You can troubleshoot Oracle Database Vault by using tools such as trace files or checking certain Oracle Database Vault reports.
Topics:
Trace files are generated by the database. They can capture important information to help you debug errors.
Topics:
About Using Trace Files to Diagnose Oracle Database Vault Events
Types of Oracle Database Vault Trace Events That You Can and Cannot Track
Performance Effect of Enabling Oracle Database Vault Trace Files
Example: Low Level Oracle Database Vault Realm Violations in a Trace File
You can monitor the Oracle Database Vault database instance for server and background process events by enabling and checking the database instance trace files.
Trace files reveal the Oracle Database Vault policy authorization success and failures. They are useful for providing information to help resolve bug and other issues that may occur.
To set tracing for Oracle Database Vault, you must have the DV_ADMIN role. To perform the configuration, you use either of the ALTER SESSION SET EVENTS or ALTER SYSTEM SET EVENTS SQL statements.
See Also:
Oracle Database Administrator's Guide for more information about how to manage trace filesTable E-1 describes the types of activities that you can track with trace files.
Table E-1 Contents of Oracle Database Vault Trace Files
| Database Vault Feature | Description |
|---|---|
|
Realm authorizations |
The trace file tracks cases of realm authorization with a rule set and realm authorization to a role. See "Example: Low Level Oracle Database Vault Realm Violations in a Trace File" for examples of this type of trace file. |
|
Rule set evaluations |
The trace file includes information about a rule set evaluation from a realm authorization, for a command rule, the CONNECT command rule, and from a factor. |
|
Oracle Data Pump authorization |
The trace file includes Database Vault Data Pump authorization results and other user, object, and SQL text information. |
|
Oracle Scheduler job authorization |
The trace file includes the Database Vault Oracle Scheduler job authorization results, job name, job owner, current statement, and so on. |
|
Object privilege bypass |
The trace file tracks both direct grants and grants through a role. This type of trace is useful for cases where mandatory realms are not enabled, which enables users who have an object privilege to access realm protected objects. |
|
Factor loading |
The trace file tracks the expression and value for each factor loaded. |
|
Others |
Object owner bypassed realm protection and other Database Vault failed and succeeded operations |
You can use the several levels for Oracle Database Vault trace events.
These levels are as follows:
Low prints the information for all failed Oracle Database Vault authorizations to a trace file. This type of trace file includes failed realm authorizations, failed factor loading, failed rule set evaluating, and so on. It has a low impact on Oracle Database performance.
High prints trace records that include both successful and failed authorizations. Because this type of tracing tracks all the authorizations, the overhead is larger than that of the low level tracing. In addition, the trace files are usually larger.
Highest prints the PL/SQL stack and function call stack to a trace file, as well as what is traced at level high (as described in Table E-1). It has the highest impact on Oracle Database performance.
Be careful about enabling trace files.
Doing so can increase the overhead of the database instance operation, which could decrease performance.
You can use the ALTER SESSION or ALTER SYSTEM SQL statements to enable Oracle Database Vault trace events.
Topics:
You can use the ALTER SESSION SET EVENTS SQL statement to enable trace events for the current database session.
Log into the database instance as a user who has been granted the DV_ADMIN role and the ALTER SESSION system privilege.
For example:
sqlplus leo_dvowner
Enter password: password
Connected.
Enter the ALTER SESSION SET EVENTS SQL statement to set the tracing to low, high, or highest, as described in "Levels of Oracle Database Vault Trace Events".
To turn on tracing for failed operations that have a low impact, enter one of the following statements:
ALTER SESSION SET EVENTS 'TRACE[DV] DISK=LOW'; ALTER SESSION SET EVENTS '47998 TRACE NAME CONTEXT FOREVER, LEVEL 1';
To turn on tracing for both failed and successful operations that have a high impact, enter one of the following statements:
ALTER SESSION SET EVENTS 'TRACE[DV] DISK=HIGH'; ALTER SESSION SET EVENTS '47998 TRACE NAME CONTEXT FOREVER, LEVEL 3';
To turn on tracing for both failed and successful operations with a function and PL/SQL call stack that has the highest impact, enter one of the following statements:
ALTER SESSION SET EVENTS 'TRACE[DV] DISK=HIGHEST'; ALTER SESSION SET EVENTS '47998 TRACE NAME CONTEXT FOREVER, LEVEL 4';
You can use the ALTER SYSTEM SET EVENTS SQL statement to enable Database Vault trace events for all database sessions.
Log into the database instance as a user who has been granted the DV_ADMIN role and the ALTER SYSTEM system privilege.
For example:
sqlplus leo_dvowner
Enter password: password
Connected.
Enter the ALTER SYSTEM SET EVENTS SQL statement, using the syntax that is shown in Step 2 in "Enabling Trace Events for the Current Database Session".
For example:
ALTER SYSTEM SET EVENTS 'TRACE[DV] DISK=LOW';
Restart the database.
For example:
SHUTDOWN IMMEDIATE STARTUP
Another way that you can enable trace events for all database sessions is to add the following line to the init.ora file, and then restart the database:
event="47998 trace name context forever, level [trace_level]"
Replace trace_level with one of the following values:
1 for the lowest level of tracing
3 for the high level
4 for the highest level
For example:
event="47998 trace name context forever, level [1]"
You should be aware of how enabling trace events is affected in a multitenant environment.
Trace events for the current session: In a multitenant environment, running the ALTER SESSION SET EVENTS SQL statement from either the root or a pluggable database (PDB) enables tracing for the current user session. If you switch from one PDB to another PDB (by using the ALTER SESSION SET CONTAINER statement), then tracing is still enabled for the new PDB. You cannot enable tracing for a single PDB in a multitenant container database (CDB); it applies to all PDBs and the root. Remember that must have the ALTER SESSION SET CONTAINER system privilege to move from one PDB to another.
Trace events for all database sessions: In a multitenant environment, running the ALTER SYSTEM SET EVENTS statement from either the root or a specific PDB enables tracing for all PDBs in the container database.
You can find Oracle Database vault trace file data by using the Linux grep command or by using the ADR Command Interpreter (ADRCI) command-line utility.
Topics:
Using the Linux grep Command to Search Trace Files for Strings
Using the ADR Command Interpreter (ADRCI) Utility to QueryTrace Files
You can find the full directory location of trace files by querying the V$DIAG_INFO dynamic view.
Query the V$DIAG_INFO dynamic view as follows:
SELECT VALUE FROM V$DIAG_INFO WHERE NAME = 'Default Trace File'; VALUE -------------------------------------------------------------------------------- /u01/app/oracle/product/12.1.0/log/diag/rdbms/orcl/orcl/trace/orcl_ora_7174.trc
To query or process the trace files, you can use the Linux grep command to search for strings.
For example, to find the trace files that show realm authorization failures, enter the following command:
grep 'Result=Realm Authorization Failed' *.trc
You can query trace files by using the ADR Command Interpreter (ADRCI) command-line utility.
To use the ADRCI utility to find trace file information, use the SHOW command.
For example, to use ADRCI to find the trace files, enter the SHOW TRACEFILE command:
adrci --To start ACRCI from the command line
adrci> show tracefile
diag/rdbms/orcl/orcl/trace/orcl_m002_14551.trc
diag/rdbms/orcl/orcl/trace/orcl_tmon_13450.trc
diag/rdbms/orcl/orcl/trace/orcl_vktm_963.trc
diag/rdbms/orcl/orcl/trace/alert_orcl.log
...
To find the number of all trace incidents:
adrci> show incident ADR Home = /u01/app/oracle/product/12.1.0/log/diag/rdbms/orcl/orcl: ************************************************************************* 234 rows fetched
The following ADRCI command returns a list of all trace files whose name contains the word ora:
adrci> show tracefile %ora% /u01/app/oracle/product/12.1.0/log/diag/rdbms/orcl/orcl/trace/orcl_ora_18841.trc /u01/app/oracle/product/12.1.0/log/diag/rdbms/orcl/orcl/trace/orcl_ora_12017.trc /u01/app/oracle/product/12.1.0/log/diag/rdbms/orcl/orcl/trace/orcl_ora_19372.trc /u01/app/oracle/product/12.1.0/log/diag/rdbms/orcl/orcl/trace/orcl_ora_12221.trc /u01/app/oracle/product/12.1.0/log/diag/rdbms/orcl/orcl/trace/orcl_ora_1600.trc ...
The following ADRCI command searches for trace files that contain the phrase Realm Authorization Failed:
adrci> show trace %trc -xp "[payload like '%Realm Authorization Failed%']"
See Also:
Oracle Database Utilities for detailed information about the ADRCI utility
Oracle Database Administrator's Guide for information about viewing reports with the ADRCI utility
Example E-1 shows trace file data for low level realm violations.
Example E-1 Low Level Oracle Database Vault Realm Violations in a Trace File
*** 2010-02-05 18:35:31.438
*** SESSION ID:(34.559) 2010-02-05 18:35:31.438
*** CLIENT ID:() 2010-02-05 18:35:31.438
*** SERVICE NAME:(SYS$USERS) 2010-02-05 18:35:31.438
*** MODULE NAME:(SQL*Plus) 2010-02-05 18:35:31.438
*** ACTION NAME:() 2010-02-05 18:35:31.438
Result=Realm Authorization Failed
Realm_Name=realm 3 Required_Auth_Level=0
Current_User=116
Object_Owner=U1 Object_Name=T1 Object_Type=TABLE
SQL_Text=INSERT INTO U1.T1 VALUES(30)
Result=Realm Authorization Failed
Realm_Name=realm 3 Required_Auth_Level=0
Current_User=116
Object_Owner=U1 Object_Name=T1 Object_Type=TABLE
SQL_Text=DELETE FROM U1.T1
Result=Realm Authorization Failed
Realm_Name=realm 3 Required_Auth_Level=0
Current_User=116
Object_Owner=U1 Object_Name=T3 Object_Type=TABLE
SQL_Text=CREATE TABLE U1.T3(C INT)
*** 2010-02-05 18:35:34.465
Result=Realm Authorization Failed
Realm_Name=realm 3 Required_Auth_Level=0
Current_User=116
Object_Owner=U1 Object_Name=T1 Object_Type=TABLE
SQL_Text=INSERT INTO U1.T1 VALUES(30)
Result=Realm Authorization Failed
Realm_Name=realm 3 Required_Auth_Level=0
Current_User=116
Object_Owner=U1 Object_Name=T1 Object_Type=TABLE
SQL_Text=DELETE FROM U1.T1
Example E-2 shows how Database Vault authorization can appear in a trace file with high level trace enabled.
Example E-2 High Level Trace Enabled for Oracle Database Vault Authorization
Result= Realm Authorization Passed
Reason=Current user is the object owner
Current_User=70 Command=SELECT
Object_Owner=LBACSYS Object_Name=LBAC$AUDIT Object_Type=TABLE
Result= Realm Authorization Passed
Reason=Current user is the object owner
Current_User=70 Command=SELECT
Object_Owner=LBACSYS Object_Name=LBAC$AUDIT Object_Type=TABLE
Result= Realm Authorization Passed
Reason=Current user is the object owner
Current_User=70 Command=SELECT
Object_Owner=LBACSYS Object_Name=LBAC$POL Object_Type=TABLE
Result= Realm Authorization Passed
Reason=Current user is the object owner
Current_User=70 Command=SELECT
Object_Owner=LBACSYS Object_Name=LBAC$USER_LOGON Object_Type=VIEW
……
Result= Realm Authorization Passed
Reason=Current user is the object owner
Current_User=70 Command=SELECT
Object_Owner=LBACSYS Object_Name=LBAC$POL Object_Type=TABLE
Result=Set Factor Value
Factor_Name=Sensitive_Treatments Factor_Expression=/SURGERY/PSYCHOLOGICAL
Result=Set Factor Value
Factor_Name=Database_Instance Factor_Expression=UPPER(SYS_CONTEXT('USERENV','INSTANCE')) Factor_Value=1
Result=Set Factor Value
Factor_Name=Client_IP Factor_Expression=UPPER(SYS_CONTEXT('USERENV','IP_ADDRESS')) Factor_Value=
Result=Set Factor Value
Factor_Name=Authentication_Method Factor_Expression=UPPER(SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')) Factor_Value=PASSWORD
……
*** ACTION NAME:() 2010-02-05 18:47:19.540
Result=Rule Set Evaluation Failed
Command=SELECT RuleSet_ID=2 RuleSet_Name=Disabled
Current_User=SYSTEM
Object_Owner=U1 Object_Name=T1 Object_Type=TABLE
SQL_Text=SELECT * FROM U1.T1
Result=Rule Set Evaluation Succeeded
Command=SELECT RuleSet_ID=1 RuleSet_Name=Enabled
Current_User=SYSTEM
Object_Owner=U1 Object_Name=T1 Object_Type=TABLE
SQL_Text=SELECT * FROM U1.T1
Example E-3 shows how highest level violations that involve Oracle Scheduler jobs authorization can appear in a trace file when trace is enabled at the highest level.
Example E-3 Highest Level Traces on Violations on Realm-Protected Objects
------ Call Stack Trace ------
kzvdvechk<-kzvdveqau<-kksfbc<-opiexe<-kpoal8<-opiodr<-ttcpip<-opitsk<-opiino<-opiodr<-opidrv<-sou2o<-opimai_real<-ssthrdmain<-main<-__libc_start_main<-_start
Result=Object Privilege check passed
Current_User=INVOKER2 Used_Role=1
Object_Owner=SYSTEM Object_Name=PRODUCT_PRIVS Object_Type=VIEW
SQL_Text=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*PLUS') LIKE UPPER(PRODUCT)) AND ((USER LIKE USERID) OR (USERID = 'PUBLIC')) AND (UPPER(ATTRIBUTE) = 'ROLES')
*** MODULE NAME:(SQL*Plus) 2010-02-05 18:57:53.973
*** ACTION NAME:() 2010-02-05 18:57:53.973
----- Current SQL Statement for this session (sql_id=2sr63rjm45yfh) -----
UPDATE INVOKER1.T1 SET A = 20
----- PL/SQL Stack -----
----- PL/SQL Call Stack -----
object line object
handle number name
0x26a00e34 1 anonymous block
0x2495b000 185 package body SYS.DBMS_ISCHED
0x24958fb8 486 package body SYS.DBMS_SCHEDULER
0x247bbb34 1 anonymous block
------ Call Stack Trace ------
kzvdvechk<-kzvdveqau<-kksfbc<-opiexe<-opipls<-opiodr<-__PGOSF151_rpidrus<-skgmstack<-rpidru<-rpiswu2<-rpidrv<-psddr0<-psdnal<-pevm_EXECC<-pfrinstr_EXECC<-pfrrun_no_tool<-pfrrun<-plsql_run<-peicnt<-kkxexe<-opiexe<-kpoal8<-opiodr<-kpoodr<-upirtrc<-kpurcsc<-kpuexec
<-OCIStmtExecute<-jslvec_execcb<-jslvswu<-jslve_execute0<-jskaJobRun<-jsiRunJob<-jsaRunJob<-spefcmpa<-spefmccallstd<-pextproc<-__PGOSF495_peftrusted<-__PGOSF522_psdexsp<-rpiswu2<-psdextp<-pefccal<-pefcal<-pevm_FCAL<-pfrinstr_FCAL<-pfrrun_no_tool<-pfrrun<-plsql_run
<-peicnt<-kkxexe<-opiexe<-kpoal8<-opiodr<-ttcpip<-opitsk<-opiino<-opiodr<-opidrv<-sou2o<-opimai_real<-ssthrdmain<-main<-__libc_start_main<-_start
Result=Realm Authorization Succeeded
Realm_Name=jobowner realm Used_Auth_Level=0
Current_User=119
Object_Owner=INVOKER1 Object_Name=T1 Object_Type=TABLE
SQL_Text=UPDATE INVOKER1.T1 SET A = 20
Result=Scheduler Job Authorization Succeeded
Current_User=JOBOWNER Logon_User=INVOKER2
Job_Owner=JOBOWNER Job_Name=DMLJOB1
Object_Owner=INVOKER1 Object_Name=T1 Object_Type=TABLE
SQL_Text=UPDATE INVOKER1.T1 SET A = 20
You can disable tracing for Oracle Database Vault events.
Topics:
You can use the ALTER SESSION SET EVENTS SQL statement to disable Database Vault tracing for the current database session.
Log into the database instance as a user who has been granted the DV_ADMIN role and the ALTER SESSION system privilege.
For example:
sqlplus leo_dvowner
Enter password: password
Connected.
Enter both of the following SQL statements to disable tracing:
ALTER SESSION SET EVENTS 'TRACE[DV] OFF'; ALTER SESSION SET EVENTS '47998 trace name context off';
Alternatively, you can use the ALTER SYSTEM statement as well:
ALTER SYSTEM SET EVENTS 'TRACE[DV] OFF'; ALTER SYSTEM SET EVENTS '47998 trace name context off';
You can use the ALTER SYSTEM SET EVENTS SQL statement to disable Database Vault tracing for all database sessions.
Log into the database instance as a user who has been granted the DV_ADMIN role and the ALTER SYSTEM system privilege.
For example:
sqlplus leo_dvowner
Enter password: password
Connected.
Enter the ALTER SYSTEM SET EVENTS SQL statement, using the syntax that is shown in Step 2 in "Disabling Trace Events for the Current Database Session".
For example:
ALTER SYSTEM SET EVENTS 'TRACE[DV] OFF';
Restart the database.
For example:
SHUTDOWN IMMEDIATE STARTUP
Another way that you can disable trace events for all database sessions is to add the following line to the init.ora file, and then restart the database:
event="47998 trace name context off"
Ensure that the init.ora file does not have any conflicting 47998 lines, such as event="47998 trace name context forever, level [1]".
You should be aware of how enabling trace events is affected in a multitenant environment.
Trace events for the current session: In a multitenant environment, running the ALTER SESSION SET EVENTS SQL statement from either the root or a PDB disables tracing for the current user session. If you switch from one PDB to another PDB (by using the ALTER SESSION SET CONTAINER statement), then tracing is still disabled for the new PDB. You cannot disable tracing for a single PDB in a CDB; it applies to all PDBs and the root. Remember that must have the ALTER SESSION SET CONTAINER system privilege to move from one PDB to another.
Trace events for all database sessions: In a multitenant environment, running the ALTER SYSTEM SET EVENTS statement from either the root or a specific PDB disables tracing for all PDBs in the CDB.
Oracle provides general tips for diagnosing problems in realms, factors, and rule sets.
These guidelines are as follows:
For realm protections, verify that a user has the underlying system or object privileges (granted directly or through a role) that might affect the command.
If a realm authorization is not working, verify that the account roles are set correctly.
For PL/SQL expressions used in factors and rule sets, grant the EXECUTE privilege on the PL/SQL package functions used in these expressions directly to the account and determine if the results appear to be correct.
Use the auditing reports to diagnose problems in general. See "Oracle Database Vault Auditing Reports" for more information.
If you suspect problems with the configuration of realms, command rules, factors, rule sets, or secure application roles, you can run the appropriate configuration report.
See the following sections for more information:
To run these reports, see "Running the Oracle Database Vault Reports".