1. Using Oracle Autonomous Database Serverless
  2. Features
  3. Security
  4. Audit Autonomous Database

Audit Autonomous Database

Autonomous Database provides auditing that allows you to monitor Oracle database activities.

Parent topic: Security

About Auditing Autonomous Database

Autonomous Database provides auditing to track, monitor, and record database actions. Auditing can help you detect security risks and improve regulatory compliance for your database.

Parent topic: Audit Autonomous Database

Audit Features on Autonomous Database

Autonomous Database includes extensive, sophisticated audit capabilities that allow you capture the audit information you need for your organization. Autonomous Database provides default auditing.

In addition, you can use either of the following to apply auditing policies:

  • Use Oracle Data Safe to apply auditing policies for database users, for administrative users, and to apply predefined auditing policies or to apply customized auditing policies. See Activity Auditing Overview for more information.

  • Configure Oracle Database Audit Policies. See Configuring Audit Policies for more information.

You can configure auditing to accomplish the following:

  • Enable accountability for actions. These include actions taken in a particular schema, table, or row, or affecting specific content.

  • Deter users, or others, such as intruders, from inappropriate actions based on their accountability.

  • Investigate suspicious activity. For example, if a user is logging into the database using the application's database credentials, then auditing connections to the database lets you determine that the login came from a user's workstation instead of from the application server.

  • Notify an auditor of the actions of an unauthorized user. For example, notify an auditor when an unauthorized user attempts to delete data from a table.

  • Monitor and gather data about specific database activities. For example, you can gather statistics about which tables are being updated, the number of failed logins, or how many concurrent users connect at peak times.

  • Detect problems with an authorization or access control implementation. For example, you can create audit policies that you expect will never generate an audit record because the data is protected in other ways. However, if these policies generate audit records, then you will know the other security controls are not properly implemented.

  • Address auditing requirements for compliance. Regulations such as the following have common auditing-related requirements:

    • European Union General Data Protection Regulation (GDPR)

    • Sarbanes-Oxley Act

    • Health Insurance Portability and Accountability Act (HIPAA)

    • International Convergence of Capital Measurement and Capital Standards: a Revised Framework (Basel II)

    • Japan Privacy Law

    • European Union Directive on Privacy and Electronic Communications

Parent topic: About Auditing Autonomous Database

Audit Data on Autonomous Database

Autonomous Database protects audit data and writes its audit trail to the UNIFIED_AUDIT_TRAIL data dictionary view.

The underlying table storing audit data on Autonomous Database is AUDSYS.AUD$UNIFIED. This table is protected and does not allow users to perform DML/DDL operations or to purge the table (any attempt to perform these actions automatically produces an audit record). After an audit record is written, the only activity allowed is for the ADMIN user to perform a PURGE. The ADMIN has the AUDIT_ADMIN role that is required to run a PURGE. If you assign the AUDIT_ADMIN role to another user, then that user could also perform a PURGE.

Depending on the number and type of audit policies you use and the amount of activity, over time the audit trail can grow to use a large amount of storage. Autonomous Database provides the following ways to limit the storage required for audit data:

  • Each Autonomous Database instance runs an automated purge job once a day to remove all audit records older than fourteen (14) days.

  • Users with the AUDIT_ADMIN role can purge audit records manually using the DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL procedure. See DBMS_AUDIT_MGMT for more information.

If you need a longer audit data retention period than 14 days, use Oracle Data Safe to retain audit data. See Extend Audit Record Retention with Oracle Data Safe on Autonomous Database for more information.

Autonomous Database audits and logs every operation carried out in your database by the Oracle Cloud Infrastructure Operations teams. See View Oracle Cloud Infrastructure Operations Actions for more information on how to audit Operations activities.

Parent topic: About Auditing Autonomous Database

Default Audit Policies on Autonomous Database

Autonomous Database provides auditing to track, monitor, and record activities on your database.

By default, Autonomous Database applies audit policies to audit the following database activities:

  • All activity by Oracle Cloud Operations

  • All login failures to the database

  • All password changes

  • Attempts to create or alter procedures

  • Execution of certain procedures, including procedures in the packages: UTL_HTTP or UTL_SMTP that connect to the network

In addition, you can use either of the following to apply additional auditing policies:

Parent topic: About Auditing Autonomous Database

Register Oracle Data Safe on Autonomous Database

Use Oracle Data Safe to apply auditing policies for database users, for administrative users, to apply predefined auditing policies or to extend the audit data record retention for your Autonomous Database instance.

Register your Autonomous Database instance with Oracle Data Safe as follows:

  1. Access your Autonomous Database instance from the Oracle Cloud Infrastructure Console.
    1. Open the Oracle Cloud Infrastructure Console by clicking the navigation icon next to Oracle Cloud.
    2. From the Oracle Cloud Infrastructure left navigation menu click Oracle Database and then, depending on your workload click one of: Autonomous Data Warehouse, Autonomous JSON Database, or Autonomous Transaction Processing.
    3. On the Autonomous Databases page select an Autonomous Database from the links under the Display Name column.
  2. Register your Autonomous Database instance with Oracle Data Safe.
    1. On the Autonomous Database Details page, under Data Safe, click Register.
    2. In the Register database with Data Safe dialog, click Confirm.

    The Data Safe status shows: Registering. This step takes about 15 to 20 minutes.

After Oracle Data Safe is registered, the Data Safe status shows Registered and two links: View and Deregister.

Click View to show the Data Safe register database details page.

Click Deregister to disable Oracle Data Safe.

Parent topic: Audit Autonomous Database

Extend Audit Record Retention with Oracle Data Safe on Autonomous Database

Use Oracle Data Safe to extend the audit data record retention to a specified number of months.

First register your Autonomous Database instance with Oracle Data Safe. See Register Oracle Data Safe on Autonomous Database for more information.

After your Autonomous Database instance is registered, you can specify the Data Safe retention period.

See Update Retention Periods for a Target Database for more information.

Parent topic: Audit Autonomous Database

View and Manage Oracle Data Safe Audit Trails on Autonomous Database

Data Safe uses audit trails to define where to retrieve the audit data and to collect Autonomous Database audit records. During the registration process, Oracle Data Safe discovers the audit trails and creates an audit trail resource.

Oracle Data Safe lists resources on the Audit Trails page. To access the Audit Trails page, under Security Center in Data Safe click Activity Auditing, and then, on the Activity Auditing page under Related Resources click Audit Trails. You can discover new audit trails at any time and remove audit trail resources in Oracle Data Safe as needed.

First register your Autonomous Database instance with Oracle Data Safe. See Register Oracle Data Safe on Autonomous Database for more information.

When the Autonomous Database is stopped or restarted, the following happens:

  • The audit trail switches to a retrying state and Data Safe makes multiple attempts to reconnect for four (4) hours. The Audit Trail Collection State field shows: RETRYING.

    In this case, if the Autonomous Database (target database) starts, the audit trail automatically resumes.

  • After four hours, the audit trail switches to a stopped state. The Audit Trail Collection State field shows: STOPPED_NEEDS_ATTN.

    In this case, when the Autonomous Database (target database) starts and the audit trail collection state is STOPPED_NEEDS_ATTN, you can manually resume the audit trail.

You can also manually stop or delete the audit trail. Deleting the audit trail does not remove audit records that have already been collected. Those records remain in Data Safe until the retention period is reached.

See View and Manage Audit Trails for more information.

Parent topic: Audit Autonomous Database

View and Manage Audit Policies with Oracle Data Safe on Autonomous Database

Use Oracle Data Safe to set audit policies for your Autonomous Database instance.

First register your Autonomous Database instance with Oracle Data Safe. See Register Oracle Data Safe on Autonomous Database for more information.

After your Autonomous Database instance is registered, access Oracle Data Safe to set audit policies.

See View and Manage Audit Policies for more information.

Parent topic: Audit Autonomous Database

Generate Audit Reports with Data Safe on Autonomous Database

Data Safe includes out-of-box audit data reports, and you can create custom reports to suit your needs.

After you enable and register Oracle Data Safe, and you add a trail to collect audit data from your Autonomous Database instance, then you can use the reports to monitor activity for your database.

See View and Manage Audit Reports for more information.

Parent topic: Audit Autonomous Database