Oracle9i SQL Reference Release 2 (9.2) Part Number A96540-02 |
|
|
View PDF |
Use the AUDIT
statement to:
See Also:
|
To audit occurrences of a SQL statement, you must have AUDIT
SYSTEM
system privilege.
To audit operations on a schema object, the object you choose for auditing must be in your own schema or you must have AUDIT
ANY
system privilege. In addition, if the object you choose for auditing is a directory object, even if you created it, then you must have AUDIT
ANY
system privilege.
To collect auditing results, you must set the initialization parameter AUDIT_TRAIL
to DB. You can specify auditing options regardless of whether auditing is enabled. However, Oracle does not generate audit records until you enable auditing.
See Also:
Oracle9i Database Reference for information on the |
audit::=
Use the sql_statement_clause
to audit SQL statements.
Specify a statement option to audit specific SQL statements.
For each audited operation, Oracle produces an audit record containing this information:
Oracle writes audit records to the audit trail, which is a database table containing audit records. You can review database activity by examining the audit trail through data dictionary views.
See Also:
|
Specify a system privilege to audit SQL statements that are authorized by the specified system privilege.
Rather than specifying many individual system privileges, you can specify the roles CONNECT
, RESOURCE
, and DBA
. Doing so is equivalent to auditing all of the system privileges granted to those roles.
Oracle also provides two shortcuts for specifying groups of system privileges and statement options at once:
Specify ALL
to audit all statements options shown in Table 12-1 but not the additional statement options shown in Table 12-2.
Specify ALL
PRIVILEGES
to audit system privileges.
See Also:
|
Specify the auditing_by_clause
to audit only those SQL statements issued by particular users. If you omit this clause, then Oracle audits all users' statements.
Use this clause to restrict auditing to only SQL statements issued by the specified users.
Use this clause to restrict auditing to only SQL statements issued by the specified proxies.
See Also:
Oracle9i Database Concepts for more information on proxies and their use of the database |
Specify user
to indicate auditing of statements executed on behalf of a particular user. ANY
indicates auditing of statements executed on behalf of any user.
Use the schema_object_clause
to audit operations on schema objects.
Specify the particular operation for auditing. Table 12-3 shows each object option and the types of objects to which it applies. The name of each object option specifies a SQL statement to be audited. For example, if you choose to audit a table with the ALTER
option, then Oracle audits all ALTER TABLE
statements issued against the table. If you choose to audit a sequence with the SELECT
option, then Oracle audits all statements that use any of the sequence's values.
Specify ALL
as a shortcut equivalent to specifying all object options applicable for the type of object.
The auditing_on_clause
lets you specify the particular schema object to be audited.
See Also:
"Auditing Queries on a Table: Example", "Auditing Inserts and Updates on a Table: Example", and "Auditing Operations on a Sequence: Example" |
Specify the schema containing the object chosen for auditing. If you omit schema
, then Oracle assumes the object is in your own schema.
Specify the name of the object to be audited. The object must be a table, view, sequence, stored procedure, function, package, materialized view, or library.
You can also specify a synonym for a table, view, sequence, procedure, stored function, package materialized view, or user-defined type.
Specify ON
DEFAULT
to establish the specified object options as default object options for subsequently created objects. Once you have established these default auditing options, any subsequently created object is automatically audited with those options. The default auditing options for a view are always the union of the auditing options for the view's base tables. You can see the current default auditing options by querying the ALL_DEF_AUDIT_OPTS
data dictionary view.
If you change the default auditing options, then the auditing options for previously created objects remain the same. You can change the auditing options for an existing object only by specifying the object in the ON clause of the AUDIT
statement.
The ON
DIRECTORY
clause lets you specify the name of a directory chosen for auditing.
Specify BY
SESSION
if you want Oracle to write a single record for all SQL statements of the same type issued and operations of the same type executed on the same schema objects in the same session.
Specify BY
ACCESS
if you want Oracle to write one record for each audited statement and operation.
If you specify statement options or system privileges that audit data definition language (DDL) statements, then Oracle automatically audits by access regardless of whether you specify the BY
SESSION
clause or BY
ACCESS
clause.
For statement options and system privileges that audit SQL statements other than DDL, you can specify either BY
SESSION
or BY
ACCESS
. BY
SESSION
is the default.
Specify WHENEVER
SUCCESSFUL
to audit only SQL statements and operations that succeed.
Specify WHENEVER
NOT
SUCCESSFUL
to audit only statements and operations that fail or result in errors.
If you omit this clause, then Oracle performs the audit regardless of success or failure.
To choose auditing for every SQL statement that creates, alters, drops, or sets a role, regardless of whether the statement completes successfully, issue the following statement:
AUDIT ROLE;
To choose auditing for every statement that successfully creates, alters, drops, or sets a role, issue the following statement:
AUDIT ROLE WHENEVER SUCCESSFUL;
To choose auditing for every CREATE
ROLE
, ALTER
ROLE
, DROP
ROLE
, or SET
ROLE
statement that results in an Oracle error, issue the following statement:
AUDIT ROLE WHENEVER NOT SUCCESSFUL;
To choose auditing for any statement that queries or updates any table, issue the following statement:
AUDIT SELECT TABLE, UPDATE TABLE;
To choose auditing for statements issued by the users hr
and oe
that query or update a table or view, issue the following statement:
AUDIT SELECT TABLE, UPDATE TABLE BY hr, oe;
To choose auditing for statements issued using the DELETE
ANY
TABLE
system privilege, issue the following statement:
AUDIT DELETE ANY TABLE;
To choose auditing for statements issued using the CREATE
ANY
DIRECTORY
system privilege, issue the following statement:
AUDIT CREATE ANY DIRECTORY;
To choose auditing for CREATE
DIRECTORY
(and DROP
DIRECTORY
) statements that do not use the CREATE
ANY
DIRECTORY
system privilege, issue the following statement:
AUDIT DIRECTORY;
To choose auditing for every statement that reads files from the bfile_dir
directory, issue the following statement:
AUDIT READ ON DIRECTORY bfile_dir;
To choose auditing for every SQL statement that queries the employees
table in the schema hr
, issue the following statement:
AUDIT SELECT ON hr.employees;
To choose auditing for every statement that successfully queries the employees
table in the schema hr
, issue the following statement:
AUDIT SELECT ON hr.employees WHENEVER SUCCESSFUL;
To choose auditing for every statement that queries the employees
table in the schema hr
and results in an Oracle error, issue the following statement:
AUDIT SELECT ON hr.employees WHENEVER NOT SUCCESSFUL;
To choose auditing for every statement that inserts or updates a row in the customers
table in the schema oe
, issue the following statement:
AUDIT INSERT, UPDATE ON oe.customers;
To choose auditing for every statement that performs any operation on the employees_seq
sequence in the schema hr
, issue the following statement:
AUDIT ALL ON hr.employees_seq;
The preceding statement uses the ALL
shortcut to choose auditing for the following statements that operate on the sequence:
ALTER
SEQUENCE
AUDIT
GRANT
CURRVAL
or NEXTVAL
The following statement specifies default auditing options for objects created in the future:
AUDIT ALTER, GRANT, INSERT, UPDATE, DELETE ON DEFAULT;
Any objects created later are automatically audited with the specified options that apply to them, if auditing has been enabled:
ALTER
, GRANT
, INSERT
, UPDATE
, or DELETE
statements issued against the table.GRANT
, INSERT
, UPDATE
, or DELETE
statements issued against the view.ALTER
or GRANT
statements issued against the sequence.ALTER
or GRANT
statements issued against it.