Daily Archives: December 14, 2015

12c, Administration, alert / logs, audit

Oracle 12c – Unified Audit Data Trail features

Leave a comment

In 12c the Unified Audit Trail consolidates audit information from multiple sources and makes this information available in a standard format in the UNIFIED_AUDIT_TRAIL dictionary view.  This article describes this new feature and gives a brief example of enabling it.

 

Unified Audit Data Trail features.

 

  1. The Unified Audit Trail is stored in a read-only table in the AUDSYS schema in SYSAUX tablespace
  2. Data is available to SYS and users with AUDIT_ADMIN and AUDIT_VIEWER roles.
  3. AUDIT_ADMIN can view data and create audit policies.
  4. AUDIT_VIEWER can only view data.
  5. The Unified Audit Data Trail combines the audit data from:
  • Fine-grained audit records from DBMS_FGA
  • Oracle Database Real Application Security
  • Oracle Recovery Manager
  • Oracle Database Vault
  • Oracle Label Security
  • Oracle Data Mining
  • Oracle Data Pump
  • Oracle SQL* Loader Direct Load
  1. Once configured the unified auditing is always enabled and does not depend on initialization parameters.
  2. If the database is open in READ-ONLY mode, audit records are written to new OS files in $ORACLE_BASE/audit/$ORACLE_SID directory.
  3. The V$OPTION view can be queried to determine if DB is using unified auditing.

Select value from v$option where parameter=’Unified Auditing’;

Parameter                          Value

—————–                    —————–

Unified Auditing              TRUE

 

  1. New 12c database mixed mode auditing is enabled by default by predefined policy
  2. Mixed-mode auditing enables both Traditional pre-12c auditing and unified auditing.
  3. Traditional auditing is controlled by AUDIT_TRAIL init parameters.
  4. When AUDIT_TRAIL init parameter is parameter other than NONE, the traditional audit trail will be populated as well as the Unified Audit trail.
  5. Auditing can be set to individual PDBs or CDB as a whole.
  6. In Multi-tenant DB each PDB and root CDB has its own audit trail.
  7. When upgrading to 12c, you have to manually migrate to Unified Auditing to enable.
  8. Once unified auditing is enabled, traditional is disabled.
  9. To start using Unified, at least one unified policy must be enabled.
  10. To stop using Unified, disable all unified policies.
  11. Predefined policy ORA_SECURECONFIG is initially enabled on all new 12c databases.

 

 

Larry Catt

OCP