Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
     
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Welcome, Guest. Please Login.
Nov 23rd, 2017, 7:16am
News: Welcome to Pete Finnigan's Oracle security forum
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Auditing
(Moderator: Pete Finnigan)
   Query Rewrite not working with FGA
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Query Rewrite not working with FGA  (Read 9010 times)
philhumphries
PeteFinnigan.com Newbie
*



I love YaBB 1G - SP1!

   
View Profile |

Gender: male
Posts: 2
Query Rewrite not working with FGA
« on: Jul 16th, 2014, 4:32pm »
Quote | Modify

We are using oracle 11g.  We have a requirement to record the user id and SQL statement every time a query is run that returns confidential columns. In my tests FGA (Fine Grained Auditing) appears to work as documented and do what we need except where query-rewrite is concerned.  
 
In our data warehouse we have many materialized view aggregates build on top of large fact tables. The MVs are enabled for query rewrite and transparently speed up queries issued by our BI tools.  However if I create an FGA policy on a base table, then summary queries always result in base table access operations and never rewrite to use the materialized views. These are queries that previously always resulted in a materialized view rewrite operation (as proven by explain plan and sql monitor), the only change is the addition of the FGA policy. The FGA policy is being triggered, because audit rows appear in DBA_FGA_AUDIT_TRAIL, but the queries will not rewrite.
 
I can’t find anything in the Oracle documentation that says query rewrite will not work with FGA policies, and I can’t find any mention of this problem in any online forums.
 
Why does query re-write not work with FGA, is this a known problem or  bug?
 
Is there anything ‘special’ I have to do to get query re-write to work with FGA?  
IP Logged
philhumphries
PeteFinnigan.com Newbie
*



I love YaBB 1G - SP1!

   
View Profile |

Gender: male
Posts: 2
Re: Query Rewrite not working with FGA
« Reply #1 on: Jul 18th, 2014, 12:20pm »
Quote | Modify

Our databases are 11.2.0.4.0 and I still find that a query will not rewrite if there is an FGA policy on any of the tables in the query. Note queries rewrite ok with Oracle Standard Auditing.
 
From a reply to my post on OTN I have been pointed in the direction of Oracle bug 7433976. However the details in the bug report are rather confusing; it states that a bug preventing query rewrite with FGA was fixed in 11.2, but it also quotes the 11.2 readme “text match rewrite will not take place if FGA is enabled on a table reference by the query”.  
 
The readme for 12.1 is more comprehensive:
 
“1.22.1.1 Fine Grained Auditing (FGA)
 
If Fine Grained Auditing (FGA) is enabled on a table in the query, then Query Rewrite will not occur for this query.”
 
…so my conclusion is if you need to use query rewrite (for performance reasons typically in a data warehouse) then you can use Oracle Standard Auditing, but not FGA, which is a bit irritating, but that’s the way it is.
IP Logged
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Query Rewrite not working with FGA
« Reply #2 on: Jul 23rd, 2014, 9:51am »
Quote | Modify

Thanks for your posts Phil,
 
I was not aware of this bug. I have used FGA with a number of clients on some very big systems and also a small system but not on a data warehouse.
 
The problem with standard audit and sql capture is that its not row level but at the statement level. Also the performance impact is bigger when SQL is captured and also its global for all audit and cannot be targetted onto just the statements that you need.
 
Did you test whether you could create a view over the access and then add FGA to the view not the base table? There is a risk that direct access to the base table would bypass the audit but you could create RBAC to prevent this access. Its not ideal but combined with standard audit on the base table perhaps without SQL capture which would then have less performance impact.
 
A more convoluted approach; maybe you could convert the table to make the important data an object and then the type body could write the audit for you; in this way you can achieve FGA without FGA.
 
cheers
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board