Practice:Demonstrating Oracle AUDIT Concepts and Procedures

This practice uses common UNIX and NT Oracle utilities to practice enabling AUDIT on a database.  You will:

• See the procedure to enable and disable Oracle AUDIT on a database.
• Understand the SQL commands used to audit a specific user schema object.
• Investigate how to configure Audit to extend auditing into modified or new schema objects..

ASSUMPTIONS

• This practice will reference SQL commands that function equally on UNIX operating systems, and the NT operating system, using SQL*Plus.
• Results may vary slightly according to your Oracle environment.
• Utilize the RealPlayer Demonstration in conjunction with this Practice, to further illustrate and guide this activity.
• Login to your sqlplus session using the SYSTEM user object and the current password.

INSTRUCTIONS

1. UNIX: Open a shell, login, locate and edit the initSID.ora file for your database: NT: Use Window’ File Manager to locate the initSID.ora file for your database.

#audit_trail = true        # save,  original line audit_trail = true         #activated for demonstration, rjm  

Locate the line above, make a full copy of the line in the next newline, then uncomment (remove the # symbol) from the line.  Edit comments to reflect your reasons for the change.  Save the modified file, then shutdown/startup the instance.  Audit is now active on your database instance. 2. UNIX: Open a shell, login, create a SQLPlus session with the SYSTEM connection. NT: Create an SQLPlus session with SYSTEM connection.

sqlplus /nolog   SQL> audit select any table by scott;   Audit succeeded.   SQL> noaudit select any table by scott;   Noaudit succeeded.   SQL> audit all by scott;   Audit succeeded.   SQL> noaudit all by scott;   Noaudit succeeded.   SQL>

Now, all SELECT activity by the user Scott will be recorded in the audit trail, for our review later. The NOAUDIT command following disables this selective monitoring once we have accumulated sufficient data to analyze.  The next commands will begin monitoring on ALL database activity for the user Scott, and then disables that same type of monitoring. 3. UNIX: Open a shell, login, create a SQLPlus session with SYSTEM connection: NT: Create a SQLPlus session with SYSTEM connection:

sqlplus /nolog   SQL> audit insert on default;   Audit succeeded.   SQL> audit delete on default;   Audit succeeded.   SQL> audit update on default;   Audit succeeded.   SQL> noaudit insert on default;   Noaudit succeeded.   SQL> noaudit delete on default;   Noaudit succeeded.   SQL> noaudit update on default;   Noaudit succeeded.   SQL>

These commands will extend INSERT, DELETE, UPDATE auditing to include future new or modified schema objects. The second set of NOAUDIT commands disable those same audit actions.