Wednesday, April 11, 2007

audit, fga, vpd and sys


SYS is always exempt from VPD
The database user SYS is thus always exempt from VPD or Oracle Label Security enforcement, regardless of the export mode, application, or utility used to extract data from the database.

SYS is exempt from ordinary auditing
AUDIT_SYS_OPERATIONS enables or disables the auditing of operations issued by user SYS, and users connecting with SYSDBA or SYSOPER privileges. The audit records are written to the operating system's audit trail.

SYS is exempt from FGA; there is a bug here to be aware of
Subject: Bug 3450991 - FGA does not work if SQL is run by the SYS user
Doc ID: Note:3450991.8 Type: PATCH
Last Revision Date: 10-AUG-2005 Status: PUBLISHED

Bug 3450991 FGA does not work if SQL is run by the SYS user
This note gives a brief overview of bug 3450991.

Affects:
Product (Component): Oracle Server (Rdbms)
Range of versions believed to be affected: Versions < 10.2
Versions confirmed as being affected: 9.2.0.4, 10.1.0.3
Platforms affected: Generic (all / most platforms affected)

Fixed:
This issue is fixed in:
9.2.0.7 (Server Patch Set)
10.1.0.4 (Server Patch Set)
10.2.0.1 (Base Release)


Symptoms: (None Specified)
Related To: Security ( Authentication / Privileges / Auditing )


Description
Once a SELECT statement has been run by SYS then other users sharing
that cursor do not get audited if there is an FGA policy on the table.

Workaround:
Do not run SQL from SYS user for FGA objects.
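
A set of checks a DBA can run to see how exposed an instance is to the three points above. This is an added example, not part of the Oracle note or the original post. It assumes a DBA account with access to the V$ and DBA_ views, and the last query is a heuristic built on the bug description (a cursor parsed by SYS that touches an FGA-protected object), not an Oracle-supplied diagnostic.

```sql
-- Added example. Run as a DBA account that can read V$ and DBA_ views.

-- 1. Is SYS / SYSDBA / SYSOPER activity written to the OS audit trail?
--    FALSE means operations issued by SYS leave no audit record.
SELECT name, value
FROM   v$parameter
WHERE  name = 'audit_sys_operations';

-- To enable it (static parameter, takes effect after an instance restart):
--   ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 2. Which release is this? Compare with the fixed versions in the note
--    (9.2.0.7, 10.1.0.4, 10.2.0.1).
SELECT banner
FROM   v$version;

-- 3. Objects that currently have an enabled FGA policy.
SELECT object_schema, object_name, policy_name
FROM   dba_audit_policies
WHERE  enabled = 'YES'
ORDER  BY object_schema, object_name;

-- 4. Heuristic for bug 3450991: cursors still in the shared pool that were
--    parsed by SYS (user id 0) and depend on an FGA-protected object.
--    On an affected release, other users sharing such a cursor may not be
--    audited, so any row here deserves a closer look.
SELECT DISTINCT
       p.object_schema,
       p.object_name,
       p.policy_name,
       s.hash_value,
       s.sql_text
FROM   v$sql s
JOIN   v$object_dependency d
       ON  d.from_address = s.address
       AND d.from_hash    = s.hash_value
JOIN   dba_audit_policies p
       ON  p.object_schema = d.to_owner
       AND p.object_name   = d.to_name
WHERE  s.parsing_user_id = 0
AND    p.enabled = 'YES'
ORDER  BY p.object_schema, p.object_name;
```

Query 4 only sees cursors that are still cached, so an empty result does not prove SYS never queried the object.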
