Learn Database Administration from Arvind Toorpu: Search results for Audit

Showing posts sorted by relevance for query Audit. Sort by date Show all posts

Tuesday, November 18, 2014

Oracle audting explained

Oracle AUDIT Explained

Enabling Auditing in Database

You can specify DB,EXTENDED in either of the following ways:

ALTER SYSTEM SET AUDIT_TRAIL=DB, EXTENDED SCOPE=SPFILE;

ALTER SYSTEM SET AUDIT_TRAIL='DB','EXTENDED' SCOPE=SPFILE;

However, do not enclose DB, EXTENDED in quotes, for example:

ALTER SYSTEM SET AUDIT_TRAIL='DB, EXTENDED' SCOPE=SPFILE;

OS Directs all audit records to an operating system file.

Directs audit records to the database audit trail (the SYS.AUD$ table), except for mandatory and SYS audit records, which are always written to the operating system audit trail

The operating system and database audit trails both capture many of the same types of actions.

Operating System Audit Record Equivalent DBA_AUDIT_TRAIL View Column

SESSIONID SESSIONID

ENTRYID ENTRYID

STATEMENT STATEMENTID

USERID USERNAME

USERHOST USERHOST

TERMINAL TERMINAL

ACTION ACTION

SYS$OPTIONS Indicates what audit option was set with AUDIT Or

NOAUDIT, or what privilege was granted or revoked.

RETURNCODE RETURNCODE

OBJ$CREATOR OWNER

OBJ$NAME OBJ_NAME

OBJ$PRIVILEGES OBJ_PRIVILEGE

AUTH$GRANTEE GRANTEE

NEW$OWNER NEW_OWNER

NEW$NAME NEW_NAME

SES$ACTIONS SES_ACTIONS

LOGOFF$PREAD LOGOFF_PREAD

LOGOFF$LWRITE LOGOFF_LWRITE

COMMENT$TEXT COMMENT_TEXT

OS$USERID OS_USERNAME

PRIV$USED PRIV_USED

SES$LABEL CLIENT_ID

SES$TID Does not have an equivalent in the DBA_AUDIT_TRAIL

view, but it does appear in the SYS.AUD$ table

SPARE2 Does not have an equivalent in the DBA_AUDIT_TRAIL

view, but it does appear in the SYS.AUD$ table

If you set AUDIT_SYS_OPERATIONS to TRUE and AUDIT_TRAIL to XML or XML,EXTENDED, then Oracle Database writes SYS audit records operating system files in XML format.

AUDIT_SYSLOG_LEVEL, which writes SYS and standard OS audit records to the system audit log using the SYSLOG utility. This option only applies to UNIX environments.

The XML AUDIT_TRAIL value does not affect syslog audit file. In other words, if you have set the AUDIT_TRAIL parameter to XML, then the syslog audit records will still be in text format, not XML file format.

To write SYS and mandatory audit files to operating system files in XML format: Set AUDIT_TRAIL to XML or XML,EXTENDED, set AUDIT_SYS_OPERATIONS to TRUE, but do not set the AUDIT_SYSLOG_LEVEL parameter.

To write SYS and mandatory audit records to syslog audit files and standard audit

records to XML audit files: Set AUDIT_TRAIL to XML or XML,EXTENDED, set AUDIT_

SYS_OPERATIONS to TRUE, and set the AUDIT_SYSLOG_LEVEL parameter.

If the AUDIT_TRAIL initialization parameter is set to XML (or XML, EXTENDED), then Oracle Database writes audit records to the operating system as XML files. You can use the V$XML_AUDIT_TRAIL view to make XML audit records available to database administrators through a SQL query, providing enhanced usability.

The DBA_COMMON_AUDIT_TRAIL view includes the standard and fine grained audit trails written to database tables, XML-format audit trail records, and the contents of the V$XML_AUDIT_TRAIL dynamic view (standard, fine grained, SYS and mandatory).

#10

Syslog Audit Trail

Potential security vulnerability for the operating system audit trail is that a privileged user, such as a database administrator, can modify or delete database audit records. To minimize this risk, you can use a syslog audit trail. Syslog is a standard protocol on UNIX-based systems for logging information from different components of a network. Applications call the syslog() function to log information to the syslog daemon, which then determines where to log the information. You can configure syslog to log information to a file or to a dedicated host by editing the syslog.conf file. You can also configure syslog to alert a specified set of users when information is logged.

#11

Setting the Size of the Operating System Audit Trail

To control the size of the operating system audit trail, set theDBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE property by using the DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY PL/SQL procedure. Remember that you must have the EXECUTE privilege for the DBMS_AUDIT_MGMT PL/SQL package before you can use it. When the operating system file meets the size limitation you set, Oracle Database stops adding records to the current file and then creates a new operating system file for the subsequent records. For more information about the DBMS_AUDIT_MGMT PL/SQL package.

SETTING THE SIZE OF THE OPERATING SYSTEM AUDIT TRAIL

BEGIN

DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(

AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,

AUDIT_TRAIL_PROPERTY => DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE,

AUDIT_TRAIL_PROPERTY_VALUE => 102400);

END;

Note: 1) AUDIT_TRAIL_PROPERTY_VALUE: Sets the maximum size to 102400 kilobytes, that is,

10 MB. The default setting is 10,000 kilobytes (approximately 10 MB). Do not exceed 2 GB.

2) DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE property, which sets the maximum size. To find the

status of the current property settings, query the PARAMETER_NAME and PARAMETER_VALUE

columns of the DBA_AUDIT_MGMT_CONFIG_PARAMS data dictionary view.

SETTING THE AGE OF THE OPERATING SYSTEM AUDIT TRAIL

BEGIN

DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(

AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,

AUDIT_TRAIL_PROPERTY => DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE,

AUDIT_TRAIL_PROPERTY_VALUE => 10 );

END;

Note: 1) AUDIT_TRAIL_PROPERTY_VALUE: Sets the maximum age to 10 days. Enter a value

between 1 and 495. The default age is 5 days.

2) DBMS_AUDIT_MGMT.OS_FILE_MAX_AGE property to set the maximum age. To find the status

of the current property setting, query the DBA_AUDIT_MGMT_CONFIG_PARAMS data dictionary

view.

Views

DBA_AUDIT_MGMT_CLEAN_EVENTS Displays the history of purge events. Periodically, as user SYS connected with the SYSDBA privilege, you should delete the contents of this view so that it does not grow too large.

DBA_AUDIT_MGMT_CLEANUP_JOBS Displays the currently configured audit trail purge jobs

DBA_AUDIT_MGMT_CONFIG_PARAMS Displays the currently configured audit trail properties that are used by the DBMS_AUDIT_MGMT PL/SQL package

DBA_AUDIT_MGMT_LAST_ARCH_TS Displays the last archive timestamps that have set for audit trail purges.

#12

Listing Active Object Audit Options for Specific Objects

SELECT * FROM DBA_OBJ_AUDIT_OPTS WHERE OWNER = 'BHUVAN' AND OBJECT_NAME LIKE 'EMP%';

The view returns information about all the audit options for the specified object. The information in the view is interpreted as follows:

* A dash (-) indicates that the audit option is not set.

* The S character indicates that the audit option is set BY SESSION.

* The A character indicates that the audit option is set BY ACCESS.

* Each audit option has two possible settings, WHENEVER SUCCESSFUL and WHENEVER NOT SUCCESSFUL, separated by a slash (/). For example, the DELETE audit option for BHUVAN.emp is set by ACCESS for successful DELETE statements and not set at all for unsuccessful DELETE statements.

#13

Oracle AUDITING VIEWS

DBA_FGA_AUDIT_TRAIL - display the captured audit info (FGA only (F GA_LOG$))

DBA_AUDIT_EXISTS - displays audit trail entries produced by AUDIT EXISTS & AUDIT NOT EXISTS.

DBA_AUDIT_OBJECT -- displays audit trail records for all objects in the database.

DBA_AUDIT_POLICIES -- identify FGA audit policies

DBA_AUDIT_POLICY_COLUMNS - Identify FGA audit policies for columns level in FGA

DBA_AUDIT_SESSION - display session level auditing information

DBA_AUDIT_STATEMENT - display statement level auditing information

DBA_AUDIT_TRAIL - display the captured audit info (Standard auditing only ( AUD$))

DBA_COMMON_AUDIT_TRAIL -- displays the captured audit info for standard & FGA

DBA_OBJ_AUDIT_OPTS -- display any object auditing

DBA_PRIV_AUDIT_OPTS -- display any privilege auditing

DBA_STMT_AUDIT_OPTS -- display any statement auditing

DBA_AUDIT_MGMT_CLEANUP_JOBS - Displays the currently configured audit trail purge jobs

DBA_AUDIT_MGMT_CLEAN_EVENTS -- Displays the history of purge events. Periodically as user SYS connected with the SYSDBA privilege, you should delete the contents of this view so that it does not grow too large.

DBA_AUDIT_MGMT_CONFIG_PARAMS -- displays information about the currently configured audit trail properties that are used by the DBMS_AUDIT_MGMT PL/SQL package.

DBA_AUDIT_MGMT_LAST_ARCH_TS -- Displays the last archive timestamps that have set for audit trail purges.

V$XML_AUDIT_TRAIL -- If you are writing to an XML file, you can query the

#14

Operating System Audit Trail Records: Example

Audit trail:

LENGTH: "349"

SESSIONID:[5] "43464"

ENTRYID:[1] "1"

STATEMENT:[1] "1"

USERID:[6] "DBSNMP"

USERHOST:[7] "SHOBEEN"

TERMINAL:[3] "MAU"

ACTION:[3] "100"

RETURNCODE:[1] "0"

COMMENT$TEXT:[97] "Authenticated by: DATABASE; Client address:

(ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.4)(PORT=2955))"

OS$USERID:[19] "NT AUTHORITY\SYSTEM"

DBID:[10] "1212547373"

PRIV$USED:[1] "5"

In this example:

■ LENGTH refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\n), if any, at the end of the audit record.

■ [] brackets indicate the length of each value for each audit entry. For example, the USERID entry, DBSNMP, is 6 bytes long.

■ SESSIONID indicates the audit session ID number. You can also find the session ID by querying the AUDSID column in the V$SESSION data dictionary view.

■ ENTRYID indicates the current audit entry number, assigned to each audit trail record. The audit ENTRYID sequence number is shared between fine-grained audit records and regular audit records.

■ STATEMENT is a numeric ID assigned to the statement the user runs. It appears for each statement issued during the user session, because a statement can result in multiple audit records.

■ ACTION is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON.

■ RETURNCODE indicates if the audited action was successful. 0 indicates success. If the action fails, the return code lists the Oracle Database error number. For example, if you try to drop a non-existent table, the error number is ORA-00903 invalid table name, which in turn translates to 903 in the RETURNCODE setting.

■ COMMENT$TEXT indicates additional comments about the audit record. For example, for LOGON audit records, it can indicate the authentication method. It corresponds to the COMENT_TEXT column of the DBA_COMMON_AUDIT_TRAIL data dictionary view.

■ DBID is a database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view.

■ ECONTEXT_ID indicates the application execution context identifier.

■ PRIVS$USED refers to the privilege that was used to perform an action. To find the privilege, query the SYSTEM_PRIVILEGE_MAP table. For example, privilege 5 refers to -5 in this table, which means CREATE SESSION. PRIVS$USED corresponds to the PRIV_USED column in the DBA_COMMON_AUDIT_TRAIL, which lists the privilege by name. Other possible values are as follows:

■ SCN (for example, SCN:8934328925) indicates the System Change Number (SCN). Use this value if you want to perform a flashback query to find the value of a setting (for example, a column) at a time in the past. For example, to find the value of the ORDER_TOTAL column of the OE.ORDERS table based on the SCN number, use the following SELECT statement:

SELECT ORDER_TOTAL FROM OE.ORDERS AS OF SCN = 8934328925

WHERE ORDER_TOTAL = 86;

■ SES_ACTIONS indicates the actions that took place during the session. This field is present only if the event was audited with the BY SESSION clause. Because this field does not explain in detail the actions that occurred during the session, you should configure the audit event with the BY ACCESS clause. The SES_ACTIONS field contains 16 characters. Positions 14, 15, and 16 are reserved for future use. In the first 12 characters, each position indicates the result of an action. They are: ALTER, AUDIT, COMMENT, DELETE, GRANT, INDEX, INSERT, LOCK, RENAME, SELECT, UPDATE, and FLASHBACK. For example, if the user had successfully run the ALTER statement, the SES_ACTIONS setting is as follows: S--------------- The S, in the first position (for ALTER), indicates success. Had the ALTER statement failed, the letter F would have appeared in its place. If the action resulted in both a success and failure, then the letter is B.

■ SES$TID indicates the ID of the object affected by the audited action.

■ SPARE2 indicates whether the user modified SYS.AUD$ table. 0 means the user modified SYS.AUD$; otherwise, the value is NULL.

Some reference Sites :

http://www.oradba.ch/2011/05/database-audit-and-audit-trail-purging/
https://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_4007.htm

Wednesday, December 10, 2014

Audit failed logon attempts - Oracle

How to audit failed logon attempts

Oracle Audit -- failed connection
Background:
In some situation DBA team wants to audit failed logon attempts when "unlock account" requirement becomes frequently and user cannot figure out who from where is using incorrect password to cause account get locked.

Audit concern:
Oracle auditing may add extra load and require extra operation support. For this situation DBA only need audit on failed logon attempts and do not need other audit information. Failed logon attempt is only be able to track through Oracle audit trail, logon trigger does not apply to failure logon attempts

Hint: The setting here is suggested to use in a none production system. Please evaluate all concern and load before use it in production.

Approach:
1. Turn on Oracle audit function by set init parameter:
               audit_trail=DB
Note:
database installed by manual script, the audit function may not turn on:
database installed by dbca, the default audit function may already turn on:
Check:

SQL> show parameter audit_trail
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_trail                          string      NONE

Turn on Oracle audit
a. If database use spfile
SQL> alter system set audit_trail=DB scope=spfile ;
System altered.

b. if database use pfile, modify init<Sid>.ora directly.

Restart database
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.

SQL> startup ;
ORACLE instance started.

2. Turn off Oracle default audit
Privilege audit information stored in dba_priv_audit_opts;
Note: Oracle 11g has couple of audit turned on default when the audit_trail is set. It will just utilize more resources that you might not want.
Oracle 10g, audit options is setup by explicit command (we can audit these options back any time).

Generate a script to turn off default privilege audit which we don't need here.
SQL> SELECT 'noaudit '|| privilege||';' from dba_priv_audit_opts where user_name is NULL;
'NOAUDIT'||PRIVILEGE||';'
-------------------------------------------------
noaudit ALTER SYSTEM;
noaudit AUDIT SYSTEM;
noaudit CREATE SESSION;
noaudit CREATE USER;
noaudit ALTER USER;
noaudit DROP USER;
noaudit CREATE ANY TABLE;
noaudit ALTER ANY TABLE;
noaudit DROP ANY TABLE;
noaudit CREATE PUBLIC DATABASE LINK;
noaudit GRANT ANY ROLE;
noaudit ALTER DATABASE;
noaudit CREATE ANY PROCEDURE;
noaudit ALTER ANY PROCEDURE;
noaudit DROP ANY PROCEDURE;
noaudit ALTER PROFILE;
noaudit DROP PROFILE;
noaudit GRANT ANY PRIVILEGE;
noaudit CREATE ANY LIBRARY;
noaudit EXEMPT ACCESS POLICY;
noaudit GRANT ANY OBJECT PRIVILEGE;
noaudit CREATE ANY JOB;
noaudit CREATE EXTERNAL JOB;
23 rows selected.

-- run above commands

3. Turn on audit on failed connection
SQL> AUDIT CONNECT WHENEVER NOT SUCCESSFUL;

Audit succeeded.

SQL> SELECT PRIVILEGE,SUCCESS,FAILURE FROM dba_priv_audit_opts;

PRIVILEGE                                SUCCESS    FAILURE
---------------------------------------- ---------- ----------
CREATE SESSION                           NOT SET    BY ACCESS

4. Retrieve information
Note: audit information is stored on sys.aud$. There multiple views Oracle provide to help you read sys.aud$. Logon failed information can be retrieve from dba_audit_session

SQL>   select os_username, username, userhost, to_char(timestamp,'mm/dd/yyyy hh24:mi:ss') logon_time, action_name, returncode from dba_audit_session;

OS_USERNAME                    USERNAME                       USERHOST                                           TIMESTAMP           ACTION_NAME                  RETURNCODE
------------------------------ ------------------------------ -------------------------------------------------- ------------------- ---------------------------- ----------
Arvind                    machine1
HOME-Arvind                                       12/06/2014 13:40:12 LOGON                              1017
Arvind                    machine1
HOME-lArvind                                       12/06/2014 13:40:25 LOGON                              1017
Arvind                   machine1
HOME-Arvind                                       12/06/2014 15:31:29 LOGON                              1017
Arvind                   machine1
HOME-Arvind                                       12/06/2014 15:31:38 LOGON                              1017
4 rows selected.

Note: RETURNCODE is the ORA error code return to user.
ORA-1017 is incorrect password
ORA-28000 is account locked
ORA-1045 is missing connect privilege

------------------------------------------------------------
Up here, we be able to audit who is the bad boy causing account locked.

Turning off the audit:
If you no longer need the audit on failed attempts, run this command to turn off
SQL> noaudit CONNECT;

Noaudit succeeded.

SQL> SELECT PRIVILEGE,SUCCESS,FAILURE FROM dba_priv_audit_opts;

no rows selected

Oracle use system tablespace for sys.aud$. For enhancement, you may consider to move sys.aud$ to separate tablespace.

6. Move sys.aud$ out of system tablespace.
Oracle 11g provide package dbms_audit_mgmt.set_audit_trail_location to relocate the aud$ table.
SQL> SELECT table_name, tablespace_name FROM dba_tables WHERE table_name ='AUD$';
TABLE_NAME                     TABLESPACE_NAME
----------------------------- ------------------------------
AUD$                           SYSTEM

Following example shows how to move sys.aud$ from system tablespace to user_data1 tablespace.

SQL> exec DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD, audit_trail_location_value => 'USER_DATA1');

PL/SQL procedure successfully completed.

SQL> SELECT table_name, tablespace_name FROM dba_tables WHERE table_name ='AUD$';

TABLE_NAME                     TABLESPACE_NAME
------------------------------ ------------------------------
AUD$                           USER_DATA1

7. Clean up AUD$

You can simply run delete or truncate command

delete from sys.AUD$;
truncate table sys.AUD$;

Monday, March 17, 2014

Purging a Database Audit Trail AUD$

Purging a Subset of Records from the Database Audit Trail
You can manually remove records from the database audit trail tables. This method can be useful if you want to remove a specific subset of records. You can use this method if the database audit trail table is in any tablespace, including the SYSTEM tablespace.
For example, to delete audit records that were created later than the evening of February 28, 2009 but before March 28, 2009, enter the following statement:
```
DELETE FROM SYS.AUD$
   WHERE NTIMESTAMP# > TO_TIMESTAMP ('28-FEB-09 09.07.59.907000 PM') AND
   NTIMESTAMP# < TO_TIMESTAMP ('28-MAR-09 09.07.59.907000 PM');
```
Alternatively, to delete all audit records from the audit trail, enter the following statement:
```
DELETE FROM SYS.AUD$;
```
Only the user SYS or a user to whom SYS granted the DELETE privilege on SYS.AUD$ can delete records from the database audit trail.

Note:
If the audit trail is full and connections are being audited (that is, if the AUDIT SESSION statement is set), then typical users cannot connect to the database because the associated audit record for the connection cannot be inserted into the audit trail. In this case, connect as SYS with the SYSDBA privilege, and make space available in the audit trail. Remember that operations by SYS are not recorded in the standard audit trail, but they are audited if you set the AUDIT_SYS_OPERATIONS parameter to TRUE.
After you delete the rows from the database audit trail table, the freed space is available for reuse by that table. (The SYS.AUD$ table is allocated only as many extents as are necessary to maintain current audit trail records.) You do not need to do anything to make this space available to the table for reuse. If you want to use this space for another table, then follow these steps:

Move the AUD$ table to an auto segment space managed tablespace.
For example:
```
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION
   (audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
   audit_trail_location_value => 'USERS');
END;
/
```
```
 
```

Run the following statements:

ALTER TABLE SYSTEM.AUD$ ENABLE ROW MOVEMENT;
ALTER TABLE SYSTEM.AUD$ SHRINK SPACE CASCADE;

If you must move the AUD$ table back to the SYSTEM tablespace, then run the following statement:

BEGIN
 DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION
  (audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
  audit_trail_location_value => 'SYSTEM');
END;
/

If you want to both delete all the rows from the database audit trail table and free the used space for other tablespace objects, use the TRUNCATE TABLE statement. For example:

TRUNCATE TABLE SYS.AUD$;

Note:

SYS.AUD$ and SYS.FGA_LOG$ are the only SYS objects that can ever be directly modified.

Reference :

http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm#DBSEG473

http://www.oracle-base.com/articles/11g/auditing-enhancements-11gr2.php

Thursday, July 7, 2016

Enable Database Auditing in oracle

ENABLE AUDITING IN ORACLE DATABASE

Enabling Auditing in Oracle Database

Auditing in Oracle Database helps track and monitor database activities, which is essential for security and compliance. By default, auditing is disabled, but you can enable it and configure its settings based on your requirements.

1. Understanding Auditing Parameters

To begin with, check the current auditing configuration using SQL*Plus:

sql
    SQL> SHOW PARAMETER AUDIT

Expected Output:


NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      C:\ORACLE\PRODUCT\10.2.0\ADMIN
                                                 \DB10G\ADUMP
audit_sys_operations                 boolean     FALSE
audit_trail                          string      NONE

2. Auditing Parameters and Their Values

The AUDIT_TRAIL parameter controls the type of auditing and can be set to one of the following values:

NONE: Auditing is disabled.
db: Auditing is enabled, with records stored in the database audit trail (SYS.AUD$).
db,extended: As db, but includes SQL_BIND and SQL_TEXT columns in the audit records.
xml: Auditing is enabled, with records stored as XML files in the operating system.
xml,extended: As xml, but includes SQL_BIND and SQL_TEXT columns.
OS: Auditing is enabled, with records directed to the operating system’s audit trail.

3. Enabling Auditing in the Database

To enable auditing and store audit records in the database audit trail, follow these steps:

Set the AUDIT_TRAIL Parameter:
Execute the following command to set the parameter:
```
sql
```
This command updates the AUDIT_TRAIL parameter in the server parameter file (SPFILE).

SQL> ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE;

Restart the Database:

For the changes to take effect, restart the database:

sql:SQL> SHUTDOWN
Database closed.
Database dismounted.
ORACLE instance shut down.

SQL> STARTUP
ORACLE instance started.

Total System Global Area  289406976 bytes
Fixed Size                  1248600 bytes
Variable Size              71303848 bytes
Database Buffers          213909504 bytes
Redo Buffers                2945024 bytes
Database mounted.
Database opened.

Note: The auditing changes will only take effect after restarting the database.

4. Verifying Auditing Configuration

After the restart, confirm that the auditing settings are applied:

sql
    SQL> SHOW PARAMETER AUDIT