Introduction to Auditing

Privileged users can create policies that track the changes that all users, including other privileged users, make in the database. Note: Except where noted, this part describes how to use pure unified auditing, in which all audit records are centralized in one place.

What Is Auditing?

Auditing is the monitoring and recording of database activity, from both database users and nondatabase users.

“Nondatabase users” refers to application users who are recognized in the database using the CLIENT_IDENTIFIER attribute. To audit this type of user, you can use a unified audit policy condition, a fine-grained audit policy, or Oracle Database Real Application Security.

This guide describes how to use unified auditing to create policies that consolidate audit trails from different Oracle Database components, such as fine-grained auditing or Oracle Database Vault, into one consolidated audit trail. This audit trail is viewable in the UNIFIED_AUDIT_TRAIL data dictionary view. (Other unified audit trail views, such as AUDIT_UNIFIED_POLICIES, are available.) A consolidated audit data trail enables you to run analysis reports on an entire set of audit data in one operation, rather than having to first gather them into one location before performing the analysis. Audit mining tools such as Oracle Audit Vault can look at one location rather than several in order to gather audit records. A unified audit trail ensures that the audit information is consistently formatted and contains consistent fields.

Alternatively, you can use traditional auditing, which is described in the Oracle Database release 11.2 Oracle Database Security Guide.

You can base auditing on individual actions, such as the type of SQL statement executed, or on combinations of session metadata that can include the user name, application, time, and so on.

You can configure auditing for both successful and failed operations, however, parse or syntax errors are not audited. Additionally, you can include or exclude specific users from the audit. In a multitenant environment, you can audit individual actions of the pluggable database (PDB) or individual actions in the entire multitenant container database (CDB). In addition to auditing the standard activities the database provides, auditing can include activities from Oracle Database Real Application Security, Oracle Recovery Manager, Oracle Data Pump, Oracle Data Mining, Oracle Database Vault, Oracle Label Security, and Oracle SQL*Loader direct path events.

Auditing is enabled by default. All audit records are written to the unified audit trail in a uniform format and are made available through the UNIFIED_AUDIT_TRAIL view. These records reside in the AUDSYS schema. The audit records are stored in the SYSAUX tablespace by default. Oracle recommends that you configure a different tablespace for the unified audit trail, which you can do by using the DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION procedure. Be aware that for Oracle Database Standard Edition and Express Edition, but not for Enterprise Edition, you can only associate the tablespace for unified auditing once. You should perform this association before you generate any audit records for the unified audit trail. After you have associated the tablespace, you cannot modify it because partitioning is only supported on Enterprise Edition.

You can configure auditing by using any of the following methods:

Oracle recommends that you audit your databases. Auditing is an effective method of enforcing strong internal controls so that your site can meet its regulatory compliance requirements, as defined in the Sarbanes-Oxley Act. This enables you to monitor business operations, and find any activities that may deviate from company policy. Doing so translates into tightly controlled access to your database and the application software, ensuring that patches are applied on schedule and preventing ad hoc changes. By creating effective audit policies, you can generate an audit record for audit and compliance personnel. Be selective with auditing and ensure that it meets your business compliance needs.

Why Is Auditing Used?

You typically use auditing to monitor user activity.

Auditing can be used to accomplish the following:

Best Practices for Auditing

You should follow best practices guidelines for auditing.

What Is Unified Auditing?

In unified auditing, the unified audit trail captures audit information from a variety of sources.

Unified auditing enables you to capture audit records from the following sources:

The unified audit trail table AUD$UNIFIED is a specialized table in the AUDSYS schema in the SYSAUX tablespace which allows only INSERT activity. Any attempt to directly truncate, delete or update contents of the AUD$UNIFIED table fail, and generate audit records. Audit data is managed using the built-in audit data management DBMS_AUDIT_MGMT package. The audit data is made available in a uniform format in the UNIFIED_AUDIT_TRAIL data dictionary view for the end user. In addition to the user SYS, users who have been granted the AUDIT_ADMIN and AUDIT_VIEWER roles can query these views. If your users only need to query the views but not create audit policies, then grant them the AUDIT_VIEWER role.

When the database is writeable, audit records are written to the unified audit trail. If the database is not writable, then audit records are written to new format operating system files in the $ORACLE_BASE/audit/$ORACLE_SID directory.

Benefits of the Unified Audit Trail

The benefits of a unified audit trail are many.

For example:

Checking if Your Database Has Migrated to Pure Unified Auditing

The V$OPTION dynamic view indicates if your database has been migrated to using pure unified auditing (that is, traditional auditing is turned off).

SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

PARAMETER         VALUE

----------------  ----------
Unified Auditing  TRUE

This output shows that unified auditing is enabled and traditional auditing is disabled. If pure unified auditing has not been enabled, then the output is FALSE, which implies that your database is using mixed mode auditing. Mixed mode auditing means that both traditional auditing and unified auditing are present.

Mixed Mode Auditing

Mixed mode auditing is the default auditing in a newly installed database.

About Mixed Mode Auditing

Mixed mode auditing enables both traditional (that is, the audit facility from releases earlier than release 12c) and the new audit facilities (unified auditing).

When you create a new database, by default the database uses mixed mode auditing.

You can enable the database in either of these two modes: the mixed mode auditing or pure unified auditing mode. Even though the features of unified auditing are enabled in both these modes, there are differences between them. In mixed mode, you can use the new unified audit facility alongside the traditional auditing facility. In pure unified auditing, you only use the unified audit facility. The following table summarizes the features of these two modes and how you enable them.

Mode Features How to Enable
Mixed mode auditing Has both traditional and unified auditing Ensure that at least one unified audit policy is enabled in your database. Typically you will see the ORA_SECURECONFIG and ORA_LOGON_FAILURES policies enabled by default.
Pure unified auditing Has only unified auditing; traditional auditing is turned off Link the oracle binary with uniaud_on, and then restart the database. Relinking the binary turns off traditional audit. After you have decided to use pure unified auditing, you can relink the oracle binary with the unified audit option turned on. This turns off traditional auditing. Oracle Database Upgrade Guide describes how to enable pure unified auditing.

Mixed mode is intended to introduce unified auditing, so that you can have a feel of how it works and what its nuances and benefits are. Mixed mode enables you to migrate your existing applications and scripts to use unified auditing. Once you have decided to use pure unified auditing, you can relink the oracle binary with the unified audit option turned on and thereby enable it as the one and only audit facility the Oracle database runs. If you decide to revert back to mixed mode, you can.

As in previous releases, the traditional audit facility is driven by the AUDIT_TRAIL initialization parameter. Only for mixed mode auditing, you should set this parameter to the appropriate traditional audit trail. This traditional audit trail will then be populated with audit records, along with the unified audit trail.

When you upgrade your database to the current release, traditional auditing is preserved, and the new audit records are written to the traditional audit trail. After you complete the migration, the audit records from the previous release are still available in those audit trails. You then can archive and purge these older audit trails by using the DBMS_AUDIT_MGMT PL/SQL procedures, based on your enterprise retention policies.

Enablement of Unified Auditing

By default and depending on the edition of Oracle Database, Oracle Database uses mixed mode auditing, supporting both unified audit and traditional audit.

When you are ready to migrate to pure unified audit mode (which turns off traditional audit and improves audit performance), link the oracle binary with uniaud_on, and then restart the database, as described in Oracle Database Upgrade Guide.

How Database Creation Determines the Type of Auditing You Have Enabled

Unified auditing uses the $ORACLE_BASE/audit directory as the location for the operating system files.

For newly created databases, mixed mode auditing is enabled by default through the predefined policies ORA_SECURECONFIG and ORA_LOGON_FAILURES.

Ensure that at least one unified audit policy is enabled in your database. Enable the ORA_SECURECONFIG and ORA_LOGON_FAILURES policies if they are not yet enabled. Note that Oracle Database has mandatory audits that cannot be turned off, so auditing of the most common security relevant events will continue to happen even if none of the unified audit policies are enabled.

Capabilities of Mixed Mode Auditing

Mixed mode auditing provides several capabilities.

These capabilities are as follows:

Who Can Perform Auditing?

Oracle provides two roles for users who perform auditing: AUDIT_ADMIN and AUDIT_VIEWER.

The privileges that these roles provide are as follows:

To change audit policies or modify the audit trail (including purging old audit data), you must be granted the AUDIT_ADMIN role. An auditor can view audit data after being granted the AUDIT_VIEWER role.

Unified Auditing in a Multitenant Environment

You can apply audit settings to individual PDBs or to the CDB, depending on the type of policy.

Each PDB, including the root, has its own unified audit trail.

Auditing in a Distributed Database

Auditing is site autonomous in that a database instance audits only the statements issued by directly connected users.

A local Oracle Database node cannot audit actions that take place in a remote database.