B Oracle Audit Vault and Database Firewall Database Schemas
Learn about the Oracle Audit Vault and Database Firewall schemas.
B.1 About Oracle Audit Vault and Database Firewall Schemas
Oracle Audit Vault and Database Firewall has internal data warehouse schemas that manage the audit data collected from the targets.
The data warehouse schemas collect the data from the Oracle Audit Vault and Database Firewall collection agents, organize it, and then provide it in report format.
To create custom reports using tools like Oracle Business Intelligence Publisher and the Oracle Business Intelligence Suite:
-
You must understand the structure of the data warehouse schema
AVSYS
, which this appendix describes. -
You must understand the structure of the audit events provided by the supported targets—Oracle Database, Microsoft SQL Server, Sybase Adaptive Server Enterprise (ASE), and IBM DB2.
You can create these kinds of custom reports:
-
Activity reports
-
Event reports
-
Alert reports
-
Entitlement reports
The data that you need to create the other kinds of reports is in the AVSYS
schema.
See Also:
B.2 Metadata for Activity Reports
The metadata for activity reports captures data such as connect strings and creation times.
This section describes the metadata that you need to create activity reports:
Table B-1 describes the AVSYS.SECURED_TARGET
table, which has one row for each target. Columns are in alphabetical order.
Table B-1 AVSYS.SECURED_TARGET Table
Column | Data Type | Description |
---|---|---|
|
|
'Y' if target is active, 'N' otherwise. |
|
|
String that identifies target when you try to connect it to the system. |
|
|
Creation time of the connection between target and the system. |
|
|
Description of target. |
|
|
ID number of firewall policy associated with target, if any; otherwise |
|
|
ID of the target. |
|
|
Name of target. |
|
|
ID number of type of target. This value must be in |
|
|
Oracle AVDF user that is authorized to transfer events from an Audit Vault Agent to an Audit Vault Server. |
Table B-2 describes the AVSYS.SECURED_TARGET_TYPE
table, which has one row for each target type. Columns are in alphabetical order.
Table B-2 AVSYS.SECURED_TARGET_TYPE Table
Column | Data Type | Description |
---|---|---|
|
|
ID number of Oracle Database Firewall type. |
|
|
ID number of target type. |
|
|
Name of target type. |
Table B-3 describes the AVSYS.AUDIT_TRAIL
table, which has one row for each audit trail. Columns are in alphabetical order.
Table B-3 AVSYS.AUDIT_TRAIL Table
Column | Data Type | Description |
---|---|---|
|
|
ID number of this audit trail. |
|
|
Type of this audit trail (for example, |
|
|
(Currently unavailable functionality) |
|
|
Name of agent host for this audit trail. |
|
|
|
|
|
ID number of source of this audit trail. |
|
|
Name of type of target for this audit trail. This value must be in |
B.3 Data for Event Reports
The metadata for event reports captures data such as actions taken or alerts raised.
This section describes the data that you need to create event reports.
Table B-4 describes the AVSYS.EVENT_LOG
table, which has one row for each audit event. Columns are in alphabetical order.
Table B-4 AVSYS.EVENT_LOG Table
Column | Data Type | Description |
---|---|---|
|
|
Action taken for the event— |
|
|
0 if no alert was raised for the event, 1 otherwise. Default: 0 |
|
|
ID of the audit trail from which the event was collected. |
|
|
Time when the event was recorded in Oracle AVDF repository. |
|
|
Name of client host where the user started the action. |
|
|
Client identifier of the user whose actions were audited |
|
|
Internet protocol (IP) address of |
|
|
Client program where the event occurred. |
|
|
Global ID number of cluster where the event occurred. |
|
|
Type number of cluster where the event occurred (identifies type of statements in cluster). |
|
|
Action performed in the event (for example, |
|
|
Command parameters that caused the event. |
|
|
Text of command that caused the event (which can be, for example, a SQL or PL/SQL statement). |
|
|
Transaction log data (before and after values) in |
|
|
Error code of an action. |
|
|
Error message of an action. |
|
|
Name of the event, exactly as in the audit trail. |
|
|
Status of the event— |
|
|
Time when the event occurred. If the event has more than one time stamp (for example, an event start time stamp and an event end time stamp), then the collector plug-in must assign a time stamp to this field. If this field contains |
|
|
Stores fields that cannot be accommodated in core or large fields (such as name-value pairs, separated by delimiters). |
|
|
Version of grammar that the Database Firewall used when it detected the event. This version is internal to the Database Firewall and not related to the database version. |
|
|
Cause of the event, as recorded in the log: |
|
|
Opaque internal log file ID. |
|
|
Uniquely identifies a record in an audit trail. During the recovery process, Oracle AVDF uses this field to filter duplicate records. The collector plug-in provides the marker field, which is typically a concatenated subset of the fields of an audit record. For example, in Oracle database, the session ID and entry ID (a unique identifier within a session) define a marker. |
|
|
This is an internal column. If its value is not |
|
|
Name of user who logged into the operating system that generated the audit record. If the user logged into the operating system as |
|
|
Operating system user name that executed the SQL command |
|
|
Name of policy file that the Database Firewall used when it detected the event. |
Oracle AVDF 20.3 and later |
|
Name of policy file that the Database Firewall used when it detected the event. In case of audit data collected by the Agent, the policy name contains the audit policies that caused the current event. |
|
|
ID number of audit record for the event. |
|
|
Name of target where event occurred. |
|
|
Type of target where event occurred. |
|
|
Name of database service to which the client session connects. |
|
|
Name of object on which the action was performed. For example, if the user selected from a table, then this field contains the name of the table. |
|
|
Name of owner of target on which the action was performed. For example, if the user selected from a table owned by user |
|
|
Type of target object on which the action was performed. For example, if the user selected from a table, then this field contains |
|
|
Name of the terminal (for example, Unix terminal) that was the source of the event |
|
|
The severity of the threat detected by the Database Firewall. This field may have
one of the values: The threat severity differentiates the importance of each event. This is defined in the Database Firewall policy. You can choose the value for each rule that triggers the event. The Database Firewall policy auditor can apply their own judgement when choosing the value assigned to each rule. This severity level later appears in the reports if the statement is logged. Note: In Oracle AVDF release 20.5 and prior, the
pre-defined Database Firewall policy does not define the threat
severity value. In the reports it would appear as
|
|
|
Name of user who performed the action in the application or system that generated the audit record. If this field contains |
Oracle AVDF 20.3 and later |
|
Audit types for Oracle Database target:
|
Oracle AVDF 20.3 and later |
|
Application context information. |
Oracle AVDF 20.4 and later |
|
The name of the DB2 database that contains the audit records. |
Oracle AVDF 20.4 and later |
|
The name of the instance which hosts the DB2 database. |
|
|
The ID of the audit trail. |
|
|
The location of the audit trail. For example: Audit Table or Audit File. |
|
|
PDB name of the CDB target. |
|
|
Number of rows returned (Database Firewall). |
|
|
The type of the target. For example: database or operating system. |
|
|
ID of the target. |
B.4 Data for Alert Reports
The metadata for alert reports captures data such as alert definitions and alert IDs.
This section describes the data that you need to create alert reports:
Table B-5 describes the AVSYS.ALERT_STORE
table, which has one row for each alert instance. Columns are in alphabetical order.
Table B-5 AVSYS.ALERT_STORE Table
Column | Data Type | Description |
---|---|---|
|
|
ID number of definition of this alert. |
|
|
ID number of alert instance. |
|
|
Name of this alert in alert definition. |
|
|
Alert owner (same as alert definition owner). |
|
|
Alert severity—1=Warning, 2=Critical. |
|
|
Alert status— |
|
|
Time when alert instance was raised. |
|
|
|
|
|
List of addresses for "cc" field of email about this alert instance. |
|
|
Message in email about this alert instance. |
|
|
Indicates if email was sent for this alert instance. |
|
|
Time when email about this alert instance was sent. |
|
|
List of addresses for "to" field of email about this alert instance. |
|
|
Information lifecycle management (ILM) string for partition. |
|
|
Time of first event that triggered this alert instance. |
Table B-6 describes the AVSYS.ALERT_EVENT_MAP
table, which maps each alert instance to its related events. When an alert instance is related to multiple events, each event has a different RECORD_ID
. Columns are in alphabetical order.
Table B-6 AVSYS.ALERT_EVENT_MAP Table
Column | Data Type | Description |
---|---|---|
|
|
ID of alert instance. |
|
|
Alert owner, same as alert definition owner. |
|
|
Time of event that triggered this alert instance. |
|
|
ILM string for partition. |
|
|
Time of first event that triggered this alert instance. If this alert instance is related to only one event, then this value is the same as the value of |
|
|
Record ID of the event related to this alert instance. |
|
|
The ID of the target. |
|
|
The name of the target. |
|
|
The user name of the event. |
Table B-7 describes the AVSYS.ALERT_NOTE
table, which stores notes for alert instances. Each alert instance can have multiple notes. Columns are in alphabetical order.
Table B-7 AVSYS.ALERT_NOTE Table
Column | Data Type | Description |
---|---|---|
|
|
ID of this note. |
|
|
ID of alert instance associated with this note. |
|
|
Header of this note. |
|
|
ILM string for partition. |
|
|
Content of this note. |
|
|
User who created this note. |
|
|
Owner of this note, same as alert definition. |
|
|
Time when this note was created. |
|
|
Time of first event that triggered this alert instance. |
B.5 Data for Entitlement Reports
The metadata for entitlement reports captures data such as package, role, and schema entitlements.
This section describes the data that you need to create entitlement reports:
Note:
In each of the preceding table names, "UE" means "User Entitlement."
Table B-8 describes the AVSYS.UE_DBA_APPLICATION_ROLES
table, which stores information about roles granted to Oracle Database packages. Columns are in alphabetical order.
Table B-8 AVSYS.UE_DBA_APPLICATION_ROLES
Column | Data Type | Description |
---|---|---|
|
|
Name of Oracle Database package to which role was granted |
|
|
Role granted to package |
|
|
Schema to which package belongs |
|
|
Snapshot ID |
Table B-9 describes the AVSYS.UE_DBA_COL_PRIVS
table, which stores information about privileges granted to users on individual columns of Oracle Database tables. Columns are in alphabetical order.
Table B-9 AVSYS.UE_DBA_COL_PRIVS
Column | Data Type | Description |
---|---|---|
|
|
For Oracle Database 12c, whether the user is common to a CDB and PDB:
|
|
|
For Oracle Database 12c, the container (CDB) identifier. |
|
|
Name of column on which privilege was granted |
|
|
Whether the privilege was granted with the |
|
|
User to whom the column privilege was granted |
|
|
User who granted the column privilege to |
|
|
Column privilege owner |
|
|
Column privilege |
|
|
Snapshot ID |
|
|
Name of Oracle Database table to which column belongs |
Table B-10 describes the AVSYS.UE_DBA_PROFILES
table, which stores information about Oracle Database profiles. Columns are in alphabetical order.
Table B-10 AVSYS.UE_DBA_PROFILES
Column | Data Type | Description |
---|---|---|
|
|
For Oracle Database 12c, whether the user is common to a CDB and PDB:
|
|
|
For Oracle Database 12c, the container (CDB) identifier. |
|
|
Profile limit |
|
|
Profile name |
|
|
Resource name |
|
|
Resource type |
|
|
Snapshot ID |
Table B-11 describes the AVSYS.UE_DBA_ROLES
table, which stores information about Oracle Database roles. The table has one row for each role. Columns are in alphabetical order.
Table B-11 AVSYS.UE_DBA_ROLES
Column | Data Type | Description |
---|---|---|
|
|
Authentication mechanism for this user:
|
|
|
For Oracle Database 12c, whether the user is common to a CDB and PDB:
|
|
|
For Oracle Database 12c, the container (CDB) identifier. |
|
|
Whether the role requires a password— |
|
|
Name of the role |
|
|
Snapshot ID |
Table B-12 describes the AVSYS.UE_DBA_ROLE_PRIVS
table, which stores information about the roles granted to users and roles. Columns are in alphabetical order.
Table B-12 AVSYS.UE_DBA_ROLE_PRIVS
Column | Data Type | Description |
---|---|---|
|
|
For Oracle Database 12c, whether the user is common to a CDB and PDB:
|
|
|
For Oracle Database 12c, the container (CDB) identifier. |
|
|
Whether the privilege was granted with the |
|
|
Whether the role is the default role for the user— |
|
|
Name of the role granted to the user or role |
|
|
Name of the user or role to which the |
|
|
Snapshot ID |
Table B-13 describes the AVSYS.UE_DBA_SYS_PRIVS
table, which stores information about the system privileges granted to users and roles. Columns are in alphabetical order.
Table B-13 AVSYS.UE_DBA_SYS_PRIVS
Column | Data Type | Description |
---|---|---|
|
|
For Oracle Database 12c, whether the user is common to a CDB and PDB:
|
|
|
For Oracle Database 12c, the container (CDB) identifier. |
|
|
Whether the privilege was granted with the |
|
|
Name of the user or role to whom the system privilege was granted |
|
|
System privilege |
|
|
Snapshot ID |
Table B-14 describes the AVSYS.UE_DBA_TAB_PRIVS
table, which stores information about the privileges granted to users on objects. Columns are in alphabetical order.
Table B-14 AVSYS.UE_DBA_TAB_PRIVS
Column | Data Type | Description |
---|---|---|
|
|
For Oracle Database 12c, whether the user is common to a CDB and PDB:
|
|
|
For Oracle Database 12c, the container (CDB) identifier. |
|
|
Whether the privilege was granted with the |
|
|
User to whom the privilege was granted |
|
|
User who granted the privilege to |
|
|
Whether the privilege was granted with the |
|
|
Owner of the object |
|
|
Privilege on the object |
|
|
Snapshot ID |
|
|
Name of the object on which privilege was granted |
|
|
Object type (table, view, sequence, etc.) |
Table B-15 describes the AVSYS.UE_DBA_USERS
table, which has a row for every Oracle Database user. Columns are in alphabetical order.
Table B-15 AVSYS.UE_DBA_USERS
Column | Data Type | Description |
---|---|---|
|
|
User account status, which is one of these:
|
|
|
Authentication mechanism for this user:
|
|
|
For Oracle Database 12c, whether the user is common to a CDB and PDB:
|
|
|
For Oracle Database 12c, the container (CDB) identifier. |
|
|
Date when user account was created |
|
|
Default tablespace for user |
|
|
Indicates whether editions have been enabled for the corresponding user ( |
|
|
Date when user account expires or expired |
|
|
External name of user |
|
|
Initial resource consumer group |
|
|
For Oracle Database 12c, time when user last logged on |
|
|
Date when user account was locked |
|
|
For Oracle Database 12c, whether user was created, and is maintained, by Oracle-supplied scripts. A value of |
|
|
User profile |
|
|
For Oracle Database 12c, whether this user can connect only through a proxy |
|
|
Snapshot ID |
|
|
Temporary tablespace for user |
|
|
Oracle Database user name |
Table B-16 describes the AVSYS.UE_ROLE_SYS_PRIVS
table, which stores information about system privileges granted to roles. Columns are in alphabetical order.
Table B-16 AVSYS.UE_ROLE_SYS_PRIVS
Column | Data Type | Description |
---|---|---|
|
|
For Oracle Database 12c, whether the user is common to a CDB and PDB:
|
|
|
Whether the privilege was granted with the |
|
|
System privilege granted to the role |
|
|
Name of role |
|
|
Snapshot ID |
Table B-17 describes the AVSYS.UE_ROLE_TAB_PRIVS
table, which stores information about the table privileges granted to roles. Columns are in alphabetical order.
Table B-17 AVSYS.UE_ROLE_TAB_PRIVS
Column | Data Type | Description |
---|---|---|
|
|
Name of column on which privilege was granted |
|
|
For Oracle Database 12c, whether the user is common to a CDB and PDB:
|
|
|
Whether the privilege was granted with the |
|
|
Table privilege owner |
|
|
Table privilege |
|
|
Role to which table privilege was granted |
|
|
Name of Oracle Database table on which privilege was granted |
|
|
Snapshot ID |
Table B-18 describes the AVSYS.UE_SYS_DBA_OPER_USERS
table, which stores information about all users in the password file. Columns are in alphabetical order.
Table B-18 AVSYS.UE_SYS_DBA_OPER_USERS
Column | Data Type | Description |
---|---|---|
|
|
For Oracle Database 12c, the container (CDB) identifier. |
|
|
Snapshot ID |
|
|
Whether the user can connect to the database with the |
|
|
Whether the user can connect to the database with the |
|
|
Whether the user can connect to the database with the |
|
|
Whether the user can connect to the database with the |
|
|
Whether the user can connect to the database with the |
|
|
Whether the user can connect to the database with the |
|
|
User name in the password file |
B.6 Data for SPA Reports
The metadata for stored Stored Procedure Auditing (SPA) reports captures data such as target IDs and object IDs.
This section describes data that you need to create custom Stored Procedure Auditing (SPA) reports:
Table B-19 describes the AVSYS.SPA_OBJECTS
table, which stores summary data about stored procedure objects.
Table B-19 AVSYS.SPA_OBJECTS
Column | Data Type | Description |
---|---|---|
|
|
Unique identifier for the object |
|
|
The target source of database objects |
|
|
The subtype of the object |
|
|
The class of the object |
|
|
The name of the object |
|
|
Comma-separated database users that modified the object |
|
|
The date and time when the object was changed |
|
|
The hash of the object (signature change means object change) |
|
|
The most recent type of the change |
|
|
Keeps the number of "new" edit records is for this object |
|
|
Keeps the number of "modify" edit records is for this object |
|
|
Keeps the number of "delete" edit records is for this object |
|
|
The summary of the changes |
|
|
The date and time when the record was updated by the Database Firewall software |
Table B-20 describes the AVSYS.SPA_EDITS
table, which stores data about, and the content of, stored procedure edits.
Table B-20 AVSYS.SPA_EDITS
Column | Data Type | Description |
---|---|---|
|
|
Unique identifier for the object |
|
|
Foreign key that references the |
|
|
The hash of the object (signature change means object change) |
|
|
The new content of the object |
|
|
The type of the change |
|
|
The database user that modified the object |
|
|
The date and time when the object was changed |
|
|
The date and time when the change was detected on the controller |
B.7 Data for Database Firewall Reports
The metadata for custom Database Firewall reports captures data such as target databases and types of statements included.
This section describes data that you need to create custom Database Firewall reports:
Table B-21 describes the AVSYS.FW_CLUSTERS
table, which provides summary data on cluster traffic to target databases, and gives an example statement that would appear in a given cluster.
Table B-21 AVSYS.FW_CLUSTER
Column | Data Type | Description |
---|---|---|
|
|
Cluster global identifier |
|
|
The target database for this cluster |
|
|
Version number of the Database Firewall grammar |
|
|
Database type of the cluster. See Also: Table B-2 for meaning. |
|
|
Type of statements included in the cluster |
|
|
Cluster path representation |
|
|
An example statement in the cluster |
Table B-22 describes the AVSYS.FW_CLUSTER_COMPONENTS
table, which provides cluster data broken down into cluster components. This data may be used, for example, to report on clusters related to a specific database table or table column.
Table B-22 AVSYS.FW_CLUSTER_COMPONENT
Column | Data Type | Description |
---|---|---|
|
|
Foreign key that references the ID column of the |
|
|
Index of the component (starts with 1) |
|
|
Component type may be one of: |
|
|
The component string |
|
|
Component usage may be one of: |