Skip Headers

Oracle Label Security Administrator's Guide
Release 2 (9.2)

Part Number A96578-01
Go To Documentation Library
Home
Go To Product List
Book List
Go To Table Of Contents
Contents
Go To Index
Index

Master Index

Feedback

Go to previous page Go to next page

10
Auditing Under Oracle Label Security

The Oracle9i audit facility lets you hold database users accountable for the operations they perform. It can track specific database objects, operations, users, and privileges. Oracle Label Security supplements this by tracking use of its own administrative operations and policy privileges. It provides the SA_AUDIT_ADMIN package to set and change the policy auditing options.

This chapter explains how to use Oracle Label Security auditing. It contains these topics:

Overview of Oracle Label Security Auditing

Oracle Label Security auditing supplements standard Oracle9i auditing by tracking use of its own administrative operations, and use of the policy privileges. You can use either the SA_AUDIT_ADMIN package or Oracle Policy Manager to set and change the auditing options for an Oracle Label Security policy.

When you create a new policy, a label column for that policy is added to the database audit trail. The label column is created regardless of whether auditing is enabled or disabled, and independent of whether database auditing or operating system auditing is used. Whenever a record is written to the audit table, each policy provides a label for that record to indicate the session label. The administrator can create audit views to display these labels. Note that in the audit table, the label does not control access to the row; instead, it simply records the sensitivity of the row.

The auditing options which you specify apply only to subsequent sessions, not to the current session. You can specify audit options even if auditing is disabled; no overhead is created simply by making these specifications. When you do enable Oracle Label Security auditing, the options come into effect, and overhead is created beyond that created by standard Oracle9i auditing.

Note that Oracle Label Security does not provide labels for audit data written to the operating system audit trial. All Oracle Label Security audit records are written directly to the database audit trail, even if operating system auditing is enabled. If auditing is disabled, then no Oracle Label Security audit records are generated.

Enabling Systemwide Auditing: AUDIT_TRAIL Initialization Parameter

For Oracle Label Security to generate audit records, you must first enable systemwide auditing by setting the Oracle9i AUDIT_TRAIL initialization parameter in the database's parameter file. The parameter can be set to one of the following values:

DB

Enables database auditing and directs all audit records to the database audit trail. This approach is recommended by Oracle Corporation.

Note that even with AUDIT_TRAIL set to DB, some records are always sent to the operating system audit trail. These include STARTUP and SHUTDOWN statements, as well as CONNECT AS SYSOPER or SYSDBA.

OS

Enables operating system auditing. This directs most of your Oracle9i audit records to the operating system, rather than to the database; the records will not contain Oracle Label Security labels. By contrast, any Oracle Label Security auditing will go to the database, with labels.

If you set AUDIT_TRAIL to OS, the Oracle Label Security-specific audit records are written to the database audit trail and the other Oracle9i audit records are written to the operating system audit trail (with no policy column in the operating system data).

NONE

Disables auditing. This is the default.



After you have edited the parameter file, restart the database instance to enable or disable database auditing as specified.

Set the AUDIT_TRAIL parameter before you set audit options. If you do not set this parameter, you are still able to set audit options, however audit records are not written to the database until the parameter is set and the database instance is restarted.

See Also:

For information about enabling and disabling systemwide auditing, setting audit options, and managing the audit trail, see Oracle9i Database Administrator's Guide

For information about editing initialization parameters, see Oracle9i Database Reference

For details about systemwide AUDIT and NOAUDIT functioning, see Oracle9i SQL Reference



Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN

After you have enabled systemwide auditing, you can use SA_AUDIT_ADMIN procedures to enable or disable Oracle Label Security auditing. To use Oracle Label Security auditing, you must have the policy_DBA role.

Auditing Options for Oracle Label Security

The AUDIT and NOAUDIT options are as follows:

Table 10-1 Auditing Options for Oracle Label Security
Option Description

APPLY

Audits application of specified Oracle Label Security policies to tables and schemas

REMOVE

Audits removal of specified Oracle Label Security policies from tables and schemas

SET

Audits the setting of user authorizations, and user and program privileges

PRIVILEGES

Audits use of all policy-specific privileges

Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.AUDIT

Use the AUDIT procedure to enable policy-specific auditing.

Syntax:

PROCEDURE AUDIT (
     policy_name     IN VARCHAR2,
     users           IN VARCHAR2 DEFAULT NULL,
     option          IN VARCHAR2 DEFAULT NULL,
     type            IN VARCHAR2 DEFAULT NULL,
     success         IN VARCHAR2 DEFAULT NULL);
Parameter Description Default Behavior

policy_name

Required. Specifies the name of an existing policy. Auditing of each policy is independent of all others.)

None

users

Optional. A comma-separated list of user names to audit. If not specified, all users are audited.

All users

option

Optional. A comma-separated list of options to be audited. See Table 10-1.

If not specified, all default options (that is, options not including privileges) are audited. Audit options for privileged operations should be set explicitly by specifying the PRIVILEGES option, which sets audit options for all privileges.

All options

type

Optional. BY ACCESS or BY SESSION. If not specified, audit records are written by session.

BY SESSION

success

Optional. SUCCESSFUL or NOT SUCCESSFUL. If not specified, audit is written for both.

SUCCESSFUL and NOT SUCCESSFUL



If the administrator does not specify any audit options, then all options except the privilege-related ones are audited. Auditing of privileges must be specified explicitly. For example, if the administrator enters

SA_AUDIT_ADMIN.AUDIT ('HR');

then default auditing options are set for the HR policy. When the administrator enables auditing, it will be performed on all users by session, whether successful or not.

When you set auditing parameters and options, the new values apply only to subsequent sessions, not to the current session.

Consider also a case in which one AUDIT call (with no users specified) enables auditing for APPLY operations for all users, and then a second call enables auditing of REMOVE operations for a specific user. For example:

SA_AUDIT_ADMIN.AUDIT ('HR', NULL, 'APPLY');
SA_AUDIT_ADMIN.AUDIT ('HR', 'SCOTT', 'REMOVE');

In this case, SCOTT is audited for both APPLY and REMOVE operations.

Disabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.NOAUDIT

To disable policy-specific auditing, use the SA_AUDIT_ADMIN.NOAUDIT procedure.

Syntax:

PROCEDURE NOAUDIT (
     policy_name     IN VARCHAR2,
     users           IN VARCHAR2 DEFAULT NULL,
     option          IN VARCHAR2 DEFAULT NULL);
Parameter Description Default Behavior

policy_name

Required. Specifies the name of an existing policy.

None

users

Optional. A comma-separated list of user names to audit. If not specified, auditing is disabled for all users.

All users

option

Optional. A comma-separated list of options to be disabled. See Table 10-1. If not specified, all default options are disabled. Privileges must be disabled explicitly.

All options



You can disable auditing for all enabled options, or only for a subset of enabled options. All auditing for the specified options is disabled for all specified users (or all users, if the users parameter is NULL). For example, the following statement disables auditing of the APPLY and REMOVE operations for users John, Mary, and Scott:

SA_AUDIT_ADMIN.NOAUDIT ('HR', 'JOHN, MARY, SCOTT', 'APPLY, REMOVE');

Consider also a case in which one AUDIT call enables auditing for a specific user, and a second call (with no user specified) enables auditing for all users. For example:

SA_AUDIT_ADMIN.AUDIT ('HR', 'SCOTT');
SA_AUDIT_ADMIN.AUDIT ('HR');

In this case, a subsequent call to NOAUDIT with no users specified (such as the following)

SA_AUDIT_ADMIN.NOAUDIT ('HR');

does not reverse the auditing which was set for SCOTT explicitly in the first call. Auditing thus continues to be performed on SCOTT. In this way, even if NOAUDIT is set for all users, Oracle Label Security still audits any users for whom auditing was explicitly set.

Auditing of privileged operations must be specified explicitly. If you execute NOAUDIT with no options, Oracle Label Security will nonetheless continue to audit privileged operations. For example, if auditing is enabled and you enter

SA_AUDIT_ADMIN.NOAUDIT ('HR');

then auditing will continue to be performed on the privileged operations (such as WRITEDOWN).

NOAUDIT parameters and options which you set apply only to subsequent sessions, not to current sessions.

If you try to enable an audit option which has already been set, or if you try to disable an audit option which has not been set, Oracle Label Security processes the statement without indicating an error. An attempt to specify an invalid option results in an error message.

Examining Audit Options with the DBA_SA_AUDIT_OPTIONS View

This section describes the view which displays the Oracle Label Security auditing options and privileges.

The DBA_SA_AUDIT_OPTIONS view contains the following columns:

Name                                      Null?    Type
----------------------------------------- -------- ------------
POLICY_NAME                               NOT NULL VARCHAR2(30)
USER_NAME                                 NOT NULL VARCHAR2(30)
APY                                                VARCHAR2(3)
REM                                                VARCHAR2(3)
SET_                                               VARCHAR2(3)
PRV                                                VARCHAR2(3)

Output is similar to the following:

Table 10-2 DBA_SA_AUDIT_OPTIONS Sample Output
POLICY_NAME USER_NAME APY REM SET PRV

HR

SCOTT

-/-

-/-

-/-

A/A

HR

LBACSYS

S/S

S/S

S/S

-/-



See Also:

Oracle9i Database Administrator's Guide



Managing Policy Label Auditing

This section describes procedures available to manage policy label auditing:

Policy Label Auditing with SA_AUDIT_ADMIN.AUDIT_LABEL

Use the AUDIT_LABEL procedure to record policy labels during auditing. It causes the user's session label to be stored in the audit table.

Syntax:

PROCEDURE AUDIT_LABEL (
     policy_name     IN VARCHAR2);
Parameter Description Default

policy_name

Required. Specifies the name of an existing policy.

None



Disabling Policy Label Auditing with SA_AUDIT_ADMIN.NOAUDIT_LABEL

Use the NOAUDIT_LABEL procedure to disable auditing of policy labels.

Syntax:

PROCEDURE NOAUDIT_LABEL (
     policy_name     IN VARCHAR2);
Parameter Description Default

policy_name

Required. Specifies the name of an existing policy.

None



Finding Label Audit Status with AUDIT_LABEL_ENABLED

Use the AUDIT_LABEL_ENABLED function to show whether labels are being recorded in audit records for the policy.

Syntax:

FUNCTION AUDIT_LABEL_ENABLED (policy_name IN VARCHAR2)
     RETURN boolean;

Creating and Dropping an Audit Trail View for Oracle Label Security

This section contains these topics:

Creating a View with SA_AUDIT_ADMIN.CREATE_VIEW

The CREATE_VIEW procedure creates an audit trail view named DBA_policyname_AUDIT_TRAIL, which contains the specified policy's label column as well as all the entries in the audit trail written on behalf of this policy. If the view name exceeds the database limit of 30 characters, the user can optionally specify a shorter view name.

Syntax:

PROCEDURE CREATE_VIEW (
     policy_name     IN VARCHAR2);
     view_name       IN VARCHAR2    DEFAULT NULL);

where policy_name specifies the name of an existing policy

Dropping the View with SA_AUDIT_ADMIN.DROP_VIEW

The DROP_VIEW procedure drops the audit trail view for the specified policy.

Syntax:

PROCEDURE DROP_VIEW (
     policy_name     IN VARCHAR2);
     view_name       IN VARCHAR2    DEFAULT NULL);

where policy_name specifies the name of a policy. View_name is an optional parameter which can have a maximum of 14 characters.

Oracle Label Security Auditing Tips

This section contains these topics:

Strategy for Setting SA_AUDIT_ADMIN Options

Before setting any audit options, you must devise an auditing strategy which monitors events of interest, without recording extraneous events. You should periodically review this strategy, because applications, user base, configurations, and other external factors can change.

The Oracle Label Security options, and those provided by the Oracle9i audit facility, might not directly address all of your specific or application-dependent auditing requirements. However, through use of database triggers, you can audit specific events and record specific information that you cannot audit and record using the more generic audit facility.

See Also:

For more information about using triggers for auditing, see Oracle9i Database Concepts



Auditing Privileged Operations

Consider auditing any operations that require Oracle Label Security privileges. Because these privileges perform sensitive operations, and because their abuse could jeopardize security, you should closely monitor their dissemination and use.


Go to previous page Go to next page
Oracle
Copyright © 2000, 2002 Oracle Corporation.

All Rights Reserved.
Go To Documentation Library
Home
Go To Product List
Book List
Go To Table Of Contents
Contents
Go To Index
Index

Master Index

Feedback