L Oracle ACFS Audit Events

This append ix maps audit event names used in the Oracle ACFS to their equivalent values in the Source Event, Command Class, Target Object, Associate Object fields and the Status of the event occurred on target object in the Oracle AVDF audit record.

Target Object can be either a Security Object, for example: Realm, Rules, Rulesets, and so on, or, a File System Object like File or Dir.

Event or Command Class can be of the following types.

For security objects CREATE, MODIFY, DELETE and so on. For example, if a realm is getting created, realm is target object and ACFS_SEC_REALM_CREATE is the event which is being mapped to the command class CREATE (selected from a set given by Oracle AVDF).
For filesystem object READ, WRITE, OPEN, DELETE and so on. For example, if a file is being read, file is target object, and ACFS_EVENT_READ_OP is event which is being mapped to command class READ (selected from set given by Oracle AVDF).

Associate Objects are the objects which are associated while an event is performed on a Target Object. For example, in Security commands where we add files to the realm as follows: Target object- realm, Event- ACFS_SEC_REALM_ADD (MODIFY), Associate object- file. Another example would be where a file is being read by a user: Target object- file, Event- ACFS_AUDIT_READ_OP (READ), Associate objects- realms.

The Status column specifies whether the command class executed on the target object succeeded or not.

See also "Oracle Audit Vault and Database Firewall Database Schemas" for Oracle AVDF data warehouse details that may be useful in designing your own reports.

Table L-1 lists the Oracle ACFS Security Objects audit events and the equivalent Oracle AVDF events.

Table L-1 ACFS Security Objects Audit Events

Source Event	Command Class	Target Object	Associate Objects	Status
`ACFS_SEC_PREPARE`	`ENABLE`	MountPoint	Security	`SUCCESS`
`ACFS_SEC_REALM_CREATE`	`CREATE`	Realm name	None	`SUCCESS`
`ACFS_SEC_REALM_DESTROY`	`DELETE`	Realm name	None	`SUCCESS`
`ACFS_SEC_REALM_ADD`	`MODIFY`	Realm name	`file/user/group/command` rule name	`SUCCESS`
`ACFS_SEC_REALM_DELETE`	`MODIFY`	Realm name	`file/user/group/command` rule name	`SUCCESS`
`ACFS_SEC_RULESET_CREATE`	`CREATE`	Ruleset name	None	`SUCCESS`
`ACFS_SEC_RULESET_DESTROY`	`DELETE`	Ruleset name	None	`SUCCESS`
`ACFS_SEC_RULESET_EDIT`	`MODIFY`	Ruleset name	Rulename	`SUCCESS`
`ACFS_SEC_RULE_CREATE`	`CREATE`	Rule name	None	`SUCCESS`
`ACFS_SEC_RULE_DESTROY`	`DELETE`	Rule name	None	`SUCCESS`
`ACFS_SEC_RULE_EDIT`	`MODIFY`	Rule name	None	`SUCCESS`
`ACFS_SEC_CLONE`		Realm/Ruleset/Rule name	Mntpt1/Mntpt2	`SUCCESS`
`ACFS_SEC_SAVE`	`BACKUP`	MountPoint	None	`SUCCESS`
`ACFS_SEC_LOAD`	`RESTORE`	MountPoint	None	`SUCCESS`

`ACFS_ENCR_SET`	`SET`	MountPoint	AES-128/192/256	`SUCCESS`
`ACFS_ENCR_VOL_REKEY`	`REKEY`	MountPoint	AES-128/192/256	`SUCCESS`
`ACFS_ENCR_FS_ON`	`ENABLE`	MountPoint	Encryption	`SUCCESS`
`ACFS_ENCR_FS_OFF`	`DISABLE`	MountPoint	Encryption	`SUCCESS`
`ACFS_ENCR_FILE_REKEY`	`REKEY`	Filename	AES-128/192/256	`SUCCESS`
`ACFS_ENCR_FILE_ON`	`ENABLE`	Filename	None	`SUCCESS`
`ACFS_ENCR_FILE_OFF`	`DISABLE`	Filename	None	`SUCCESS`
`ACFS_AUDIT_ENABLE`	`ENABLE`	MountPoint	Audit	`SUCCESS`
`ACFS_AUDIT_DISABLE`	`DISABLE`	MountPoint	Audit	`SUCCESS`
`ACFS_AUDIT_PURGE`	`PURGE`	MountPoint	Audit trail	`SUCCESS`
`ACFS_AUDIT_AUTO_PURGE`	`PURGE`	MountPoint	Audit trail	`SUCCESS`
`ACFS_AUDIT_READ`	`READ`	MountPoint	Audit trail	`SUCCESS`
`ACFS_AUDIT_ARCHIVE`	`ARCHIVE`	Acfsutil command		`SUCCESS`
`ACFS_AUDIT_SIZE`	`AUDIT`	Acfsutil command		`SUCCESS`
`ACFS_AUDIT_FAILURE`	`AUDIT`	Acfsutil command		`FAILURE`
`ACFS_SEC_ADMIN_PRIV`	`AUTHORIZE`	Acfsutil command		`FAILURE`
`ACFS_SEC_ADMIN_AUTH_FAIL`	`AUTHORIZE`	Acfsutil command		`FAILURE`
`ACFS_SYS_ADMIN_PRIV`	`AUTHORIZE`	Acfsutil command		`FAILURE`
`ACFS_AUDIT_MGR_PRIV`	`AUTHORIZE`	Acfsutil command		`FAILURE`
`ACFS_AUDITOR_PRIV`	`AUTHORIZE`	Acfsutil command		`FAILURE`
`ACFS_INSUFFICIENT_PRIV`	`AUTHORIZE`	Acfsutil command		`FAILURE`
`ACFS_ENCR_WALLET_AUTH_FAIL`	`AUTHORIZE`	Acfsutil command		`FAILURE`
`ACFS_SEC_CMD_FAIL`	`AUTHORIZE`	Acfsutil command		`FAILURE`

Table L-2 lists the Oracle ACFS File System Objects audit events and the equivalent Oracle AVDF events.

Table L-2 ACFS File System Objects Audit Events

Source Event	Command Class	Target Object	Associate Objects	Status
`ACFS_AUDIT_READ_OP`	`READ`	Filename	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_WRITE_OP`	`WRITE`	Filename	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_DELETE_OP`	`DELETE`	Filename	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_OPEN_OP`	`OPEN`	Filename	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_RENAME_OP`	`RENAME`	Filename	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_CREATEFILE_OP`	`CREATE`	Filename	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_MAKEDIR_OP`	`CREATE`	DirName	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_READDIR_OP`	`READ`	DirName	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_OVERWRITE_OP`	`WRITE`	Filename	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_TRUNCATE_OP`	`TRUNCATE`	Filename	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_MMAPREAD_OP`	`READ`	Filename	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_MMAPWRITE_OP`	`WRITE`	Filename	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_EXTEND_OP`	`WRITE`	Filename	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_CHOWN_OP`	`CHOWN`	Filename/DirName	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_CHGRP_OP`	`CHGRP`	Filename/DirName	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_CHMOD_OP`	`CHMOD`	Filename/DirName	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_SYMLINK_OP`	`SYMLINK`	Filename/DirName	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_LINKFILE_OP`	`LINK`	Filename/DirName	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`