OracleDB12c New Feature: Unified Auditing

Unified Auditing is a new feature introduced in Oracle Database 12c, to streamline and standardize all audit trail information. The traditional auditing architectures involve many audit-trail locations and tables to review information for the auditors, and do not follow a standard. Every new product introduced in the database had to essentially have a new audit table because the AUD$ table is limited. The Oracle Unified Audit feature introduced in Oracle Database 12c addresses these issues and gives a standard interface and single location for the audit trail.

Unified Auditing is a database option and is not enabled by default. The following query shows if Unified Auditing is enabled or not.

SQL> SELECT VALUE FROM V$OPTION
     WHERE PARAMETER = 'Unified Auditing';

VALUE
----------
FALSE

To enable Unified Auditing, shut down the database and listener, and then relink the oracle executable using the following options:

cd $ORACLE_HOME /rdbms/lib

make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME

Unified Auditing is managed by creating and enabling audit policies. Unified audit-trail records can be read using the UNIFIED_AUDIT_TRAIL view. This view includes audit records from standard and fine-grained auditing, along with auditing of data pump, SQL loader, database vault, label security, recovery manager, and real application security products.

Oracle Database 12c has two roles to support Unified Auditing. The AUDIT_ADMIN role has privileges to create, alter, and drop audit policies. It also has privileges to enable or disable audit policies for each business requirement, to view audit records, and to clean up the audit trail. The AUDIT_VIEWER role is for users who only need to view the audit-trail contents. Unified Auditing is owned by AUDSYS user, not SYS user.

Privilege auditing in traditional auditing has to be enabled by setting the AUDIT_SYS_OPERATIONS=true. The audit records are written to operating system files. With Unified Auditing, privilege audit is enabled by default and can be queried using the same UNIFIED_AUDIT_TRAIL view. In a unified audit database, the following actions are audited mandatory without any policy:

  • CREATE AUDIT POLICY
  • ALTER AUDIT POLICY
  • DROP AUDIT POLICY
  • AUDIT
  • NOAUDIT
  • EXECUTE of DBMS_FGA
  • EXECUTE of DBMS_AUDIT_MGMT

Read more at
http://docs.oracle.com/cd/E16655_01/network.121/e17607/audit_admin.htm#DBSEG1026

http://docs.oracle.com/cd/E16655_01/server.121/e17609/tdpsg_auditing.htm#TDPSG50000