Oracle ACFS Audit Events

O Oracle ACFS Audit Events

Oracle ACFS audit events include events such as ACFS_SEC_PREPARE and ACFS_SEC_REALM_CREATE.

Note:

Oracle Automatic Storage Management Cluster File System (Oracle ACFS) or Oracle Advanced Cluster File System was deprecated in Oracle AVDF release 20.7 and is desupported in 20.8.

This appendix maps audit event names used in the Oracle ACFS to their equivalent values in the Source Event, Command Class, Target Object, Associate Object fields and the Status of the event occurred on target object in the Oracle Audit Vault and Database Firewall audit record.

Target Object can be either a Security Object, for example: Realm, Rules, Rulesets, and so on, or, a File System Object like File or Dir.

Event or Command Class can be of the following types.

For security objects CREATE, MODIFY, DELETE and so on. For example, if a realm is getting created, realm is target object and ACFS_SEC_REALM_CREATE is the event which is being mapped to the command class CREATE (selected from a set given by Oracle Audit Vault and Database Firewall).
For file system objects READ, WRITE, OPEN, DELETE and so on. For example, if a file is being read, file is target object, and ACFS_EVENT_READ_OP is event which is being mapped to command class READ (selected from set given by Oracle Audit Vault and Database Firewall).

Associate Objects are the objects which are associated while an event is performed on a Target Object. For example, in Security commands where we add files to the realm as follows: Target object- realm, Event- ACFS_SEC_REALM_ADD (MODIFY), Associate object- file. Another example would be where a file is being read by a user: Target object- file, Event- ACFS_AUDIT_READ_OP (READ), Associate objects- realms.

The Status column specifies whether the command class executed on the target object succeeded or not.

See Also:

Oracle Audit Vault and Database Firewall Database Schemas for Oracle Audit Vault and Database Firewall data warehouse details that may be useful in designing your own reports.

Table O-1 lists the Oracle ACFS Security Objects audit events and the equivalent Oracle Audit Vault and Database Firewall events.

Table O-1 Oracle ACFS Security Objects Audit Events

Source Event	Command Class	Target Object	Associate Objects	Status
`ACFS_SEC_PREPARE`	`ENABLE`	Mount Point	Security	`SUCCESS`
`ACFS_SEC_REALM_CREATE`	`CREATE`	Realm name	None	`SUCCESS`
`ACFS_SEC_REALM_DESTROY`	`DELETE`	Realm name	None	`SUCCESS`
`ACFS_SEC_REALM_ADD`	`MODIFY`	Realm name	`file/user/group/command` rule name	`SUCCESS`
`ACFS_SEC_REALM_DELETE`	`MODIFY`	Realm name	`file/user/group/command` rule name	`SUCCESS`
`ACFS_SEC_RULESET_CREATE`	`CREATE`	Ruleset name	None	`SUCCESS`
`ACFS_SEC_RULESET_DESTROY`	`DELETE`	Ruleset name	None	`SUCCESS`
`ACFS_SEC_RULESET_EDIT`	`MODIFY`	Ruleset name	Rulename	`SUCCESS`
`ACFS_SEC_RULE_CREATE`	`CREATE`	Rule name	None	`SUCCESS`
`ACFS_SEC_RULE_DESTROY`	`DELETE`	Rule name	None	`SUCCESS`
`ACFS_SEC_RULE_EDIT`	`MODIFY`	Rule name	None	`SUCCESS`
`ACFS_SEC_CLONE`		Realm/Ruleset/Rule name	Mntpt1/Mntpt2	`SUCCESS`
`ACFS_SEC_SAVE`	`BACKUP`	Mount Point	None	`SUCCESS`
`ACFS_SEC_LOAD`	`RESTORE`	Mount Point	None	`SUCCESS`
`ACFS_ENCR_SET`	`SET`	Mount Point	AES-128/192/256	`SUCCESS`
`ACFS_ENCR_VOL_REKEY`	`REKEY`	Mount Point	AES-128/192/256	`SUCCESS`
`ACFS_ENCR_FS_ON`	`ENABLE`	MountPoint	Encryption	`SUCCESS`
`ACFS_ENCR_FS_OFF`	`DISABLE`	Mount Point	Encryption	`SUCCESS`
`ACFS_ENCR_FILE_REKEY`	`REKEY`	File name	AES-128/192/256	`SUCCESS`
`ACFS_ENCR_FILE_ON`	`ENABLE`	File name	None	`SUCCESS`
`ACFS_ENCR_FILE_OFF`	`DISABLE`	File name	None	`SUCCESS`
`ACFS_AUDIT_ENABLE`	`ENABLE`	Mount Point	Audit	`SUCCESS`
`ACFS_AUDIT_DISABLE`	`DISABLE`	Mount Point	Audit	`SUCCESS`
`ACFS_AUDIT_PURGE`	`PURGE`	Mount Point	Audit trail	`SUCCESS`
`ACFS_AUDIT_AUTO_PURGE`	`PURGE`	Mount Point	Audit trail	`SUCCESS`
`ACFS_AUDIT_READ`	`READ`	Mount Point	Audit trail	`SUCCESS`
`ACFS_AUDIT_ARCHIVE`	`ARCHIVE`	Acfsutil command	None	`SUCCESS`
`ACFS_AUDIT_SIZE`	`AUDIT`	Acfsutil command	None	`SUCCESS`
`ACFS_AUDIT_FAILURE`	`AUDIT`	Acfsutil command	None	`FAILURE`
`ACFS_SEC_ADMIN_PRIV`	`AUTHORIZE`	Acfsutil command	None	`FAILURE`
`ACFS_SEC_ADMIN_AUTH_FAIL`	`AUTHORIZE`	Acfsutil command	None	`FAILURE`
`ACFS_SYS_ADMIN_PRIV`	`AUTHORIZE`	Acfsutil command	None	`FAILURE`
`ACFS_AUDIT_MGR_PRIV`	`AUTHORIZE`	Acfsutil command	None	`FAILURE`
`ACFS_AUDITOR_PRIV`	`AUTHORIZE`	Acfsutil command	None	`FAILURE`
`ACFS_INSUFFICIENT_PRIV`	`AUTHORIZE`	Acfsutil command	None	`FAILURE`
`ACFS_ENCR_WALLET_AUTH_FAIL`	`AUTHORIZE`	Acfsutil command	None	`FAILURE`
`ACFS_SEC_CMD_FAIL`	`AUTHORIZE`	Acfsutil command	None	`FAILURE`

Table O-2 lists the Oracle ACFS File System Objects audit events and the equivalent Oracle Audit Vault and Database Firewall events.

Table O-2 Oracle ACFS File System Objects Audit Events

Source Event	Command Class	Target Object	Associate Objects	Status
`ACFS_AUDIT_READ_OP`	`READ`	File name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_WRITE_OP`	`WRITE`	File name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_DELETE_OP`	`DELETE`	File name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_OPEN_OP`	`OPEN`	File name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_RENAME_OP`	`RENAME`	File name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_CREATEFILE_OP`	`CREATE`	File name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_MAKEDIR_OP`	`CREATE`	Directory name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_READDIR_OP`	`READ`	Directory name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_OVERWRITE_OP`	`WRITE`	File name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_TRUNCATE_OP`	`TRUNCATE`	File name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_MMAPREAD_OP`	`READ`	File name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_MMAPWRITE_OP`	`WRITE`	File name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_EXTEND_OP`	`WRITE`	File name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_CHOWN_OP`	`CHOWN`	File name/Directory name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_CHGRP_OP`	`CHGRP`	File name/Directory name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_CHMOD_OP`	`CHMOD`	File name/Directory name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_SYMLINK_OP`	`SYMLINK`	File name/Directory name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`
`ACFS_AUDIT_LINKFILE_OP`	`LINK`	File name/Directory name	Realms and command rules	`ACFS_REALM_VIOLATION = FAILURE` `ACFS_REALM_AUTH = SUCCESS`

Related Topics

Behavior Changes, Deprecation, and Desupport Notices in Oracle Audit Vault and Database Firewall 20.7