Activity Auditing Overview
Activity Auditing lets you collect audit data from your target databases so that you can monitor database activities.
About Activity Auditing
You entrust your databases to your database administrators, account owners, and end users. However, it’s important to monitor database activity regularly because accounts are always at risk for being compromised or misused. Activity Auditing in Oracle Data Safe helps to ensure accountability and improve regulatory compliance.
With Activity Auditing, you can collect and retain audit records per industry and regulatory compliance requirements and monitor user activities on Oracle databases. For example, you can audit access to sensitive data, security-relevant events, administrator and user activities, activities recommended by compliance regulations like the Center for Internet Security (CIS), and activities defined by your own organization. You can collect up to one million audit records per month per target database in Oracle Data Safe for free.
Activity Auditing Dashboard
By default, the Activity Auditing dashboard shows you a summary of audit events for the last one week for all target databases, in the form of charts and tables. This gives you a broad overview of audit events across all target databases monitored by Oracle Data Safe. You can modify the filters set on target database and time period as needed. The charts and tables are immediately updated.
The Failed login activity chart shows you the number of failed logins on all or selected target databases for the specified time period.
The Admin activity chart shows you the number of database schema changes, logins, audit setting changes, and entitlement changes on all or selected target databases for the specified time period.
The All activity chart shows you the total count of audit events on all or selected target databases for the specified time period.
The Events summary tab lists the following audit event categories. For each category, you can view the number of target databases that have an audit event in each event category as well as the total number of events per category.
- Login failures by admin
- Schema changes by admin
- Entitlement changes by admin
- Login failures
- Schema changes
- Entitlement changes
- Audit settings changes
- Database Vault all violations
- Database Vault policy changes
- Data access events
- All activity by admin
- All activity
The Targets summary tab shows you various audit event counts per target database. Audit events include the number of login failures, schema changes, entitlement changes, audit settings changes, all activity (all audit events), database vault realm violations and command rule violations, and database vault policy changes. If there are no audit events for a target database, the target database isn't listed.
The Notifications tab shows you what event notifications and subscriptions you have created for Activity auditing. More specifically, it displays the event, rule name, topic name, and when the event notification was created. This table will only show Events that you have created directly within Data Safe. In addition to displaying existing event notifications, you can also create new notifications by using the Create notification button. See Create and Modify Event Notifications in Activity Auditing for more information.
Audit Profiles, Audit Policies, Audit Trails, and Archive Data Retrievals
Activity Auditing resources that pertain to audit data collection, retention, and retrieval are audit profiles, audit policies, audit trails, and archive data retrievals.
An audit profile resource gives you the flexibility to compute how much audit data is available on the target database for each audit trail that Oracle Data Safe has not yet collected. This helps you evaluate the initial audit data volume when you configure collection in Oracle Data Safe. You also can compute how much audit data Oracle Data Safe has already collected from the target database.
An audit profile defines the online retention period, offline retention period, and the paid usage settings for a target database.
An audit policy resource represents the audit policies for the target database, their corresponding provisioning status, and which policies are enabled or disabled on the target database.
An audit trail represents audit record collection from the target's database trail such as UNIFIED_AUDIT_TRAIL, which provides documentary evidence of the sequence of activities. Configuring audit trails in Oracle Data Safe, and enabling audit data collection on the audit trails copies the audit records from the target database's audit trail into the Oracle Data Safe repository.
An archive data retrieval represents an archive retrieve request for audit data. You can retrieve audit data for a target database from the archive and store it online.
Activity Auditing Reports
Oracle Data Safe generates several predefined audit reports that you can view from the Audit Reports page. The reports track general database activities, such as audited SQL statements, application access activities, and user login activities, as well as Oracle Data Safe activities.
The following table describes each report.
Report Name | Description |
---|---|
All Activity | All audited activities |
Admin Activity | Report tracking database activities on admin users as identified in the User Assessment feature. Please note that changes on users may not be reflected immediately in the report and might take up to 12 hours to appear. |
User/Entitlement Changes | User creation/deletion/privilege and role changes |
Audit Policy Changes | All changes in audit policies |
Login Activity | Database login attempts |
Data Access | Database query operations |
Data Modification | Data modification activities (DMLs) |
Database Schema Changes | Database schema changes (DDLs) |
Data Safe Activity | Activity generated by the Oracle Data Safe service |
Database Vault Activity | Auditable activities of enabled Oracle Database Vault policies in target databases, including mandatory Database Vault configuration changes, realm violations, and command rule violations |
Common User Activity | Report tracking database activities on common users as identified in the User Assessment feature. |
Database Error | Report tracking errors reported in database for activities that are audited. |
Data Extraction Activity | Report tracking DataPump and RMAN activities in database. |
Sensitive Data Activity | Report tracking database activities on sensitive objects
as identified in the sensitive data models of the Data Discovery
feature.
Note: This report will only display data if there is a Sensitive Data Model for the target database. |
SQL Firewall audited violations | Report tracking all SQL Firewall violations that are audited in the database. |
Prerequisites for Using Activity Auditing
These are the prerequisites for using Activity Auditing:
- Register the target databases that you want to use with Activity Auditing.
- Grant the Audit Collection and Audit Setting roles on the target database. A Database Administrator can grant these roles to the Oracle Data Safe Service Account on the target database.
- Obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM) to use the Activity Auditing feature in Oracle Data Safe. An OCI administrator can grant
view
ormanage
permission as needed on the following resources:data-safe-work-requests
data-safe-audit-profiles
data-safe-audit-trails
data-safe-audit-events
data-safe-archive-retrievals
data-safe-report-definitions
data-safe-reports
data-safe-audit-policies
As an alternative to selectively granting permissions, you can grant permissions
on data-safe-audit-family
in the relevant compartments, which would include
permissions on all of the resources above. See data-safe-audit-family Resource in the
Administering Oracle Data Safe guide for more information.
See Also:
The Administering Oracle Data Safe guide provides these sections to help with establishing the prerequisites:- Grant Roles to the Oracle Data Safe Service Account on Your Target Database describes the roles required for Activity Auditing and for other Oracle Data Safe features.
- OCI Resources for Oracle Data Safe describes the permissions for each resource in Oracle Data Safe.
Activity Auditing Workflow
The general steps for collecting and managing audit data for a target database are as follows:
- Register your target database. Oracle Data Safe creates an audit profile, creates an audit policy, and discovers the audit trails on your target database.
- Review and modify the audit profile to customize audit data retention
settings and paid usage settings.
- Specify if you want to collect audit data for your target database after it reaches the monthly free limit.
- Specify the number of months that you want to retain audit data online and archive audit data.
- Provision audit policies for your target database.
- Select predefined Oracle Data Safe audit policies, predefined Oracle Database audit policies, individual custom policies, and audit compliance standards policies to provision on your target database.
- For some audit policies, specify users to audit or exclude users from auditing.
- Retrieve updates to existing audit policies.
- Retrieve new audit policies that are created on your target database post target database registration.
- Discover additional audit trails, remove audit trails, and enable auto purge on your target database as needed.
- Start collecting audit data by starting the audit trail(s) for your target database.
- Monitor and analyze the audit data on the Activity Auditing dashboard and in audit reports.
- Set up event
notifications. For example, you can subscribe to the
Audit Trail Collection Free Limit Warning
event to be automatically informed if an audit collection reaches 80% of the free limit. - Manage audit data collection
by adjusting audit trails.
- Start, stop, and resume collecting audit data as needed.
- Enable or disable auto purge.
- Discover new audit trails.
- Delete unused audit trails.
- Retrieve archived audit data
when needed.
- You can retrieve audit data from the Oracle Data Safe archive if you have previously archived audit data for your target database.
- View and Manage Audit Reports.
- You can view and schedule audit reports, set filters and modify columns in audit reports, download audit reports as PDF, XLS, or JSON files, as well as create, update, and delete custom audit reports.
- Configure Auditing and Alerts.
- You can configure auditing and alerts or start auditing trails by using the wizard in Activity Auditing.