Because we set up fine-grained access control in our VPD example earlier in this chapter to
prevent unauthorized use of the SALARY column, we need to double-check our policy functions
to make sure that SALARY information is still being restricted correctly. Fine-grained auditing,
along with standard auditing, is a good way to ensure that our authorization policies are set up
correctly in the first place.
Auditing-Related Data Dictionary Views
Table 9-20 contains the data dictionary views related to auditing.
340 Oracle Database 11g DBA Handbook
Protecting the Audit Trail
The audit trail itself needs to be protected, especially if non-system users must access the table
SYS.AUD$. The built-in role DELETE_ANY_CATALOG is one of the ways that non-SYS users can
have access to the audit trail (for example, to archive and truncate the audit trail to ensure that it
does not impact the space requirements for other objects in the SYS tablespace).
To set up auditing on the audit trail itself, connect as SYSDBA and run the following command:
SQL> audit all on sys.aud$ by access;
Audit succeeded.
Now, all actions against the table SYS.AUD$, including select, insert, update, and delete,
will be recorded in SYS.AUD$ itself. But, you may ask, what if someone deletes the audit records
identifying access to the table SYS.AUD$? The rows in the table are deleted, but then another
row is inserted, recording the deletion of the rows.
Pages:
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557