A preliminary understanding of Oracle fine-grained auditing (FGA)

  • 2020-12-21 18:13:31
  • OfStack

Fine-grained auditing (FGA), introduced in Oracle 9i, can record the SCN and row-level changes so that old data can be rebuilt, but it can only be used for SELECT statements and not for DML such as UPDATE, INSERT, and DELETE statements. Thus, in versions before Oracle Database 10g, using triggers was the only reliable way to track user-initiated changes at the row level, although it was not an attractive option.

FGA is enhanced in Oracle 10g to support DML operations as well as SELECT operations. In Oracle 10g, auditing has grown from a mere "action recorder" into a "fact recorder" mechanism that captures user behavior at a very detailed level, which eliminates the need for manual, trigger-based auditing. It also combines standard auditing with FGA tracking, which makes it easier to track database access regardless of how it was generated.

Through fine-grained audits we can record:

◆ Access to a table between 9 AM and 6 PM, or on Saturday and Sunday

◆ Use of an IP address outside the company network

◆ A SELECT or UPDATE on a specific column

◆ Use of a specific value for that column
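
As an added example (not from the original article), the following policy covers three of the items above: a specific column, a specific value, and a client IP outside the company network. The schema `HR`, table `EMPLOYEES`, column `SALARY`, policy name `SALARY_OFFNET_ACCESS`, the threshold and the `10.x` internal range are assumptions for illustration.

```sql
-- Added example: object names, policy name, threshold and network range are assumed.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'SALARY_OFFNET_ACCESS',
    -- Audit only statements that reference this column.
    audit_column    => 'SALARY',
    -- Row-level predicate: a specific value range AND a client address
    -- outside the assumed internal 10.x network. IP_ADDRESS is NULL for
    -- local (non-TCP) connections, so those sessions do not match.
    audit_condition => 'SALARY >= 10000 AND '
                    || 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') NOT LIKE ''10.%''',
    -- 10g and later: DML can be audited in addition to SELECT.
    statement_types => 'SELECT,UPDATE',
    -- Write to the database audit trail and keep SQL text and binds.
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    enable          => TRUE);
END;
/

-- Review what the policy captured, including the SCN of each access.
SELECT timestamp, db_user, userhost, statement_type, scn, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'SALARY_OFFNET_ACCESS'
ORDER  BY timestamp;
```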

The audit record is actually written by the session's own server process, which performs one recursive SQL operation, rather than by some background process, as can be observed from the 10046 event.
