Audit Policies

An audit policy resource represents all audit policies available for a target database, together with their audit conditions and their provisioning status on that target database.

About Oracle Data Safe Audit Policies

When you register a target database, Oracle Data Safe retrieves the audit policies from the target database and then automatically creates one audit policy resource for it. The audit policy resource lets you provision unified audit policies in your target database, with conditional enablement for specific users and/or roles. It also lets you retrieve the latest audit configuration from the target database in case the audit policies are modified there directly; Oracle Data Safe also retrieves them automatically once per day. The categories of audit policies available for provisioning are:

  • Basic auditing policies
  • Administrator activity auditing policy
  • User activity auditing policy
  • Audit compliance standards policies
  • Custom and Oracle predefined audit policies

Once an audit policy is provisioned to the target database, audit records are generated for activities in the target database that match the policy. You can manage the audit data volume in the target database with the auto purge feature (disabled by default), and the volume of audit data collected by Oracle Data Safe with the audit data retention setting.

Notes:

  • You can exclude activities performed by the Oracle Data Safe service account in the target database from auditing.
  • Provisioning and retrieval of audit policies are not supported on Oracle Database 12.1 and earlier.
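As an added example that is not part of the Oracle Data Safe documentation, the following queries verify from the target database side what Data Safe provisioned, who each policy is enabled for, and how much audit data the policies are producing. They assume the ORA_ADS$_ naming prefix used by the policies on this page, a session holding AUDIT_VIEWER or AUDIT_ADMIN (plus SELECT on DBA_SEGMENTS for the last query), and the dictionary view columns of Oracle Database 12.2 and later.

```sql
-- Added example (not from the Oracle Data Safe documentation): run on the
-- target database to see what Data Safe provisioned. ORA_ADS$_ is the prefix
-- of the policies shown on this page; the ESCAPE clause is needed because
-- "_" is a single-character wildcard in LIKE patterns.

-- 1. Policies present in the dictionary (provisioned, whether enabled or
--    not), broken down by the kind of clause they contain.
SELECT policy_name, audit_option_type, COUNT(*) AS clauses
FROM   audit_unified_policies
WHERE  policy_name LIKE 'ORA\_ADS$\_%' ESCAPE '\'
GROUP  BY policy_name, audit_option_type
ORDER  BY policy_name, audit_option_type;

-- 2. Which of them are enabled, for whom, and whether on success, failure
--    or both. An EXCEPT USER row shows an account that has been excluded
--    (for example the trusted users listed for the Login Events policy).
SELECT policy_name, enabled_option, entity_name, entity_type, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name LIKE 'ORA\_ADS$\_%' ESCAPE '\'
ORDER  BY policy_name, entity_name;

-- 3. Audit volume per policy combination over the last 7 days: the input
--    to choosing a purge schedule and a Data Safe retention period. One
--    record can match several policies; UNIFIED_AUDIT_POLICIES lists them all.
SELECT unified_audit_policies,
       COUNT(*)             AS records,
       MIN(event_timestamp) AS oldest,
       MAX(event_timestamp) AS newest
FROM   unified_audit_trail
WHERE  event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
GROUP  BY unified_audit_policies
ORDER  BY records DESC;

-- 4. On-disk footprint of the unified audit trail (segments owned by
--    AUDSYS), so that auto purge is enabled before the tablespace fills.
SELECT segment_name, segment_type, ROUND(SUM(bytes) / 1024 / 1024) AS mb
FROM   dba_segments
WHERE  owner = 'AUDSYS'
GROUP  BY segment_name, segment_type
ORDER  BY mb DESC;
```

Run queries 1 and 2 after every provisioning change and after Data Safe's daily retrieval: a policy that exists in the dictionary but has no row in AUDIT_UNIFIED_ENABLED_POLICIES generates no records, which is the usual reason an expected event never reaches Data Safe.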

Basic Auditing Policies

Basic audit policies represent a set of recommended audit configurations for Oracle Database. You can enable the following basic auditing policies:

  • Critical Database Activity
  • Login Events
  • Database Schema Changes

The Critical Database Activity policy allows you to audit critical database activity, for example, when a user, role, or profile is created, modified, or dropped.

The following audit policy gets provisioned on the target database:

CREATE AUDIT POLICY ORA_ADS$_CRITICAL_DB_ACTIVITY
  PRIVILEGES EXEMPT ACCESS POLICY, EXEMPT REDACTION POLICY,
             ADMINISTER KEY MANAGEMENT, EXPORT FULL DATABASE, IMPORT FULL DATABASE,
             CREATE PUBLIC DATABASE LINK, ALTER PUBLIC DATABASE LINK, DROP PUBLIC DATABASE LINK,
             CREATE PUBLIC SYNONYM, DROP PUBLIC SYNONYM,
             SELECT ANY DICTIONARY, ADMINISTER DATABASE TRIGGER,
             PURGE DBA_RECYCLEBIN, LOGMINING
  ACTIONS CREATE USER, ALTER USER, DROP USER,
          CREATE ROLE, DROP ROLE, ALTER ROLE, SET ROLE, GRANT, REVOKE,
          CREATE PROFILE, ALTER PROFILE, DROP PROFILE,
          CREATE PLUGGABLE DATABASE, DROP PLUGGABLE DATABASE, ALTER PLUGGABLE DATABASE,
          CREATE LOCKDOWN PROFILE, ALTER LOCKDOWN PROFILE, DROP LOCKDOWN PROFILE,
          ALTER DATABASE, ALTER SYSTEM,
          CREATE TABLESPACE, ALTER TABLESPACE, DROP TABLESPACE,
          CREATE ROLLBACK SEGMENT, ALTER ROLLBACK SEGMENT, DROP ROLLBACK SEGMENT,
          CREATE DIRECTORY, DROP DIRECTORY,
          CREATE DISK GROUP, ALTER DISK GROUP, DROP DISK GROUP,
          CREATE PFILE, CREATE SPFILE
  ACTIONS COMPONENT = DATAPUMP EXPORT, IMPORT
  ACTIONS COMPONENT = DIRECT_LOAD LOAD;

AUDIT POLICY ORA_ADS$_CRITICAL_DB_ACTIVITY;
-- enabled for all users

The Login Events policy tracks all logon and logoff activity by users. For more granularity, specify the trusted users to be excluded, whether they are Oracle-maintained or non-Oracle-maintained users. An excluded user's successful logons and logoffs are not recorded at all, so keep that list short and review it; their failed logons are still captured, because ORA_ADS$_LOGON_FAILURES is enabled for all users.

The following audit policy gets provisioned on the target database:

CREATE AUDIT POLICY ORA_ADS$_LOGON_EVENTS ACTIONS LOGON, LOGOFF;
CREATE AUDIT POLICY ORA_ADS$_LOGON_FAILURES ACTIONS LOGON;

AUDIT POLICY ORA_ADS$_LOGON_EVENTS EXCEPT <comma separated user list>;
AUDIT POLICY ORA_ADS$_LOGON_FAILURES WHENEVER NOT SUCCESSFUL;
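The records these two policies write are only useful once something reads them. The following is an added example, not part of the Oracle Data Safe documentation, of two detections run directly against UNIFIED_AUDIT_TRAIL on the target database: a password-guessing check over ORA_ADS$_LOGON_FAILURES records, and a "new source" check over ORA_ADS$_LOGON_EVENTS records. The thresholds (10 failures per account, host and hour; a 30-day baseline) are illustrative assumptions to tune per target.

```sql
-- Added example (not from the Oracle Data Safe documentation): detections
-- over the logon records produced by the policies above. Thresholds are
-- illustrative assumptions.

-- 1. Password guessing: failed logons bucketed by account, client host and
--    hour. RETURN_CODE holds the ORA error number of the failure, e.g.
--    1017 (invalid username/password) or 28000 (account locked).
SELECT dbusername,
       userhost,
       TRUNC(CAST(event_timestamp AS DATE), 'HH') AS hour_bucket,
       COUNT(*)                                   AS failures,
       MIN(return_code)                           AS min_ora_error,
       MAX(return_code)                           AS max_ora_error
FROM   unified_audit_trail
WHERE  action_name = 'LOGON'
AND    return_code <> 0
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
GROUP  BY dbusername, userhost, TRUNC(CAST(event_timestamp AS DATE), 'HH')
HAVING COUNT(*) >= 10
ORDER  BY failures DESC;

-- 2. New source: a successful logon in the last day from an (account, host)
--    pair that had no successful logon in the preceding 30 days.
SELECT t.dbusername,
       t.userhost,
       t.os_username,
       MIN(t.event_timestamp) AS first_seen
FROM   unified_audit_trail t
WHERE  t.action_name = 'LOGON'
AND    t.return_code = 0
AND    t.event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
AND    NOT EXISTS (
         SELECT 1
         FROM   unified_audit_trail p
         WHERE  p.action_name = 'LOGON'
         AND    p.return_code = 0
         AND    p.dbusername  = t.dbusername
         AND    p.userhost    = t.userhost
         AND    p.event_timestamp BETWEEN SYSTIMESTAMP - INTERVAL '31' DAY
                                      AND SYSTIMESTAMP - INTERVAL '1'  DAY)
GROUP  BY t.dbusername, t.userhost, t.os_username
ORDER  BY first_seen;
```

Two caveats follow from the policy definitions. Detection 2 is blind for every user named in the EXCEPT list, because ORA_ADS$_LOGON_EVENTS writes nothing for them, while detection 1 still works for those users. And the 30-day baseline only exists if the auto purge schedule keeps at least 31 days in the target database; with a shorter purge window every logon looks new, so run a baseline like this against the copy that Data Safe retains instead.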

The Database Schema Changes policy tracks all Data Definition Language (DDL) commands issued by any database user, for example, when a table, database link, function, or trigger is created, modified, or dropped.

The following audit policy gets provisioned on the target database:

CREATE AUDIT POLICY ORA_ADS$_DB_SCHEMA_CHANGES
  PRIVILEGES CREATE EXTERNAL JOB, CREATE JOB, CREATE ANY JOB
  ACTIONS CREATE PROCEDURE, DROP PROCEDURE, ALTER PROCEDURE,
          CREATE PACKAGE, ALTER PACKAGE, DROP PACKAGE,
          CREATE PACKAGE BODY, ALTER PACKAGE BODY, DROP PACKAGE BODY,
          CREATE FUNCTION, DROP FUNCTION, ALTER FUNCTION,
          CREATE TRIGGER, ALTER TRIGGER, DROP TRIGGER,
          CREATE LIBRARY, ALTER LIBRARY, DROP LIBRARY,
          CREATE SYNONYM, DROP SYNONYM,
          CREATE TABLE, ALTER TABLE, DROP TABLE, TRUNCATE TABLE,
          CREATE DATABASE LINK, ALTER DATABASE LINK, DROP DATABASE LINK,
          CREATE INDEX, ALTER INDEX, DROP INDEX,
          CREATE OUTLINE, ALTER OUTLINE, DROP OUTLINE,
          CREATE CONTEXT, DROP CONTEXT,
          CREATE ATTRIBUTE DIMENSION, ALTER ATTRIBUTE DIMENSION, DROP ATTRIBUTE DIMENSION,
          CREATE DIMENSION, ALTER DIMENSION, DROP DIMENSION,
          CREATE INDEXTYPE, ALTER INDEXTYPE, DROP INDEXTYPE,
          CREATE OPERATOR, ALTER OPERATOR, DROP OPERATOR,
          CREATE JAVA, ALTER JAVA, DROP JAVA,
          CREATE MINING MODEL, ALTER MINING MODEL, DROP MINING MODEL,
          CREATE TYPE BODY, ALTER TYPE BODY, DROP TYPE BODY,
          CREATE TYPE, ALTER TYPE, DROP TYPE,
          CREATE MATERIALIZED VIEW, ALTER MATERIALIZED VIEW, DROP MATERIALIZED VIEW,
          CREATE MATERIALIZED VIEW LOG, ALTER MATERIALIZED VIEW LOG, DROP MATERIALIZED VIEW LOG,
          CREATE MATERIALIZED ZONEMAP, ALTER MATERIALIZED ZONEMAP, DROP MATERIALIZED ZONEMAP,
          CREATE VIEW, ALTER VIEW, DROP VIEW,
          CREATE ANALYTIC VIEW, ALTER ANALYTIC VIEW, DROP ANALYTIC VIEW,
          CREATE SEQUENCE, ALTER SEQUENCE, DROP SEQUENCE,
          CREATE CLUSTER, ALTER CLUSTER, DROP CLUSTER, TRUNCATE CLUSTER;

AUDIT POLICY ORA_ADS$_DB_SCHEMA_CHANGES;
-- enabled for all users

Admin Activity Auditing Policy

The Admin Activity Auditing policy lets you audit all activities by privileged administrators. These administrators can make significant changes to the wider system, and a database administrator (DBA) can have access to sensitive data that is not protected by Oracle Database Vault realms, and could exfiltrate it. The Admin Activity Auditing policy audits all activities of any user who holds one of the following administrative privileges or roles:

  • Admin privileges:

    SYSOPER, SYSDG, SYSKM, SYSRAC, and SYSBACKUP
  • Roles:

    DBA, DATAPUMP_EXP_FULL_DATABASE, DATAPUMP_IMP_FULL_DATABASE, EXP_FULL_DATABASE, IMP_FULL_DATABASE

The following audit policy gets provisioned on the target database:

CREATE AUDIT POLICY "ORA_ADS$_ADMIN_USER_ACTIVITY"
  ACTIONS ALL
  WHEN 'SYS_CONTEXT(''USERENV'', ''CURRENT_USER'') NOT IN
        (''CTXSYS'', ''ORDSYS'', ''OJVMSYS'', ''DVSYS'', ''SI_INFORMTN_SCHEMA'', ''AUDSYS'',
         ''GSMADMIN_INTERNAL'', ''ORDPLUGINS'', ''DIP'', ''MDSYS'', ''OLAPSYS'', ''ORDDATA'',
         ''LBACSYS'', ''SYSKM'', ''OUTLN'', ''ORACLE_OCM'', ''SYS$UMF'', ''SYSRAC'', ''ANONYMOUS'',
         ''GGSYS'', ''REMOTE_SCHEDULER_AGENT'', ''SYSBACKUP'', ''DBSFWUSER'', ''MDDATA'',
         ''APPQOSSYS'', ''DBSNMP'', ''GSMUSER'', ''GSMCATUSER'', ''XS$NULL'', ''SYSTEM'', ''SYS'',
         ''SYSDG'', ''WMSYS'', ''XDB'', ''DVF'')'
  EVALUATE PER STATEMENT
  ONLY TOPLEVEL;

AUDIT POLICY ORA_ADS$_ADMIN_USER_ACTIVITY
  BY USERS WITH GRANTED ROLES DBA, DATAPUMP_EXP_FULL_DATABASE, DATAPUMP_IMP_FULL_DATABASE,
                              EXP_FULL_DATABASE, IMP_FULL_DATABASE;

-- PUBLIC covers SYSOPER sessions, which connect as the PUBLIC user
AUDIT POLICY ORA_ADS$_ADMIN_USER_ACTIVITY BY PUBLIC, SYSDG, SYSKM, SYSRAC, SYSBACKUP;

Note:

The ORA_ADS$_ADMIN_USER_ACTIVITY policy requires support for the ONLY TOPLEVEL clause, which is included starting with Oracle Database 19c. For databases older than Oracle Database 19c, apply the required patch from My Oracle Support as a prerequisite to provisioning this policy to the target database:
  1. Log in to My Oracle Support
  2. Click the Patches & Updates tab
  3. Search for patch number 21493004 and platform Linux x86-64
  4. Select and download the patch that corresponds to the Oracle Database release of the target database

For Oracle Database 19c and later, the following audit policy, which captures the top-level statements issued by SYS, is also provisioned:

CREATE AUDIT POLICY ORA_ADS$_SYS_TOP_ACTIVITY ACTIONS ALL ONLY TOPLEVEL;
AUDIT POLICY ORA_ADS$_SYS_TOP_ACTIVITY BY SYS;
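Before relying on this policy it is worth enumerating which accounts it will actually cover, since the two AUDIT POLICY statements select users by role grant and by administrative privilege rather than by name. The following is an added example, not part of the Oracle Data Safe documentation; it uses only the role and policy names shown on this page and is meant to be run as a DBA on the target database.

```sql
-- Added example (not from the Oracle Data Safe documentation): enumerate the
-- accounts ORA_ADS$_ADMIN_USER_ACTIVITY covers, then confirm enablement.

-- 1. Direct grantees of the privileged roles named in the
--    BY USERS WITH GRANTED ROLES clause. The join to DBA_USERS drops
--    role-to-role grants, which appear in DBA_ROLE_PRIVS with a role as grantee.
SELECT u.username, p.granted_role, p.admin_option
FROM   dba_role_privs p
JOIN   dba_users      u ON u.username = p.grantee
WHERE  p.granted_role IN ('DBA',
                          'DATAPUMP_EXP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE',
                          'EXP_FULL_DATABASE', 'IMP_FULL_DATABASE')
ORDER  BY u.username, p.granted_role;

-- 2. Users that reach one of those roles only through another role (one
--    level of nesting). The BY USERS WITH GRANTED ROLES clause is documented
--    in terms of roles granted to the user, so review these separately and
--    either grant the role directly or enable the policy BY user name.
SELECT u.username,
       p.granted_role  AS via_role,
       rr.granted_role AS privileged_role
FROM   dba_role_privs  p
JOIN   dba_users       u  ON u.username = p.grantee
JOIN   role_role_privs rr ON rr.role = p.granted_role
WHERE  rr.granted_role IN ('DBA',
                           'DATAPUMP_EXP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE',
                           'EXP_FULL_DATABASE', 'IMP_FULL_DATABASE')
AND    NOT EXISTS (SELECT 1
                   FROM   dba_role_privs d
                   WHERE  d.grantee      = u.username
                   AND    d.granted_role = rr.granted_role)
ORDER  BY u.username, rr.granted_role;

-- 3. Holders of administrative privileges, i.e. the sessions targeted by the
--    BY PUBLIC, SYSDG, SYSKM, SYSRAC, SYSBACKUP clause (SYSOPER sessions
--    connect as PUBLIC, which is why PUBLIC is listed there).
SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm
FROM   v$pwfile_users
ORDER  BY username;

-- 4. After provisioning: the policy should show one BY GRANTED ROLE row per
--    role and one BY USER row per administrative user, plus SYS for the
--    top-level policy on 19c and later.
SELECT policy_name, enabled_option, entity_name, entity_type, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name IN ('ORA_ADS$_ADMIN_USER_ACTIVITY', 'ORA_ADS$_SYS_TOP_ACTIVITY')
ORDER  BY policy_name, entity_type, entity_name;
```

Note the scope that ONLY TOPLEVEL implies: only statements issued directly by the administrator's session are recorded, not the SQL executed inside PL/SQL units those statements call. That keeps the volume of ACTIONS ALL manageable, but it also means a DBA who wraps sensitive reads in a stored procedure leaves only the procedure call in the trail; a custom object-level policy on the sensitive tables (see the Custom Policies section) closes that gap.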

User Activity Auditing Policy

The User Activity Auditing policy tracks all activity by users who may have access to sensitive data or who are under observation, typically "non-admin but privileged" users. When you enable this policy in the interface, you must specify the non-Oracle-maintained users to audit.

The following audit policy gets provisioned on the target database:

CREATE AUDIT POLICY ORA_ADS$_USER_ACTIVITY
  ACTIONS ALL
  WHEN 'SYS_CONTEXT(''USERENV'', ''CURRENT_USER'') NOT IN
        (''DIP'', ''WMSYS'', ''XDB'', ''ORDDATA'', ''OLAPSYS'', ''MDSYS'', ''ORDPLUGINS'',
         ''GSMADMIN_INTERNAL'', ''SI_INFORMTN_SCHEMA'', ''ANONYMOUS'', ''GGSYS'', ''DBSFWUSER'',
         ''APPQOSSYS'', ''DBSNMP'', ''GSMUSER'', ''SYSDG'', ''SYS$UMF'', ''ORACLE_OCM'', ''OUTLN'',
         ''SYSKM'', ''SYS'', ''SYSTEM'', ''XS$NULL'', ''GSMCATUSER'', ''MDDATA'', ''SYSBACKUP'',
         ''REMOTE_SCHEDULER_AGENT'', ''SYSRAC'', ''CTXSYS'', ''DVF'', ''OJVMSYS'', ''DVSYS'',
         ''AUDSYS'', ''ORDSYS'', ''LBACSYS'')'
  EVALUATE PER STATEMENT;

AUDIT POLICY ORA_ADS$_USER_ACTIVITY BY <comma-separated non-Oracle maintained user list>;

This audit policy is intended for non-Oracle users whose activity needs to be monitored. The policy excludes the following Oracle-maintained users:

ANONYMOUS, APPQOSSYS, AUDSYS, CTXSYS, DBSFWUSER, DBSNMP, DIP, DVF, DVSYS, GGSYS,
GSMADMIN_INTERNAL, GSMCATUSER, GSMUSER, LBACSYS, MDDATA, MDSYS, OJVMSYS, OLAPSYS,
ORACLE_OCM, ORDDATA, ORDPLUGINS, ORDSYS, OUTLN, REMOTE_SCHEDULER_AGENT,
SI_INFORMTN_SCHEMA, SYS, SYS$UMF, SYSBACKUP, SYSDG, SYSKM, SYSRAC, SYSTEM, WMSYS,
XDB, XS$NULL

Custom Policies

Custom policies represent a set of custom audit policies that define audit configurations unique to your scenario, for example tracking access to sensitive data. You create custom audit policies in the target database, Oracle Data Safe retrieves them, and you can then enable or disable them from Oracle Data Safe.
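As an added example that is not part of the Oracle Data Safe documentation, the following shows the sensitive-data-access case from the paragraph above together with the named-user enablement from the User Activity Auditing section: a custom object-level policy on two sensitive tables, the Data Safe user activity policy enabled for specific accounts, the dictionary check that confirms both are in place for Data Safe to retrieve, and a triage query over the resulting records. The schema HR, the tables EMPLOYEES and SALARIES, and the users APP_BATCH, JSMITH and RPT_SVC are hypothetical placeholders.

```sql
-- Added example (not from the Oracle Data Safe documentation). HR.EMPLOYEES,
-- HR.SALARIES, APP_BATCH, JSMITH and RPT_SVC are hypothetical placeholders.

-- 1. Custom policy: object-level auditing of the sensitive tables. The WHEN
--    condition drops the well-understood batch account; SESSION_USER is the
--    logon user and is unaffected by definer's-rights code, so the test is
--    safe to evaluate once per session (EVALUATE PER SESSION), which is
--    cheaper than the PER STATEMENT evaluation the Data Safe policies use.
CREATE AUDIT POLICY hr_sensitive_access
  ACTIONS SELECT ON hr.employees,
          UPDATE ON hr.employees,
          DELETE ON hr.employees,
          SELECT ON hr.salaries,
          UPDATE ON hr.salaries
  WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') <> ''APP_BATCH'''
  EVALUATE PER SESSION;

-- No BY or EXCEPT clause: every session is subject to the policy (and its
-- WHEN condition), so reads by a DBA are captured too, including reads
-- performed from inside PL/SQL.
AUDIT POLICY hr_sensitive_access;

-- 2. Enable the Data Safe user activity policy for the accounts under
--    observation, as the interface does with the list you supply.
AUDIT POLICY ORA_ADS$_USER_ACTIVITY BY jsmith, rpt_svc;

-- 3. Confirm both policies are in the dictionary. Data Safe picks up the
--    custom policy on its daily retrieval or when you retrieve on demand.
SELECT policy_name, audit_option, object_schema, object_name,
       audit_condition, condition_eval_opt
FROM   audit_unified_policies
WHERE  policy_name IN ('HR_SENSITIVE_ACCESS', 'ORA_ADS$_USER_ACTIVITY')
ORDER  BY policy_name, object_name, audit_option;

-- 4. Triage: who touched the sensitive tables in the last 7 days, from
--    where, with the statement text. UNIFIED_AUDIT_POLICIES also shows when
--    the same record was matched by ORA_ADS$_USER_ACTIVITY.
SELECT event_timestamp, dbusername, userhost, client_program_name,
       action_name, object_schema, object_name, unified_audit_policies,
       DBMS_LOB.SUBSTR(sql_text, 200, 1) AS sql_snippet
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%HR_SENSITIVE_ACCESS%'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
ORDER  BY event_timestamp DESC;
```

The two policies are complementary rather than redundant: ORA_ADS$_USER_ACTIVITY answers "what did these users do" for a short list of accounts, while the custom policy answers "who touched these tables" for every account. Expect the combination of ACTIONS ALL with PER STATEMENT evaluation to be the larger contributor to audit volume, and size the auto purge schedule and Data Safe retention accordingly.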

Oracle Predefined Policies

Oracle predefined policies represent a set of pre-designed best practice audit policies provided by Oracle Database. They cover audit settings that are commonly relevant to security.

See Also:

Because predefined unified audit policies vary in Oracle Database releases, check the list of these policies in the version of the Oracle Database Security Guide that is appropriate to your target database. For example, if your target is an Oracle Database 19c database, see Auditing Activities with the Predefined Unified Audit Policies.

Oracle predefined policies are retrieved from the target database by Oracle Data Safe. The following are examples. Depending on your target database, such as Autonomous Transaction Processing (serverless) and Autonomous Data Warehouse, you may have more predefined policies in addition to those listed below.

  • ORA_ACCOUNT_MGMT
  • ORA_DATABASE_PARAMETER
  • ORA_SECURECONFIG
  • ORA_DV_AUDPOL
  • ORA_DV_AUDPOL2
  • ORA_RAS_POLICY_MGMT
  • ORA_RAS_SESSION_MGMT
  • ORA_LOGON_FAILURES
  • COMMON_USER
  • ADB_ADMIN_AUDIT
  • ADB_MANDATORY_AUDIT

Audit Compliance Standards

Audit compliance standards represent a set of audit policies that helps accelerate compliance to regulatory standards. They also help you evaluate whether you are adhering to database compliance requirements.

During Activity Auditing, you can enable or disable two audit compliance standards policies:
  • Center for Internet Security (CIS) Configuration - available for Oracle Database 12.2 and later
  • Security Technical Implementation Guide (STIG) - available for Oracle Database 21c and later

These policies track many activities and can help you evaluate whether you are adhering to database compliance requirements. For example, they track when a user, database link, profile, or procedure is created, altered, or dropped.

The Center for Internet Security (CIS) Recommendations policy (ORA_CIS_RECOMMENDATIONS) is a predefined unified audit policy in Oracle Database designed to perform audits that the CIS recommends. CIS is a world-recognized organization that provides consensus-based best practices for helping organizations assess and improve their cyber security posture. They provide resources, such as configuration assessment tools, secure configuration benchmarks, security metrics, and certifications. One of the main objectives of the organization is to help businesses prioritize what they need to do for security, and they strive to provide recommendations in simple, non-technical terms.

STIG is a set of rules, checklists, and other best practices created by the Defense Information Systems Agency (DISA) to ensure compliance with Department of Defense (DOD)-mandated security requirements.