15 Auditing Oracle Label Security

All activities in Oracle Label Security can be audited, including Oracle Label Security administrator activities.

15.1 Auditing Oracle Label Security Using Unified Auditing

Oracle recommends that you migrate all your Oracle Label Security audit policies to unified auditing.

To create new audit policies in Oracle Label Security, you must use unified auditing. As of Oracle Database 23ai, traditional auditing is desupported for new audit settings; existing traditional audit settings are still honored.

The unified audit trail will capture Oracle Label Security unified audit policy records, as well as mandatory Oracle Label Security audits.

Unified auditing enables you to create custom policies that capture more fine-tuned data than you can capture with traditional Oracle Label Security auditing. For example, you can create unified auditing policies that capture Oracle Label Security-specific events such as the creation, modification, and removal of Oracle Label Security policies, as well as activities such as authorization and actions that require Oracle Label Security privileges. The policies can incorporate standard unified audit features, such as conditions, application context values, and the ability to audit top-level statements.

In addition to this functionality, unified auditing provides the following predefined audit policies:

  • ORA_DV_SCHEMA_CHANGES, which monitors Oracle Label Security LBACSYS and Oracle Database Vault DVSYS schema objects when Oracle Database Vault is in use.
  • ORA_OLS_SCHEMA_CHANGES, which also monitors LBACSYS schema objects. You can use this audit policy if Oracle Database Vault is not in use. You do not need to enable this policy if ORA_DV_SCHEMA_CHANGES is already enabled.

In a new Oracle Database installation, ORA_DV_SCHEMA_CHANGES is enabled by default. In an upgraded Oracle database, it is not enabled by default. Uninstallation of Oracle Database Vault drops ORA_DV_SCHEMA_CHANGES. To ensure that LBACSYS objects are still audited, ORA_OLS_SCHEMA_CHANGES will be enabled during uninstallation of Oracle Database Vault, if ORA_DV_SCHEMA_CHANGES was enabled.

When you create a new policy, a label column for that policy is added to the database audit trail. The label column is created regardless of whether auditing is enabled or disabled, and independent of whether database auditing or operating system auditing is used. Whenever a record is written to the audit table, each policy provides a label for that record to indicate the session label. The administrator can create audit views to display these labels. Note that in the audit table, the label does not control access to the row, instead it only records the sensitivity of the row.

When you use unified auditing, the Oracle Label Security traditional audit settings will continue to collect audit records, until you do the following: complete migrating the audit settings to unified auditing, disable traditional auditing, and then archive and purge the older audit records. From then on, you can manage Oracle Label Security audit policies through the unified audit policy PL/SQL statements.

All configuration changes made to Oracle Label Security are mandatorily audited and these audit records are written to the unified audit trail, including actions of unprivileged users who attempt to modify Oracle Label Security policies.

Consider auditing any operations that require Oracle Label Security privileges. Because these privileges perform sensitive operations, and because their abuse could jeopardize security, you should closely monitor their dissemination and use.
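The following SQL is an added example and is not taken from the Oracle documentation. It shows one way to implement the two recommendations above (auditing the life cycle of Oracle Label Security policies and auditing every use of an Oracle Label Security privilege) as unified audit policies, and then how to read the resulting records from UNIFIED_AUDIT_TRAIL. The policy names ols_admin_events and ols_priv_use, the IP range in the WHEN condition, and the policy hr_ols_pol are hypothetical. The OLS action names under ACTIONS COMPONENT=OLS and the OLS_* columns of UNIFIED_AUDIT_TRAIL are as documented for recent releases; verify them against the Oracle Database Security Guide for your release before relying on them.

```sql
-- Added example, not Oracle's own code. Run as a user with the AUDIT_ADMIN role.

-- 1. Audit the Oracle Label Security policy life cycle: creation, alteration
--    and removal of policies, application to and removal from tables and
--    schemas, and changes to user authorizations.
CREATE AUDIT POLICY ols_admin_events
  ACTIONS COMPONENT=OLS
    CREATE POLICY, ALTER POLICY, DROP POLICY,
    ENABLE POLICY, DISABLE POLICY,
    APPLY POLICY, REMOVE POLICY,
    SET AUTHORIZATION;

-- 2. Audit every action that requires an Oracle Label Security privilege
--    (READ, FULL, WRITEUP, WRITEDOWN, and so on), but only for sessions that
--    do not come from the trusted application network (hypothetical 10.0.0.0/16).
--    The WHEN condition is a standard unified audit condition built on an
--    application context value; EVALUATE PER SESSION checks it once per session.
CREATE AUDIT POLICY ols_priv_use
  ACTIONS COMPONENT=OLS PRIVILEGED ACTION
  WHEN 'SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'') NOT LIKE ''10.0.%'''
  EVALUATE PER SESSION;

-- 3. Enable both policies. Without WHENEVER SUCCESSFUL / NOT SUCCESSFUL,
--    both successful and failed actions are recorded, which is what you want:
--    failed attempts by unprivileged users are the interesting ones.
AUDIT POLICY ols_admin_events;
AUDIT POLICY ols_priv_use;

-- 4. Confirm the policies are enabled and for which outcomes.
SELECT policy_name, enabled_option, entity_name, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name IN ('OLS_ADMIN_EVENTS', 'OLS_PRIV_USE');

-- 5. Read the records. AUDIT_TYPE = 'OLS' selects Oracle Label Security
--    records, including the mandatory OLS audits that are written even when
--    no custom policy matches. OLS policy names are stored in upper case.
SELECT event_timestamp, dbusername, action_name, return_code,
       ols_policy_name, ols_grantee, ols_privileges_used,
       unified_audit_policies, sql_text
  FROM unified_audit_trail
 WHERE audit_type = 'OLS'
   AND ols_policy_name = 'HR_OLS_POL'
 ORDER BY event_timestamp DESC;

-- 6. Triage view: failed attempts to change an OLS policy (RETURN_CODE <> 0),
--    typically an unprivileged user probing the policy. These are the rows to
--    alert on first.
SELECT event_timestamp, dbusername, action_name, return_code, sql_text
  FROM unified_audit_trail
 WHERE audit_type = 'OLS'
   AND return_code <> 0
 ORDER BY event_timestamp DESC;
```

Two practical notes. First, the unified audit trail is append-only for audited users; plan retention and purging with DBMS_AUDIT_MGMT so that the OLS records you add here do not fill the audit tablespace unnoticed. Second, scope a PRIVILEGED ACTION policy deliberately (by user, by condition, or both): a privilege such as READ or FULL may be exercised on every row access by an application account, and auditing that without a filter produces a record per access.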

To learn how to create unified audit policies for Oracle Label Security, and for more information about how the desupport of traditional auditing works, see Oracle Database Security Guide.

15.2 Auditing Oracle Label Security Using Traditional Auditing

Traditional auditing is desupported, but traditional audit settings in an upgraded database can be used with some limitations.

Though traditional auditing is desupported starting in Oracle Database release 23ai, any existing Oracle Label Security traditional audit settings that you have will be maintained when you upgrade to release 23ai, and the Oracle Label Security data dictionary views will continue to capture this audit information. You can delete existing traditional audit settings. However, you cannot create new traditional audit settings. Instead, you must create unified audit policies to replace the traditional audit settings that you need to update.

The traditional audit settings are controlled through the SA_AUDIT_ADMIN PL/SQL package. The audit indicates if the user's action succeeded (that is, the policy enabled the user to accomplish a task) or if the user's action failed (the policy was violated). Oracle Label Security uses this package to collect audit records and write these audit records to the Oracle Label Security data dictionary views.

When you install a new database and configure it to use Oracle Label Security, then it uses unified auditing only. If you have upgraded from a previous release, then Oracle Label Security uses the auditing that was implemented in that release.

The traditional audit trail lists only the action numbers. To find the corresponding audit action names, you can query the LBACSYS.OLS$AUDIT_ACTIONS system table. You must have the AUDIT_VIEWER, AUDIT_ADMIN, or policy_DBA role to query this table.

See Oracle Database Security Guide for more information about how the desupport of traditional auditing works.

15.3 Disabling Traditional Auditing for Oracle Label Security Policies

Oracle recommends that you disable traditional auditing for Oracle Label Security policies and use unified auditing instead.

  1. Log in to the database instance as a user who has the LBAC_DBA database role (or the policy_DBA role for a specific policy).
  2. If necessary, query the ALL_SA_POLICIES data dictionary view to find the policies whose traditional auditing you want to disable.
  3. Run the SA_AUDIT_ADMIN.NOAUDIT procedure to disable auditing for the policy.
    For example:
    BEGIN
     SA_AUDIT_ADMIN.NOAUDIT(
      policy_name      => 'hr_ols_pol',
      users            => 'jjones',
      audit_option     => NULL);
    END;
    /

    In this specification,

    • policy_name: The policy name is required. To find existing policies, query the POLICY_NAME column of the ALL_SA_POLICIES data dictionary view.
    • users: This setting is a comma-delimited list of users who were audited. If you omit this setting or specify NULL for the users parameter, then auditing is disabled for all users. To find the users for whom traditional audit options are currently set on a policy, query the USER_NAME column of the ALL_SA_AUDIT_OPTIONS view.
    • audit_option: NULL is specified to disable all audit options that have been applied to the hr_ols_pol policy. If you want to disable only specific options, then the choices are as follows:
      • APPLY: Disables auditing of the application of specified Oracle Label Security policies to tables and schemas
      • REMOVE: Disables auditing of the removal of specified Oracle Label Security policies from tables and schemas
      • SET: Disables auditing of the setting of user authorizations, and user and program privileges
      • PRIVILEGES: Disables auditing of the use of all policy-specific privileges
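The following SQL is an added example and is not part of the Oracle documentation. It runs steps 1 through 3 above end to end for one policy: it lists the traditional audit options that are still set, disables all of them for all users in a single NOAUDIT call (rather than one user and one option at a time), and then re-queries the view to confirm nothing is left before you retire traditional auditing. The policy name hr_ols_pol is hypothetical, and the exact contents of ALL_SA_AUDIT_OPTIONS after the call (no rows, or rows with no options set) should be verified on your release.

```sql
-- Added example, not Oracle's own code. Connect as a user with the LBAC_DBA
-- role, or with the policy-specific HR_OLS_POL_DBA role.

-- Step 2: which policies exist, and which of them still carry traditional
-- audit options? OLS stores policy names in upper case.
SELECT policy_name, status
  FROM all_sa_policies
 ORDER BY policy_name;

-- Before: one row per audited user, with the APPLY, REMOVE, SET and
-- PRIVILEGES option columns. SELECT * avoids quoting the SET column name,
-- which is a reserved word.
SELECT *
  FROM all_sa_audit_options
 WHERE policy_name = 'HR_OLS_POL';

-- Step 3: disable every traditional audit option for every user of the
-- policy in one call. users => NULL means all users; audit_option => NULL
-- means all of APPLY, REMOVE, SET and PRIVILEGES.
BEGIN
  SA_AUDIT_ADMIN.NOAUDIT(
    policy_name  => 'hr_ols_pol',
    users        => NULL,
    audit_option => NULL);
END;
/

-- After: expect no remaining audit options for the policy. If this still
-- returns rows with options set, a user-specific setting survived and needs
-- its own NOAUDIT call naming that user.
SELECT *
  FROM all_sa_audit_options
 WHERE policy_name = 'HR_OLS_POL';
```

Disable the traditional settings only after the replacement unified audit policies are enabled, so that there is no window in which policy changes or privileged actions go unrecorded; then archive and purge the old audit records as the preceding section describes.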