HELPLIB.HLB  —  RMU72  Set  Audit  Command Qualifiers, Enable
    Enable=enable-disable-options

    Enables security auditing for the specified audit event classes.
    To enable alarms and audits for all events, specify the All
    option. You can also selectively enable alarms and audits for
    one or more classes that are currently disabled. You must specify
    at least one class when you specify the Enable qualifier.

    When you specify audit classes with the Enable qualifier, the
    audit events you specify are immediately enabled, so that audit
    events of currently attached users are recorded in the security
    audit journal and alarms are sent to security-enabled terminals,
    as specified.

    With the Enable and Disable qualifiers, you can specify one or
    more of the following six valid class options: All, Daccess,
    Daccess=object-type, Identifier=(identifier-list), Protection,
    and Rmu. If you specify more than one class, separate the classes
    with commas, and enclose the list of classes within parentheses.
    The following list provides a description of each option:

    o  All

       Enables or disables all possible audit event classes.

    o  Daccess

       Enables or disables DACCESS (discretionary access) audit
       events.

       A DACCESS audit event occurs whenever a user issues a command
       that causes a check to be made for the existence of the
       appropriate privilege in an access privilege set (APS). To
       monitor access to a particular database object or group of
       objects, use the Daccess=object-type option to specify that a
       DACCESS audit record be produced whenever an attempt is made
       to access the object.

       Specifying the general Daccess option enables or disables the
       general DACCESS audit event type. If DACCESS event auditing is
       enabled and started for specific objects, auditing takes place
       immediately after you issue the RMU Set Audit command with
       the Enable=Daccess qualifier. Auditing starts for any users
       specified in the Identifier=(identifier-list) option who are
       attached to the database when the command is issued.

    o  Daccess=object-type[=(object name)]/Privileges=(privilege-list)

       Allows you to audit access to database objects by users in the
       Identifier=(identifier-list) option with the privileges you
       specify.

       A DACCESS type event record indicates the command issued, the
       privilege used by the process issuing the command, and whether
       the attempt to access the object was successful.

       The object-type option enables or disables DACCESS auditing
       for the specified object type. You can specify one or more
       object types in an RMU Set Audit command. The three valid
       object types are:

       -  DATABASE

          When you specify the DATABASE object type, you must use the
          Privileges qualifier to specify one or more privileges to
          be audited for the database. Do not specify an object name
          with the DATABASE object type.

       -  TABLE

          Specify the TABLE option for both tables and views. When
          you specify the TABLE object type, you must specify one or
          more table names with the object name parameter. You must
          also use the Privileges qualifier to specify one or more
          privileges to be audited for the specified tables.

       -  COLUMN

          When you specify the COLUMN object type, you must specify
          one or more column names with the object name parameter.
          Specify the table name that contains the column by using
          the following syntax:

          table-name.column-name

          If you specify more than one column, separate the list
          of table-name.column-names with commas, and enclose the
          list within parentheses. You must also use the Privileges
          qualifier to specify one or more privileges to be audited
          for the specified columns.

       The object name parameter enables or disables DACCESS auditing
       for the specified object or objects. If you specify more than
       one object name, separate the object names with commas, and
       enclose the list of object names within parentheses.

       If you specify one or more object names, you must select one
       or more privileges to audit. Use the Privileges=privilege-list
       qualifier to select the privileges that are to be audited for
       each of the objects in the object name list when the selected
       objects are accessed. The privileges that can be specified
       with the Privileges qualifier are listed in DACCESS Privileges
       for Database Objects.

       Privilege names SUCCESS and FAILURE can be used as a
       convenient way to specify that all successful or failed
       accesses to that object for all privileges should be audited.
       The privilege name All can be used with the Enable or Disable
       qualifier to turn on or turn off auditing for all privileges
       applicable to the object.

       If you specify a privilege that does not apply to an object,
       Oracle Rdb allows it, but will not produce any auditing for
       that privilege. You can specify only SQL privileges with the
       Privileges=(privilege-list) qualifier. The privileges that
       can be specified for each Oracle Rdb object type are shown
       in DACCESS Privileges for Database Objects. The Relational
       Database Operator (RDO) privileges that correspond to
       the SQL privileges are included in DACCESS Privileges for
       Database Objects to help RDO users select the appropriate SQL
       privileges for auditing.

    Table 13 DACCESS Privileges for Database Objects

    SQL          RDO
    Privilege    Privilege      Database   Table/View  Column

    ALTER        CHANGE         Y          Y           N
    CREATE       DEFINE         Y          Y           N
    DBADM        ADMINISTRATOR  Y          N           N
    DBCTRL       CONTROL        Y          Y           N
    DELETE       ERASE          N          Y           N
    DISTRIBTRAN  DISTRIBTRAN    Y          N           N
    DROP         DELETE         Y          Y           N
    INSERT       WRITE          N          Y           N
    REFERENCES   REFERENCES     N          Y           Y
    SECURITY     SECURITY       Y          N           N
    SELECT       READ           Y          Y           N
    UPDATE       MODIFY         N          Y           Y
    SUCCESS      SUCCESS        Y          Y           Y
    FAILURE      FAILURE        Y          Y           Y
    ALL          ALL            Y          Y           Y

    o  Identifier=(identifier-list)

       Enables or disables auditing of user access to objects listed
       in the Enable=Daccess=object-type qualifier. If you do not
       specify this option, no users are audited for the DACCESS
       event. Any user whose identifier you specify is audited for
       accessing the database objects with the privileges specified.
       You can specify wildcard characters within the identifiers
       to identify groups of users. The [*,*] identifier indicates
       public, and causes all users to be audited. If you specify a
       nonexistent identifier, you receive an error message.

       The order of identifiers in the identifier list is not
       significant. A user is audited if he or she holds any of the
       identifiers specified in the identifier list.

       You can specify user identification code (UIC) identifiers,
       general identifiers, and system-defined identifiers in the
       identifier list. For more information on identifiers, see the
       Oracle Rdb Guide to Database Design and Definition.

       If you specify more than one identifier, separate the
       identifiers with commas, and enclose the identifier list
       within parentheses. UIC identifiers with commas such as
       [RDB,JONES] must be enclosed within quotation marks as
       follows:

       IDENTIFIER=(INTERACTIVE,"[RDB,JONES]",SECRETARIES)

       When you use Identifier=(identifier-list) to specify one or
       more identifiers to be audited, those identifiers are audited
       whenever they access any object for which auditing has been
       enabled.

    o  Protection

       Allows you to audit changes made to access privilege sets
       for database objects by means of the SQL GRANT and REVOKE
       statements.

    o  Rmu

       Audits the use of Oracle RMU commands by users with the
       privilege to use them.
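
    An added example (not part of the Oracle Rdb help text): a Python
    pre-flight check that applies the Daccess=object-type rules and
    Table 13 to one planned audit request, flagging privileges that
    Oracle Rdb accepts but never audits and a missing identifier list.
    The function names and the sample table and column names are
    assumptions made for illustration.

```python
import re

# Table 13 from this page: SQL privilege -> object types that produce
# audit records (D = DATABASE, T = TABLE/view, C = COLUMN).
APPLIES = {
    "ALTER": "DT", "CREATE": "DT", "DBADM": "D", "DBCTRL": "DT",
    "DELETE": "T", "DISTRIBTRAN": "D", "DROP": "DT", "INSERT": "T",
    "REFERENCES": "TC", "SECURITY": "D", "SELECT": "DT", "UPDATE": "TC",
    "SUCCESS": "DTC", "FAILURE": "DTC", "ALL": "DTC",
}
TYPES = {"DATABASE": "D", "TABLE": "T", "COLUMN": "C"}

def lint_daccess(object_type, names, privileges, identifiers):
    """Return findings for one planned Daccess=object-type request."""
    otype = object_type.upper()
    if otype not in TYPES:
        return [f"unknown object type {object_type!r}"]
    findings = []
    if otype == "DATABASE" and names:
        findings.append("DATABASE takes no object name")
    if otype != "DATABASE" and not names:
        findings.append(f"{otype} requires at least one object name")
    if otype == "COLUMN":
        for n in names:
            if not re.fullmatch(r"[^.\s]+\.[^.\s]+", n):
                findings.append(f"column {n!r} must be written table-name.column-name")
    if not privileges:
        findings.append("Privileges qualifier is required")
    for p in privileges:
        key = p.upper()
        if key not in APPLIES:
            findings.append(f"{p!r} is not an SQL privilege listed in Table 13")
        elif TYPES[otype] not in APPLIES[key]:
            findings.append(f"{key} is accepted but produces no audit records for {otype}")
    if not identifiers:
        findings.append("no Identifier list: no users are audited for DACCESS")
    return findings

def format_identifiers(identifiers):
    """Render Identifier=(...), quoting UIC identifiers that contain commas."""
    parts = [f'"{i}"' if "," in i else i for i in identifiers]
    return "IDENTIFIER=(" + ",".join(parts) + ")"

if __name__ == "__main__":
    # Constructed sample request; EMPLOYEES is a hypothetical table name.
    print(lint_daccess("TABLE", ["EMPLOYEES"], ["SELECT", "DBADM"], ["[*,*]"]))
    print(format_identifiers(["INTERACTIVE", "[RDB,JONES]", "SECRETARIES"]))
```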