Auditing Oracle Database Vault

A Auditing Oracle Database Vault

You can audit activities in Oracle Database Vault, such as changes to policy configurations.

About Auditing in Oracle Database Vault
All activities in Oracle Database Vault can be audited, including Database Vault administrator activities.
Oracle Database Vault Specific Audit Events
Oracle Database Vault traditional (non-unified) audit events track activities such as whether an action attempted on a realm was successful.
Archiving and Purging the Oracle Database Vault Audit Trail
If you have not migrated to unified auditing, you should periodically archive and purge the Oracle Database Vault audit trail.
Oracle Database Vault Predefined Unified Audit Policies
Oracle Database provides two predefined unified audit policies for Oracle Database Vault: ORA_DV_SCHEMA_CHANGES and ORA_DV_DEFAULT_PROTECTION.

A.1 About Auditing in Oracle Database Vault

All activities in Oracle Database Vault can be audited, including Database Vault administrator activities.

Auditing Oracle Database Vault Using Unified Auditing
Oracle recommends that you migrate all your Oracle Database Vault audit policies to unified auditing.
Auditing Oracle Database Vault Using Traditional Auditing
Traditional auditing is desupported, but traditional audit settings in an upgraded database can be used with some limitations.

Parent topic: Auditing Oracle Database Vault

A.1.1 Auditing Oracle Database Vault Using Unified Auditing

Oracle recommends that you migrate all your Oracle Database Vault audit policies to unified auditing.

To create new audit policies in Oracle Database Vault, you must use unified auditing. Traditional auditing is no longer supported as of Oracle Database 23ai for new audit settings, though the current existing traditional audit settings are still honored.

The unified audit trail will capture Oracle Database Vault unified audit policy records, as well as mandatory Oracle Database Vault audits.

In addition to this functionality, unified auditing provides the following two predefined policies that are designed for commonly used Database Vault auditing needs:

ORA_DV_SCHEMA_CHANGES (previously called ORA_DV_AUDPOL) audits Oracle Database Vault DVSYS and LBACSYS schema objects.
ORA_DV_DEFAULT_PROTECTION (previously called ORA_DV_AUDPOL2) audits the Oracle Database Vault default realms and command rules.

In a new Oracle Database installation, the ORA_DV_SCHEMA_CHANGES and ORA_DV_DEFAULT_PROTECTION policies are enabled by default. In an upgraded Oracle database, these policies are not enabled by default.

When you use unified auditing, the auditing features in the Database Vault APIs (the audit_options parameter) are no longer effective. You should archive and then purge these audit records. From then on, you can manage Database Vault audit policies through the unified audit policy SQL statements.

All configuration changes made to Database Vault are mandatorily audited and these audit records are written to the unified audit trail, including actions of unprivileged users who attempt to modify Database Vault policies.

To learn how to create unified audit policies, including finding examples of Oracle Database Vault unified audit policies, see Oracle Database Security Guide.

Related Topics

Archiving and Purging the Oracle Database Vault Audit Trail

Parent topic: About Auditing in Oracle Database Vault

A.1.2 Auditing Oracle Database Vault Using Traditional Auditing

Traditional auditing is desupported, but traditional audit settings in an upgraded database can be used with some limitations.

The traditional audit settings are controlled through the audit_options parameter when you create or modify realms, rule sets, and factors. The audit indicates if the user's action succeeded (that is, the policy enabled the user to accomplish a task) or if the user's action failed (the policy was violated). Database Vault APIs use this parameter to collect audit records and write these audit records to the Oracle Database Vault data dictionary views and reports. Though traditional auditing is desupported starting in Oracle Database release 23ai, any current existing Oracle Database Vault traditional audit settings that you have will still be honored. However, you cannot create new traditional audit settings. You can delete existing traditional audit settings. For example, suppose you created a realm in an earlier release and this realm uses traditional auditing. If you want to update the audit settings for the realm, then the only option available for the audit_options parameter is the OFF option. To track auditing for the realm, create a unified audit policy. If you do not update the audit_options parameter, that is, if you do not update the realm, or if you use NULL or the same audit_options setting as the current existing setting when updating the realm, then the traditional audit settings defined by audit_options will remain as is and continue to work.

When you install a new database and configure it to use Oracle Database Vault, then by default it uses unified auditing only. If you have upgraded from a previous release, then Database Vault uses the auditing that was available from that release.

See Oracle Database Security Guide for more information about how the desupport of traditional auditing works.

Related Topics

Archiving and Purging the Oracle Database Vault Audit Trail

Parent topic: About Auditing in Oracle Database Vault

A.2 Oracle Database Vault Specific Audit Events

Oracle Database Vault traditional (non-unified) audit events track activities such as whether an action attempted on a realm was successful.

Oracle Database Vault Policy Audit Events
Oracle Database Vault uses audit events to track configuration activities, using traditional, non-unified auditing.
Oracle Database Vault Audit Trail Record Format
The DVSYS.AUDIT_TRAIL$ table stores traditional audit trail records.

Parent topic: Auditing Oracle Database Vault

A.2.1 Oracle Database Vault Policy Audit Events

Oracle Database Vault uses audit events to track configuration activities, using traditional, non-unified auditing.

These activities are as follows:

Realm Audit. You can audit both successful and failed actions, based on the auditing option that you set when you created the realm. The exception to this is actions performed by the schema owner.
Rule Set Audit. Audits the rule set processing results. You can audit both successful and failed processing. Realm authorizations can be managed using rule sets. You can audit the rule set processing results. Factor assignments and secure application roles audits can be managed using a rule set.
Factor Audit. You can audit both successful and failed factor processing. For failed factor processing, you can audit on all or any of the following events: Retrieval Error, Retrieval Null, Validation Error, Validation False, Trust Level Null, or Trust Level Less Than Zero.
Oracle Label Security Session Initialization Failed. Audits instances where the Oracle Label Security session fails to initialize.
Oracle Label Security Attempt to Upgrade Session Label Failed. Audits instances where the Oracle Label Security component prevents a session from setting a label that exceeds the maximum session label.

A.2.2 Oracle Database Vault Audit Trail Record Format

The DVSYS.AUDIT_TRAIL$ table stores traditional audit trail records.

Starting in Oracle Database 23ai, traditional auditing is desupported. However, traditional audit settings that are currently in place will still be honored. The audit_options settings from realms, rule sets, or factors from a previous release will continue to write to the DVSYS.AUDIT_TRAIL$ table.

Users who have been granted the DV_OWNER, DV_ADMIN, DV_SECANALYST or DV_MONITOR role can directly query the DVSYS.AUDIT_TRAIL$ table.

Table A-1 describes the format of the DVSYS.AUDIT_TRAIL$ table.

Table A-1 Oracle Database Vault Audit Trail Format

Column	Datatype	Null	Description
`ID#`	`NUMBER`	`NOT NULL`	Numeric identifier for the audit record
`OS_USERNAME`	`VARCHAR2(255)`	`NULL`	Operating system login user name of the user whose actions were audited
`USERNAME`	`VARCHAR2(30)`	`NULL`	Name of the database user whose actions were audited
`USERHOST`	`VARCHAR2(128)`	`NULL`	Client computer name
`TERMINAL`	`VARCHAR2(255)`	`NULL`	Identifier for the user's terminal
`TIMESTAMP`	`DATE`	`NULL`	Date and time of creation of the audit trail entry (in the local database session time zone)
`OWNER`	`VARCHAR2(30)`	`NULL`	Creator of the object affected by the action, always `DVSYS` (because `DVSYS` is where objects are created)
`OBJ_NAME`	`VARCHAR2(128)`	`NULL`	Name of the object affected by the action. Expected values are: `ROLE$` `REALM$` `CODE$` `FACTOR$`
`ACTION`	`NUMBER`	`NOT NULL`	Numeric action type code. The corresponding name of the action type is in the `ACTION_NAME` column. See Table 24-3 for a list of the expected `ACTION` and `ACTION_NAME` values.
`ACTION_NAME`	`VARCHAR2(128)`	`NULL`	Name of the action type corresponding to the numeric code in the `ACTION` column
`ACTION_OBJECT_ID`	`NUMBER`	`NULL`	The unique identifier of the record in the table specified under `OBJ_NAME`. For realms, this field contains a list of comma-separated values of all realm IDs that have the Audit on Failure audit option.
`ACTION_OBJECT_NAME`	`VARCHAR2(128)`	`NULL`	The unique name or natural key of the record in the table specified under `OBJ_NAME`. For realms, this field contains a list of comma-separated values of all realm names that have the Audit on Failure audit option.
`ACTION_COMMAND`	`VARCHAR2(4000)`	`NULL`	The SQL text of the command procedure that was run that resulted in the audit event being triggered
`AUDIT_OPTION`	`VARCHAR2(4000)`	`NULL`	The labels for all audit options specified in the record that resulted in the audit event being triggered. For example, a factor set operation that is supposed to audit on get failure and get `NULL` would indicate these two options.
`RULE_SET_ID`	`NUMBER`	`NULL`	The unique identifier of the rule set that was executing and caused the audit event to trigger
`RULE_SET_NAME`	`VARCHAR2(30)`	`NULL`	The unique name of the rule set that was executing and caused the audit event to trigger
`RULE_ID`	`NUMBER`	`NULL`	Not used
`RULE_NAME`	`VARCHAR2(30)`	`NULL`	Not used
`FACTOR_CONTEXT`	`VARCHAR2(4000)`	`NULL`	An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered
`COMMENT_TEXT`	`VARCHAR2(4000)`	`NULL`	Text comment on the audit trail entry, providing more information about the statement audited
`SESSIONID`	`NUMBER`	`NOT NULL`	Numeric identifier for each Oracle session
`ENTRYID`	`NUMBER`	`NOT NULL`	Same as the value in the `ID#` column
`STATEMENTID`	`NUMBER`	`NOT NULL`	Numeric identifier for the statement invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events.
`RETURNCODE`	`NUMBER`	`NOT NULL`	Oracle error code generated by the action. The error code for a statement or procedure invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events.
`EXTENDED_TIMESTAMP`	`TIMESTAMP(6) WITH TIME ZONE`	`NULL`	Time stamp of creation of the audit trail entry (time stamp of user login for entries) in UTC (Coordinated Universal Time) time zone
`PROXY_SESSIONID`	`NUMBER`	`NULL`	Proxy session serial number, if an enterprise user has logged in through the proxy mechanism
`GLOBAL_UID`	`VARCHAR2(32)`	`NULL`	Global user identifier for the user, if the user has logged in as an enterprise user
`INSTANCE_NUMBER`	`NUMBER`	`NULL`	Instance number as specified by the `INSTANCE_NUMBER` initialization parameter
`OS_PROCESS`	`VARCHAR2(16)`	`NULL`	Operating system process identifier of the Oracle process
`CREATED_BY`	`VARCHAR2(30)`	`NULL`	Database login user name of the user whose actions were audited
`CREATE_DATE`	`DATE`	`NULL`	Date on which the action occurred, based on the `SYSDATE` date
`UPDATED_BY`	`VARCHAR2(30)`	`NULL`	Same as `CREATED_BY` column value
`UPDATE_DATE`	`DATE`	`NULL`	Same as `UPDATED_BY` column value

Parent topic: Oracle Database Vault Specific Audit Events

A.3 Archiving and Purging the Oracle Database Vault Audit Trail

If you have not migrated to unified auditing, you should periodically archive and purge the Oracle Database Vault audit trail.

About Archiving and Purging the Oracle Database Vault Audit Trail
In a traditional, non-unified auditing environment, you can archive the Oracle Database Vault audit trail by exporting the DVSYS.AUDIT_TRAIL$ table to a dump file.
Archiving the Oracle Database Vault Audit Trail
You can use SQL*Plus and Oracle Data Pump to archive the Oracle Database Vault audit trail from the root or a PDB.
Purging the Oracle Database Vault Audit Trail
You can purge the (traditional, non-unified auditing) Oracle Database Vault audit trail from the root or a PDB.

Parent topic: Auditing Oracle Database Vault

A.3.1 About Archiving and Purging the Oracle Database Vault Audit Trail

In a traditional, non-unified auditing environment, you can archive the Oracle Database Vault audit trail by exporting the DVSYS.AUDIT_TRAIL$ table to a dump file.

You should periodically archive and then purge the audit trail to prevent it from growing too large.

If you choose to migrate to unified auditing, then use this procedure to archive and purge the Database Vault audit trail records after you complete the migration. When unified auditing begins to collect records, then the new records will be available for viewing from the UNIFIED_AUDIT_TRAIL, AUDSYS.DV$CONFIGURATION_AUDIT, and AUDSYS.DV$ENFORCEMENT_AUDIT data dictionary views.

Parent topic: Archiving and Purging the Oracle Database Vault Audit Trail

A.3.2 Archiving the Oracle Database Vault Audit Trail

You can use SQL*Plus and Oracle Data Pump to archive the Oracle Database Vault audit trail from the root or a PDB.

Use this procedure to archive the traditional, non-unified audit trail in Oracle Database Vault.

As user SYS with the SYSDBA administrative privilege, log in to the root or to the PDB.
Ensure that the user who will perform archiving has the appropriate privileges.
For example:
```
GRANT CREATE ANY DIRECTORY, EXP_FULL_DATABASE, UNLIMITED TABLESPACE TO psmith;
```
Connect to the root or the PDB as a user who has been granted the DV_OWNER or DV_AUDIT_CLEANUP role.

Ensure that the user who will perform archiving has the appropriate privileges.

GRANT CREATE ANY DIRECTORY, EXP_FULL_DATABASE, UNLIMITED TABLESPACE TO user_name;

Connect to the root or the PDB as a user who has been granted the DV_OWNER or DV_AUDIT_CLEANUP role.
Archive the Oracle Database Vault audit trail into a new table in an appropriate schema.
For example:
```
CREATE TABLE psmith.dv_audit_trail nologging \
AS SELECT * FROM DVSYS.AUDIT_TRAIL$;
```
If the schema is already protected by a realm, then ensure that you or the user performing the export operation has been granted the appropriate authorization to use Oracle Data Pump in a Database Vault environment.
For example, to authorize user psmith to perform Data Pump operations on their own schema:
```
EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('PSMITH', 'PSMITH');
```
Connect to the root or the PDB as the Data Pump user.

Create a directory for the Database Vault audit trail.

CREATE DIRECTORY dv_audit_dir AS 'dv_audit_trail_directory';

Exit SQL*Plus.
```
EXIT
```

Using Data Pump, export the Database Vault audit trail into the directory object that you just created.

expdp psmith directory=dv_audit_dir tables=psmith.dv_audit_trail \
dumpfile=dv_audit.dmp log=dv_audit_exp.log

Connect to the root or the PDB as a user who has been granted the DV_OWNER role.

If you have not done so, then create a realm around the schema that now contains the Database Vault audit trail.

Create the realm. For example:

BEGIN
 DBMS_MACADM.CREATE_REALM(
  realm_name    => 'DV Audit Trail Realm', 
  description   => 'Realm to protect the DV audit trail', 
  enabled       => DBMS_MACUTL.G_YES, 
  audit_options => DBMS_MACUTL.G_REALM_AUDIT_ON,
  realm_type    => DBMS_MACADM.MANDATORY_REALM);
END; 
/

Add the schema that contains to audit trail to this realm. For example:

BEGIN
 DBMS_MACADM.ADD_OBJECT_TO_REALM(
  realm_name   => 'DV Audit Trail Realm', 
  object_owner => 'psmith', 
  object_name  => '%', 
  object_type  => '%'); 
END;
/

Authorize a trusted user for this realm.

BEGIN
 DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name  => 'DV Audit Trail Realm', 
  grantee     => 'PSMITH',
  auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

A.3.3 Purging the Oracle Database Vault Audit Trail

You can purge the (traditional, non-unified auditing) Oracle Database Vault audit trail from the root or a PDB.

As user who has been granted the DV_OWNER role or the DV_AUDIT_CLEANUP role, log in to the root or to the PDB.
Purge the Database Vault audit trail.
```
DELETE FROM DVSYS.AUDIT_TRAIL$;
```

Related Topics

DV_AUDIT_CLEANUP Audit Trail Cleanup Role

Parent topic: Archiving and Purging the Oracle Database Vault Audit Trail

A.4 Oracle Database Vault Predefined Unified Audit Policies

Oracle Database provides two predefined unified audit policies for Oracle Database Vault: ORA_DV_SCHEMA_CHANGES and ORA_DV_DEFAULT_PROTECTION.

ORA_DV_SCHEMA_CHANGES audits Oracle Database Vault DVSYS and LBACSYS schema objects. See Oracle Database Security Guide for detailed information about this predefined policy.
ORA_DV_DEFAULT_PROTECTION audits the Oracle Database Vault default realms and command rules. See Oracle Database Security Guide for detailed information about this predefined policy.

You can find the definitions of these policies by querying the AUDIT_UNIFIED_POLICIES data dictionary view. For the policy_name parameter, specify ORA_DV_SCHEMA_CHANGES or ORA_DV_DEFAULT_PROTECTION.

Parent topic: Auditing Oracle Database Vault