Oracle 12c – Enable and configure Unified Audit Data Trail

In 12c the Unified Audit Trail consolidates audit information form multiple sources and makes this information available in a standard format in the UNIFIED_AUDIT_TRAIL dictionary view.
The Unified Audit Trail is stored in a read-only table in the AUDSYS schema in SYSAUX tablespace
Data is available to SYS and users with AUDIT_ADMIN and AUDIT_VIEWER roles.
AUDIT_ADMIN can view data and create audit policies.
AUDIT_VIEWER can only view data.
The Unified Audit Data Trail combines the following:
Unified audit policies and AUDIT settings

Once configured the unified auditing is always enabled and does not depend on initialization parameters.
If the database is open in READ-ONLY mode, audit records are written to new OS files in $ORACLE_BASE/audit/$ORACLE_SID directory.
The V$OPTION view can be queried to determine if DB is using unified auditing.

Select value from v$option where parameter=’Unified Auditing’;

Parameter Value

—————– —————–

Unified Auditing TRUE

New 12c database mixed mode auditing is enabled by default by predefined policy
Mixed-mode auditing enables both Traditional (pre-12c auditing and unified auditing.
Traditional auditing is controlled by AUDIT_TRAIL init parameters.
When AUDIT_TRAIL init parameter is parameter other than NONE, the traditional audit trail will be populated as well as the Unified Audit trail.
Auditing can be set to individual PDBs or CDB as a whole.
In Multi-tenant DB each PDB and root CDB has its own audit trail.
When upgrading to 12c, you have to manually migrate to unified auditing to enable.
Once unified auditing is enabled, traditional is disabled.
To start using Unified, at least one unified policy must be enabled.
To stop using Unified, disable all unified policies.
Predefined policy ORA_SECURECONFIG is initially enabled on all new 12c databases.

Larry Catt

OCP

Catt Solutions