L Oracle ACFS Audit Events

This appendix maps audit event names used in the Oracle ACFS to their equivalent values in the Source Event, Command Class, Target Object, Associate Object fields and the Status of the event occurred on target object in the Oracle AVDF audit record.

Target Object can be either a Security Object, for example: Realm, Rules, Rulesets, and so on, or, a File System Object like File or Dir.

Event or Command Class can be of the following types.

  • For security objects CREATE, MODIFY, DELETE and so on. For example, if a realm is getting created, realm is target object and ACFS_SEC_REALM_CREATE is the event which is being mapped to the command class CREATE (selected from a set given by Oracle AVDF).

  • For filesystem object READ, WRITE, OPEN, DELETE and so on. For example, if a file is being read, file is target object, and ACFS_EVENT_READ_OP is event which is being mapped to command class READ (selected from set given by Oracle AVDF).

Associate Objects are the objects which are associated while an event is performed on a Target Object. For example, in Security commands where we add files to the realm as follows: Target object- realm, Event- ACFS_SEC_REALM_ADD (MODIFY), Associate object- file. Another example would be where a file is being read by a user: Target object- file, Event- ACFS_AUDIT_READ_OP (READ), Associate objects- realms.

The Status column specifies whether the command class executed on the target object succeeded or not.

See also "Oracle Audit Vault and Database Firewall Database Schemas" for Oracle AVDF data warehouse details that may be useful in designing your own reports.

Table L-1 lists the Oracle ACFS Security Objects audit events and the equivalent Oracle AVDF events.

Table L-1 Oracle ACFS Security Objects Audit Events

Source Event Command Class Target Object Associate Objects Status

ACFS_SEC_PREPARE

ENABLE

MountPoint

Security

SUCCESS

ACFS_SEC_REALM_CREATE

CREATE

Realm name

None

SUCCESS

ACFS_SEC_REALM_DESTROY

DELETE

Realm name

None

SUCCESS

ACFS_SEC_REALM_ADD

MODIFY

Realm name

file/user/group/command rule name

SUCCESS

ACFS_SEC_REALM_DELETE

MODIFY

Realm name

file/user/group/command rule name

SUCCESS

ACFS_SEC_RULESET_CREATE

CREATE

Ruleset name

None

SUCCESS

ACFS_SEC_RULESET_DESTROY

DELETE

Ruleset name

None

SUCCESS

ACFS_SEC_RULESET_EDIT

MODIFY

Ruleset name

Rulename

SUCCESS

ACFS_SEC_RULE_CREATE

CREATE

Rule name

None

SUCCESS

ACFS_SEC_RULE_DESTROY

DELETE

Rule name

None

SUCCESS

ACFS_SEC_RULE_EDIT

MODIFY

Rule name

None

SUCCESS

ACFS_SEC_CLONE

 

Realm/Ruleset/Rule name

Mntpt1/Mntpt2

SUCCESS

ACFS_SEC_SAVE

BACKUP

MountPoint

None

SUCCESS

ACFS_SEC_LOAD

RESTORE

MountPoint

None

SUCCESS

         

ACFS_ENCR_SET

SET

MountPoint

AES-128/192/256

SUCCESS

ACFS_ENCR_VOL_REKEY

REKEY

MountPoint

AES-128/192/256

SUCCESS

ACFS_ENCR_FS_ON

ENABLE

MountPoint

Encryption

SUCCESS

ACFS_ENCR_FS_OFF

DISABLE

MountPoint

Encryption

SUCCESS

ACFS_ENCR_FILE_REKEY

REKEY

Filename

AES-128/192/256

SUCCESS

ACFS_ENCR_FILE_ON

ENABLE

Filename

None

SUCCESS

ACFS_ENCR_FILE_OFF

DISABLE

Filename

None

SUCCESS

ACFS_AUDIT_ENABLE

ENABLE

MountPoint

Audit

SUCCESS

ACFS_AUDIT_DISABLE

DISABLE

MountPoint

Audit

SUCCESS

ACFS_AUDIT_PURGE

PURGE

MountPoint

Audit trail

SUCCESS

ACFS_AUDIT_AUTO_PURGE

PURGE

MountPoint

Audit trail

SUCCESS

ACFS_AUDIT_READ

READ

MountPoint

Audit trail

SUCCESS

ACFS_AUDIT_ARCHIVE

ARCHIVE

Acfsutil command

 

SUCCESS

ACFS_AUDIT_SIZE

AUDIT

Acfsutil command

 

SUCCESS

ACFS_AUDIT_FAILURE

AUDIT

Acfsutil command

 

FAILURE

ACFS_SEC_ADMIN_PRIV

AUTHORIZE

Acfsutil command

 

FAILURE

ACFS_SEC_ADMIN_AUTH_FAIL

AUTHORIZE

Acfsutil command

 

FAILURE

ACFS_SYS_ADMIN_PRIV

AUTHORIZE

Acfsutil command

 

FAILURE

ACFS_AUDIT_MGR_PRIV

AUTHORIZE

Acfsutil command

 

FAILURE

ACFS_AUDITOR_PRIV

AUTHORIZE

Acfsutil command

 

FAILURE

ACFS_INSUFFICIENT_PRIV

AUTHORIZE

Acfsutil command

 

FAILURE

ACFS_ENCR_WALLET_AUTH_FAIL

AUTHORIZE

Acfsutil command

 

FAILURE

ACFS_SEC_CMD_FAIL

AUTHORIZE

Acfsutil command

 

FAILURE


Table L-2 lists the Oracle ACFS File System Objects audit events and the equivalent Oracle AVDF events.

Table L-2 Oracle ACFS File System Objects Audit Events

Source Event Command Class Target Object Associate Objects Status

ACFS_AUDIT_READ_OP

READ

Filename

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_WRITE_OP

WRITE

Filename

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_DELETE_OP

DELETE

Filename

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_OPEN_OP

OPEN

Filename

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_RENAME_OP

RENAME

Filename

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_CREATEFILE_OP

CREATE

Filename

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_MAKEDIR_OP

CREATE

DirName

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_READDIR_OP

READ

DirName

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_OVERWRITE_OP

WRITE

Filename

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_TRUNCATE_OP

TRUNCATE

Filename

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_MMAPREAD_OP

READ

Filename

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_MMAPWRITE_OP

WRITE

Filename

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_EXTEND_OP

WRITE

Filename

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_CHOWN_OP

CHOWN

Filename/DirName

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_CHGRP_OP

CHGRP

Filename/DirName

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_CHMOD_OP

CHMOD

Filename/DirName

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_SYMLINK_OP

SYMLINK

Filename/DirName

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS

ACFS_AUDIT_LINKFILE_OP

LINK

Filename/DirName

Realms and command rules

ACFS_REALM_VIOLATION = FAILURE

ACFS_REALM_AUTH = SUCCESS