Hey all,
In 11.2.0.3, my security sweep listed some entries from DBA_AUDIT_TRAIL
on one test database where the offending statement was a SELECT from a
table in another schema or across a database link. In either case, the
return code was "0" (success). The audit entries for the local SELECTs
have a priv used of "SELECT ANY TABLE", while the ones against the DB
link are null. Here's what I'm auditing in this particular DB:

SELECT 'PRIV' aud_view, privilege, success, failure
  FROM sys.dba_priv_audit_opts
UNION ALL
SELECT 'STMT', audit_option, success, failure
  FROM sys.dba_stmt_audit_opts
UNION ALL
SELECT 'OBJ', owner||'.'||object_name, 'S', 'F'
  FROM dba_obj_audit_opts
ORDER BY 1,2;

AUD_ PRIVILEGE                                SUCCESS    FAILURE
---- ---------------------------------------- ---------- ----------
PRIV ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS
PRIV ALTER ANY TABLE                          BY ACCESS  BY ACCESS
PRIV ALTER DATABASE                           BY ACCESS  BY ACCESS
PRIV ALTER PROFILE                            BY ACCESS  BY ACCESS
PRIV ALTER SYSTEM                             BY ACCESS  BY ACCESS
PRIV ALTER USER                               BY ACCESS  BY ACCESS
PRIV AUDIT SYSTEM                             BY ACCESS  BY ACCESS
PRIV CREATE ANY JOB                           BY ACCESS  BY ACCESS
PRIV CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS
PRIV CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS
PRIV CREATE ANY TABLE                         BY ACCESS  BY ACCESS
PRIV CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS
PRIV CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS
PRIV CREATE SESSION                           NOT SET    BY ACCESS
PRIV CREATE USER                              BY ACCESS  BY ACCESS
PRIV DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS
PRIV DROP ANY TABLE                           BY ACCESS  BY ACCESS
PRIV DROP PROFILE                             BY ACCESS  BY ACCESS
PRIV DROP USER                                BY ACCESS  BY ACCESS
PRIV EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS
PRIV GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS
PRIV GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS
PRIV GRANT ANY ROLE                           BY ACCESS  BY ACCESS
STMT ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS
STMT ALTER ANY TABLE                          BY ACCESS  BY ACCESS
STMT ALTER DATABASE                           BY ACCESS  BY ACCESS
STMT ALTER PROFILE                            BY ACCESS  BY ACCESS
STMT ALTER SEQUENCE                           BY ACCESS  BY ACCESS
STMT ALTER SYSTEM                             BY ACCESS  BY ACCESS
STMT ALTER TABLE                              BY ACCESS  BY ACCESS
STMT ALTER USER                               BY ACCESS  BY ACCESS
STMT CREATE ANY JOB                           BY ACCESS  BY ACCESS
STMT CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS
STMT CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS
STMT CREATE ANY TABLE                         BY ACCESS  BY ACCESS
STMT CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS
STMT CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS
STMT CREATE SESSION                           NOT SET    BY ACCESS
STMT CREATE USER                              BY ACCESS  BY ACCESS
STMT DATABASE LINK                            BY ACCESS  BY ACCESS
STMT DIRECTORY                                BY ACCESS  BY ACCESS
STMT DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS
STMT DROP ANY TABLE                           BY ACCESS  BY ACCESS
STMT DROP PROFILE                             BY ACCESS  BY ACCESS
STMT DROP USER                                BY ACCESS  BY ACCESS
STMT EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS
STMT GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS
STMT GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS
STMT GRANT ANY ROLE                           BY ACCESS  BY ACCESS
STMT GRANT DIRECTORY                          BY ACCESS  BY ACCESS
STMT GRANT PROCEDURE                          BY ACCESS  BY ACCESS
STMT GRANT SEQUENCE                           BY ACCESS  BY ACCESS
STMT GRANT TABLE                              BY ACCESS  BY ACCESS
STMT GRANT TYPE                               BY ACCESS  BY ACCESS
STMT INDEX                                    BY ACCESS  BY ACCESS
STMT PROCEDURE                                BY ACCESS  BY ACCESS
STMT PROFILE                                  BY ACCESS  BY ACCESS
STMT PUBLIC DATABASE LINK                     BY ACCESS  BY ACCESS
STMT PUBLIC SYNONYM                           BY ACCESS  BY ACCESS
STMT ROLE                                     BY ACCESS  BY ACCESS
STMT SEQUENCE                                 BY ACCESS  BY ACCESS
STMT SYNONYM                                  BY ACCESS  BY ACCESS
STMT SYSTEM AUDIT                             BY ACCESS  BY ACCESS
STMT SYSTEM GRANT                             BY ACCESS  BY ACCESS
STMT TABLE                                    BY ACCESS  BY ACCESS
STMT TABLESPACE                               BY ACCESS  BY ACCESS
STMT TRIGGER                                  BY ACCESS  BY ACCESS
STMT TYPE                                     BY ACCESS  BY ACCESS
STMT USER                                     BY ACCESS  BY ACCESS
STMT VIEW                                     BY ACCESS  BY ACCESS

Note that there are no audits on any objects, so I'm not sure why this
is being audited. The offending user does have the SELECT ANY TABLE
priv, but I can't determine why successful SELECTs are being audited,
given the above output.
This isn't the first time I've come across this, but it will be the last
where I haven't documented it...
Thanks!
Rich