Audit DDL only

Dear DBAs,
Is there a way to use the audit trail, instead of using triggers, to audit only the DDL statements for a specific user?
Thx in advance

Dear Pavan/Sybran,
I would like to thank you first for your quick reply.
I know so much about what you are saying and the documents you gave, but your solution was to run the AUDIT statement and add each system privilege (related to the DDL).
What I'm thinking of, instead of listing all DDL statements, is a way to start auditing DDL statements using this kind of statement:
AUDIT ALL DDL BY user
is it possible?

Similar Messages

  • Oracle Golden Gate - Extract DDL only

    Hi.  We are working on a golden gate proof of concept.  The way our configuration is set up, we want to pull changes from our standby to keep load low on the primary.  This will require us to extract ddl changes from the primary, so my current plan is to put the dml on a 5 minute delay, and get the ddl immediately from the primary.  I am running into two issues, one I cannot figure out the setting to get DDL only from the primary (right now I am getting both ddl and dml from the primary), and 2, I get the following error  when retrieving data from the standby:  2015-04-16 20:08:40 ERROR OGG-00303 Oracle GoldenGate Capture for Oracle, ext1.prm: Invalid destination "+DATA/dgdemo/archivelog" specified for TRANLOGOPTION ALTARCHIVELOGDEST option, and I also get an error when I do do specify an archivelog destination.  Can anyone point me to the appropriate settings.  Below is the parameter file:
    extract ext1
    userid ggate password ggate
    --TRANLOGOPTIONS ASMUSER sys@ASM ASMPASSWORD password
    TRANLOGOPTIONS DBLOGREADER
    TRANLOGOPTIONS DBLOGREADERBUFSIZE 2597152,ASMBUFSIZE 28000
    TRANLOGOPTIONS ARCHIVEDLOGONLY
    TRANLOGOPTIONS ALTARCHIVELOGDEST primary "+DATA/dgdemo/archivelog" RECURSIVE
    discardfile ./dirrpt/ext1.dsc,purge
    reportcount every 15 minutes, rate
    exttrail ./dirdat/t1
    table SCOTT.*;

    OGG does not support ALTARCHIVELOGDEST parameter in ALO mode till OGG version 12c.
    Does GoldenGate Parameter ALTARCHIVELOGDEST Support ASM Diskgroups ? (Doc ID 1393059.1)
    Also, in order to run Extract in ALO mode when archived logs are stored in ASM, the original database configuration must have a complete file specification in the log_archive_dest_n setting. An incomplete file specification leads ASM to ignore log_archive_format. An incomplete file spec only contains the diskgroup name, like +ASMDISK1.
    Users should ensure log_archive_dest is set using a complete file specification. In that case, log_archive_format is honored by ASM, and Extract will work correctly.
    For example:
    alter diskgroup asmdisk2 add directory '+ASMDISK2/archivedir';

  • Extract DDL ONLY !

    Does someone know what parameter needs to be added to extract to enable DDL ONLY?
    I don't want any DMLs extracted.
    Thanks a lot !

    DDL for whom or what? In other words, what scope?
    http://docs.oracle.com/cd/E35209_01/doc.1121/e29797.pdf
    Look for Understanding DDL scopes

  • Auditing DDL and DML statements of selective IP addresses....

    Hi all,
    DB : 11.2.0.2 64 bit
    OS : RHEL 5.7 64bit
    I want to audit all DDL and DML statements for some selective IP Addresses or hostnames.
    I read about Fine Grained Audit. I got the following code to enable auditing of nondatabase user's actions(Application users).
    created policy for client identifier.......
    BEGIN
    DBMS_FGA.ADD_POLICY(OBJECT_SCHEMA => 'OE',
    OBJECT_NAME => 'ORDERS',
    POLICY_NAME => 'ORDERS_FGA_POL',
    AUDIT_CONDITION => 'SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER'') = ''Robert''',
    HANDLER_SCHEMA => NULL,
    HANDLER_MODULE => NULL,
    ENABLE => True,
    STATEMENT_TYPES => 'INSERT,UPDATE,DELETE,SELECT',
    AUDIT_TRAIL => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    AUDIT_COLUMN_OPTS => DBMS_FGA.ANY_COLUMNS);
    END;
    But I want to audit all DDL and DML statements for a particular schema say ABC from selective IP addresses or hostnames so how can I do this?
    Pl suggest.....
    Regards,
    Andy.

    Hi,
    You could :
    1. create a function, say myfunction, returning 1 if you want to audit, 0 otherwise
    This function would test sys_context('userenv','ip_address') within the desired IP address to be audited
    2. create your fga on the objects you want to audit adding the clause audit_condition=>'myfunction=1'
    Nicolas.
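One way to write the function and policy Nicolas describes, as an added example that is not part of the original thread. It covers the DML part of the question, since the FGA statement types are SELECT, INSERT, UPDATE and DELETE. The `SEC_ADMIN` schema, the function name `FGA_WATCHED_IP`, the policy naming scheme and the IP addresses are assumptions made for illustration.

```sql
-- Added example; SEC_ADMIN, FGA_WATCHED_IP and the addresses are constructed.
-- Returns 1 when the session's client address is on the watch list, else 0.
CREATE OR REPLACE FUNCTION sec_admin.fga_watched_ip RETURN NUMBER
IS
  -- IP_ADDRESS is NULL for local (non-network) connections, so those
  -- sessions fall through to RETURN 0 and are not audited by this policy.
  v_ip VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
BEGIN
  IF v_ip IN ('192.0.2.10', '192.0.2.11')   -- individual hosts
     OR v_ip LIKE '198.51.100.%'            -- every host in one /24
  THEN
    RETURN 1;
  END IF;
  RETURN 0;
EXCEPTION
  WHEN OTHERS THEN
    RETURN 1;  -- on an unexpected error, audit rather than skip
END fga_watched_ip;
/

-- FGA policies are defined per object, so "the whole schema ABC" means
-- one policy per table. Policy names here are capped at 30 characters;
-- tables sharing their first 23 characters need another naming scheme.
BEGIN
  FOR t IN (SELECT table_name FROM dba_tables WHERE owner = 'ABC') LOOP
    DBMS_FGA.ADD_POLICY(
      object_schema   => 'ABC',
      object_name     => t.table_name,
      policy_name     => 'FGA_IP_' || SUBSTR(t.table_name, 1, 23),
      audit_condition => 'SEC_ADMIN.FGA_WATCHED_IP = 1',
      enable          => TRUE,
      statement_types => 'INSERT,UPDATE,DELETE,SELECT',
      audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);
  END LOOP;
END;
/

-- Review what the policies captured, including the statement text.
SELECT timestamp, db_user, userhost, object_name, statement_type, sql_text
FROM   dba_fga_audit_trail
WHERE  object_schema = 'ABC'
ORDER  BY timestamp;
```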

  • Is the Database Vault portion of Audit Vault only for the Audit Vault DB?

    Hi all, first off, thanks in advance.
    I am doing a bit of research in order to fulfill some security system requirements for an upcoming project. In summary the requirement states that DBAs should not have the ability to view personal health information stored in the database.
    My initial thought was to use Oracle Label Security but recall that SYS is exempt from the OLS policies. Next I looked into Oracle Database Vault and the product appears to meet the requirements. However another part of the requirement states that we must prevent undetectable data tampering - which to me sounds like we need to have an auditing product in place not only to audit access and data changes but also to make sure that audit logs can't be tampered with. It seems like Oracle Audit Vault should meet the requirement. When looking into Audit Vault it mentions it comes with Oracle Database Vault and there is some wording which makes me believe that the Oracle Database Vault component is only for the Audit Vault database. Short of installing the product I thought I would post a message to see if my assumption is correct.
    If the assumption is correct it sounds like we would need to purchase both Audit Vault and Database Vault to fully meet the requirement. Can anyone think of any reason we need to include OLS as well?
    Once again, thanks in advance.
    Cheers,
    Eric

    I imagine you are dealing with the HIPAA compliance requirements and facing the same issue faced by many others.
    To audit who has viewed data ... SELECT statements ... you can use Fine Grained Auditing (FGA).
    To meet the government's auditing requirements, as well as those for hospital accreditation Audit Vault will do the trick.
    Keeping DBAs out of the data can be done by a number of means but the issue often comes down to the applications you have purchased and the quality of the vendors. One major source of hospital software in the US, for example, has installed thousands of systems with the exact same password for the schema owner ... and that schema owner has DBA privs.
    So before you run too far down the road of closing the back door ... make sure the front door isn't wide open.

  • Capturing DDL only for 'ADDING and DELETING' a column

    Hi
    Source Oracle 11.2
    GG Version: 11.2
    I am configuring replication between Oracle and Oracle. Regarding DDL replication, for a few tables, in addition to the DML replication, I want to capture only the DDLs related to structure changes to the table (only adding or deleting a column) and nothing else for DDL. For this, is the below command sufficient for my requirement, or do I need the 'exclude' parameter specifying everything that needs to be excluded? If anything else needs to be configured, please let me know.
    DDL INCLUDE MAPPED include optype 'alter'
    Thanks in advance.

    Appreciate if someone can throw some light on this  as i am a bit confused after reading the doc.
    Thanks

  • User audit enabled - Only log off

    Hai all,
    10.2.0.5 on solaris 10
    I enabled audit for a user as below
    audit username by access;
    When I query dba_audit_trail, I can see only actions (LOG_OFF) stored in the action_name column of dba_audit_trail.
    Any idea

    Are you talking about "audit session by username by access"? The statement you mentioned doesn't exist, and if you mean what I mentioned, try logging in with the username after you log out; you should see the logon value in the action_name column and the action value should be 100, assuming it was also so in 10g, because I work on 11g. Also you should see logoff_time when you log out but a null value when you log in.
    Regards
    Karan

  • Privilege to view Package DDL only

    Hello Friends,
    I need your help on GRANTS.
    Oracle version: Oracle 11G R2
    OS: AIX
    I have three users in a database. Among these three users, two users, say USR1 and USER2 are having all database objects which is needed for my application and possess all system privileges equivalent to a DBA role.
    The 3rd one I have created is a READ user. I want this user to view only source code of PACKAGES AND PACKAGES BODY objects of only USR1, not USR2. Also, I have more than thousand packages/package bodies in USR1. READ should not be able to CREATE or compile a procedure, just simply be able to view the source code.
    FYI, GRANT EXECUTE enables me to see PACKAGE specific only, not PACKAGE BODY.
    Which privilege should I grant to READ user to achieve this security?
    Please help.

    AshishGautam wrote:
    Hello Friends,
    I need your help on GRANTS.
    Oracle version: Oracle 11G R2
    OS: AIX
    I have three users in a database. Among these three users, two users, say USR1 and USER2 are having all database objects which is needed for my application and possess all system privileges equivalent to a DBA role.
    The 3rd one I have created is a READ user. I want this user to view only source code of PACKAGES AND PACKAGES BODY objects of only USR1, not USR2. Also, I have more than thousand packages/package bodies in USR1. READ should not be able to CREATE or compile a procedure, just simply be able to view the source code.
    FYI, GRANT EXECUTE enables me to see PACKAGE specific only, not PACKAGE BODY.
    Which privilege should I grant to READ user to achieve this security?
    Please help.

    CREATE OR REPLACE PROCEDURE READ_MY_SOURCE ...
    -- which SELECT TEXT FROM USER_SOURCE ORDER BY LINE
    have this procedure owned by both USR1 & USER2
    GRANT EXECUTE ON USR1.READ_MY_SOURCE TO READ;
    GRANT EXECUTE ON USR2.READ_MY_SOURCE TO READ;

  • Audition is only app that won't work

    I am running OSX 10.8.3 and just got the creative cloud. I formerly had Adobe Audition trial, but uninstalled it around 2 months ago. Adobe App manager says Audition has been installed, but I can't locate it on my machine. Thoughts?
    Thanks in advance.

    Figured it out. Used supplied uninstallers and re-installed. Good now.

  • How to extract Index DDLs only

    Hi Guys,
    I have a requirement to extract only the indexes defined in the database and move it to another file group in the database, I am unable to extract the indexes alone in the management studio, is there a way to do this with some tool.
    With regards,
    Gopinath. 

    You can also try PowerShell
    https://sqlpowershell.wordpress.com/2013/04/24/powersql-generate-only-index-script-of-all-tables-or-specific-tables/
    Save the below PowerShell script in F:\PowerSQL\IndexScript.ps1
    PARAM
    (
    $server = $(read-host "Server"),
    $instance = $(read-host "Instance - Default"),
    $database = $(read-host "Database"),
    $schema = $(read-host "schema (default schema dbo)"),
    $tables = $(read-host "Tables (*)")
    )
    # Root of the SQLPS provider path for the tables of the chosen database
    $path = "sqlserver:\sql\$server\$instance\databases\$database\tables"
    IF ($tables -eq '*')
    {
    # All tables: script every index of every table
    $tableset = gci -path $path | select-object name
    foreach($t in $tableset)
    {
    $path1 = $path+"\dbo."+$t.name+"\indexes\"
    gci -path $path1 | %{$_.Script() | out-file f:\PowerSQL\index.txt -append; "GO `r`n " | out-file f:\PowerSQL\index.txt -append; $_.Name;}
    }
    }
    ELSE
    {
    # Only the tables whose name matches the supplied pattern
    $tableset = get-childitem $path -ErrorAction stop | where-object {$_.name -like "$tables"}
    foreach($t in $tableset)
    {
    # Use a separate variable so $path is not extended on every iteration
    $path1 = $path+"\dbo."+$t.name+"\indexes\"
    gci -path $path1 | %{$_.Script() | out-file f:\PowerSQL\index.txt -append; "GO `r`n " | out-file f:\PowerSQL\index.txt -append; $_.Name;}
    }
    }
    Load the module SQLPS and run the IndexScript.PS1 by passing parameters
    PS F:\Powersql> sqlps
    Microsoft SQL Server PowerShell
    Version 10.50.1600.1
    Microsoft Corp. All rights reserved.
    PS SQLSERVER:\> F:\PowerSQL\IndexScript.ps1
    Server: ABCDSP18
    Instance - Default: default
    Database: Power
    schema (default schema dbo): dbo
    Tables (*): *
    Output will be saved in 
    f:\PowerSQL\index.txt
    --Prashanth

  • Audit Logs only show ID essadmin

    We have a planning application with two databases. There are times that I'd like to know who kicked off a business rule or loaded data. When I view the application log, every entry is made with the essadmin ID. Is there any other kind of auditing we can do?

    Hi,
    When planning communicates with essbase it uses the admin account that is defined in the datasource setup.
    To find out who ran business rules and at what time etc then have a look for hbrlaunch.log, if you are on windows it will be in C:\windows\system32
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Audition only opens the first 20mins59secs of an 6 hours long audio

    I have a video of a 6 hours long conference, and I exported it to AIFF format from final cut. When I open it with Quicktime 7, it appears the exact correct length, but when I open it in Audition, it only opens the first 20mins59secs. I tried opening it with Quicktime X, it also only shows the first 20 mins 59 secs of the audio.
    Anyone has the same experience or knows the reason? Is it a bug or some setting I'm missing?
    I'm using Audition 5.5 on a Mac, running OS X Lion 10.7.2.

    What are the specs of your AIFF file?  That is, bit depth, sample rate, and channels?
    6 hours is 21600 seconds...
    At 2 channels, 16-bit, 44100 Hz, that should be 3810240000 bytes, or 3.54 GB which is beyond the 2 GB limit for AIFF files.
    I'm willing to bet that Final Cut doesn't have robust bounds checking when exporting AIFF files.  You might be able to read the damaged file more sensibly if you choose a different File Importer in Audition, to do that, choose something other than "All Supported Media" in the File Open dialog:
    I'd first try choosing libsndfile to open the file and see if that works.  If that doesn't, choose QuickTime to open the AIFF file.
    If neither of those methods work, you can always use the File > Import > Raw Data... command to open the file.  You'll need to tell it what the format is in, and you'll need to remove the samples at the beginning of the file which are actually the header (interpreted as raw audio data though).
    Once open in Audition,  save as a file format that can handle more than 2 GB like WAV.  If your file is over 4 GB, use our Wave exporter, but you'll want to choose RF64 in the options which can be more than 4 GB.

  • Audition only recording left channel?

    Hi Guys,
    I'm recording some records and while looking at the wav form I noticed that audition was only recording the left channel but in stereo (both channels) I've looked at everything else and audition has got to be it. Recording is fine using Cool edit 2.0 but in audition 3 this is happening? Any info out there on this?
    Also, in my recording travels. I tried recording through USB but found that the wave file looked somewhat compressed and unnatural. Looks great through a soundcard but through usb it looked very strange. is this natural?
    George

    Check in the Audio hardware Setup page that you have correctly selected the stereo input. The drop-down list in Audition usually lists the Mono inputs first, i.e. 01M, 02M etc. You need to look further down the list and select the appropriate stereo inputs, usually numbered 01S, 02S etc. depending on your audio interface.

  • Audit : to trace who did truncate of the table  possible ?

    Hi,
    Yesterday some one has truncated the table data, any idea we can find out who did it? please see the configurations of my database.
    BANNER
    Oracle8i Enterprise Edition Release 8.1.7.4.0 - Production
    PL/SQL Release 8.1.7.4.0 - Production
    CORE 8.1.7.0.0 Production
    TNS for HPUX: Version 8.1.7.4.0 - Production
    NLSRTL Version 3.4.1.0.0 - Production
    SQL> !uname -a
    HP-UX db05 B.11.11 U 9000/800 1440856852 unlimited-user license
    SQL> show parameter audit;
    NAME TYPE VALUE
    audit_file_dest string ?/rdbms/audit
    audit_trail string NONE
    transaction_auditing boolean TRUE
    SQL>
    -rw-r----- 1 oracle dba 2547 Aug 4 11:30 ora_26430.aud
    -rw-r----- 1 oracle dba 4777 Aug 4 11:40 ora_1097.aud
    -rw-r----- 1 oracle dba 3410 Aug 4 11:50 ora_8746.aud
    -rw-r----- 1 oracle dba 2746 Aug 4 12:01 ora_14307.aud
    -rw-r----- 1 oracle dba 2062 Aug 4 12:01 ora_14435.aud
    -rw-r----- 1 oracle dba 4105 Aug 4 12:10 ora_18744.aud
    -rw-r----- 1 oracle dba 2052 Aug 4 12:20 ora_23523.aud
    -rw-r----- 1 oracle dba 4119 Aug 4 12:30 ora_28396.aud
    -rw-r----- 1 oracle dba 3411 Aug 4 12:40 ora_3120.aud
    -rw-r----- 1 oracle dba 3412 Aug 4 12:50 ora_9679.aud
    -rw-r----- 1 oracle dba 2737 Aug 4 13:10 ora_22368.aud
    -rw-r----- 1 oracle dba 1368 Aug 4 13:20 ora_28745.aud
    -rw-r----- 1 oracle dba 4094 Aug 4 13:30 ora_3831.aud
    -rw-r----- 1 oracle dba 4103 Aug 4 13:34 ora_6515.aud

    No, at this point because you did not have auditing turned on you cannot get the information desired. In my opinion you should configure all production databases to audit all DDL operations since you should create only once and reuse many times so auditing DDL should not generate much data.
    The TRUNCATE command is a general exception to the above since for work/reporting tables I would expect that the table would be cleared out every time it is used but I would also expect the clearing user to be an application user which executes a stored procedure to perform the truncate and these are easy to filter out of any reports you run and to report on the use of the truncate procedure by any user other than the expected username.
    If you set up auditing be sure to set up a purge at the same time.
    IMHO -- Mark D Powell --
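The setup described in the reply above, sketched as an added example that is not part of the original thread. The account `APP_BATCH`, the schema `REPORTING` and the 90-day retention are constructed values, and the purge assumes the 8.1.7 release from the question, where `SYS.AUD$.TIMESTAMP#` holds the event time.

```sql
-- Prerequisite (init.ora, then restart): audit_trail = DB
-- The SHOW PARAMETER output in the question has audit_trail = NONE,
-- which is why nothing was recorded for the truncate.

-- Record CREATE TABLE, DROP TABLE and TRUNCATE TABLE for every user.
AUDIT TABLE BY ACCESS;

-- Report truncates that did not come from the expected application
-- account clearing its own work tables (constructed names).
SELECT username, os_username, userhost, terminal, owner, obj_name,
       TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS event_time
FROM   dba_audit_trail
WHERE  action_name = 'TRUNCATE TABLE'
AND    NOT (username = 'APP_BATCH' AND owner = 'REPORTING')
ORDER  BY timestamp;

-- Purge set up together with the audit: keep 90 days of records.
-- Archive the rows first if they must be retained elsewhere.
DELETE FROM sys.aud$ WHERE timestamp# < SYSDATE - 90;
COMMIT;
```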

  • Auditing Grant activities

    Objective
    =========
    I want to audit any grants made on my database objects. In addition to the basic information(timestamp, grantor, DB object, machine name, IP address etc.), I want to track the level of access granted (insert, delete, update, select) and the grantee.
    Current Solution
    ================
    1. Going forward - for new tables, I can execute "AUDIT GRANT TABLE BY ACCESS"
    2. For existing tables - I have to execute "AUDIT GRANT ON tablename BY ACCESS" for every single table
    For #2, I can generate a script off of SYS.ALL_OBJECTS
    Questions
    =========
    1. Is there a simpler way of achieving the objective?
    2. The OBJ_PRIVILEGE column in SYS.DBA_AUDIT_TRAIL has Y in certain positions, depending on which access was granted. I can run tests and figure out which ones correspond to insert/delete/update/select but is there a comprehensive list to explain which position corresponds to which access?
    Thanks for all your help!
    CK

    Not off the top of my head. We only audit DDL and access by an emergency ID so the obj_privilege column is always null in my current data.
    If I wanted to know what the 'Y' values related to I would probably read the source for the audit views in $ORACLE_HOME/rdbms/cataudit.sql. That would be my suggestion to you.
    Let me know what you find. I am going to be tied up for the next few days and my list of things to check out grows every day or two so much of it falls by the wayside.
    HTH -- Mark D Powell --
