15 Auditing Oracle Label Security
All activities in Oracle Label Security can be audited, including Oracle Label Security administrator activities.
- Auditing Oracle Label Security Using Unified Auditing: Oracle recommends that you migrate all your Oracle Label Security audit policies to unified auditing.
- Auditing Oracle Label Security Using Traditional Auditing: Traditional auditing is desupported, but traditional audit settings in an upgraded database can be used with some limitations.
- Disabling Traditional Auditing for Oracle Label Security Policies: Oracle recommends that you disable traditional auditing for Oracle Label Security policies and use unified auditing instead.
15.1 Auditing Oracle Label Security Using Unified Auditing
Oracle recommends that you migrate all your Oracle Label Security audit policies to unified auditing.
To create new audit policies in Oracle Label Security, you must use unified auditing. As of Oracle Database 23ai, traditional auditing is no longer supported for new audit settings, though existing traditional audit settings are still honored.
The unified audit trail will capture Oracle Label Security unified audit policy records, as well as mandatory Oracle Label Security audits.
Unified auditing enables you to create custom policies that capture more fine-tuned data than you can capture with traditional Oracle Label Security auditing. For example, you can create unified auditing policies that capture Oracle Label Security-specific events such as the creation, modification, and removal of Oracle Label Security policies, as well as activities such as authorization and actions that require Oracle Label Security privileges. The policies can incorporate standard unified audit features, such as conditions, application context values, and the ability to audit top-level statements.
In addition to this functionality, unified auditing provides the following predefined audit policies:
- ORA_DV_SCHEMA_CHANGES, which monitors Oracle Label Security (LBACSYS) and Oracle Database Vault (DVSYS) schema objects when Oracle Database Vault is in use.
- ORA_OLS_SCHEMA_CHANGES, which also monitors LBACSYS schema objects. You can use this audit policy if Oracle Database Vault is not in use. You do not need to enable this policy if ORA_DV_SCHEMA_CHANGES is already enabled.
In a new Oracle Database installation, ORA_DV_SCHEMA_CHANGES is enabled by default. In an upgraded Oracle database, it is not enabled by default. Uninstallation of Oracle Database Vault drops ORA_DV_SCHEMA_CHANGES. To ensure that LBACSYS objects are still audited, ORA_OLS_SCHEMA_CHANGES is enabled during uninstallation of Oracle Database Vault if ORA_DV_SCHEMA_CHANGES was enabled.
When you create a new policy, a label column for that policy is added to the database audit trail. The label column is created regardless of whether auditing is enabled or disabled, and independent of whether database auditing or operating system auditing is used. Whenever a record is written to the audit table, each policy provides a label for that record to indicate the session label. The administrator can create audit views to display these labels. Note that in the audit table the label does not control access to the row; it only records the sensitivity of the row.
When you use unified auditing, the Oracle Label Security traditional audit settings will continue to collect audit records, until you do the following: complete migrating the audit settings to unified auditing, disable traditional auditing, and then archive and purge the older audit records. From then on, you can manage Oracle Label Security audit policies through the unified audit policy PL/SQL statements.
All configuration changes made to Oracle Label Security are mandatorily audited and these audit records are written to the unified audit trail, including actions of unprivileged users who attempt to modify Oracle Label Security policies.
Consider auditing any operations that require Oracle Label Security privileges. Because these privileges enable sensitive operations, and because their abuse could jeopardize security, you should closely monitor their dissemination and use.
To learn how to create unified audit policies for Oracle Label Security, see Oracle Database Security Guide. See also Oracle Database Security Guide for more information about how the desupport of traditional auditing works.
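The following SQL is added here as an illustration and is not taken from the Oracle documentation. It walks through the three checks an administrator runs when moving Oracle Label Security auditing to unified auditing: confirming which predefined schema-change policy is active, creating a custom policy for the Oracle Label Security events and privileged actions this section describes, and reading the resulting records. The policy name ols_admin_audit is an assumption; the OLS component action names and the OLS_* columns of UNIFIED_AUDIT_TRAIL are unified audit identifiers documented in the Oracle Database Security Guide that this section cites.

```sql
-- 1. Which predefined schema-change policy is active? A new installation
--    enables ORA_DV_SCHEMA_CHANGES; an upgraded database may have neither.
SELECT policy_name, enabled_option, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name IN ('ORA_DV_SCHEMA_CHANGES', 'ORA_OLS_SCHEMA_CHANGES');

-- If Database Vault is not in use and the query returned no rows, enable
-- the Label Security policy so LBACSYS objects are still monitored.
AUDIT POLICY ORA_OLS_SCHEMA_CHANGES;

-- 2. Custom policy (name ols_admin_audit is an assumption) for the events the
--    text lists: policy lifecycle changes, authorization changes, and any
--    action that consumed an OLS privilege. ONLY TOPLEVEL records statements
--    issued directly by the user and skips those run inside PL/SQL units.
CREATE AUDIT POLICY ols_admin_audit
  ACTIONS COMPONENT=OLS
    CREATE POLICY, ALTER POLICY, DROP POLICY,
    ENABLE POLICY, DISABLE POLICY,
    APPLY POLICY, REMOVE POLICY,
    SET AUTHORIZATION, PRIVILEGED ACTION
  ONLY TOPLEVEL;

-- With no BY/EXCEPT clause the policy applies to all users, and both
-- successful and failed attempts are recorded, so an unprivileged user who
-- tries to alter a policy and fails still leaves a record.
AUDIT POLICY ols_admin_audit;

-- 3. Read the Label Security records. AUDIT_TYPE = 'OLS' selects OLS events,
--    RETURN_CODE <> 0 marks failed attempts, and the OLS_* columns carry the
--    policy touched, the privileges used, and the session label.
SELECT event_timestamp, dbusername, action_name, return_code,
       ols_policy_name, ols_privileges_used, ols_string_label,
       unified_audit_policies
  FROM unified_audit_trail
 WHERE audit_type = 'OLS'
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp DESC;
```

Mandatory Oracle Label Security audit records appear in the same trail with the predefined policy name in UNIFIED_AUDIT_POLICIES, so the last query also shows configuration changes that no custom policy was needed to capture.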
15.2 Auditing Oracle Label Security Using Traditional Auditing
Traditional auditing is desupported, but traditional audit settings in an upgraded database can be used with some limitations.
Though traditional auditing is desupported starting in Oracle Database release 23ai, any existing Oracle Label Security traditional audit settings are maintained when you upgrade to release 23ai, and the Oracle Label Security data dictionary views continue to capture this audit information. You can delete existing traditional audit settings, but you cannot create new ones. Instead, you must create unified audit policies to replace the traditional audit settings that you need to update.
The traditional audit settings are controlled through the SA_AUDIT_ADMIN PL/SQL package. The audit indicates whether the user's action succeeded (that is, the policy enabled the user to accomplish a task) or failed (the policy was violated). Oracle Label Security uses this package to collect audit records and write them to the Oracle Label Security data dictionary views.
When you install a new database and configure it to use Oracle Label Security, then it uses unified auditing only. If you have upgraded from a previous release, then Oracle Label Security uses the auditing that was implemented in that release.
The traditional audit trail lists only the action numbers. To find the corresponding audit action names, you can query the LBACSYS.OLS$AUDIT_ACTIONS system table. You must have the AUDIT_VIEWER, AUDIT_ADMIN, or policy_DBA role to query this table.
See Oracle Database Security Guide for more information about how the desupport of traditional auditing works.
15.3 Disabling Traditional Auditing for Oracle Label Security Policies
Oracle recommends that you disable traditional auditing for Oracle Label Security policies and use unified auditing instead.