

  • log_cause

  • event_action_code

  • session_data_origin

value

INTEGER

NOT NULL

Value of the item listed in the category column. For example, if the category is dialect and the database product listed is Oracle, then the value listed here is 2.

name

VARCHAR2(100)

NULL

Description of value listed in the value column. For example, if the category is dialect and the value is 2, then the name listed here is Oracle.


protected_database_addresses Table

Table B-5 provides address and port details for each protected database.

Table B-5 protected_database_addresses Table

Column Datatype NULL Description

address_id

INTEGER

NOT NULL

Unique ID of this record

address

VARCHAR2(255)

NOT NULL

IP address of the protected database

port_number

INTEGER

NOT NULL

Port number used to access the protected database

database_id

INTEGER

NULL

ID of the protected database in the protected_databases table (Table B-6)


protected_databases Table

Table B-6 provides details about each protected database.

Table B-6 protected_databases Table

Column Datatype NULL Description

database_id

INTEGER

NOT NULL

Unique ID of the database

name

VARCHAR2(250)

NOT NULL

Name of the database

dialect

SMALLINT

NOT NULL

SQL dialect:

  • 1 - Microsoft SQL Server

  • 2 - Oracle

  • 5 - Sybase

  • 7 - IBM DB2 (Linux, UNIX, Windows)

description

VARCHAR2(250)

NULL

Description of the database

is_sox_database

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if SOX reports can be produced from the database (also available from traffic_summaries view (Table B-13))

is_pci_database

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if PCI reports can be produced from the database (also available from traffic_summaries view (Table B-13))

is_dpa_database

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if DPA reports can be produced from the database (also available from traffic_summaries view (Table B-13))

is_glba_database

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if GLBA reports can be produced from the database (also available from traffic_summaries view (Table B-13))

is_hipaa_database

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if HIPAA reports can be produced from the database (also available from traffic_summaries view (Table B-13))


sources Table

Table B-7 provides details about the source of an event: either the relevant hardware (or virtual) device for events that apply system-wide, or the monitoring enforcement point for events detected by monitoring.

Table B-7 sources Table

Column Datatype NULL Description

id

INTEGER

NOT NULL

Unique ID of the source of the event, which can be an appliance (physical server), in the case of syslog messages, or the enforcement point (in the case of database traffic related events, or enforcement point related syslog messages).

time

TIMESTAMP

NOT NULL

Time that the source of the event was added to the database

name

VARCHAR2(30)

NOT NULL

Short name of the source of the event

is_hardware

CHAR (ONLY:'0','1')

NULL

Set to 1 if the source of the event is a syslog source other than an enforcement point


summary_clusters Table

Table B-8 provides information about individual clusters for the purpose of reporting. As well as providing a unique identity to each cluster, this table provides an example statement that would appear in the cluster.

Table B-8 summary_clusters Table

Column Datatype NULL Description

cluster_id

INTEGER

NOT NULL

Source ID of the binary data

grammar_version

INTEGER

NOT NULL

Grammar-specific version number

dialect

SMALLINT

NOT NULL

SQL dialect:

  • 1 - Microsoft SQL Server

  • 2 - Oracle

cluster_type

SMALLINT

NOT NULL

Type of statements included in the cluster:

  • 0 - Composite

  • 1 - Data manipulation

  • 2 - Data definition

  • 3 - Data control

  • 4 - Procedural statement

  • 5 - Data manipulation

  • 6 - Transaction

  • 7 - Transaction composite

  • 8 - Invalid

See also traffic_summaries view (Table B-13)

representation

CLOB

NOT NULL

String representation of cluster (path). Not used

cluster_example

CLOB

NULL

An example of a statement in the cluster (also available from traffic_summaries view (Table B-13)


summary_records Table

Table B-9 provides primary information collected in the traffic log, as an hourly summary of the count of occurrences of each cluster.

Table B-9 summary_records Table

Column Datatype NULL Description

summary_id

INTEGER

NOT NULL

Unique ID of the summary record

session_id

INTEGER

NOT NULL

ID of the session in the summary_sessions table

attribute_set_id

INTEGER

NOT NULL

Set with session attributes

cluster_id

INTEGER

NOT NULL

ID of the cluster in the summary_clusters table (Table B-9); also available from traffic_summaries view (Table B-13)

attribute_id

INTEGER

NULL

ID of the attribute in the summary_statement_attributes table (Table B-11).

grammar_version

INTEGER

NOT NULL

Grammar-specific version number

response_status

INTEGER

NOT NULL

Response code of the statement for database response monitoring:

  • 0 - Undefined

  • 1 - Unknown

  • 2 - Login success

  • 3 - Login fail

  • 4 - Statement success

  • 5 - Statement fail

See also traffic_summaries view (Table B-13)

time

TIMESTAMP

NOT NULL

Time that the SQL statement was captured by the Database Firewall (also available from traffic_summaries view (Table B-13))

threat_severity

INTEGER

NOT NULL

Threat severity of the statements:

  • 0 - Unassigned

  • 1 - Insignificant

  • 2 - Minor

  • 3 - Moderate

  • 4 - Major

  • 5 - Catastrophic

See also traffic_summaries view (Table B-13)

logging_code

SMALLINT

NOT NULL

Logging level of the statements:

  • 0 - Unassigned

  • 1 - Never

  • 2 - Sample

  • 3 - Always

  • 4 - Once

  • 5 - Unique

See also traffic_summaries view (Table B-13)

action_code

SMALLINT

NOT NULL

Action level of the statements:

  • 1 - Known blocked

  • 2 - Known warned

  • 3 - Unseen blocked

  • 4 - Unseen warned

See also traffic_summaries view (Table B-13)

statement_count

INTEGER

NULL

Number of statements that have the same characteristics, as listed above (also available from traffic_summaries view (Table B-13))


summary_sessions Table

A new session is started when a client application successfully logs into a database. This session lasts for as long as the connection exists (often, until the application logs out from the database, although the session may terminate in a less controlled way). Sessions are associated with a client application, and with the authentication or identification information (primarily the user name) used to establish the connection. A simple client application creates a single session, or in some cases, one session after another. More complex applications may have many simultaneously active sessions.

Note:

This table does not record each session. Instead, a new record is added when one or more of the fields (source_id, client, user_id, baseline_id, and dialect_version) is different from an existing record.

Table B-10 provides details about each database session, typically identified by the source address of the session.

Table B-10 summary_sessions Table

Column Datatype NULL Description

session_id

INTEGER

NOT NULL

Unique ID of the database session

source_id

INTEGER

NULL

ID of the sources in the sources table (also available from traffic_summaries view Table B-13)

client

VARCHAR2(30)

NULL

IP address of the database client (also available from traffic_summaries view Table B-13)

user_id

INTEGER

NULL

ID of the user who started the session (Table B-3)

baseline_id

INTEGER

NULL

ID of the policy in the applied_baselines table (Table B-1)

dialect_version

VARCHAR2(20)

NULL

Not used

application_name

VARCHAR2(255)

NULL

Name of the client program used in this session

os_user_name

VARCHAR2(255)

NULL

Operating system user name


summary_statement_attributes Table

Table B-11 stores statement attribute values that can be summarized from the summary_records table.

Table B-11 summary_statement_attributes Table

Column Datatype NULL Description

id

INTEGER

NULL

ID of each record in this table

hash

INTEGER

NULL

Result of the CRC32 (Cyclic Redundancy Check) of the concatenation of all attribute values. This is for internal use only to enable fast searching.

f5_response_code

VARCHAR2(4000)

NULL

HTTP response code

Note: This and the remaining fields in this table are relevant to the F5 BIG-IP ASM integration only. See Chapter 11, "Using Oracle Database Firewall with BIG-IP ASM," for more information.

f5_method

VARCHAR2(4000)

NULL

HTTP request method

f5_protocol

VARCHAR2(4000)

NULL

Request protocol

f5_uri

VARCHAR2(4000)

NULL

Requested resource

f5_ip

VARCHAR2(15)

NULL

Web client IP address

f5_web_application_name

VARCHAR2(64)

NULL

Web application name

f5_unit_hostname

VARCHAR2(64)

NULL

Name of the WAF box

f5_management_ip_address

VARCHAR2(15)

NULL

IP address of the WAF management interface

f5_policy_name

VARCHAR2(128)

NULL

WAF policy name

f5_x_forwarded_for_header_value

VARCHAR2(4000)

NULL

List of IP addresses provided by X-FORWARDED-FOR field in HTTP request

f5_request_blocked

CHAR (ONLY:'0','1')

NULL

Set to 1 if the http request was blocked

f5_web_username

VARCHAR2(128)

NULL

Name of the Web user

f5_referer

VARCHAR2(4000)

NULL

HTTP referrer

f5_web_host

VARCHAR2(256)

NULL

Web application server name

f5_user_agent

VARCHAR2(1024)

NULL

IHTTP user agent

f5_cardinal_ip

VARCHAR2(15)

NULL

IP address of the client that initiated the HTTP request. It is either the client IP address of the HTTP connection over which the request was issued, or if the HTTP header record "X-FORWARDED-FOR" is present, then it's value is used.

f5_primary_violation

VARCHAR2(64)

NULL

Violation from attr_f5_violations that have the highest priority

f5_match_result

VARCHAR2(4000)

NULL

One of the following:

  • 1 - PolicyConflict

  • 2 - PolicyConfirmed

  • 3 - WAFBlocked

  • 4 - NoMatchDataMasked

  • 5 - NoMatch


traffic_events Table

Table B-12 provides details about events that have been transmitted, or potentially transmitted, over syslog by the enforcement point. These events ares primarily alerts from monitoring.

Table B-12 traffic_events Table

Column Datatype NULL Description

event_id

INTEGER

NOT NULL

Unique ID of the traffic event

source_id

INTEGER

NOT NULL

ID of the source event in the sources table "sources Table")

time

TIMESTAMP

NOT NULL

Time of the event

cluster_id

INTEGER

NULL

ID of the cluster

action

INTEGER

NULL

Action level of the cluster that the statement belongs to:

  • 0 - Unassigned

  • 1 - Block

  • 2 - Warn

  • 3 - Pass

threat_severity

INTEGER

NULL

Threat severity of the cluster:

  • 0 - Unassigned

  • 1 - Insignificant

  • 2 - Minor

  • 3 - Moderate

  • 4 - Major

  • 5 - Catastrophic

log_level

INTEGER

NULL

Logging level of the cluster:

  • 0 - Unassigned

  • 1 - Never

  • 2 - Sample

  • 3 - Always

  • 4 - Once

  • 5 - Unique

db_client

VARCHAR2(30)

NULL

IP address of the database client that sent the statement

db_server

VARCHAR2(30)

NULL

IP address of the database server

db_user

VARCHAR2(255)

NULL

Name of the database user who sent the statement

web_user

VARCHAR2(255)

NULL

Name of the Web user (available only in WAF alerts)

web_application

VARCHAR2(255)

NULL

Web application name (available only in WAF alerts)

http_protocol

VARCHAR2(255)

NULL

Request protocol (available only in WAF alerts):

  • http

  • https

http_method

VARCHAR2(255)

NULL

HTTP request method (available only in WAF alerts). For example, POST, GET, and so on

http_uri

VARCHAR2(255)

NULL

Requested resource (available only in WAF alerts). For example: faq.asp

http_query_string

VARCHAR2(2048)

NULL

Request. for example, GET parameters: action=save

http_referrer

VARCHAR2(255)

NULL

HTTP referrer (available only in WAF alerts). For example: http://192.0.2.220

http_host

VARCHAR2(255)

NULL

Web application server name (available only in WAF alerts). Can be an IP address (for example, 192.0.2.220)

http_user_agent

VARCHAR2(255)

NULL

HTTP user agent (available only in WAF alerts). For example, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1

http_response_code

VARCHAR2(30)

NULL

HTTP response code (available only in WAF alerts)

http_request

VARCHAR2(2048)

NULL

Full HTTP request. Includes POST data (available only in WAF alerts)

waf_host_name

VARCHAR2(255)

NULL

Name of the WAF appliance (available only in WAF alerts)

waf_management_ip

VARCHAR2(30)

NULL

IP address of the WAF management interface (available only in WAF alerts)

waf_policy_name

VARCHAR2(255)

NULL

WAF policy name (available only in WAF alerts)

waf_policy_date

TIMESTAMP

NULL

The time when the WAF policy was applied (available only in WAF alerts)

waf_support_id

VARCHAR2(255)

NULL

Unique ID of the event in the WAF system (available only in WAF alerts)

waf_request_blocked

VARCHAR2(30)

NULL

TRUE if the http request was blocked (available only in WAF alerts)

waf_session_cookies

VARCHAR2(512)

NULL

Contains all the session cookies sent with the HTTP request (available only in WAF alerts)

primary_violation

VARCHAR2(255)

NULL

Violation with the highest priority (available only in WAF alerts)

cardinal_ip

VARCHAR2(30)

NULL

IP address of attacker

match_result

INTEGER

NULL

One of the following (which are available only in WAF alerts):

  • 1 - Confirmed

  • 2 - Not confirmed

  • 3 - Not proven

statement_id

INTEGER

NULL

Unique ID of the statement (sequential number)

statement

VARCHAR2(2048)

NULL

SQL statement string (may be truncated)


traffic_summaries View

Table B-13 provides a view to data in other tables.

Table B-13 traffic_summaries View

Column Datatype NULL Description

db_name

VARCHAR2(250)

NOT NULL

Name of the protected database:

  • Microsoft SQL Server

  • Oracle

  • Sybase ASE

  • Sybase SQL Anywhere

  • DB2/LUW (Linux, UNIX, Windows)

dialect

SMALLINT

NOT NULL

SQL dialect used by the database:

  • 1 - Microsoft SQL Server

  • 2 - Oracle

  • 5 - Sybase ASE

  • 6 - Sybase SQL Anywhere

  • 8 - DB2/LUW (Linux, UNIX, Windows)

is_sox_database

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if SOX reports can be produced from the database (from protected_databases (Table B-6))

is_pci_database

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if PCI reports can be produced from the database (from protected_databases (Table B-6))

is_dpa_database

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if DPA reports can be produced from the database (from protected_databases (Table B-6))

is_glba_database

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if GLBA reports can be produced from the database (from protected_databases (Table B-6))

is_hipaa_database

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if HIPAA reports can be produced from the database (from protected_databases (Table B-6))

baseline_name

VARCHAR2(1024)

NOT NULL

Name of the baseline

grammar_version

INTEGER

NOT NULL

Grammar version

client

VARCHAR2(30)

NULL

IP address of the database client

user_name

VARCHAR2(255)

NULL

Name of the database user

dialect_version

VARCHAR2(20)

NULL

Not used

source_id

INTEGER

NULL

ID of the source in the sources table (Table B-7)

application_name

VARCHAR2(255)

NULL

The application name used as a client software in this session

os_user_name

VARCHAR2(255)

NULL

Operating system user name

cluster_example

CLOB

NULL

An example statement in the cluster

time

TIMESTAMP

NOT NULL

Time of the statement count

cluster_id

INTEGER

NOT NULL

ID of the cluster (from summary_records table (Table B-9))

threat_severity

INTEGER

NOT NULL

Threat severity of the statements:

  • 0 - Unassigned

  • 1 - Insignificant

  • 2 - Minor

  • 3 - Moderate

  • 4 - Major

  • 5 - Catastrophic

logging_code

SMALLINT

NOT NULL

Logging level of the statements:

  • 0 - Unassigned

  • 1 - Never

  • 2 - Sample

  • 3 - Always

  • 4 - Once

  • 5 - Unique

action_code

SMALLINT

NOT NULL

Action level of the statements:

  • 1 - Known blocked

  • 2 - Known warned

  • 3 - Unseen blocked

  • 4 - Unseen warned

cluster_type

SMALLINT

NOT NULL

Type of statements included in the cluster:

  • 0 - Composite

  • 1 - Data manipulation

  • 2 - Data definition

  • 3 - Data control

  • 4 - Procedural statement

  • 5 - Data manipulation

  • 6 - Transaction

  • 7 - Transaction composite

  • 8 - Invalid

response_status

INTEGER

NOT NULL

Response code of the statement:

  • 0 - Undefined

  • 1 - Unknown

  • 2 - Login success

  • 3 - Login fail

  • 4 - Statement success

  • 5 - Statement fail

statement_count

INTEGER

NULL

Number of SQL statements that have the same characteristics, as listed in this table


Relationship Diagram of the Summary Tables

Figure B-1 illustrates the relationships between the summary database tables.

Figure B-1 Relationship Diagram of the Summary Tables

Description of Figure B-1 follows
Description of "Figure B-1 Relationship Diagram of the Summary Tables"

Log Forensic Tables

This section contains:

About the Forensic Tables

The forensic tables contain information about all the SQL statements that Oracle Database Firewall logs. Because the amount of data can be large, Oracle Database Firewall enables you to query the log files through the Administration Console. It stores these log files in the two tables described in this section, traffic_log_queries and traffic_log_query_results.

To search through the log files:

  1. Log in to the standalone Database Firewall or Management Server Administration Console.

    See "Logging in to the Administration Console" for more information.

  2. Select the Reporting tab.

  3. In the Traffic Log menu, select either Search Log or Log Search Results.

    See Oracle Database Firewall Security Management Guide for more information about accessing the traffic log.

In addition to these two tables, for each search, Oracle Database Firewall creates a new table. This table is derived from traffic_log_query_results and has a name in form of traffic_log_query_results_id where id is the identifier of the search. This table is deleted when the entry in the traffic_log_queries table for a given search is deleted.

traffic_log_queries Table

Table B-14 provides the properties of each log search, such as the period that the log search covers and the filter settings. Each use of Search Log in the reporting page of the Administration Console adds a new row to the table. See Table B-15 for more information about the meaning of each field.

Table B-14 traffic_log_queries Table

Column Datatype NULL Description

id

INTEGER

NOT NULL

Unique ID for the query

title

VARCHAR2(100)

NULL

The title of the report

started_at

TIMESTAMP

NULL

The time when the query was started

finished_at

TIMESTAMP

NULL

The time when the query was finished

aborted_at

TIMESTAMP

NULL

The time when the user cancelled the query

deleted_at

TIMESTAMP

NULL

The time when the query was deleted

results_table

VARCHAR2(30)

NULL

The name of the results table: traffic_log_query_results_id, where id is an integer that specifies the ID of the search (see Table B-15)

time_from

TIMESTAMP

NOT NULL

The begin of the data time range to be extracted (filtering)

time_to

TIMESTAMP

NOT NULL

The end of the data time range to be extracted (filtering)

real_time_from

INTERVAL DAY(3) TO SECOND(2)

NULL

The beginning of the time range relative to end of the time range

real_time_from

INTERVAL DAY(3) TO SECOND(2)

NULL

The ending of the time range relative to arbitrary time

filter

CLOB

NULL

Filter to reduce the number of entries

records_limit

INTEGER

NULL

Specifies the maximum number of records that should be extracted (filtering) (NULL is not recommended.)

records_count

INTEGER

NULL

Records how many records were found and displayed in the Administration Console

searched_files

INTEGER

NULL

Records how many files have already been searched and displayed in the Administration Console

total_files

INTEGER

NULL

Records how many files are be searched and displayed in the Administration Console

status

VARCHAR2(255)

NULL

Status for the search


traffic_log_query_results Table

Table B-15 provides a template for traffic_log_query_results_id, where id is an integer that specifies the ID of the search. The table stores the results of a log search and contains one row for each SQL statement retrieved. The table traffic_log_query_results_id is created automatically when a log search is performed, and is deleted when the user deletes the log search.

Table B-15 traffic_log_query_results Table

Column Datatype NULL Description

id

INTEGER

NOT NULL

ID of this result set

query_id

INTEGER

NULL

ID of the query used to define this result set

logfile_id

INTEGER

NULL

ID of the log file containing this particular statement.

statement_id

INTEGER

NULL

ID of the statement or event

record_type

SMALLINT

NOT NULL

Type of the record:

  • 1 - Statement record

  • 2 - Session record

source_name

VARCHAR2(30)

NULL

Name of the device that collected the log file

origin

VARCHAR2(255)

NULL

Origin of the record. Can be one of the following:

  • dbfw

  • f5

  • dbfw,f5

protected_database

VARCHAR2(250)

NULL

Name of the protected database

database_dialect

SMALLINT

NOT NULL

The database type (dialect) of the protected database:

  • 1 - Microsoft SQL Server

  • 2 - Oracle

  • 5 - Sybase

  • 7 - IBM DB2 (Linux, UNIX, Windows)

user_name

VARCHAR2(255)

NULL

Database user name associated with the statement

user_name_origin

SMALLINT

NULL

Origin of the database user name:

  • 0 - Undefined

  • 1 - Generated

  • 2 - Network

  • 3 - DB query

raw_user_name

VARCHAR2(255)

NULL

The database user name that was used at the time Oracle Database Firewall applied the statement policy

session_seq

INTEGER

NULL

Internal session sequence number

client_ip

VARCHAR2(30)

NULL

IP address of the database client that sent the statement

client_port

INTEGER

NULL

Port number of the database client that sent the statement

server_ip

VARCHAR2(30)

NULL

IP address of the database server that received the statement

server_port

INTEGER

NULL

Port number of the database server that received the statement

baseline

VARCHAR2(1024)

NULL

Name of the policy used when the statement was recorded

traffic_source

VARCHAR2(30)

NULL

Source of the traffic:

  • network

  • local agent

dialect_version

VARCHAR2(20)

NULL

Internal version or revision of the grammar implementation

statement

CLOB

NOT NULL

Statement text captured by the system

time

TIMESTAMP

NOT NULL

Time when the statement was captured by the system

threat_severity

INTEGER

NOT NULL

Threat severity of the statement:

  • 0 - Unassigned

  • 1 - Insignificant

  • 2 - Minor

  • 3 - Moderate

  • 4 - Major

  • 5 - Catastrophic

logging_code

SMALLINT

NOT NULL

Logging level of the statement:

  • 0 - Unassigned

  • 1 - Never

  • 2 - Sample

  • 3 - Always

  • 4 - Once

  • 5 - Unique

log_cause

SMALLINT

NOT NULL

Reason for logging the statement:

  • 0 - Undefined

  • 1 - Cluster

  • 2 - Novelty

  • 3 - Baseline anomaly

  • 4 - Invalid SQL

  • 5 - WAF

  • 6 - Login

  • 7 - Logout

action_code

SMALLINT

NOT NULL

Action level of the statement:

  • 1 - Known blocked

  • 2 - Known warned

  • 3 - Unseen blocked

  • 4 - Unseen warned

event_action_code

SMALLINT

NULL

Alert criterion that caused the statement to be logged:

  • 0 - Undefined

  • 1 - No alert

  • 2 - Always alert

  • 3 - Alert on success

  • 4 - Alert on failure

  • 5 - Block

freq_code

INTEGER

NOT NULL

Number of the statements that this record represents.

  • In log all mode, the value is 1, because each statement is logged separately.

  • In log unique mode, the value is 1, because only the first occurrence with the unique combination of user name, IP address and cluster is logged.

  • In log sample mode, the value can be greater than 1.

cluster_id

INTEGER

NOT NULL

Global ID of the cluster associated with the statement

cluster_type

INTEGER

NOT NULL

Type or class of statement included in the cluster:

  • 0 - Composite

  • 1 - Data manipulation

  • 2 - Data definition

  • 3 - Data control

  • 4 - Procedural statement

  • 5 - Data manipulation

  • 6 - Transaction

  • 7 - Transaction composite

  • 8 - Invalid

grammar_version

INTEGER

NOT NULL

Grammar-specific version number

response_code

INTEGER

NULL

Response code returned by the database server

response_text

CLOB

NULL

Error message returned by a database query failure

response_detailed_status

CLOB

NULL

Detailed text of the response returned by the database server

failure_count

INTEGER

NULL

Number of subsequent failed statements

response_time

TIMESTAMP

NULL

Time that Oracle Database Firewall captures the statement response

response_status

INTEGER

NULL

Status of the response:

  • 0 - Undefined

  • 1 - Unknown

  • 2 - Login success

  • 3 - Login fail

  • 4 - Statement success

  • 5 - Statement fail

transaction_time

DOUBLE PRECISION

NULL

Difference between response time and request time

application_name

VARCHAR2(255)

NULL

Name of the client application connected to the database

application_name_origin

SMALLINT

NULL

Origin of the application:

  • 0 - Undefined

  • 1 - Generated

  • 2 - Network

  • 3 - DB query

os_user_name

VARCHAR2(255)

NULL

Operating system user name that executed the statement

os_user_name_origin

SMALLINT

NULL

Origin of the operating system user:

  • 0 - Undefined

  • 1 - Generated

  • 2 - Network

  • 3 - DB query

attr_f5_request

CLOB

NULL

Full HTTP request, including POST data

Note: This and the remaining fields in this table are relevant to the F5 BIG-IP ASM integration only. See Appendix 11, "Using Oracle Database Firewall with BIG-IP ASM," for more information.

attr_f5_headers

CLOB

NULL

HTTP request

attr_f5_response_code

CLOB

NULL

HTTP response code

attr_f5_method

CLOB

NULL

HTTP request method

attr_f5_protocol

CLOB

NULL

Request protocol

attr_f5_uri

CLOB

NULL

Requested resource

attr_f5_query_string

CLOB

NULL

Part of the URL containing request parameters sent using the GET method

attr_f5_ip

VARCHAR2(15)

NULL

Web client IP address

attr_f5_web_application_name

VARCHAR2(64)

NULL

Web application name

attr_f5_violations

CLOB

NULL

Identified WAF violations

attr_f5_unit_hostname

VARCHAR2(64)

NULL

Name of the WAF box

attr_f5_management_ip_address

VARCHAR2(15)

NULL

IP address of the WAF management interface

attr_f5_policy_name

VARCHAR2(128)

NULL

WAF policy name

attr_f5_policy_apply_date

TIMESTAMP

NULL

The time when the policy was applied

attr_f5_x_forwarded_for_header_value

CLOB

NULL

List of IP addresses provided by X-FORWARDED-FOR field in HTTP request.

attr_f5_support_id

VARCHAR2(20)

NULL

Unique ID of the event in the WAF system

attr_f5_request_blocked

CHAR (ONLY:'0','1')

NULL

Set to 1 if the HTTP request was blocked

attr_f5_web_username

VARCHAR2(128)

NULL

Name of the Web user

attr_f5_authentication_method

CLOB

NULL

Session authentication method

attr_f5_referer

CLOB

NULL

HTTP referrer

attr_f5_web_host

VARCHAR2(256)

NULL

Web application server name

attr_f5_user_agent

VARCHAR2(1024)

NULL

HTTP user agent

attr_f5_cardinal_ip

VARCHAR2(15)

NULL

IP address derived from attr_f5_ip and attr_f5_x_forwarded_for_header_value

attr_f5_primary_violation

VARCHAR2(64)

NULL

Violation from attr_f5_violations that have the highest priority

attr_f5_session_cookies

CLOB

NULL

Contains all the session cookies sent with the HTTP request

attr_f5_match_result

CLOB

 

Match result may be one of:

  • PolicyConflict

  • PolicyConfirmed

  • WAFBlocked

  • NoMatchDataMasked

  • NoMatch

attr_f5_match_tokens

CLOB

NULL

List of matched tokens


Stored Procedure and User Role Audit Tables

This section contains:

About the Stored Procedure and User Role Audit Tables

The database object auditing tables contain information about the stored procedures and user roles collected by the stored procedure auditing and user role auditing functions.

To find reports that describe the information captured in the Stored Procedure and User Role Audit tables:

  1. Log in to the standalone Database Firewall or Management Server Administration Console.

    See "Logging in to the Administration Console" for more information.

  2. Select the Reporting tab.

  3. Do one of the following:

doa_approved_edits Table

Table B-16 provides details about each set of changes to an object (stored procedure or user role) that have been approved. This information is used for user role auditing and stored procedure auditing.

Table B-16 doa_approved_edits Table

Column Datatype NULL Description

id

INTEGER

NOT NULL

Unique ID of the monitoring point auditing this object

source_id

INTEGER

NOT NULL

ID of the enforcement point monitoring the object

database_id

INTEGER

NULL

ID of the protected database

object_type

INTEGER

NOT NULL

Object type:

  • 0 - Undefined

  • 1 - Stored procedure

  • 2 - User

object_subtype

INTEGER

NOT NULL

Object subtype:

  • 0 - Undefined

  • 1 - Procedure

  • 2 - Function

  • 3 - Trigger

  • 4 - Package

  • 5 - Package body

  • 6 - Java source

  • 7 - Extended procedure

  • 8 - Scalar function

  • 9 - Inline table function

  • 10 - Replication filter

  • 11 - Table function

object_class

INTEGER

NOT NULL

Object class:

  • 0 - Undefined

  • 1 - System

  • 2 - User

name

VARCHAR2(1024)

NOT NULL

Name of the object

tags

VARCHAR2(2048)

NULL

Tags associated with the object

changes_summary

VARCHAR2(255)

NULL

Contains a summary of the set of changes approved (for example: 3 modifications). This is a copy of the value from doa_pending_approvals (Table B-20).

changed_by

VARCHAR2(2048)

NULL

Comma-separated list of the names of the database users who were responsible for the modifications (copy of the value from doa_pending_approvals (Table B-20

last_changed_at

VARCHAR2(2048)

NULL

The date and time when the object was changed

detected_at

TIMESTAMP

NOT NULL

The date and time when the change was detected on the Management Server

approved_by

VARCHAR2(255)

NOT NULL

The name of the Administration Console user who approved the set of changes

approved_at

TIMESTAMP

NOT NULL

The date and time when the changes were approved

user_comment

CLOB

NOT NULL

Comment added by the user when the changes were approved


doa_approved_objects Table

Table B-17 provides a summary of the last set of changes to an object (stored procedure or user role) that have been approved. This information is used for user role auditing and stored procedure auditing.

Table B-17 doa_approved_objects Table

Column Datatype NULL Description

id

INTEGER

NOT NULL

Unique ID of the object

source_id

INTEGER

NOT NULL

ID of the enforcement point monitoring the object

database_id

INTEGER

NULL

ID of the protected database

object_type

INTEGER

NOT NULL

Object type:

  • 0 - Undefined

  • 1 - Stored procedure

  • 2 - User

object_subtype

INTEGER

NOT NULL

Object subtype:

  • 0 - Undefined

  • 1 - Procedure

  • 2 - Function

  • 3 - Trigger

  • 4 - Package

  • 5 - Package body

  • 6 - Java source

  • 7 - Extended procedure

  • 8 - Scalar function

  • 9 - Inline table function

  • 10 - Replication filter

  • 11 - Table function

object_class

INTEGER

NOT NULL

Object class:

  • 0 - Undefined

  • 1 - System

  • 2 - User

name

VARCHAR2(1024)

NOT NULL

Name of the object

tags

VARCHAR2(2048)

NULL

Tags associated with the object

signature

VARCHAR2(40)

NULL

Hash of the object (base64) (signature change means object change)

changes_summary

VARCHAR2(255)

NULL

Summary of the changes

changed_by

VARCHAR2(2048)

NULL

Database users who modified the object

changed_at

TIMESTAMP

NULL

Time when the object was changed

approved_by

VARCHAR2(255)

NOT NULL

The name of the Administration Console user who approved the last set of changes

approved_at

TIMESTAMP

NOT NULL

The date and time when the changes were approved

content

CLOB

NULL

Current approved content of the object


doa_edit_comments Table

Table B-18 provides details about each comment added when approving changes. This information is used for user role auditing and stored procedure auditing.

Table B-18 doa_edit_comments Table

Column Datatype NULL Description

id

INTEGER

NOT NULL

Unique ID of the comment

approval_id

INTEGER

NOT NULL

ID of the pending approval in the doa_pending_approvals table (Table B-20)

user_comment

CLOB

NOT NULL

The comment text

created_by

VARCHAR2(255)

NOT NULL

The name of the Administration Console user who added the comment

created_at

TIMESTAMP

NOT NULL

The date and time that the comment was created


doa_edits Table

Table B-19 provide details about all approved objects. This information is used for stored procedure auditing and user role auditing.

Table B-19 doa_edits Table

Column Datatype NULL Description

id

INTEGER

NOT NULL

Unique ID of the object (stored procedure or user role)

approval_id

INTEGER

NOT NULL

ID of the pending approval in the doa_pending_approvals table (Table B-20)

signature

VARCHAR2(40)

NULL

The hash of the object (signature change means object change)

content

CLOB

NULL

New content of the object

edit_type

SMALLINT

NOT NULL

Type of change:

  • 1 - New

  • 2 - Modify

  • 3 - Delete

changed_by

VARCHAR2(255)

NULL

Name of the database user who modified the object

changed_at

TIMESTAMP

NULL

The date and time when the object was changed

detected_at

TIMESTAMP

NULL

The date and time when the change was detected on the Management Server


doa_pending_approvals Table

Table B-20 provides a summary of the changes to an object (stored procedure or user role) that are pending approval. This information is used for User Role Auditing and Stored Procedure Auditing.

Table B-20 doa_pending_approvals Table

Column Datatype NULL Description

id

INTEGER

NOT NULL

Unique ID of the object

source_id

INTEGER

NOT NULL

ID of the enforcement point monitoring the object

database_id

INTEGER

NULL

ID of the protected database

object_type

INTEGER

NOT NULL

Object type:

  • 0 - Undefined

  • 1 - Stored procedure

  • 2 - User

object_subtype

INTEGER

NOT NULL

Object subtype:

  • 0 - Undefined

  • 1 - Procedure

  • 2 - Function

  • 3 - Trigger

  • 4 - Package

  • 5 - Package body

  • 6 - Java source

  • 7 - Extended procedure

  • 8 - Scalar function

  • 9 - Inline table function

  • 10 - Replication filter

  • 11 - Table function

object_class

INTEGER

NOT NULL

Object class:

  • 0 - Undefined

  • 1 - System

  • 2 - User

name

VARCHAR2(1024)

NOT NULL

Name of the object

tags

VARCHAR2(2048)

NULL

Tags associated with the object

is_declined

CHAR (ONLY:'0','1')

NULL

Set to 1 if the change must not be approved in bulk operation (default is FALSE)

is_updated

CHAR (ONLY:'0','1')

NULL

Set to 1 if the change has been updated by the Management Server after being previously declined. (To decline this pending approval, set is_declined to 1 and is_updated to 0.)

changed_by

VARCHAR2(2048)

NULL

Comma-separated list of the names of the database users who have modified the object since the previous approval

last_changed_at

TIMESTAMP

NULL

The date and time of the last change to the object

last_signature

VARCHAR2(40)

NULL

The hash of the object (signature change means object change)

last_edit_type

SMALLINT

NOT NULL

Last type of change:

  • 0 - Undefined

  • 1 - New

  • 2 - Modify

  • 3 - Delete

  • 4 - Unchanged

edit_cnt_new

INTEGER

NULL

Specifies the number of new changes of type new

edit_cnt_modify

INTEGER

NULL

Specifies the number of new changes of type modify

edit_cnt_delete

INTEGER

NULL

Specifies the number of new changes of type delete

changes_summary

VARCHAR2(255)

NULL

Contains a summary of the above changes (for example,3 modifications)

updated_at

TIMESTAMP

NOT NULL

Specifies the date and time that the record was last updated in the Database Firewall


doa_tag_definitions Table

Table B-21 contains the definitions of tags that may be applied to stored procedures or user roles.

Table B-21 doa_tag_definitions Table

Column Datatype NULL Description

id

INTEGER

NOT NULL

Unique ID for the definition

object_type

INTEGER

NOT NULL

Type of the object that will have the tag applied:

  • 0 - Undefined

  • 1 - Stored procedure

  • 2 - User

dialect

SMALLINT

NOT NULL

Database type (dialect) of the database:

  • 1 - Microsoft SQL Server

  • 2 - Oracle

  • 5 - Sybase ASE

  • 7 - IBM DB2 (Linux, UNIX, Windows)

key

VARCHAR2(255)

NOT NULL

ID of the tag definition. It should be unique within type and dialect

pattern

VARCHAR2(2048)

NULL

Regular expression that will be matched against the object content to apply the tag

tag

VARCHAR2(255)

NULL

Tag that will be applied

is_enabled

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if the tag definition can be used

is_predefined

CHAR (ONLY:'0','1')

NOT NULL

Set to 1 if the tag definition was supplied with the product