Here’s one of those funny little details that can cause confusion:
SQL> select * from user_audit_object;
no rows selected
SQL> audit select on indjoin by session whenever successful;
Audit succeeded.
SQL> select
2 count(*)
3 from
4 indjoin ij
5 where
6 id between 100 and 200
7 and val between 50 and 150
8 ;
COUNT(*)
----------
51
1 row selected.
SQL> select * from user_audit_object where obj_name = 'INDJOIN';
no rows selected
So we had nothing in our “object audit trail”, then we enabled auditing on one particular table for select statements (and audit_trail = db has been set in the parameter file) but our select statement hasn’t been audited. What went wrong ?
Let’s try a different query against the audit view which, until a moment ago, held no data:
SQL> select obj_name from user_audit_object; OBJ_NAME ----------------------------------------------- index$_join$_001
So we have audited something – but what ? Here’s the execution plan for our query:
----------------------------------------------------------------------------------------
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
----------------------------------------------------------------------------------------
| 0 | SELECT STATEMENT | | 1 | 8 | 5 (20)| 00:00:01 |
| 1 | SORT AGGREGATE | | 1 | 8 | | |
|* 2 | VIEW | index$_join$_001 | 3 | 24 | 5 (20)| 00:00:01 |
|* 3 | HASH JOIN | | | | | |
|* 4 | INDEX RANGE SCAN| IJ_PK | 3 | 24 | 3 (34)| 00:00:01 |
|* 5 | INDEX RANGE SCAN| IJ_VAL | 3 | 24 | 3 (34)| 00:00:01 |
----------------------------------------------------------------------------------------
Predicate Information (identified by operation id):
---------------------------------------------------
2 - filter("VAL"<=150 AND "ID"<=200 AND "ID">=100 AND "VAL">=50)
3 - access(ROWID=ROWID)
4 - access("ID">=100 AND "ID"<=200) 5 - access("VAL">=50 AND "VAL"<=150)
See that index$_join$_001 in line 2 ? We have a plan that uses the “index hash join” mechanism to query that table – so Oracle audits the query, but unfortunately uses the name of the internal view in the audit record.
Be very careful how you audit objects; you may think that an object has not been accessed when it has (sort of). If you’ve started doing this type of auditing to check whether or not an object is ever accessed you could be fooled.
You could claim, of course, that the object hasn’t really been accessed – but compare the index join above with the following (cut-n-paste) example, which I ran after deleting everything from the aud$ table:
SQL> connect test_user/test
Connected.
SQL> select obj_name from user_audit_object;
no rows selected
SQL> set autotrace on explain
SQL> select count(*) from indjoin where id = 23;
COUNT(*)
----------
1
1 row selected.
Execution Plan
----------------------------------------------------------
Plan hash value: 689603510
----------------------------------------------------------------------------
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
----------------------------------------------------------------------------
| 0 | SELECT STATEMENT | | 1 | 4 | 1 (0)| 00:00:01 |
| 1 | SORT AGGREGATE | | 1 | 4 | | |
|* 2 | INDEX UNIQUE SCAN| IJ_PK | 1 | 4 | 1 (0)| 00:00:01 |
----------------------------------------------------------------------------
Predicate Information (identified by operation id):
---------------------------------------------------
2 - access("ID"=23)
SQL> set autotrace off
SQL> select obj_name from user_audit_object;
OBJ_NAME
----------------
INDJOIN
1 row selected.
We haven’t actually visited the indjoin table, but the audit code recognises that that was the intent, even though the optimizer made physical access unnecessary. The behaviour ought to be the same for both cases.
(This example orginally came from a client site, by the way – with the question “how come the audit trail says we’re not visiting this table?”. The client version, and the version I tested on, was 10.2.0.3. There were a couple of other little surprises I found at the same time – I may find time to write about them some other day.)
Update (June 2017)
Prompted by a question on OTN I was searching my blog for a particular answer and rediscovered this note. Running the test again on 11.2.0.4 I can confirm that the anomaly has been fixed by (at least) that version.
Oracle Scratchpad 
Houston. We have a problem.
What you see is not what you get.
What you get is not what you expect.
Comment by Hemant K Chitale — May 26, 2011 @ 2:19 am BST May 26,2011 |
[…] Jonathan Lewis blogs about one of those funny little details that can cause confusion. […]
Pingback by Log Buffer #222, A Carnival of the Vanities for DBAs | The Pythian Blog — May 27, 2011 @ 12:35 pm BST May 27,2011 |
I’m rather new in auditing and that behavior is a problem for me. How can I make sure that all tables being accessed (data or index) are found in audit ? I thought about hints or adding indexes so that this kind of operation does not happen but it is not an easy task…
Would anybody know of ways to make sure no tables that are really accessed are left “unaudited” ?
I’d be ready to add a significant amount of work.
Serge
Comment by Serge Beaule — July 5, 2011 @ 2:09 pm BST Jul 5,2011 |