Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Auditing >> Query Rewrite not working with FGA
(Message started by: Pete Finnigan on Jul 16th, 2014, 4:32pm)

Title: Query Rewrite not working with FGA
Post by Pete Finnigan on Jul 16th, 2014, 4:32pm
We are using oracle 11g.  We have a requirement to record the user id and SQL statement every time a query is run that returns confidential columns. In my tests FGA (Fine Grained Auditing) appears to work as documented and do what we need except where query-rewrite is concerned.

In our data warehouse we have many materialized view aggregates build on top of large fact tables. The MVs are enabled for query rewrite and transparently speed up queries issued by our BI tools.  However if I create an FGA policy on a base table, then summary queries always result in base table access operations and never rewrite to use the materialized views. These are queries that previously always resulted in a materialized view rewrite operation (as proven by explain plan and sql monitor), the only change is the addition of the FGA policy. The FGA policy is being triggered, because audit rows appear in DBA_FGA_AUDIT_TRAIL, but the queries will not rewrite.

I can’t find anything in the Oracle documentation that says query rewrite will not work with FGA policies, and I can’t find any mention of this problem in any online forums.

Why does query re-write not work with FGA, is this a known problem or  bug?

Is there anything ‘special’ I have to do to get query re-write to work with FGA?

Title: Re: Query Rewrite not working with FGA
Post by Pete Finnigan on Jul 18th, 2014, 12:20pm
Our databases are 11.2.0.4.0 and I still find that a query will not rewrite if there is an FGA policy on any of the tables in the query. Note queries rewrite ok with Oracle Standard Auditing.

From a reply to my post on OTN I have been pointed in the direction of Oracle bug 7433976. However the details in the bug report are rather confusing; it states that a bug preventing query rewrite with FGA was fixed in 11.2, but it also quotes the 11.2 readme “text match rewrite will not take place if FGA is enabled on a table reference by the query”.  

The readme for 12.1 is more comprehensive:

“1.22.1.1 Fine Grained Auditing (FGA)

If Fine Grained Auditing (FGA) is enabled on a table in the query, then Query Rewrite will not occur for this query.”

…so my conclusion is if you need to use query rewrite (for performance reasons typically in a data warehouse) then you can use Oracle Standard Auditing, but not FGA, which is a bit irritating, but that’s the way it is.

Title: Re: Query Rewrite not working with FGA
Post by Pete Finnigan on Jul 23rd, 2014, 9:51am
Thanks for your posts Phil,

I was not aware of this bug. I have used FGA with a number of clients on some very big systems and also a small system but not on a data warehouse.

The problem with standard audit and sql capture is that its not row level but at the statement level. Also the performance impact is bigger when SQL is captured and also its global for all audit and cannot be targetted onto just the statements that you need.

Did you test whether you could create a view over the access and then add FGA to the view not the base table? There is a risk that direct access to the base table would bypass the audit but you could create RBAC to prevent this access. Its not ideal but combined with standard audit on the base table perhaps without SQL capture which would then have less performance impact.

A more convoluted approach; maybe you could convert the table to make the important data an object and then the type body could write the audit for you; in this way you can achieve FGA without FGA.

cheers
Pete



Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board