This topic describes how to enable the auditing feature and set the storage location for auditing records.
In OceanBase Database, auditing-related operations are performed by the built-in ORAAUDITOR user. The password and privileges for this user are specified by the SYS user.
Procedure
Log in to the Oracle-compatible tenant as the
SYSuser and unlock theORAAUDITORuser.obclient> ALTER USER ORAAUDITOR ACCOUNT UNLOCK;Note
By default, the
ORAAUDITORuser is created in OceanBase Database and is locked. You must unlock this user before enabling security auditing.Set the login password for the
ORAAUDITORuser.For security, the login password for the
ORAAUDITORuser must be specified by theSYSuser. If you need to change the password later, set a new one.obclient> ALTER USER ORAAUDITOR IDENTIFIED BY ******;Grant privileges to the
ORAAUDITORuser.By default, the
ORAAUDITORuser has no privileges. To perform security auditing operations, grant theCREATE SESSIONprivilege to theORAAUDITORuser using theGRANTstatement. To allow the user to view auditing records, also grant theSELECT ANY DICTIONARYprivilege.obclient> GRANT CREATE SESSION, SELECT ANY DICTIONARY TO ORAAUDITOR;Enable the auditing feature and set the storage location for auditing records.
Enable the auditing feature by setting the
audit_trailparameter. The setting takes effect immediately. Valid values for this parameter are:NONE: disables auditing (default value).OS: writes auditing records to local disk files.LOG: writes auditing records to the audit log. This value is supported starting from V4.4.2 BP2.DB: writes auditing records to internal tables.DB,EXTENDED/DB_EXTENDED: writes auditing records to internal tables and includes executed SQL statements.
Example:
obclient> ALTER SYSTEM SET audit_trail = 'DB,EXTENDED';For more information about the
audit_trailparameter, see audit_trail.Note
Auditing records can be written to internal tables, local disk files, or audit logs:
- Disk files: Auditing records are asynchronously written to the
directory. The default file is/audit/ /home/admin/oceanbase/audit/observer_xx_xxxxxx.aud. - Audit logs: Auditing records are written to audit log files. Management strategies such as log archiving, compression, rotation, cleanup, and encryption are supported. This feature is available starting with V4.4.2 BP2.
- Internal tables: Audit information is written directly to system tables. The internal table
__all_tenant_security_audit_recordstores audit records. The internal table__all_virtual_audit_operationor__all_virtual_audit_actionstores mappings between audit-relatedIDandNamefields.
Audit log encryption
Note
The audit log encryption feature in Oracle-compatible mode is supported starting from V4.4.2 BP2.
When an Oracle-compatible tenant writes audit records to log files (audit_trail set to LOG), it supports storing archived logs on disk in plaintext or encrypted form. Encryption is implemented using the audit_log_encryption parameter and the audit functions AUDIT_LOG_ENCRYPTION_PASSWORD_SET() and AUDIT_LOG_ENCRYPTION_PASSWORD_GET(). For specific steps, see the configuration documentation at the end of this topic.
References
For more information about security auditing, see:
