Just Another Law-Abiding Citizen: Fine-Grained Auditing

Tuesday, April 26, 2011

Fine-Grained Auditing

Someone recently asked about Oracle fine-grained auditing (FGA) and how to apply it to a situation in which "everyone except Joe in HR gets audited".
Here is the sample solution I provided (where the table owner FGATEST is the user that won't get audited):

conn / as sysdba
create user fgatest identified by fgatest;
grant connect, resource, dba to fgatest;

connect fgatest/fgatest
create table foobar (fooid number, bar varchar2(30));
grant select, insert, update, delete on foobar to PUBLIC;


BEGIN
  dbms_fga.add_policy(
  object_schema => 'FGATEST',
  object_name => 'FOOBAR',
  policy_name => 'FOOBAR_AUD',
  audit_condition => 'sys_context(''userenv'',''session_user'') != ''FGATEST''' ,
  statement_types => 'SELECT,INSERT,UPDATE,DELETE');
end;
/

insert into foobar select 1, sys_context('userenv','current_user') from dual;
insert into foobar select 2, sys_context('userenv','session_user') from dual;
select * from foobar;

select username from dba_users where account_status='OPEN';
conn tst/tst
insert into foobar select 3, sys_context('userenv','current_user') from dual;
insert into foobar select 4, sys_context('userenv','current_user') from dual;

The script creates the FGATEST user, table, and FGA policy, then adds rows as both FGATEST and TST. Our expectation is that the inserts and selects performed by FGATEST won't be audited, but the ones performed by TST will. Let's check it out:

conn / as sysdba
select db_user, os_user, object_schema, object_name, sql_text from dba_fga_audit_trail;

DB_USER              OS_USER              OBJECT_SCHEMA        OBJECT_NAME          SQL_TEXT
-------------------- -------------------- -------------------- -------------------- ----------------------------------------
TST                  BARCLAY\kengel       FGATEST              FOOBAR               insert into foobar select 3,
                                                                                    sys_context('userenv','current_user')
                                                                                    from dual

TST                  BARCLAY\kengel       FGATEST              FOOBAR               insert into foobar select 4,
                                                                                    sys_context('userenv','current_user')
                                                                                    from dual

TST                  BARCLAY\kengel       FGATEST              FOOBAR               select * from foobar

No comments:

Post a Comment

Pondering...

I hope I shall possess firmness and virtue enough to maintain what I consider the most enviable of all titles, the character of an honest man. - George Washington

Differences in political opinions are as unavoidable as, to a certain point, they may perhaps be necessary; but it is exceedingly to be regretted that subjects cannot be discussed with temper on the one hand, or decisions submitted to without having the motives, which led to them, improperly implicated on the other; and this regret borders on chagrin when we find that men of abilities, zealous patriots, having the same general objects in view, and the same upright intentions to prosecute them, will not exercise more charity in deciding on the opinions and actions of one another. - George Washington

A sound mind in a sound body is a short but full description of a happy state in this world. - John Locke

However [political parties] may now and then answer popular ends, they are likely in the course of time and things, to become potent engines, by which cunning, ambitious, and unprincipled men will be enabled to subvert the power of the people and to usurp for themselves the reins of government, destroying afterwards the very engines which have lifted them to unjust dominion. - George Washington, Farewell Address

A state that dwarfs its men in order that they may be more docile instruments in its hands even for beneficial purposes, will find that with small men no great things can really be accomplished. -- John Stuart Mill

Fine art and pizza delivery, what we do falls neatly in between! - David Letterman

Wait a tic ... blimey, this redistribution of wealth is trickier than I thought.
- Dennis Moore

Rabbit: Luckiest of all signs, you are also talented and articulate. Affectionate, yet shy, you seek peace throughout your life. - Chinese Zodiac

In other words, to disagree well you must first understand well. You have to read deeply, listen carefully, watch closely. You need to grant your adversary moral respect; give him the intellectual benefit of doubt; have sympathy for his motives and participate empathically with his line of reasoning. And you need to allow for the possibility that you might yet be persuaded of what he has to say. - Bret Stephens

Just Another Law-Abiding Citizen

Tuesday, April 26, 2011

Fine-Grained Auditing

No comments:

About Me

Search This Blog

Pondering...

Blog Archive