New Audit Mechanism on Oracle 12c : Unified Auditing

 

Hello everyone, Today I want to talk about new auditing features on Oracle 12c. As you know in Oracle 11g and below versions there were two audit mechanism:

  • Fine grain auditing
  • Default audit mechanism

In Traditional Oracle Database audit records are written to AUD$, In FGA , audit records are written to  FGA_LOG$ table, SYS log auditing is written to the Oracle Home location. If you need an anlalyse you need to correlate all of these sources. In 12c new properties added to Oracle Auditing. All audit records are written to the unified audit trail in a uniform format and are made available through the UNIFIED_AUDIT_TRAIL view.These records reside in the AUDSYS schema. The audit records are stored in the SYSAUX tablespace by default.

If you use pure unified auditing, the unified audit trail captures audit information from a variety of sources.These sources are:

  • Audit records (including SYS audit records) from unified audit policies and AUDIT settings
  • Fine-grained audit records from the DBMS_FGA PL/SQL package
  • Oracle Database Real Application Security audit records
  • Oracle Recovery Manager audit records
  • Oracle Database Vault audit records
  • Oracle Label Security audit records
  • Oracle Data Mining records
  • Oracle Data Pump
  • Oracle SQL*Loader Direct Load

The audit records, including records from the SYS audit trail, for all the audited components of your Oracle Database installation are placed in one location and in one format.

Auditing Mode of the database

There are two modes: Pure Unified auditing and Mixed mode. The default mode in a new installed database is Mixed mode. In mixed mode both the traditional audit and new audit facilities are used.

For checking if our database has migrated to Unified Auditing, query the v$option view:

If the value is True, it means that the database unified audit mechanism has activated. And database is using the pure Unified Auditing.
If the value is false, it means that the database uses mixed mode auditing.

Relinking unified auditing option

If the value is false and you want to use pure unified audit mechanism you need to relink the option:

Auditing policies

By default there are two enabled unified auditing policy. They are:

ORA_LOGON_FAILURES
ORA_SECURECONFIG

One can query the enabled policies from AUDIT_UNIFIED_ENABLED_POLICIES dictionary view. To start using unified auditing, you must enable at least one unified audit policy, and to stop using it, disable all unified audit policies. There are many disabled policies where can be seen from AUDIT_UNIFIED_POLICIES dictionary view.

In addition to these existing policies, you can configure unified auditing by creating custom unified audit policies or using fine-grained auditing. You can create policies that use conditions.

To create a new audit policy:

 

After creating the policy it must be enabled to start auditing:

 

For disabling the policy:

Writing mode to the view

By default, Oracle Database writes unified audit records to system global area (SGA) queues. In other words, it writes the records periodically, not immediately. You can control how often the audit records are written. The audit data is written periodically to UNIFIED_AUDIT_TRAIL view. So when you query this view you may not see the audit record immediately, because they are waiting in memory.

You can flush manually by:

You can purge periodically by createing a purge job.

Conclusion

As a conclusion unified audit mechanism provides easy access by consolidating all audit sources. Creating different policies provides flexibility. And the audit views are in AUDSYS schema and you can’t connect directly to this schema.
It increases the security of the audit sources.

Selcen Sahin
Author: Selcen Sahin

Leave a Reply

Your email address will not be published. Required fields are marked *