Oracle SYS.AUD$ Audit Actions

Question

We are running into tablespace issues as a result of a large SYS.AUD$ table. Upon further investigation, we identified that 99% of the items in this table were SELECT actions

SELECT COUNT(*) from SYS.AUD$ where ACTION# = 3;

334698880

SELECT COUNT(*) FROM SYS.AUD$;

335176012

However, we cannot find WHY these are being logged.

• No system-wide auditing privileges set for SELECT (DBA_PRIV_AUDIT_OPTS)
• No system-wide statement options set for SELECT (DBA_STMT_AUDIT_OPTS)
• No specific objects being tracked (DBA_OBJ_AUDIT_OPTS)

Somehow these settings are being overridden. Any suggestions with regards to places to look?

Answer 1

We have resolved the issue - the log-stamps allowed us to correlate the issue with a scheduled job:

1. Privilege auditing audits statements that use a system privilege - SQL statements that require the audited privilege to succeed are recorded
2. The auditing privilege EXEMPT ACCESS POLICY was enabled system wide
3. The EXEMPT ACCESS POLICY privilege allows a role to execute a SQL command without invoking any policy function that may be associated with the target database object
4. A scheduled job was executing a package that built database objects - this privilege was required to execute the package

The Auditing Section of the Oracle 11g Security Guide was extremely useful in this investigation Oracle 11g Security Guide