AUDITING

Below are the  auditing views mostly used:

1)DBA_STMT_AUDIT_OPTS :: Describes current system auditing options across the system and by user
2)DBA_PRIV_AUDIT_OPTS :: Describes current system privileges being audited across the system and by user
3)DBA_OBJ_AUDIT_OPTS  :: Describes auditing options on all objects

Below are queries for checking the auditing information ::

STATEMENT AUDITING:  The DBA_STMT_AUDIT_OPTS shows grant for specific statements( e.g. alter table, grant table).

Query to check if any statement level auditing is enabled in the database:

col user_name format a10
col audit_option format a16
col timest format a13
col userid format a8 trunc
col obn format a10 trunc
col name format a13 trunc
col sessionid format 99999
col entryid format 999
col owner format a10
col object_name format a10
col object_type format a6
col priv_used format a15 trunc
set pause 'Return...'

select * from sys.dba_stmt_audit_opts;

OBJECT AUDITING : The DBA_OBJ_AUDIT_OPTS shows specific privileges for specific objects (e.g. grant table)

query to check if any auditing enabled at table level :

select owner, object_name, object_type, 

       alt,aud,com,del,gra,ind,ins,loc,ren,sel,upd,ref,exe 

from sys.dba_obj_audit_opts 

where  

   alt !='-/-' or aud !='-/-' or com !='-/-' 

or del !='-/-' or gra !='-/-' or ind !='-/-' 

or ins !='-/-' or loc !='-/-' or ren !='-/-' 

or sel !='-/-' or upd !='-/-' or ref !='-/-' or exe !='-/-' 

/  

OWNER              OBJECT_NAME          OBJECT ALT       AUD       COM       DEL       GRA       IND       INS       LOC       REN       SEL       UPD       REF EXE

------------------ -------------------- ------ --------- --------- --------- --------- --------- --------- --------- --------- --------- --------- --------- --- 

SCHEMA1            TABLENAME1           TABLE  S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       -/- -/-

SCHEMA2            TABLENAME2           TABLE  S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       -/- -/-

SCHEMA3            TABLENAME3           TABLE  S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       -/- -/-

SCHEMA4            TABLENAME4           TABLE  S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       S/S       -/- -/-

Note :: The AUDIT statement only specifies auditing options; it does not enable auditing as a whole. To turn auditing on and control whether Oracle generates audit records based on the audit options currently set, set the parameter AUDIT_TRAIL in the database's parameter file

How to enable auditing for a table :

ENABLING STATEMENT PRIVILEGE AUDITING 

To audit all successful and unsuccessful connections to and disconnections from the database, regardless of user, BY SESSION (the default and only value for this option), enter the following statement:

AUDIT SESSION;

You can set this option selectively for individual users also, as in the next example:

AUDIT SESSION BY scott, lori;

To audit all successful and unsuccessful uses of the DELETE ANY TABLE system privilege, enter the following statement:

AUDIT DELETE ANY TABLE;

To audit all unsuccessful SELECT, INSERT, and DELETE statements on all tables and unsuccessful uses of the EXECUTE PROCEDURE system privilege, by all database users, and by individual audited statement, issue the following statement:

AUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE,

   EXECUTE PROCEDURE

      BY ACCESS

      WHENEVER NOT SUCCESSFUL;

The AUDIT SYSTEM system privilege is required to set any statement or privilege audit option. Normally, the security administrator is the only user granted this system privilege.

ENABLING OBJECT AUDITING :::

To audit all successful and unsuccessful DELETE statements on the SCOTT.EMP table, BY SESSION (the default value), enter the following statement:

AUDIT DELETE ON scott.emp;

To audit all successful SELECT, INSERT, and DELETE statements on the DEPT table owned by user TIGER, BY ACCESS, enter the following statement:

AUDIT SELECT, INSERT, DELETE

     ON tiger.dept

     BY ACCESS

     WHENEVER SUCCESSFUL;

To set the default object auditing options to audit all unsuccessful SELECT statements, BY SESSION (the default), enter the following statement:

AUDIT SELECT

     ON DEFAULT

     WHENEVER NOT SUCCESSFUL;

A user can set any object audit option for the objects contained in the user's schema. The AUDIT ANY system privilege is required to set an object audit option for an object contained in another user's schema or to set the default object auditing options; normally, the security administrator is the only user granted this system privilege

DISABLING STATEMENT AND PRIVILEGE AUDITING :::

The following statements turn off the corresponding audit options:

NOAUDIT session;

NOAUDIT session BY scott, lori;

NOAUDIT DELETE ANY TABLE;

NOAUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE,

    EXECUTE PROCEDURE;

The following statements turn off all statement (system) and privilege audit options:

NOAUDIT ALL;

NOAUDIT ALL PRIVILEGES;

To disable statement or privilege auditing options, you must have the AUDIT SYSTEM system privilege.

DISABLING OBJECT AUDITING ::: 

The following statements turn off the corresponding auditing options:

NOAUDIT DELETE

   ON emp;

NOAUDIT SELECT, INSERT, DELETE

   ON jward.dept;

Furthermore, to turn off all object audit options on the EMP table, enter the following statement:

NOAUDIT ALL

   ON emp;

DISABLING DEFAULT OBJECT AUDIT OPTIONS :::

To turn off all default object audit options, enter the following statement:

NOAUDIT ALL

   ON DEFAULT;

Note that all schema objects created before this NOAUDIT statement is issued continue to use the default object audit options in effect at the time of their creation, unless overridden by an explicit NOAUDIT statement after their creation.

Archivelog

Most of the High Availability features of Oracle require you to enable ARCHIVELOG mode for your database. When you enable this mode redo logs will be archived instead of overwritten. The archivelogs are stored in a seperate place usually can backed up regularly by your standard filesystem backup system (NetBackup or whatever). Archive logs are utilized by RMAN, Data Guard, Flashback and many others.

ARCHIVELOG mode is a mode that you can put the database in for creating a backup of all transactions that have occurred in the database so that you can recover to any point in time.

Advantages

1. You can perform hot backups (backups when the database is online).
2. The archive logs and the last full backup (offline or online) or an older backup can completely recover the database without losing any data because all changes made in the database are stored in the log file.

Check status of archivelolg mode

SQL> SELECT LOG_MODE FROM SYS.V$DATABASE;

LOG_MODE
------------
NOARCHIVELOG

SQL> archive log list

We can enable archivelog mode by setting log_archive_dest or FRA(flash recovery area)

How to enable archivelog mode

mkdir -p /u01/admin/orcl/arch

Perform clean shut down of database.

SQL>SHUT IMMEDIATE

Edit pfile and below parameter

log_archive_dest='/u01/admin/orcl/arch'

Start database in mount state

SQL> startup mount
ORACLE instance started.

Total System Global Area  184549376 bytes
Fixed Size                  1300928 bytes
Variable Size             157820480 bytes
Database Buffers           25165824 bytes
Redo Buffers                 262144 bytes
Database mounted.

SQL> alter database archivelog;
Database altered.

SQL> alter database open;
Database altered.

LOG_MODE
------------
ARCHIVELOG

SQL> select DEST_NAME,STATUS,DESTINATION from V$ARCHIVE_DEST;

Enabling FRA - FLASH RECOVERY ARE

The name Recovery Area indicates that this is the place to find everything needed to do a successful recovery in case of a damage (or a logical mistake) in the Database Area.

This posting aims to show how deal with the Recovery Area in order to

a) Protect Controlfiles & Online Logfiles
b) ManageBackups
c) Manage Flashback Logs

Enable FRA

SQL> alter system set db_recovery_file_dest_size=10g scope=both;

SQL> alter system set db_recovery_file_dest='/u01/admin/orcl/fra' scope=both;

System altered.

SQL> archive log list;
Database log mode Archive Mode
Automatic archival Enabled
Archive destination USE_DB_RECOVERY_FILE_DEST
Oldest online log sequence 2089
Next log sequence to archive 2091
Current log sequence 2091

flashback : This will contain the file (.flb) containing the flashback logs for database.

archivelog: This will conatin the archivelogs generated in OMF format and a new folder will be creates automatically
for daily archives.

Apart from these folders, few more folders will be created depending upon you put backups in FRA or not.

backupset: This will contain the RMAN backup files.

datafile : This will contain the image copies backups.

autobackup: This will contain the controlfile autobackup.

controlfile: This will contain the controlfile, if you put one of the controlfiles in FRA

onlinelogs : This will contain online redo log member, if one member is put in FRA.

-- Utilisation (MB) du FRA

set lines 100

col name format a60

select

   name,

  floor(space_limit / 1024 / 1024) "Size MB",

  ceil(space_used / 1024 / 1024) "Used MB"

from v$recovery_file_dest;

 -- FRA Occupants

SELECT * FROM V$FLASH_RECOVERY_AREA_USAGE;



-- Location and size of the FRA

show parameter db_recovery_file_dest

-- Size, used, Reclaimable 

SELECT

  ROUND((A.SPACE_LIMIT / 1024 / 1024 / 1024), 2) AS FLASH_IN_GB, 

  ROUND((A.SPACE_USED / 1024 / 1024 / 1024), 2) AS FLASH_USED_IN_GB, 

  ROUND((A.SPACE_RECLAIMABLE / 1024 / 1024 / 1024), 2) AS FLASH_RECLAIMABLE_GB,

  SUM(B.PERCENT_SPACE_USED)  AS PERCENT_OF_SPACE_USED

FROM

  V$RECOVERY_FILE_DEST A,

  V$FLASH_RECOVERY_AREA_USAGE B

GROUP BY

  SPACE_LIMIT, 

  SPACE_USED , 

  SPACE_RECLAIMABLE ;



-- After that you can resize the FRA with:

-- ALTER SYSTEM SET db_recovery_file_dest_size=xxG;



-- Or change the FRA to a new location (new archives will be created to this new location):

-- ALTER SYSTEM SET DB_RECOVERY_FILE_DEST='/u....';

STORAGE MANAGEMENT

logical storage component of Oracle Database i.e. Data Blocks, Extents and Segment

A.     Data Blocks is smallest logical unit to store Oracle Data.
ii) One data block represent specific number of bytes on physical hard disk.
iii) Data Block in Oracle is also called as logical block
iv) Data Block size is usually multiple of operating system block size
v) You can have multiple block sizes with in single database (max. five)
vi) Block Size is specified by initialization parameter DB_BLOCK_SIZE

Data Block Format

a)  Header : contains generic information like block address and type of segment (index,   data..)
b)  Table Directory :contains information about table having rows in that block
c)  Row Directory : contains information about actual row contained in that block
d)  Free Space : available space in data block for additional row or update of row which require    more space.
e) Row Data : contains table or index data.First three component of data block (Header, Table &    Row directory) collectively known as Overhead.

B.      Extentis collection of contiguous data blocks.
ii) One or more extents make up a segment

C.      Segment is set of extents allocated for specific data structure (like table or index).
ii) Various kind of segments are table, index, cluster, rollback, temporary …
iii) Important views for segments are dba_segments, user_segments, all_segments
iv) In a Segment, first block of first extent contains segment header information

CREATE TABLESPACE command creates a dictionary managed tablespace

Here the DEFAULT STORAGE parameter is used to specify the size of extents allocated to segments created within the tablespace.

CREATE TABLESPACE data

DATAFILE '/u01/student/dbockstd/oradata/USER350data01.dbf' SIZE 20M

EXTENT MANAGEMENT DICTIONARY

DEFAULT STORAGE (

INITIAL 128K

NEXT 40K

PCTINCREASE 50

MINEXTENTS 1

MAXEXTENTS 999);

INITIAL specifies the initial extent size (the first extent allocated).

NEXT specifies the size of the next extent (2^nd, 3^rd, etc).

PCTINCREASE refers to the percentage by which each next extent (beginning with the third extend) will grow. The size of each subsequent extent is equal to the size of the previous extent plus this percentage increase.

MINEXTENTS and MAXEXTENTS parameters specify the minimum and maximum number of extents allocated by default to segments that are part of the tablespace.

Locally vs. Dictionary Managed Tablespaces

Metadata regarding extent allocation and unallocated extents are either stored in the data dictionary, or in the tablespace itself. Tablespaces that record extent allocation in the dictionary, are called dictionary managed tablespaces, and tablespaces that record extent allocation in the tablespace header, are called locally managed tablespaces.

Dictionary Managed Tablespaces (DMT):

Oracle use the data dictionary (tables in the SYS schema) to track allocated and free extents for tablespaces that is in "dictionary managed" mode. Free space is recorded in the SYS.FET$ table, and used space in the SYS.UET$ table.

          SQL>CREATE TABLESPACE TS1 DATAFILE ‘/oradata/ts1_01.dbf’ size 50m

                    EXTENT MANAGEMENT DICTIONARY

                    DEFAULT STORAGE(INITIAL 50K NEXT 50K MINEXTENTS 2 MAXEXTENTS 50 PCTINCREASE 0);

SQL> ALTER TABLESPACE TS1

DEFAULT STORAGE (

INITIAL 2M

NEXT 2M

MAXEXTENTS 999 );

                  

Locally Managed Tablespaces (LMT):

SQL>CREATE TABLESPACE TS2 DATAFILE ‘/oradata/ts2_01.dbf’ size 50m

         EXTENT MANAGEMENT LOCAL AUTOALLOCATE;

SQL>CREATE TABLESPACE TS3 DATAFILE ‘/oradata/ts3_01.dbf’ size 50m

          EXTENT MANAGEMENT LOCAL UNIFORM SIZE 128K;

Change normal tablespaces to locally managed :

SQL>SELECT tablespace_name,extent_management FROM dba_tablespaces;

TABLESPACE_NAME                EXTENT_MAN

------------------------------ ----------

SYSTEM                         DICTIONARY

TEMP                           LOCAL

USERS                          DICTIONARY

TAB                            DICTIONARY

IDX                            DICTIONARY

SYSAUX                         LOCAL

UNDO                           LOCAL

SQL>execute DBMS_SPACE_ADMIN.TABLESPACE_MIGRATE_TO_LOCAL ('USERS');
PL/SQL procedure successfully completed.

Change normal tablespaces to dictionary managed :

SQL>SELECT tablespace_name,extent_management FROM dba_tablespaces;

TABLESPACE_NAME                EXTENT_MAN

------------------------------ ----------

SYSTEM                         DICTIONARY

TEMP                           LOCAL

USERS                          LOCAL

TAB                            DICTIONARY

IDX                            DICTIONARY

SYSAUX                         LOCAL

UNDO                           LOCAL

SQL>execute DBMS_SPACE_ADMIN.TABLESPACE_MIGRATE_FROM_LOCAL ('USERS');
PL/SQL procedure successfully completed.

Using the Data Dictionary to Manage Storage

Periodically you will need to obtain information from the data dictionary about storage parameter settings. The following views are useful.

·         DBA_EXTENTS – information on space allocation for segments.

·         DBA_SEGMENTS – stores information on segments.

·         DBA_TABLESPACES – a row is added when a tablespace is created.

·         DBA_DATA_FILES – a row is added for each datafile in the database.

·         DBA_FREE_SPACE – shows the space in each datafile that is free.