Oracle Label Security Administrator's Guide Release 2 (9.2) Part Number A96578-01 |
|
The Oracle9i audit facility lets you hold database users accountable for the operations they perform. It can track specific database objects, operations, users, and privileges. Oracle Label Security supplements this by tracking use of its own administrative operations and policy privileges. It provides the SA_AUDIT_ADMIN package to set and change the policy auditing options.
This chapter explains how to use Oracle Label Security auditing. It contains these topics:
Oracle Label Security auditing supplements standard Oracle9i auditing by tracking use of its own administrative operations, and use of the policy privileges. You can use either the SA_AUDIT_ADMIN package or Oracle Policy Manager to set and change the auditing options for an Oracle Label Security policy.
When you create a new policy, a label column for that policy is added to the database audit trail. The label column is created regardless of whether auditing is enabled or disabled, and independent of whether database auditing or operating system auditing is used. Whenever a record is written to the audit table, each policy provides a label for that record to indicate the session label. The administrator can create audit views to display these labels. Note that in the audit table, the label does not control access to the row; instead, it simply records the sensitivity of the row.
The auditing options which you specify apply only to subsequent sessions, not to the current session. You can specify audit options even if auditing is disabled; no overhead is created simply by making these specifications. When you do enable Oracle Label Security auditing, the options come into effect, and overhead is created beyond that created by standard Oracle9i auditing.
Note that Oracle Label Security does not provide labels for audit data written to the operating system audit trial. All Oracle Label Security audit records are written directly to the database audit trail, even if operating system auditing is enabled. If auditing is disabled, then no Oracle Label Security audit records are generated.
For Oracle Label Security to generate audit records, you must first enable systemwide auditing by setting the Oracle9i AUDIT_TRAIL initialization parameter in the database's parameter file. The parameter can be set to one of the following values:
After you have edited the parameter file, restart the database instance to enable or disable database auditing as specified.
Set the AUDIT_TRAIL parameter before you set audit options. If you do not set this parameter, you are still able to set audit options, however audit records are not written to the database until the parameter is set and the database instance is restarted.
See Also:
For information about enabling and disabling systemwide auditing, setting audit options, and managing the audit trail, see Oracle9i Database Administrator's Guide For information about editing initialization parameters, see Oracle9i Database Reference For details about systemwide AUDIT and NOAUDIT functioning, see Oracle9i SQL Reference |
After you have enabled systemwide auditing, you can use SA_AUDIT_ADMIN procedures to enable or disable Oracle Label Security auditing. To use Oracle Label Security auditing, you must have the policy_DBA role.
The AUDIT and NOAUDIT options are as follows:
Table 10-1 Auditing Options for Oracle Label SecurityUse the AUDIT procedure to enable policy-specific auditing.
Syntax:
PROCEDURE AUDIT ( policy_name IN VARCHAR2, users IN VARCHAR2 DEFAULT NULL, option IN VARCHAR2 DEFAULT NULL, type IN VARCHAR2 DEFAULT NULL, success IN VARCHAR2 DEFAULT NULL);
Parameter | Description | Default Behavior |
---|---|---|
policy_name |
Required. Specifies the name of an existing policy. Auditing of each policy is independent of all others.) |
None |
users |
Optional. A comma-separated list of user names to audit. If not specified, all users are audited. |
All users |
option |
Optional. A comma-separated list of options to be audited. See Table 10-1. If not specified, all default options (that is, options not including privileges) are audited. Audit options for privileged operations should be set explicitly by specifying the PRIVILEGES option, which sets audit options for all privileges. |
All options |
type |
Optional. BY ACCESS or BY SESSION. If not specified, audit records are written by session. |
BY SESSION |
success |
Optional. SUCCESSFUL or NOT SUCCESSFUL. If not specified, audit is written for both. |
SUCCESSFUL and NOT SUCCESSFUL |
If the administrator does not specify any audit options, then all options except the privilege-related ones are audited. Auditing of privileges must be specified explicitly. For example, if the administrator enters
SA_AUDIT_ADMIN.AUDIT ('HR');
then default auditing options are set for the HR policy. When the administrator enables auditing, it will be performed on all users by session, whether successful or not.
When you set auditing parameters and options, the new values apply only to subsequent sessions, not to the current session.
Consider also a case in which one AUDIT call (with no users specified) enables auditing for APPLY operations for all users, and then a second call enables auditing of REMOVE operations for a specific user. For example:
SA_AUDIT_ADMIN.AUDIT ('HR', NULL, 'APPLY'); SA_AUDIT_ADMIN.AUDIT ('HR', 'SCOTT', 'REMOVE');
In this case, SCOTT is audited for both APPLY and REMOVE operations.
To disable policy-specific auditing, use the SA_AUDIT_ADMIN.NOAUDIT procedure.
Syntax:
PROCEDURE NOAUDIT ( policy_name IN VARCHAR2, users IN VARCHAR2 DEFAULT NULL, option IN VARCHAR2 DEFAULT NULL);
Parameter | Description | Default Behavior |
---|---|---|
policy_name |
Required. Specifies the name of an existing policy. |
None |
users |
Optional. A comma-separated list of user names to audit. If not specified, auditing is disabled for all users. |
All users |
option |
Optional. A comma-separated list of options to be disabled. See Table 10-1. If not specified, all default options are disabled. Privileges must be disabled explicitly. |
All options |
You can disable auditing for all enabled options, or only for a subset of enabled options. All auditing for the specified options is disabled for all specified users (or all users, if the users parameter is NULL). For example, the following statement disables auditing of the APPLY and REMOVE operations for users John, Mary, and Scott:
SA_AUDIT_ADMIN.NOAUDIT ('HR', 'JOHN, MARY, SCOTT', 'APPLY, REMOVE');
Consider also a case in which one AUDIT call enables auditing for a specific user, and a second call (with no user specified) enables auditing for all users. For example:
SA_AUDIT_ADMIN.AUDIT ('HR', 'SCOTT'); SA_AUDIT_ADMIN.AUDIT ('HR');
In this case, a subsequent call to NOAUDIT with no users specified (such as the following)
SA_AUDIT_ADMIN.NOAUDIT ('HR');
does not reverse the auditing which was set for SCOTT explicitly in the first call. Auditing thus continues to be performed on SCOTT. In this way, even if NOAUDIT is set for all users, Oracle Label Security still audits any users for whom auditing was explicitly set.
Auditing of privileged operations must be specified explicitly. If you execute NOAUDIT with no options, Oracle Label Security will nonetheless continue to audit privileged operations. For example, if auditing is enabled and you enter
SA_AUDIT_ADMIN.NOAUDIT ('HR');
then auditing will continue to be performed on the privileged operations (such as WRITEDOWN).
NOAUDIT parameters and options which you set apply only to subsequent sessions, not to current sessions.
If you try to enable an audit option which has already been set, or if you try to disable an audit option which has not been set, Oracle Label Security processes the statement without indicating an error. An attempt to specify an invalid option results in an error message.
This section describes the view which displays the Oracle Label Security auditing options and privileges.
The DBA_SA_AUDIT_OPTIONS view contains the following columns:
Name Null? Type ----------------------------------------- -------- ------------ POLICY_NAME NOT NULL VARCHAR2(30) USER_NAME NOT NULL VARCHAR2(30) APY VARCHAR2(3) REM VARCHAR2(3) SET_ VARCHAR2(3) PRV VARCHAR2(3)
Output is similar to the following:
POLICY_NAME | USER_NAME | APY | REM | SET | PRV |
---|---|---|---|---|---|
HR |
SCOTT |
-/- |
-/- |
-/- |
A/A |
HR |
LBACSYS |
S/S |
S/S |
S/S |
-/- |
This section describes procedures available to manage policy label auditing:
Use the AUDIT_LABEL procedure to record policy labels during auditing. It causes the user's session label to be stored in the audit table.
Syntax:
PROCEDURE AUDIT_LABEL ( policy_name IN VARCHAR2);
Parameter | Description | Default |
---|---|---|
policy_name |
Required. Specifies the name of an existing policy. |
None |
Use the NOAUDIT_LABEL procedure to disable auditing of policy labels.
Syntax:
PROCEDURE NOAUDIT_LABEL ( policy_name IN VARCHAR2);
Parameter | Description | Default |
---|---|---|
policy_name |
Required. Specifies the name of an existing policy. |
None |
Use the AUDIT_LABEL_ENABLED function to show whether labels are being recorded in audit records for the policy.
Syntax:
FUNCTION AUDIT_LABEL_ENABLED (policy_name IN VARCHAR2) RETURN boolean;
This section contains these topics:
The CREATE_VIEW procedure creates an audit trail view named DBA_policyname_AUDIT_TRAIL, which contains the specified policy's label column as well as all the entries in the audit trail written on behalf of this policy. If the view name exceeds the database limit of 30 characters, the user can optionally specify a shorter view name.
Syntax:
PROCEDURE CREATE_VIEW ( policy_name IN VARCHAR2); view_name IN VARCHAR2 DEFAULT NULL);
where policy_name specifies the name of an existing policy
The DROP_VIEW procedure drops the audit trail view for the specified policy.
Syntax:
PROCEDURE DROP_VIEW ( policy_name IN VARCHAR2); view_name IN VARCHAR2 DEFAULT NULL);
where policy_name specifies the name of a policy. View_name is an optional parameter which can have a maximum of 14 characters.
This section contains these topics:
Before setting any audit options, you must devise an auditing strategy which monitors events of interest, without recording extraneous events. You should periodically review this strategy, because applications, user base, configurations, and other external factors can change.
The Oracle Label Security options, and those provided by the Oracle9i audit facility, might not directly address all of your specific or application-dependent auditing requirements. However, through use of database triggers, you can audit specific events and record specific information that you cannot audit and record using the more generic audit facility.
See Also:
For more information about using triggers for auditing, see Oracle9i Database Concepts |
Consider auditing any operations that require Oracle Label Security privileges. Because these privileges perform sensitive operations, and because their abuse could jeopardize security, you should closely monitor their dissemination and use.
|
Copyright © 2000, 2002 Oracle Corporation. All Rights Reserved. |
|