A Oracle Audit Vault and Database Firewall Database Schemas

Learn about the Oracle Audit Vault and Database Firewall schemas.

A.1 About Oracle Audit Vault and Database Firewall Schemas

Oracle Audit Vault and Database Firewall has internal data warehouse schemas that manage the audit data collected from the targets.

The data warehouse schemas collect the data from the Oracle Audit Vault and Database Firewall collection agents, organize it, and then provide it in report format.

To create custom reports using tools like Oracle Business Intelligence Publisher and the Oracle Business Intelligence Suite:

  • You must understand the structure of the data warehouse schema AVSYS, which this appendix describes.

  • You must understand the structure of the audit events provided by the supported targets—Oracle Database, Microsoft SQL Server, Sybase Adaptive Server Enterprise (ASE), and IBM DB2.

You can create these kinds of custom reports:

  • Activity reports

  • Event reports

  • Alert reports

  • Entitlement reports

The data that you need to create the other kinds of reports is in the AVSYS schema.

A.2 Metadata for Activity Reports

The metadata for activity reports captures data such as connect strings and creation times.

This section describes the metadata that you need to create activity reports:

Table A-1 describes the AVSYS.SECURED_TARGET table, which has one row for each target. Columns are in alphabetical order.

Table A-1 AVSYS.SECURED_TARGET Table

Column Data Type Description

ACTIVE

CHAR(1 CHAR)

'Y' if target is active, 'N' otherwise.

CONNECT_STRING

VARCHAR2(4000 BYTE)

String that identifies target when you try to connect it to the system.

CREATION_TIME

TIMESTAMP WITH LOCAL TIME ZONE

Creation time of the connection between target and the system.

DESCRIPTION

VARCHAR2(1024 BYTE)

Description of target.

FIREWALL_POLICY_ID

INTEGER

ID number of firewall policy associated with target, if any; otherwise NULL. Default: NULL

SECURED_TARGET_ID

NUMBER

ID of the target.

SECURED_TARGET_NAME

VARCHAR2(255 BYTE)

Name of target.

SECURED_TARGET_TYPE_ID

NUMBER

ID number of type of target. This value must be in AVSYS.SECURED_TARGET_TYPE.SECURED_TARGET_TYPE_ID (see Table A-2).

SERVER_AUTH_USER

VARCHAR2(255 BYTE)

Oracle AVDF user that is authorized to transfer events from an Audit Vault Agent to an Audit Vault Server.

Table A-2 describes the AVSYS.SECURED_TARGET_TYPE table, which has one row for each target type. Columns are in alphabetical order.

Table A-2 AVSYS.SECURED_TARGET_TYPE Table

Column Data Type Description

FIREWALL_DIALECT

NUMBER(38)

ID number of Oracle Database Firewall type.

SECURED_TARGET_TYPE_ID

NUMBER(38)

ID number of target type.

SECURED_TARGET_TYPE_NAME

VARCHAR2(255 BYTE)

Name of target type.

Table A-3 describes the AVSYS.AUDIT_TRAIL table, which has one row for each audit trail. Columns are in alphabetical order.

Table A-3 AVSYS.AUDIT_TRAIL Table

Column Data Type Description

AUDIT_TRAIL_ID

NUMBER

ID number of this audit trail.

AUDIT_TRAIL_TYPE

VARCHAR2(255 BYTE)

Type of this audit trail (for example, TABLE or DIRECTORY).

COLLECTION_AUTOSTART

CHAR(1 CHAR)

(Currently unavailable functionality)

HOST_NAME

VARCHAR2(255 BYTE)

Name of agent host for this audit trail.

LOCATION

VARCHAR2(4000 BYTE)

SOURCE_ID

NUMBER

ID number of source of this audit trail.

SECURED_TARGET_TYPE_NAME

VARCHAR2(255 BYTE)

Name of type of target for this audit trail. This value must be in AVSYS.SECURED_TARGET_TYPE.SECURED_TARGET_TYPE_NAME (see Table A-2).

A.3 Data for Event Reports

The metadata for event reports captures data such as actions taken or alerts raised.

This section describes the data that you need to create event reports.

Table A-4 describes the AVSYS.EVENT_LOG table, which has one row for each audit event. Columns are in alphabetical order.

Table A-4 AVSYS.EVENT_LOG Table

Column Data Type Description

ACTION_TAKEN

VARCHAR2(255 BYTE)

Action taken for the event—pass, warn, or block.

ALERT_RAISED

NUMBER

0 if no alert was raised for the event, 1 otherwise. Default: 0

AUDIT_TRAIL_ID

NUMBER

ID of the audit trail from which the event was collected.

AV_TIME

TIMESTAMP WITH LOCAL TIME ZONE

Time when the event was recorded in Oracle AVDF repository.

CLIENT_HOST_NAME

VARCHAR2(255 BYTE)

Name of client host where the user started the action.

CLIENT_ID

VARCHAR2(1024 CHAR)

Client identifier of the user whose actions were audited

CLIENT_IP

VARCHAR2(255 BYTE)

Internet protocol (IP) address of CLIENT_HOST_NAME.

CLIENT_PROGRAM

VARCHAR2(255 CHAR)

Client program where the event occurred.

CLUSTER_ID

NUMBER

Global ID number of cluster where the event occurred.

CLUSTER_TYPE

NUMBER

Type number of cluster where the event occurred (identifies type of statements in cluster).

COMMAND_CLASS

VARCHAR2(255 BYTE)

Action performed in the event (for example, SELECT or DELETE). If this field contains NULL, then the audit record is invalid.

COMMAND_PARAM

CLOB

Command parameters that caused the event.

COMMAND_TEXT

CLOB

Text of command that caused the event (which can be, for example, a SQL or PL/SQL statement).

DATA_TRACE

CLOB

Transaction log data (before and after values) in JSON format.

ERROR_CODE

VARCHAR2(30 BYTE)

Error code of an action.

ERROR_MESSAGE

VARCHAR2(1000 BYTE)

Error message of an action.

EVENT_NAME

VARCHAR2(255 BYTE)

Name of the event, exactly as in the audit trail.

EVENT_STATUS

VARCHAR2(30 BYTE)

Status of the event—SUCCESS, FAILURE, or UNKNOWN.

EVENT_TIME

TIMESTAMP WITH LOCAL TIME ZONE

Time when the event occurred. If the event has more than one time stamp (for example, an event start time stamp and an event end time stamp), then the collector plug-in must assign a time stamp to this field. If this field contains NULL, then Oracle AVDF shuts down the collector.

EXTENSION

CLOB

Stores fields that cannot be accommodated in core or large fields (such as name-value pairs, separated by delimiters).

GRAMMAR_VERSION

NUMBER

Version of grammar that the Database Firewall used when it detected the event. This version is internal to the Database Firewall and not related to the database version.

LOG_CAUSE

VARCHAR2(30 BYTE)

Cause of the event, as recorded in the log: undefined, exception, cluster, Database Object, unseen, invalidsql, waf, login, or logout.

LOGFILE_ID

NUMBER

Opaque internal log file ID.

MARKER

VARCHAR2(255 BYTE)

Uniquely identifies a record in an audit trail. During the recovery process, Oracle AVDF uses this field to filter duplicate records. The collector plug-in provides the marker field, which is typically a concatenated subset of the fields of an audit record. For example, in Oracle database, the session ID and entry ID (a unique identifier within a session) define a marker.

MONITORING_POINT_ID

NUMBER

This is an internal column. If its value is not NULL, then the event came from a Database Firewall. If its value is NULL, then the event came from the audit trail whose ID is in AUDIT_TRAIL_ID.

NETWORK_CONNECTION

VARCHAR2(255 BYTE)

Name of user who logged into the operating system that generated the audit record. If the user logged into the operating system as JOHN but performed the action as SCOTT, then this field contains JOHN and the USER_NAME field contains SCOTT.

OSUSER_NAME

VARCHAR2 (255 BYTE)

Operating system user name that executed the SQL command

POLICY_NAME

VARCHAR2(1024 CHAR)

Name of policy file that the Database Firewall used when it detected the event.

POLICY_NAME

Oracle AVDF 20.3 and later

VARCHAR2(4000 CHAR)

Name of policy file that the Database Firewall used when it detected the event.

In case of audit data collected by the Agent, the policy name contains the audit policies that caused the current event.

RECORD_ID

NUMBER

ID number of audit record for the event.

SECURED_TARGET_NAME

VARCHAR2(255 BYTE)

Name of target where event occurred.

SECURED_TARGET_TYPE

VARCHAR2(255 BYTE)

Type of target where event occurred.

SERVICE_NAME

VARCHAR2(255 CHAR)

Name of database service to which the client session connects.

TARGET_OBJECT

VARCHAR2(255 BYTE)

Name of object on which the action was performed. For example, if the user selected from a table, then this field contains the name of the table.

TARGET_OWNER

VARCHAR2(255 BYTE)

Name of owner of target on which the action was performed. For example, if the user selected from a table owned by user JOHN, then this field contains the user name JOHN.

TARGET_TYPE

VARCHAR2(255 BYTE)

Type of target object on which the action was performed. For example, if the user selected from a table, then this field contains TABLE.

TERMINAL

VARCHAR2(255 CHAR)

Name of the terminal (for example, Unix terminal) that was the source of the event

THREAT_SEVERITY

VARCHAR2(30 CHAR)

The severity of the threat detected by the Database Firewall. This field may have one of the values: minimal, minor, moderate, major, or critical.

The threat severity differentiates the importance of each event. This is defined in the Database Firewall policy. You can choose the value for each rule that triggers the event. The Database Firewall policy auditor can apply their own judgement when choosing the value assigned to each rule. This severity level later appears in the reports if the statement is logged.

Note: In Oracle AVDF release 20.5 and prior, the pre-defined Database Firewall policy does not define the threat severity value. In the reports it would appear as undefined.

USER_NAME

VARCHAR2(255 BYTE)

Name of user who performed the action in the application or system that generated the audit record. If this field contains NULL, then the audit record is invalid.

AUDIT_TYPE

Oracle AVDF 20.3 and later

VARCHAR2(255 CHAR)

Audit types for Oracle Database target:

  • Standard
  • FineGrainedAudit
  • XS
  • Database Vault
  • Label Security
  • RMAN_AUDIT
  • Datapump
  • Direct path API

APPLICATION_CONTEXT

Oracle AVDF 20.3 and later

VARCHAR2(4000 BYTE)

Application context information.

DATABASE_NAME

Oracle AVDF 20.4 and later

VARCHAR2(255 CHAR)

The name of the DB2 database that contains the audit records.

INSTANCE_NAME

Oracle AVDF 20.4 and later

VARCHAR2(255 CHAR)

The name of the instance which hosts the DB2 database.

AUDIT_TRAIL_ID

NUMBER

The ID of the audit trail.

LOCATION

VARCHAR2(30 CHAR)

The location of the audit trail. For example: Audit Table or Audit File.

REPOSITORY_NAME

VARCHAR2(255 CHAR)

PDB name of the CDB target.

ROW_COUNT

NUMBER

Number of rows returned (Database Firewall).

SECURED_TARGET_CLASS

VARCHAR2(30 CHAR)

The type of the target. For example: database or operating system.

SECURED_TARGET_ID

NUMBER NOT NULL

ID of the target.

A.4 Data for Alert Reports

The metadata for alert reports captures data such as alert definitions and alert IDs.

This section describes the data that you need to create alert reports:

Table A-5 describes the AVSYS.ALERT_STORE table, which has one row for each alert instance. Columns are in alphabetical order.

Table A-5 AVSYS.ALERT_STORE Table

Column Data Type Description

ALERT_DEFINITION_ID

NUMBER

ID number of definition of this alert.

ALERT_ID

NUMBER

ID number of alert instance.

ALERT_NAME

VARCHAR2(255)

Name of this alert in alert definition.

ALERT_OWNER

VARCHAR2(30)

Alert owner (same as alert definition owner).

ALERT_SEVERITY

NUMBER

Alert severity—1=Warning, 2=Critical.

ALERT_STATUS

VARCHAR2(255)

Alert status—OPEN or CLOSED.

AV_ALERT_TIMESTAMP

TIMESTAMP WITH LOCAL TIME ZONE

Time when alert instance was raised.

CLEARED_TIMESTAMP

TIMESTAMP WITH LOCAL TIME ZONE

EMAIL_CC_LIST

VARCHAR2(4000 BYTE)

List of addresses for "cc" field of email about this alert instance.

EMAIL_MESSAGE

VARCHAR2(4000 BYTE)

Message in email about this alert instance.

EMAIL_STATUS

VARCHAR2(30 BYTE)

Indicates if email was sent for this alert instance.

EMAIL_TIMESTAMP

TIMESTAMP WITH LOCAL TIME ZONE

Time when email about this alert instance was sent.

EMAIL_TO_LIST

VARCHAR2(4000 BYTE)

List of addresses for "to" field of email about this alert instance.

ILM_TARGET

VARCHAR2(12)

Information lifecycle management (ILM) string for partition.

OLDEST_EVENT_TIMESTAMP

TIMESTAMP WITH LOCAL TIME ZONE

Time of first event that triggered this alert instance.

Table A-6 describes the AVSYS.ALERT_EVENT_MAP table, which maps each alert instance to its related events. When an alert instance is related to multiple events, each event has a different RECORD_ID. Columns are in alphabetical order.

Table A-6 AVSYS.ALERT_EVENT_MAP Table

Column Data Type Description

ALERT_ID

NUMBER

ID of alert instance.

ALERT_OWNER

VARCHAR2(30)

Alert owner, same as alert definition owner.

EVENT_TIMESTAMP

TIMESTAMP WITH LOCAL TIME ZONE

Time of event that triggered this alert instance.

ILM_TARGET

VARCHAR2(12)

ILM string for partition.

OLDEST_EVENT_TIMESTAMP

TIMESTAMP WITH LOCAL TIME ZONE

Time of first event that triggered this alert instance. If this alert instance is related to only one event, then this value is the same as the value of EVENT_TIMESTAMP.

RECORD_ID

NUMBER

Record ID of the event related to this alert instance.

SECURED_TARGET_ID

NUMBER NOT NULL

The ID of the target.

SECURED_TARGET_NAME

VARCHAR2(255 CHAR) NOT NULL

The name of the target.

USER_NAME

VARCHAR2(255 CHAR)

The user name of the event.

Table A-7 describes the AVSYS.ALERT_NOTE table, which stores notes for alert instances. Each alert instance can have multiple notes. Columns are in alphabetical order.

Table A-7 AVSYS.ALERT_NOTE Table

Column Data Type Description

ALERT_ID

NUMBER

ID of this note.

ALERT_NOTE_ID

NUMBER

ID of alert instance associated with this note.

HEADER

VARCHAR2(4000 BYTE)

Header of this note.

ILM_TARGET

VARCHAR2(12)

ILM string for partition.

NOTE

CONTAINER VARCHAR2(30)

Content of this note.

NOTE_CREATOR

VARCHAR2(30)

User who created this note.

NOTE_OWNER

VARCHAR2(30)

Owner of this note, same as alert definition.

NOTE_TIMESTAMP

TIMESTAMP WITH LOCAL TIME ZONE

Time when this note was created.

OLDEST_EVENT_TIMESTAMP

TIMESTAMP WITH LOCAL TIME ZONE

Time of first event that triggered this alert instance.

A.5 Data for Entitlement Reports

The metadata for entitlement reports captures data such as package, role, and schema entitlements.

This section describes the data that you need to create entitlement reports:

Note:

In each of the preceding table names, "UE" means "User Entitlement."

Table A-8 describes the AVSYS.UE_DBA_APPLICATION_ROLES table, which stores information about roles granted to Oracle Database packages. Columns are in alphabetical order.

Table A-8 AVSYS.UE_DBA_APPLICATION_ROLES

Column Data Type Description

PACKAGE

VARCHAR2 (30)

Name of Oracle Database package to which role was granted

ROLE

VARCHAR2 (30)

Role granted to package

SCHEMA

VARCHAR2 (30)

Schema to which package belongs

SNAPSHOT_ID

NUMBER

Snapshot ID

Table A-9 describes the AVSYS.UE_DBA_COL_PRIVS table, which stores information about privileges granted to users on individual columns of Oracle Database tables. Columns are in alphabetical order.

Table A-9 AVSYS.UE_DBA_COL_PRIVS

Column Data Type Description

COMMON

VARCHAR2 (3)

For Oracle Database 12c, whether the user is common to a CDB and PDB:

  • Y - user is common to both

  • N - user is local to PDB

  • Null - database is not a CDB or PDB

CONTAINER

VARCHAR2 (30)

For Oracle Database 12c, the container (CDB) identifier.

COLUMN_NAME

VARCHAR2 (30)

Name of column on which privilege was granted

GRANTABLE

VARCHAR2 (3)

Whether the privilege was granted with the GRANTABLE option—YES or NO

GRANTEE

VARCHAR2 (30)

User to whom the column privilege was granted

GRANTOR

VARCHAR2 (30)

User who granted the column privilege to GRANTEE

OWNER

VARCHAR2 (30)

Column privilege owner

PRIVILEGE

VARCHAR2 (40)

Column privilege

SNAPSHOT_ID

NUMBER

Snapshot ID

TABLE_NAME

VARCHAR2 (30)

Name of Oracle Database table to which column belongs

Table A-10 describes the AVSYS.UE_DBA_PROFILES table, which stores information about Oracle Database profiles. Columns are in alphabetical order.

Table A-10 AVSYS.UE_DBA_PROFILES

Column Data Type Description

COMMON

VARCHAR2 (3)

For Oracle Database 12c, whether the user is common to a CDB and PDB:

  • Y - user is common to both

  • N - user is local to PDB

  • Null - database is not a CDB or PDB

CONTAINER

VARCHAR2 (30)

For Oracle Database 12c, the container (CDB) identifier.

LIMIT

VARCHAR2 (40)

Profile limit

PROFILE

VARCHAR2 (30)

Profile name

RESOURCE_NAME

VARCHAR2 (32)

Resource name

RESOURCE_TYPE

VARCHAR2 (8)

Resource type

SNAPSHOT_ID

NUMBER

Snapshot ID

Table A-11 describes the AVSYS.UE_DBA_ROLES table, which stores information about Oracle Database roles. The table has one row for each role. Columns are in alphabetical order.

Table A-11 AVSYS.UE_DBA_ROLES

Column Data Type Description

AUTHENTICATION_TYPE

VARCHAR2 (8)

Authentication mechanism for this user:

  • EXTERNAL - CREATE USER user1 IDENTIFIED EXTERNALLY

  • GLOBAL - CREATE USER user2 IDENTIFIED GLOBALLY

  • PASSWORD - CREATE USER user3 IDENTIFIED BY user3

COMMON

VARCHAR2 (3)

For Oracle Database 12c, whether the user is common to a CDB and PDB:

  • Y - user is common to both

  • N - user is local to PDB

  • Null - database is not a CDB or PDB

CONTAINER

VARCHAR2 (30)

For Oracle Database 12c, the container (CDB) identifier.

PASSWORD_REQUIRED

VARCHAR2 (8)

Whether the role requires a password—YES or NO

ROLE

VARCHAR2 (30)

Name of the role

SNAPSHOT_ID

NUMBER

Snapshot ID

Table A-12 describes the AVSYS.UE_DBA_ROLE_PRIVS table, which stores information about the roles granted to users and roles. Columns are in alphabetical order.

Table A-12 AVSYS.UE_DBA_ROLE_PRIVS

Column Data Type Description

COMMON

VARCHAR2 (3)

For Oracle Database 12c, whether the user is common to a CDB and PDB:

  • Y - user is common to both

  • N - user is local to PDB

  • Null - database is not a CDB or PDB

CONTAINER

VARCHAR2 (30)

For Oracle Database 12c, the container (CDB) identifier.

ADMIN_OPTION

VARCHAR2 (3)

Whether the privilege was granted with the ADMIN option—YES or NO

DEFAULT_ROLE

VARCHAR2 (3)

Whether the role is the default role for the user—YES or NO

GRANTED_ROLE

VARCHAR2 (30)

Name of the role granted to the user or role

GRANTEE

VARCHAR2 (30)

Name of the user or role to which the GRANTED_ROLE was granted

SNAPSHOT_ID

NUMBER

Snapshot ID

Table A-13 describes the AVSYS.UE_DBA_SYS_PRIVS table, which stores information about the system privileges granted to users and roles. Columns are in alphabetical order.

Table A-13 AVSYS.UE_DBA_SYS_PRIVS

Column Data Type Description

COMMON

VARCHAR2 (3)

For Oracle Database 12c, whether the user is common to a CDB and PDB:

  • Y - user is common to both

  • N - user is local to PDB

  • Null - database is not a CDB or PDB

CONTAINER

VARCHAR2 (30)

For Oracle Database 12c, the container (CDB) identifier.

ADMIN_OPTION

VARCHAR2 (3)

Whether the privilege was granted with the ADMIN option—YES or NO

GRANTEE

VARCHAR2 (30)

Name of the user or role to whom the system privilege was granted

PRIVILEGE

VARCHAR2 (40)

System privilege

SNAPSHOT_ID

NUMBER

Snapshot ID

Table A-14 describes the AVSYS.UE_DBA_TAB_PRIVS table, which stores information about the privileges granted to users on objects. Columns are in alphabetical order.

Table A-14 AVSYS.UE_DBA_TAB_PRIVS

Column Data Type Description

COMMON

VARCHAR2 (3)

For Oracle Database 12c, whether the user is common to a CDB and PDB:

  • Y - user is common to both

  • N - user is local to PDB

  • Null - database is not a CDB or PDB

CONTAINER

VARCHAR2 (30)

For Oracle Database 12c, the container (CDB) identifier.

GRANTABLE

VARCHAR2 (3)

Whether the privilege was granted with the GRANTABLE option—YES or NO

GRANTEE

VARCHAR2 (30)

User to whom the privilege was granted

GRANTOR

VARCHAR2 (30)

User who granted the privilege to GRANTEE

HIERARCHY

VARCHAR2 (3)

Whether the privilege was granted with the HIERARCHY option—YES or NO

OWNER

VARCHAR2 (30)

Owner of the object

PRIVILEGE

VARCHAR2 (40)

Privilege on the object

SNAPSHOT_ID

NUMBER

Snapshot ID

TABLE_NAME

VARCHAR2 (30)

Name of the object on which privilege was granted

TYPE

VARCHAR2 (24)

Object type (table, view, sequence, etc.)

Table A-15 describes the AVSYS.UE_DBA_USERS table, which has a row for every Oracle Database user. Columns are in alphabetical order.

Table A-15 AVSYS.UE_DBA_USERS

Column Data Type Description

ACCOUNT_STATUS

VARCHAR2 (32)

User account status, which is one of these:

  • OPEN

  • EXPIRED

  • EXPIRED(GRACE)

  • LOCKED(TIMED)

  • LOCKED

  • EXPIRED & LOCKED(TIMED)

  • EXPIRED(GRACE) & LOCKED(TIMED)

  • EXPIRED & LOCKED

  • EXPIRED(GRACE) & LOCKED

AUTHENTICATION_TYPE

VARCHAR2 (8)

Authentication mechanism for this user:

  • EXTERNAL - CREATE USER user1 IDENTIFIED EXTERNALLY

  • GLOBAL - CREATE USER user2 IDENTIFIED GLOBALLY

  • PASSWORD - CREATE USER user3 IDENTIFIED BY user3

COMMON

VARCHAR2 (3)

For Oracle Database 12c, whether the user is common to a CDB and PDB:

  • Y - user is common to both

  • N - user is local to PDB

  • Null - database is not a CDB or PDB

CONTAINER

VARCHAR2 (30)

For Oracle Database 12c, the container (CDB) identifier.

CREATED

TIMESTAMP (0) WITH LOCAL TIME ZONE

Date when user account was created

DEFAULT_TABLESPACE

VARCHAR2 (30)

Default tablespace for user

EDITIONS_ENABLED

VARCHAR2 (1)

Indicates whether editions have been enabled for the corresponding user (Y or N)

EXPIRY_DATE

TIMESTAMP (0) WITH LOCAL TIME ZONE

Date when user account expires or expired

EXTERNAL_NAME

VARCHAR2 (4000)

External name of user

INITIAL_RSRC_CONSUMER_GROUP

VARCHAR2 (30)

Initial resource consumer group

LAST_LOGON

TIMESTAMP (9) WITH LOCAL TIME ZONE

For Oracle Database 12c, time when user last logged on

LOCK_DATE

TIMESTAMP (0) WITH LOCAL TIME ZONE

Date when user account was locked

ORACLE_MAINTAINED

CHAR (1)

For Oracle Database 12c, whether user was created, and is maintained, by Oracle-supplied scripts. A value of Y means that user must not be changed in any way except by running an Oracle-supplied script.

PROFILE

VARCHAR2 (30)

User profile

PROXY_ONLY_CONNECT

CHAR (1)

For Oracle Database 12c, whether this user can connect only through a proxy

SNAPSHOT_ID

NUMBER

Snapshot ID

TEMPORARY_TABLESPACE

VARCHAR2 (30)

Temporary tablespace for user

USERNAME

VARCHAR2 (30)

Oracle Database user name

Table A-16 describes the AVSYS.UE_ROLE_SYS_PRIVS table, which stores information about system privileges granted to roles. Columns are in alphabetical order.

Table A-16 AVSYS.UE_ROLE_SYS_PRIVS

Column Data Type Description

COMMON

VARCHAR2 (3)

For Oracle Database 12c, whether the user is common to a CDB and PDB:

  • Y - user is common to both

  • N - user is local to PDB

  • Null - database is not a CDB or PDB

ADMIN_OPTION

VARCHAR2 (3)

Whether the privilege was granted with the ADMIN option—YES or NO

PRIVILEGE

VARCHAR2 (40)

System privilege granted to the role

ROLE

VARCHAR2 (30)

Name of role

SNAPSHOT_ID

NUMBER

Snapshot ID

Table A-17 describes the AVSYS.UE_ROLE_TAB_PRIVS table, which stores information about the table privileges granted to roles. Columns are in alphabetical order.

Table A-17 AVSYS.UE_ROLE_TAB_PRIVS

Column Data Type Description

COLUMN_NAME

VARCHAR2 (30)

Name of column on which privilege was granted

COMMON

VARCHAR2 (3)

For Oracle Database 12c, whether the user is common to a CDB and PDB:

  • Y - user is common to both

  • N - user is local to PDB

  • Null - database is not a CDB or PDB

GRANTABLE

VARCHAR2 (3)

Whether the privilege was granted with the GRANTABLE option—YES or NO

OWNER

VARCHAR2 (30)

Table privilege owner

PRIVILEGE

VARCHAR2 (40)

Table privilege

ROLE

VARCHAR2 (30)

Role to which table privilege was granted

TABLE_NAME

VARCHAR2 (30)

Name of Oracle Database table on which privilege was granted

UE_SNAPSHOT_SNAPSHOT_ID

NUMBER

Snapshot ID

Table A-18 describes the AVSYS.UE_SYS_DBA_OPER_USERS table, which stores information about all users in the password file. Columns are in alphabetical order.

Table A-18 AVSYS.UE_SYS_DBA_OPER_USERS

Column Data Type Description

CONTAINER

VARCHAR2 (30)

For Oracle Database 12c, the container (CDB) identifier.

SNAPSHOT_ID

NUMBER

Snapshot ID

SYSASM

VARCHAR2 (5)

Whether the user can connect to the database with the SYSASM privilege—TRUE or FALSE.

SYSBACKUP

VARCHAR2 (5)

Whether the user can connect to the database with the SYSBACKUP privilege—TRUE or FALSE.

SYSDBA

VARCHAR2 (5)

Whether the user can connect to the database with the SYSDBA privilege—TRUE or FALSE.

SYSDG

VARCHAR2 (5)

Whether the user can connect to the database with the SYSDG privilege—TRUE or FALSE.

SYSKM

VARCHAR2 (5)

Whether the user can connect to the database with the SYSKM privilege—TRUE or FALSE.

SYSOPER

VARCHAR2 (8)

Whether the user can connect to the database with the SYSOPER privilege—TRUE or FALSE.

USERNAME

VARCHAR2 (30)

User name in the password file

A.6 Data for SPA Reports

The metadata for stored Stored Procedure Auditing (SPA) reports captures data such as target IDs and object IDs.

This section describes data that you need to create custom Stored Procedure Auditing (SPA) reports:

Table A-19 describes the AVSYS.SPA_OBJECTS table, which stores summary data about stored procedure objects.

Table A-19 AVSYS.SPA_OBJECTS

Column Data Type Description

ID

INTEGER

Unique identifier for the object

SECURED_TARGET_ID

INTEGER

The target source of database objects

OBJECT_SUBTYPE

VARCHAR2(40 BYTE)

The subtype of the object

OBJECT_CLASS

VARCHAR2(40 BYTE)

The class of the object

NAME

VARCHAR2 (1024 CHAR)

The name of the object

CHANGED_BY

VARCHAR2 (2048 CHAR)

Comma-separated database users that modified the object

LAST_CHANGED_AT

TIMESTAMP WITH LOCAL TIME ZONE

The date and time when the object was changed

LAST_SIGNATURE

VARCHAR2 (40 BYTE)

The hash of the object (signature change means object change)

LAST_EDIT_TYPE

VARCHAR2 (40 BYTE)

The most recent type of the change

EDIT_CNT_NEW

INTEGER

Keeps the number of "new" edit records is for this object

EDIT_CNT_MODIFY

INTEGER

Keeps the number of "modify" edit records is for this object

EDIT_CNT_DELETE

INTEGER

Keeps the number of "delete" edit records is for this object

CHANGES_SUMMARY

VARCHAR2(255 CHAR)

The summary of the changes

UPDATED_AT

TIMESTAMP WITH LOCAL TIME ZONE

The date and time when the record was updated by the Database Firewall software

Table A-20 describes the AVSYS.SPA_EDITS table, which stores data about, and the content of, stored procedure edits.

Table A-20 AVSYS.SPA_EDITS

Column Data Type Description

ID

INTEGER

Unique identifier for the object

OBJECT_ID

INTEGER

Foreign key that references the ID column of the AVSYS.SPA_OBJECTS table

SIGNATURE

VARCHAR2 (40 BYTE)

The hash of the object (signature change means object change)

CONTENT

CLOB

The new content of the object

EDIT_TYPE

VARCHAR2 (40 BYTE)

The type of the change

CHANGED_BY

VARCHAR2 (255 CHAR)

The database user that modified the object

CHANGED_AT

TIMESTAMP WITH LOCAL TIME ZONE

The date and time when the object was changed

DETECTED_AT

TIMESTAMP WITH LOCAL TIME ZONE

The date and time when the change was detected on the controller

A.7 Data for Database Firewall Reports

The metadata for custom Database Firewall reports captures data such as target databases and types of statements included.

This section describes data that you need to create custom Database Firewall reports:

Table A-21 describes the AVSYS.FW_CLUSTERS table, which provides summary data on cluster traffic to target databases, and gives an example statement that would appear in a given cluster.

Table A-21 AVSYS.FW_CLUSTER

Column Data Type Description

ID

NUMBER

Cluster global identifier

SECURED_TARGET_ID

INTEGER

The target database for this cluster

GRAMMAR_VERSION

INTEGER

Version number of the Database Firewall grammar

FIREWALL_DIALECT

SMALLINTEGER

Database type of the cluster.

See Also:

Table A-2 for meaning.

CLUSTER_TYPE

VARCHAR2 (40 BYTE)

Type of statements included in the cluster

REPRESENTATION

CLOB

Cluster path representation

CLUSTER_EXAMPLE

CLOB

An example statement in the cluster

Table A-22 describes the AVSYS.FW_CLUSTER_COMPONENTS table, which provides cluster data broken down into cluster components. This data may be used, for example, to report on clusters related to a specific database table or table column.

Table A-22 AVSYS.FW_CLUSTER_COMPONENT

Column Data Type Description

CLUSTER_ID

INTEGER

Foreign key that references the ID column of the AVSYS.FW_CLUSTERS table

COMPONENT_INDEX

INTEGER

Index of the component (starts with 1)

COMPONENT_TYPE

VARCHAR2(50 BYTE)

Component type may be one of: 'keyword', 'column', 'table', 'procedure', 'cluster_set', 'function', '_'

COMPONENT_VALUE

VARCHAR2(4000 CHAR)

The component string

COMPONENT_USAGE

VARCHAR2(50 BYTE)

Component usage may be one of: NULL,'read', 'write', 'define', 'call', 'control'