Oh boy. I blanched and cringed when I read: '*' and JAVASYSPRIV. From an O/S level, I don't know how you can do this. In the database, perhaps you can check dependencies: select owner, name, type from dba_dependencies where referenced_name = 'UTL_FILE' And find out how extensively UTL_FILE is used -- perhaps simple code inspection will suffice provided the # of packages referencing UTL_FILE are low. As for JAVASYSPRIVS, you might have a bigger issue: what about other permissions that may be needed, such as lang.runtimePermission or net.Socketpermission, and so forth? Jeff T. -----Original Message----- From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Pakhutkin, Maxim (Max) Sent: Wednesday, January 11, 2006 1:28 PM To: oracle-l@xxxxxxxxxxxxx Subject: RE: tracing oracle filesystem access Sorry, didn't explain myself properly. The utl_file_dir is currently set to be '*'. Some users have JAVASYSPRIV. I would like to restrict that as much as possible. To do this I would like to identify any and all directories and files the database processes access over a period of time. That way I will have a certain degree of confidence that my restriction will not break existing functionality. I hope this is a better explanation. Max. -----Original Message----- From: Thomas Jeff [mailto:jeff.thomas@xxxxxxxxxxx] Sent: Wednesday, January 11, 2006 1:22 PM To: Pakhutkin, Maxim (Max); oracle-l@xxxxxxxxxxxxx Subject: RE: tracing oracle filesystem access Unless I'm missing something, can't you just do a show parameter utl_file_dir in the respective databases to list all directories accessible? As for java, something like this: SELECT kind, grantee, type_schema, type_name, name, action, enabled FROM dba_java_policy Look for a TYPE_NAME = java.io.Filepermission ________________________________ From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Pakhutkin, Maxim (Max) Sent: Wednesday, January 11, 2006 1:08 PM To: oracle-l@xxxxxxxxxxxxx Subject: tracing oracle filesystem access Does anyone know of a way to trace/audit which files and directories oracle accesses either via PL/SQL (utl_file_dir) and java? I'm trying to restrict java access and pl/sql access to the filesystem, but would like to be able to monitor existing access patterns to make sure I will not break any functionality when I apply the restriction. The only way I can think of is by monitoring server processes with truss, but that would be pretty cumbersome. The other way is to somehow put a wrapper around sys.utl_file (but what about java?). Thanks in advance. Max Pakhutkin -- //www.freelists.org/webpage/oracle-l -- //www.freelists.org/webpage/oracle-l