Purpose
This statement is used to configure or delete audit rules for SQL statements.
Note
- When configuring audit rules for SQL statements, you must have the
AUDIT SYSTEMsystem privilege and log in as the ORAAUDITOR user. - After configuring audit rules for SQL statements, they take effect immediately for all sessions.
- You must enable the audit feature by setting the audit_trail system parameter. Otherwise, the audit rules configured by this statement will not take effect.
Limitations and considerations
Before enabling audit, you must unlock the ORAAUDITOR user.
To unlock the ORAAUDITOR user, use the following example:
ALTER USER ORAAUDITOR ACCOUNT UNLOCK;
For more information about audit, see Enable security audit.
Syntax
/* Statement audit */
{AUDIT | NOAUDIT}
{ statement_operation_list | ALL | ALL STATEMENTS }
[BY user_name [, user_name]...]
[BY ACCESS]
[WHENEVER [NOT] SUCCESSFUL]
/* Object audit */
{AUDIT | NOAUDIT}
{ object_operation_list | ALL }
ON { obj_name | DEFAULT }
[WHENEVER [NOT] SUCCESSFUL]
statement_operation_clause:
statement_operation_list
| ALL
| ALL STATEMENTS
statement_operation_list:
statement_operation [statement_operation...]
object_operation_clause:
object_operation_list
| ALL
object_operation_list:
object_operation [object_operation...]
auditing_on_clause:
ON obj_name
| ON DEFAULT
auditing_by_user_clause:
BY user_name [user_name...]
whenever_option:
WHENEVER NOT SUCCESSFUL
| WHENEVER SUCCESSFUL
Parameters
| Parameter | Description |
|---|---|
| statement_operation_list | The list of SQL statement operations to be audited. |
| ALL | Audits all auditable statements. |
| ALL STATEMENTS | Audits all statements. |
| user_name | The list of usernames to be audited, separated by commas. |
| BY ACCESS | Generates a record for each audit operation. |
| WHENEVER NOT SUCCESSFUL | Audits only failed operations. |
| WHENEVER SUCCESSFUL | Audits only successful operations. |
| object_operation_list | The list of object operations to be audited. |
| ALL | Audits all auditable object operations. |
| obj_name | The name of the object to be audited. |
| DEFAULT | Sets the default audit options, which apply to subsequent objects. |
| WHENEVER NOT SUCCESSFUL | Audits only failed operations. |
| WHENEVER SUCCESSFUL | Audits only successful operations |
The following table lists the types of SQL statements that can be audited.
Table 1: Audit statement descriptions
| Audit Statement | Description |
|---|---|
| ALTER SYSTEM | Audits the ALTER SYSTEM statement. |
| CLUSTER | Audits the ADD CLUSTER and REMOVE CLUSTER statements. |
| INDEX | Audits the CREATE INDEX, DROP INDEX, FLASHBACK INDEX, and PURGE INDEX statements. |
| NOT EXISTS | Audits operations that fail due to the nonexistence of an object. |
| OUTLINE | Audits the CREATE OUTLINE, ALTER OUTLINE, and DROP OUTLINE statements. |
| PROCEDURE | Audits the CREATE PROCEDURE, DROP PROCEDURE, CREATE FUNCTION, DROP FUNCTION, CREATE PACKAGE, and DROP PACKAGE statements. |
| PROFILE | Audits the CREATE PROFILE, ALTER PROFILE, and DROP PROFILE statements. |
| ROLE | Audits the CREATE ROLE, ALTER ROLE, DROP ROLE, and SET ROLE statements. |
| SEQUENCE | Audits the CREATE SEQUENCE and DROP SEQUENCE statements. |
| SESSION | Audits login and logout operations. |
| SYNONYM | Audits the CREATE SYNONYM and DROP SYNONYM statements. |
| SYSTEM AUDIT | Audits the AUDIT and NOAUDIT statements. |
| SYSTEM GRANT | Audits the GRANT and REVOKE statements. |
| TABLE | Audits the CREATE TABLE, DROP TABLE, and TRUNCATE TABLE statements. |
| TABLESPACE | Audits the CREATE TABLESPACE, ALTER TABLESPACE, and DROP TABLESPACE statements. |
| TRIGGER | Audits the CREATE TRIGGER, ALTER TRIGGER, and DROP TRIGGER statements. |
| TYPE | Audits the CREATE TYPE, DROP TYPE, CREATE TYPE BODY, and DROP TYPE BODY statements. |
| USER | Audits the CREATE USER, ALTER USER, and DROP USER statements. |
| VIEW | Audits the CREATE VIEW and DROP VIEW statements. |
Table 2: Audit statement descriptions
| Audit Statement | Description |
|---|---|
| ALTER SEQUENCE | Audits the ALTER SEQUENCE statement. |
| ALTER TABLE | Audits the ALTER TABLE statement. |
| COMMENT TABLE | Audits the COMMENT ON TABLE and COMMENT ON VIEW statements. |
| DELETE TABLE | Audits the DELETE FROM TABLE and DELETE FROM VIEW statements. |
| EXECUTE PROCEDURE | Audits the CALL statement. |
| GRANT PROCEDURE | Audits the GRANT obj_privilege ON PROCEDURE | FUNCTION | PACKAGE and REVOKE obj_privilege ON PROCEDURE | FUNCTION | PACKAGE statements. |
| GRANT SEQUENCE | Audits the GRANT obj_privilege ON SEQUENCE and REVOKE obj_privilege ON SEQUENCE statements. |
| GRANT TABLE | Audits the GRANT obj_privilege ON TABLE | VIEW and REVOKE obj_privilege ON TABLE | VIEW statements. |
| GRANT TYPE | Audits the GRANT obj_privilege ON TYPE and REVOKE obj_privilege ON TYPE statements. |
| INSERT TABLE | Audits the INSERT INTO TABLE and INSERT INTO VIEW statements. |
| SELECT SEQUENCE | Audits all statements that contain sequence.CURRVAL or sequence.NEXTVAL. |
| SELECT TABLE | Audits the SELECT TABLE and SELECT VIEW statements. |
| UPDATE TABLE | Audits the UPDATE TABLE and UPDATE VIEW statements. |
Examples
Basic audit configuration
View users:
obclient> SELECT username, account_status FROM dba_users ORDER BY created;The returned result is:
+------------+----------------+ | USERNAME | ACCOUNT_STATUS | +------------+----------------+ | SYS | OPEN | | LBACSYS | LOCKED | | ORAAUDITOR | OPEN | +------------+----------------+ 3 rows in set (0.211 sec)Audit the SELECT table operations of the
SYSuser:obclient> AUDIT SELECT TABLE BY SYS BY ACCESS;Audit only the failed table operations of the
SYSuser:obclient> AUDIT TABLE BY SYS BY ACCESS WHENEVER NOT SUCCESSFUL;
Disable auditing
Disable auditing of table operations for the
SYSuser:obclient> NOAUDIT TABLE BY SYS;Disable auditing of the SELECT table operations for the
SYSuser:obclient> NOAUDIT SELECT TABLE BY SYS;
View the audit configuration
View the statement audit configuration:
obclient> SELECT * FROM DBA_STMT_AUDIT_OPTS;View the object audit configuration:
obclient> SELECT * FROM DBA_OBJ_AUDIT_OPTS;
Configure system parameters
Enable system operation auditing:
obclient> ALTER SYSTEM SET audit_sys_operations = TRUE; -- or obclient> ALTER SYSTEM SET audit_sys_operations = '1';Set the output destination for audit logs:
-- Output to a database table obclient> ALTER SYSTEM SET audit_trail = 'DB'; -- or output to an operating system file obclient> ALTER SYSTEM SET audit_trail = 'OS';