Oracle 12c introduced unified auditing, which is based on system- and user-level policies. This article describes the use of audit policies.
Audit Policy General Aspects.
- A unified audit policy is a named group of audit settings that tracks a particular aspect of user behavior in the database.
- The CREATE AUDIT POLICY statement creates a unified audit policy.
- Multiple audit policies can be active at any given time.
- The AUDIT and NOAUDIT statements enable and disable a policy.
- The AUDIT statement can include or exclude specific users.
- AUDIT and NOAUDIT can also enable and disable auditing of application context values.
- Activities that can be audited:
  - USER ACCOUNTS, ROLES, and PRIVILEGES
  - OBJECT ACTIONS, such as dropping a table or running a procedure.
  - APPLICATION CONTEXT VALUES.
- You should group auditing into related policies and attempt to minimize the number of policies defined.
- Many policies increase overhead in the UGA.
- The CREATE AUDIT POLICY statement creates a first class object in the SYS schema not in the schema of the creator.
- Once a policy is created, it must be enabled with the POLICY clause of the AUDIT statement.
- CREATE AUDIT POLICY and AUDIT statements do not affect current sessions; a user must disconnect and reconnect for auditing to start.
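The steps above, as an added example that is not code from the original article: one policy grouping object actions, a system privilege and privilege use through a role, enabled for a user and then checked in the data dictionary. The schema objects ocpuser.employees and ocpuser.raise_salary and the application context app_ctx are assumed to exist for illustration; the session is assumed to hold the AUDIT_ADMIN role.

```sql
-- Added example, not code from the original article. Assumed for illustration:
-- user OCPUSER owns table EMPLOYEES and procedure RAISE_SALARY, an application
-- context named APP_CTX exists, and the session holds the AUDIT_ADMIN role.

-- 1. One policy grouping related settings (fewer policies, less UGA overhead):
--    a system privilege, top-level and object-level actions, and privilege
--    use through a role.
CREATE AUDIT POLICY change_table_pol
  PRIVILEGES SELECT ANY TABLE
  ACTIONS    DROP TABLE,
             ALTER TABLE,
             EXECUTE ON ocpuser.raise_salary,
             DELETE  ON ocpuser.employees,
             UPDATE  ON ocpuser.employees
  ROLES      dba;

-- 2. The policy is a SYS-owned object and records nothing until it is enabled.
AUDIT POLICY change_table_pol BY ocpuser;

-- Application context values are audited with AUDIT CONTEXT, which needs no
-- policy object (APP_CTX and its attributes MODULE and ACTION are assumed).
AUDIT CONTEXT NAMESPACE app_ctx ATTRIBUTES module, action BY ocpuser;

-- 3. Verify the policy definition ...
SELECT audit_option, audit_option_type, object_schema, object_name
  FROM audit_unified_policies
 WHERE policy_name = 'CHANGE_TABLE_POL';

-- ... and for whom it is enabled. OCPUSER's existing sessions are not
-- affected; auditing starts with the next connection.
SELECT user_name, enabled_opt, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'CHANGE_TABLE_POL';

-- Application context auditing is listed separately.
SELECT namespace, attribute, user_name
  FROM audit_unified_contexts;
```

The two dictionary views are the quickest way to confirm that a policy says what you think it says before anyone reconnects; AUDIT_UNIFIED_POLICIES shows one row per audited option in the policy, and AUDIT_UNIFIED_ENABLED_POLICIES one row per user the policy is enabled for.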
- Clauses of the AUDIT statement:
BY — Used to apply the unified audit policy to one or more users.
AUDIT POLICY change_table_pol BY ocpuser;
EXCEPT — Used to exclude users from the unified audit policy.
AUDIT POLICY change_table_pol EXCEPT jtkirk, jlpicard;
WHENEVER SUCCESSFUL — Records only successful executions of the audited activity.
AUDIT POLICY change_table_pol WHENEVER SUCCESSFUL;
WHENEVER NOT SUCCESSFUL — Records only failed executions of the audited activity.
AUDIT POLICY change_table_pol WHENEVER NOT SUCCESSFUL;
Note the following:
WHENEVER — If the WHENEVER clause is omitted, then both failed and successful user activities are written to the audit trail.
BY / EXCEPT — A unified audit policy can be enabled with either the BY clause or the EXCEPT clause, but not both simultaneously.
AUDIT… BY — If multiple AUDIT statements are executed on the same unified audit policy with different BY users, all of the specified users are audited.
AUDIT… EXCEPT — If multiple AUDIT statements are executed on the same unified audit policy with different EXCEPT users, only the last exception user list is used.
COMMON policies — Common unified audit policies can only be enabled from the root and only for common users.
LOCAL policies — Local audit policies can only be enabled from the PDB to which they apply.
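The clause rules above, as an added example that is not code from the original article: it shows BY accumulating users, WHENEVER narrowing the outcome recorded, the last EXCEPT list replacing the earlier one, and a common versus a local policy in a CDB. The user spock, the common user c##auditor, the PDB name pdb1 and the policy names cdb_drop_pol and pdb_drop_pol are assumed; change_table_pol and the other users are from the article.

```sql
-- Added example, not code from the original article. Assumed: user SPOCK,
-- common user C##AUDITOR, a PDB named PDB1, and a session holding AUDIT_ADMIN.

-- BY is cumulative: each AUDIT ... BY adds users to the audited list.
AUDIT POLICY change_table_pol BY ocpuser;
AUDIT POLICY change_table_pol BY jtkirk;
-- WHENEVER NOT SUCCESSFUL: for jlpicard only failed attempts are recorded.
AUDIT POLICY change_table_pol BY jlpicard WHENEVER NOT SUCCESSFUL;

-- One row per user; SUCCESS and FAILURE show which outcomes are captured.
SELECT user_name, enabled_opt, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'CHANGE_TABLE_POL';

-- BY and EXCEPT cannot both be in effect for one policy: disable the BY
-- enablement for those users before switching to EXCEPT.
NOAUDIT POLICY change_table_pol BY ocpuser, jtkirk, jlpicard;

-- EXCEPT is not cumulative: the last exception list replaces the earlier one,
-- so after these two statements only spock is excluded and jtkirk and
-- jlpicard are audited again.
AUDIT POLICY change_table_pol EXCEPT jtkirk, jlpicard;
AUDIT POLICY change_table_pol EXCEPT spock;

SELECT user_name, enabled_opt
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'CHANGE_TABLE_POL';

-- Multitenant: a common policy is created in the root with CONTAINER = ALL
-- and can be enabled only from the root, and only for common users.
ALTER SESSION SET CONTAINER = CDB$ROOT;
CREATE AUDIT POLICY cdb_drop_pol ACTIONS DROP TABLE CONTAINER = ALL;
AUDIT POLICY cdb_drop_pol BY c##auditor;

-- A local policy belongs to, and is enabled from, one PDB
-- (CONTAINER = CURRENT is the default).
ALTER SESSION SET CONTAINER = pdb1;
CREATE AUDIT POLICY pdb_drop_pol ACTIONS DROP TABLE;
AUDIT POLICY pdb_drop_pol BY ocpuser;
```

Re-run the AUDIT_UNIFIED_ENABLED_POLICIES query after each AUDIT statement when working out what a sequence of BY and EXCEPT statements has left in effect; the view, not the order in which the statements were typed, is what the database will act on. A policy must be fully disabled with NOAUDIT before DROP AUDIT POLICY will remove it.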
- No audit policy is necessary to record RMAN activities; they are recorded automatically in the unified audit trail. The UNIFIED_AUDIT_TRAIL view describes them in the following columns:
RMAN_SESSION_RECID — Recovery Manager session identifier. Together with the RMAN_SESSION_STAMP column, this column uniquely identifies the Recovery Manager job.
RMAN_SESSION_STAMP — Timestamp for the session.
RMAN_OPERATION — The Recovery Manager operation executed by the job.
RMAN_OBJECT_TYPE — Type of objects involved in a Recovery Manager session.
RMAN_DEVICE_TYPE — Device associated with a Recovery Manager session.
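Reading those RMAN columns back out of the unified audit trail, as an added example that is not code from the original article. It assumes a session holding the AUDIT_VIEWER or AUDIT_ADMIN role; the final query uses the change_table_pol policy from the article to contrast policy-driven records with the automatic RMAN ones.

```sql
-- Added example, not code from the original article. Assumed: the session
-- holds AUDIT_VIEWER or AUDIT_ADMIN.

-- In 12.1 (queued-write mode) push buffered audit records to disk first.
BEGIN
  DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
END;
/

-- Recent RMAN activity; no audit policy is involved in producing these rows.
SELECT event_timestamp, dbusername,
       rman_session_recid, rman_session_stamp,
       rman_operation, rman_object_type, rman_device_type
  FROM unified_audit_trail
 WHERE rman_operation IS NOT NULL
 ORDER BY event_timestamp DESC;

-- One line per RMAN job: RECID and STAMP together identify the job.
SELECT rman_session_recid, rman_session_stamp,
       MIN(event_timestamp) AS first_record,
       MAX(event_timestamp) AS last_record,
       COUNT(*)             AS records
  FROM unified_audit_trail
 WHERE rman_operation IS NOT NULL
 GROUP BY rman_session_recid, rman_session_stamp
 ORDER BY first_record DESC;

-- For contrast, records produced by a policy carry the policy name in the
-- UNIFIED_AUDIT_POLICIES column (change_table_pol from the article).
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, return_code
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%CHANGE_TABLE_POL%'
 ORDER BY event_timestamp DESC;
```

Grouping on RMAN_SESSION_RECID and RMAN_SESSION_STAMP is the reliable way to reconstruct one backup or restore job from its individual records, since RECID alone can be reused once the control file wraps.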
Larry Catt
OCP