| Lesson 6 | Auditing the use of privileges |
| Objective | Audit the use of a specific Oracle privilege. |
Auditing the Use of Privileges
Because one of the main roles of auditing is to let you check the security of your database, Oracle gives you the option of auditing the use of specific Oracle privileges.
Auditing specific system privileges
In the earlier lesson on auditing SQL statements, you learned about some of the ways to audit the use of system privileges.
When you choose to audit TABLE statements, Oracle will create an audit trail for the CREATE TABLE, DROP TABLE, and TRUNCATE TABLE statements.
You can track when these statements are executed, which in turn will indicate if the user had the appropriate system privileges to execute the statements.
You can also audit specific system privileges by naming that system privilege as the option of the AUDIT statement, as in:
AUDIT DELETE ANY TABLE;
If a user issues a SQL statement that invokes the DELETE ANY TABLE system privilege while this type of auditing is turned on, Oracle will write a record to the audit log.
Keep in mind that this record will be written only if the specific privilege DELETE ANY TABLE is invoked by the user. If a user has a DELETE object privilege on a specific table in a schema, that object privilege will be used to satisfy the statement, and the DELETE ANY TABLE system privilege will not be invoked, so no audit record is written for it.
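The following script is an added example, not part of the original lesson, that shows this distinction in practice. It assumes traditional auditing with AUDIT_TRAIL=DB and a DBA session; the schema, table, user names and passwords are constructed for the demonstration.

```sql
-- Added example (not from the lesson): AUDIT DELETE ANY TABLE records only
-- those deletes that actually rely on the system privilege. Assumes
-- AUDIT_TRAIL=DB and that this script is run as a DBA. All names below
-- (app_owner, orders, usr_direct, usr_any) are constructed for the demo.

-- Owner schema and a small table to delete from.
CREATE USER app_owner IDENTIFIED BY "ChangeMe_1";
GRANT CREATE SESSION, CREATE TABLE, UNLIMITED TABLESPACE TO app_owner;
CREATE TABLE app_owner.orders (id NUMBER PRIMARY KEY, status VARCHAR2(10));
INSERT INTO app_owner.orders VALUES (1, 'NEW');
INSERT INTO app_owner.orders VALUES (2, 'OLD');
COMMIT;

-- usr_direct gets an object privilege on the one table;
-- usr_any gets the DELETE ANY TABLE system privilege.
CREATE USER usr_direct IDENTIFIED BY "ChangeMe_2";
CREATE USER usr_any    IDENTIFIED BY "ChangeMe_3";
GRANT CREATE SESSION TO usr_direct, usr_any;
GRANT DELETE ON app_owner.orders TO usr_direct;
GRANT DELETE ANY TABLE TO usr_any;

-- Turn on auditing of the system privilege, one record per statement.
AUDIT DELETE ANY TABLE BY ACCESS;

-- Confirm the audit option is set.
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 WHERE privilege = 'DELETE ANY TABLE';

-- In a session connected as usr_direct:
--   DELETE FROM app_owner.orders WHERE id = 1;  -- object privilege used
-- In a session connected as usr_any:
--   DELETE FROM app_owner.orders WHERE id = 2;  -- system privilege used

-- Back as the DBA: only the usr_any delete shows up, because usr_direct's
-- delete was satisfied by the object privilege and never invoked
-- DELETE ANY TABLE.
SELECT username, action_name, priv_used, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE priv_used = 'DELETE ANY TABLE'
 ORDER BY timestamp;

-- Remove the audit option once the check is finished.
NOAUDIT DELETE ANY TABLE;
```

The practical consequence for a reviewer is that auditing a system privilege tells you when the broad privilege was exercised, not every delete against the table; to see the latter, audit the object itself, which is the subject of the next lesson.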
You can use a few keyword shortcuts to audit system privileges. These keywords can be used with the AUDIT command to turn on auditing for a number of privileges at once. The shortcuts are as follows:
CONNECT audits the CREATE SESSION privilege.
RESOURCE audits the ALTER SESSION, CREATE CLUSTER, CREATE DATABASE LINK, CREATE PROCEDURE, CREATE ROLLBACK SEGMENT, CREATE SEQUENCE, CREATE SYNONYM, CREATE TABLE, CREATE TABLESPACE, and CREATE VIEW privileges.
DBA audits the AUDIT SYSTEM, CREATE PUBLIC DATABASE LINK, CREATE PUBLIC SYNONYM, CREATE ROLE, and CREATE USER privileges.
ALL PRIVILEGES audits the use of all system privileges.
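As an added example that is not part of the original lesson, the script below turns on the CONNECT and RESOURCE shortcuts and then checks, through the data dictionary, which individual privileges each shortcut actually enabled. It assumes AUDIT_TRAIL=DB and a session holding the AUDIT SYSTEM privilege; the user name scott is a placeholder.

```sql
-- Added example (not from the lesson): the shortcut keywords expand to
-- their underlying system privileges, and the dictionary shows the
-- expansion. Assumes AUDIT_TRAIL=DB and a session with AUDIT SYSTEM.
-- The user name scott is a placeholder.

AUDIT CONNECT;                 -- CREATE SESSION, for all users
AUDIT RESOURCE BY scott;       -- the RESOURCE list, but only for scott

-- One row per privilege, not one row per shortcut name; user_name is
-- NULL for options that apply to every user.
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 ORDER BY user_name NULLS FIRST, privilege;

-- Failed logins are usually the more useful signal; narrow the CONNECT
-- audit to unsuccessful attempts only, then review them.
NOAUDIT CONNECT;
AUDIT CONNECT WHENEVER NOT SUCCESSFUL;

SELECT username, os_username, userhost, timestamp, returncode
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode <> 0
 ORDER BY timestamp DESC;

-- Remove the options when the review is over.
NOAUDIT RESOURCE BY scott;
NOAUDIT CONNECT;
```

Querying DBA_PRIV_AUDIT_OPTS after using a shortcut is the reliable way to confirm what is being audited, since the shortcut name itself is not stored; only the individual privilege options are.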
In the next lesson, you will learn how to audit access to specific database objects.