Logon events detail in oracle

auditoracle

I want to fetch the oracle user login detail for the month February.
I tried the below query.

select distinct 
    os_username,username,userhost,terminal,timestamp,action_name,logoff_time 
from  dba_audit_session 
where timestamp between '01-FEB-2017' 
                    and '28-FEB-2017' 
order by timestamp;

but I need the IP address as well.
Can anyone help me! how to fetch the user IP address along each user session?

I am stuck here.

I have check dba_audit_trail table as well but didn't help.

I need the below columns:

username,os_user,logon_date,logoff_date,IPADDR, terminal, sessionid,hostname.

Best Answer

According to AskTom, "you can get the client ip address if you audit connect, it is in the comments column of the audit trail, you have to parse it out.". That's from 2003 but I think it is still the case:

select comment$text from sys.aud$

or possibly:

select comment_text from dba_audit_trail;

Related Solutions

Sql-server – Auditing specific database events

SQL Server 2008 (r1) introduced Extended Events and with that came SQL Server Audit and works similar to XEvents to audit events. So it is less intrusive than C2 Auditing and server side traces.

It is very granular and fairly easy to setup. This feature is available in all editions of SQL Server 2008 R2. A good write-up intro/how-to can be found here by Brad McGehee. Thomas LaRock also did a great article on Simple-Talk walking through creating/setting up the audit.

Reading through the articles mentioned above you will note that you can have the events logged to different places (windows app log, file, etc.). From that you can then write PowerShell scripts or T-SQL scripts to alert you of whatever you want. Much more easy than screwing with C2 Audit trace files.

Role audit in Oracle 10g

TL;DR: You cannot audit the roles usage.

You can however use the following views to determine which system privileges, object privileges, and other roles are granted to the roles which are in turn granted to the current user:

ROLE_ROLE_PRIVS describes the roles granted to other roles. Information is provided only about roles to which the user has access.
ROLE_SYS_PRIVS describes system privileges granted to roles. Information is provided only about roles to which the user has access.
ROLE_TAB_PRIVS describes table privileges granted to roles. Information is provided only about roles to which the user has access.

The only complicated thing here is privileges and roles inherited from other roles. If it's not the case for you, and the roles granted to your user have one level of inheritance, i. e. these roles are not children of any other roles, then you can just use the following queries to determine the privileges inherited by a particular user from the roles.

Determine system privileges:

select role, privilege
  from role_sys_privs
  where role in (select granted_role from dba_role_privs 
                   where grantee = 'SPONGEBOB');

      ROLE            PRIVILEGE
----------    -----------------
 INDEX_MGR     CREATE ANY INDEX
 INDEX_MGR       DROP ANY INDEX

Determine object privileges:

select role, owner, table_name, column_name, privilege
  from role_tab_privs
  where role in (select granted_role from dba_role_privs 
                   where grantee = 'SPONGEBOB');

      ROLE     OWNER      TABLE_NAME     PRIVILEGE
----------    ------    ------------    ----------
  HR_QUERY        HR     DEPARTMENTS        SELECT
  HR_QUERY        HR       EMPLOYEES        SELECT

In this example the user SPONGEBOB is assigned two roles INDEX_MGR and HR_QUERY from which he inherits system and object privileges. But what if these roles inherit privileges from other roles? For such case let's implement some more complex model:

APP_USER                  CREATE SESSION
 \
  APP_UNLIM_USER          UNLIMITED TABLESPACE
   \
    INDEX_MGR             CREATE ANY INDEX, DELETE ANY INDEX
            |
        SPONGEBOB
            |
     HR_QUERY             SELECT ON HR.EMPLOYEES, SELECT ON HR.DEPARTMENTS

As you might guess, APP_USER is a role granted to another role APP_UNLIM_USER, which in turn is granted to the role INDEX_MGR. The roles INDEX_MGR and HR_QUERY are granted directly to the user SPONGEBOB. In the diagram, all the privileges granted to the roles are put in front of the roles' names to which they are granted in the corresponding lines, e. g. APP_USER role is granted only CREATE SESSION privilege.

Let's query ROLE_ROLE_PRIVS view described earlier on behalf of the SPONGEBOB user:

select role, granted_role from role_role_privs;

           ROLE       GRANTED_ROLE
---------------    ---------------
      INDEX_MGR     APP_UNLIM_USER
 APP_UNLIM_USER           APP_USER

From the result, you can see that the role inheritance matches the one shown in the diagram. Now, we can use the role names returned by the query to determine what privileges these roles are granted.

First, let's present the roles' names in one column:

select role           from role_role_privs
union
select granted_role   from role_role_privs;

           ROLE
---------------
 APP_UNLIM_USER
       APP_USER
      INDEX_MGR

Then we'll determine which roles are assigned to the user SPONGEBOB directly. As you can see on the diagram above, these are HR_QUERY and INDEX_MGR:

select username, granted_role from user_role_privs;

  USERNAME     GRANTED_ROLE
----------    -------------
 SPONGEBOB         HR_QUERY
 SPONGEBOB        INDEX_MGR

Now, we'll combine the two previous queries together to have all roles' names in one result:

select role         from role_role_privs
union
select granted_role from role_role_privs
union
select granted_role from user_role_privs;

             ROLE
  ---------------
   APP_UNLIM_USER
         APP_USER
         HR_QUERY
        INDEX_MGR

Having obtained all the roles' names, we can now determine which privileges are granted to that roles. (In the examples below I replaced the previous query code with MYROLES for brevity.)

System privileges:

select role, privilege from role_sys_privs where role in (MYROLES);

           ROLE                PRIVILEGE
---------------    ---------------------
      INDEX_MGR           DROP ANY INDEX
       APP_USER           CREATE SESSION
      INDEX_MGR         CREATE ANY INDEX
 APP_UNLIM_USER     UNLIMITED TABLESPACE

Object privileges:

select role, owner, table_name, privilege 
  from role_tab_privs where role in (MYROLES);

     ROLE     OWNER      TABLE_NAME     PRIVILEGE
---------    ------    ------------    ----------
 HR_QUERY        HR     DEPARTMENTS        SELECT
 HR_QUERY        HR       EMPLOYEES        SELECT

Since you now have all the privileges shown in a user-friendly format, you can automatically construct the auditing statements to determine which privileges are actually used. For example, the following query will return you the audit statements which you can use to check what system privileges are used:

select privilege, 'audit ' || privilege || ' by spongebob whenever successful;' stmt
  from role_sys_privs where role in (MYROLES);

                                                                STMT
--------------------------------------------------------------------
              audit DROP ANY INDEX by spongebob whenever successful;
              audit CREATE SESSION by spongebob whenever successful;
            audit CREATE ANY INDEX by spongebob whenever successful;
        audit UNLIMITED TABLESPACE by spongebob whenever successful;

The following query returns the object auditing statements:

select 'audit ' || privilege || ' on ' || owner || '.' || table_name 
       || ' whenever successful;' stmt 
  from role_tab_privs where role in (MYROLES);

                                                STMT
----------------------------------------------------
 audit SELECT on HR.DEPARTMENTS whenever successful;
   audit SELECT on HR.EMPLOYEES whenever successful;

In the same vein, you can construct NOAUDIT statements to stop auditing the privileges.

Best Answer

Related Solutions

Sql-server – Auditing specific database events

Role audit in Oracle 10g

Related Question