Overview

Data encryption and access control greatly reduce security risks. However, OceanBase Database still needs to record the behaviors of authorized users to prevent risks due to the leakage of user logon information or the abuse of access permissions. Security audit is an effective tool for tracking user behaviors. It allows enterprises to meet higher data security and compliance requirements.

Limitations

OceanBase Database supports security audit only in Oracle mode.

Concepts

• Audit is performed in the unit of tenants. Tenant A can initiate an audit on user operations in tenant A, and this audit does not take effect on other tenants.

• Audit must be performed by the ORAAUDITOR user, which complies with the requirement of separation of powers.

• The audit content and syntax are basically consistent with the audit requirements of Oracle. Unified audit is not supported.

• Audit results can be saved in a disk file or an internal database table.

• Audit types can be set based on SQL statements and data objects.

• Audit data cannot be deleted.

Audit process

Security audit works after an SQL statement is executed but before the return of data packets. The audit process is divided into the following steps:

1. Check whether the current user is auditable based on the tenant, username, and parameters.

2. Parse auditable operations specified in SQL statements. An SQL statement can contain multiple operations. For example, insert into t1 select * from t2, t3 contains the following three operations: (insert, t1), (select, t2), and (select t3).

3. Check whether each operation hits an audit rule.

4. Generate an audit record for each operation that hit an audit rule. Save the audit records in internal tables or files based on the parameters.

References

For more information about audit operations, see the following topics:

• Enable security audit
• Set and view audit rules
• View audit records