Oracle SA_AUDIT_ADMIN
Version 20c

General Information
Purpose This package configures auditing for labels and policies specific to Oracle Label Security and, in addition, creates an auditing-related view.
AUTHID DEFINER
Dependencies
DBMS_ASSERT LBAC_CACHE LBAC_UTL
DBMS_STANDARD LBAC_SERVICES OLS$POL
LBAC$USER_LIBT LBAC_STANDARD OLS_DIP_NTFY
Documented Yes
First Available 10.1
Security Model Owned by LBACSYS with no privileges granted.

To use this package a schema must be granted the policy_DBA role.
Source {ORACLE_HOME}/rdbms/admin/prvtolsdd.plb
Subprograms
 
AUDIT
Enables policy-specific auditing. Audit records capture Oracle Label Security administrative actions and the use of Oracle Label Security privileges during logons, DML executions, and trusted stored procedure invocations.
sa_audit_admin.audit(
policy_name  IN VARCHAR2,
users        IN VARCHAR2 DEFAULT NULL,
audit_option IN VARCHAR2 DEFAULT NULL,
audit_type   IN VARCHAR2 DEFAULT NULL,  -- options 'BY ACCESS' or 'BY SESSION'
success      IN VARCHAR2 DEFAULT NULL); -- options 'SUCCESSFUL' or 'NOT SUCCESSFUL'

Audit Options
Option      Description
APPLY       Audits application of specified Oracle Label Security policies to tables and schemas
PRIVILEGES  Audits use of all policy-specific privileges
REMOVE      Audits removal of specified Oracle Label Security policies from tables and schemas
SET         Audits the setting of user authorizations, and user and program privileges

exec sa_audit_admin.audit('DATA_ACCESS');
 
AUDIT_LABEL
Records policy labels during auditing.
sa_audit_admin.audit_label(policy_name IN VARCHAR2);
exec sa_audit_admin.audit_label('DATA_ACCESS');
 
AUDIT_LABEL_ENABLED
Returns a flag indicating whether labels are being recorded in audit records for the policy.
sa_audit_admin.audit_label_enabled(policy_name IN VARCHAR2) RETURN BOOLEAN;
BEGIN
  IF sa_audit_admin.audit_label_enabled('DATA_ACCESS') THEN
    dbms_output.put_line('T');
  ELSE
    dbms_output.put_line('F');
  END IF;
END;
/

SELECT COUNT(*)
FROM ols_admin.ols_aud$;
 
AUDIT_LABEL_ENABLED_SQL
Undocumented, but identical in function to AUDIT_LABEL_ENABLED, above, except that it returns an integer value and can be used in SQL statements.
sa_audit_admin.audit_label_enabled_sql(policy_name IN VARCHAR2)
RETURN BINARY_INTEGER;
SELECT sa_audit_admin.audit_label_enabled_sql('DATA_ACCESS')
FROM dual;
 
CREATE_VIEW
Creates an audit trail view named DBA_policyname_AUDIT_TRAIL, but the user can optionally specify a different name.
sa_audit_admin.create_view(
policy_name IN VARCHAR2,
view_name   IN VARCHAR2 DEFAULT NULL);
exec sa_audit_admin.create_view('DATA_ACCESS', 'OLS_AUD$_DAP');
 
DROP_VIEW
Drops the OLS auditing view.
sa_audit_admin.drop_view(
policy_name IN VARCHAR2,
view_name   IN VARCHAR2 DEFAULT NULL);
exec sa_audit_admin.drop_view('DATA_ACCESS', 'OLS_AUD$_DAP');
 
NOAUDIT
Disables Oracle Label Security policy-specific auditing.

The available audit options are listed under the AUDIT procedure above.
sa_audit_admin.noaudit(
policy_name  IN VARCHAR2,
users        IN VARCHAR2 DEFAULT NULL,
audit_option IN VARCHAR2 DEFAULT NULL);
exec sa_audit_admin.noaudit('DATA_ACCESS');
 
NOAUDIT_LABEL
Disables the auditing of policy labels.
sa_audit_admin.noaudit_label(policy_name IN VARCHAR2);
exec sa_audit_admin.noaudit_label('DATA_ACCESS');
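
The subprograms above combined into one audit setup for a policy, as an added example that is not part of the original page or Oracle's own code. Assumptions: the policy is named DATA_ACCESS as in the examples above, the caller holds that policy's policy_DBA role, traditional (non-unified) auditing is in use, and audit_option accepts a comma-delimited list.

```sql
-- Added example (SQL*Plus). Policy name and view name are the ones used
-- in the examples on this page; everything else is an assumption noted inline.
SET SERVEROUTPUT ON

BEGIN
  -- 1. Audit every use of policy-specific privileges, one record per access.
  --    users and success are left at their NULL defaults.
  sa_audit_admin.audit(
    policy_name  => 'DATA_ACCESS',
    audit_option => 'PRIVILEGES',
    audit_type   => 'BY ACCESS');

  -- 2. Audit failed attempts to apply or remove the policy, or to change
  --    user authorizations and privileges. Failed administrative actions
  --    are the ones worth alerting on.
  --    Assumption: options are passed as a comma-delimited list.
  sa_audit_admin.audit(
    policy_name  => 'DATA_ACCESS',
    audit_option => 'APPLY, REMOVE, SET',
    audit_type   => 'BY ACCESS',
    success      => 'NOT SUCCESSFUL');

  -- 3. Turn on label recording only if it is not already on, so the
  --    script can be re-run without touching a correct configuration.
  IF NOT sa_audit_admin.audit_label_enabled('DATA_ACCESS') THEN
    sa_audit_admin.audit_label('DATA_ACCESS');
    dbms_output.put_line('Label recording enabled for DATA_ACCESS');
  ELSE
    dbms_output.put_line('Label recording was already enabled');
  END IF;

  -- 4. Create the policy's audit trail view under an explicit name.
  sa_audit_admin.create_view('DATA_ACCESS', 'OLS_AUD$_DAP');
END;
/

-- Verification: confirm label recording from SQL (integer-returning variant)
SELECT sa_audit_admin.audit_label_enabled_sql('DATA_ACCESS') AS labels_recorded
FROM dual;

-- Verification: confirm the view exists and see which schema owns it
SELECT owner, view_name
FROM all_views
WHERE view_name = 'OLS_AUD$_DAP';
```

To back the configuration out, call sa_audit_admin.noaudit and sa_audit_admin.noaudit_label for the same policy, then sa_audit_admin.drop_view with the same view name.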

Related Topics
LBAC_EXP
LBAC_POLICY_ADMIN
LBAC_SESSION
LBAC_STANDARD
LBAC_SYSDBA
OLS$DATAPUMP
OLS_DIP_NTFY
OLS_ENFORCEMENT
OLS_UTIL_WRAPPER
Oracle Label Security (OLS)
SA_COMPONENTS
SA_LABEL_ADMIN
SA_POLICY_ADMIN
SA_SYSDBA
SA_USER_ADMIN
TO_LABEL_LIST

This site is maintained by Dan Morgan. Last Updated: This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2019 Daniel A. Morgan All Rights Reserved