Auditing Enhancements (Audit Policies and Unified Audit Trail) in Oracle Database 12c Release 1 (12.1)

select
  substrb(parameter_name ,1,25) name,
  substrb(parameter_value,1,20) value,
  substrb(audit_trail    ,1,20) trail
from
  dba_audit_mgmt_config_params
;

8i | 9i | 10g | 11g | 12c | 13c | 18c | 19c | Misc | PL/SQL | SQL | RAC | WebLogic | Linux

Home » Articles » 12c » Here

Auditing Enhancements (Audit Policies and Unified Audit Trail) in Oracle Database 12c Release 1 (12.1)

The introduction of audit policies and the unified audit trail simplifies the configuration of database auditing in Oracle 12c. Database auditing has always been extremely flexible, but that flexibility has also served to make it feel complicated. The new auditing functionality can also be used to create very complicated auditing policies, but I don‘t think is how most people will want to approach it, so instead this article will focus on simple examples. Once you‘ve got to grips with the basics you can become a bit more adventurous.

Related articles.

Creating Audit Policies

Just like standard auditing that came before it, unified auditing can be used to create extremely complex auditing rules. The documentation for managing audit policies is very good, so rather than trying to duplicate that, I will just show some simple examples to give a flavour of the functionality.

It is better to create an audit policy that contains all necessary auditing for a session, rather using several small policies. Using multiple policies results in greater login overhead, greater UGA consumption and less efficient internal audit check functionality.

An audit policy is made up of several distinct clauses, some of which are optional.

CREATE AUDIT POLICY policy_name
    { {privilege_audit_clause [action_audit_clause ] [role_audit_clause ]}
        | { action_audit_clause  [role_audit_clause ] }
        | { role_audit_clause }
     }
    [WHEN audit_condition EVALUATE PER {STATEMENT|SESSION|INSTANCE}]
    [CONTAINER = {CURRENT | ALL}];

Examples of the usages are given in the sections below, but here is a quick summary of them.

  • privilege_audit_clause : Used to specify a list of system privileges to be audited.
  • action_audit_clause : Defines the actions that need to be audited. These can be standard_actions, like DELETE, or object-specific, like DELETE ON schema.table. They can also be component_actions that target specific features like data pump or SQL*Loader.
  • role_audit_clause : Specifies a list of roles. All system privileges granted via those roles are audited.
  • WHEN ... EVALUATE PER : Allows you to define an audit_condition to determine when the auditing should take place. The condition can be evaluated for each STATEMENTSESSION or INSTANCE, depending on the level of granularity the condition requires.
  • CONTAINER : Determines if an audit policy is specific to an individual PDB (CURRENT) or common to all PDBs (ALL).

This might sound a little confusing, but if you‘ve ever used database auditing in previous releases, it will quickly look quite familiar. The main thing to remember is rather than issuing the AUDIT/NOAUDIT commands directly, you create an audit policy containing the relevant pieces, then enable and disable it using the AUDIT/NOAUDIT commands.

Some of the following examples require these three test users.

CONN [email protected] AS SYSDBA

CREATE USER test IDENTIFIED BY test QUOTA UNLIMITED ON users;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE TO test;

CREATE USER test2 IDENTIFIED BY test2 QUOTA UNLIMITED ON users;
GRANT CREATE SESSION TO test2;

CREATE USER test3 IDENTIFIED BY test3 QUOTA UNLIMITED ON users;
GRANT CREATE SESSION TO test3;

In some cases the contents of the unified audit trail has been purged between tests to keep the output simple and specific to the functionality being tested.

Privilege Auditing

As the name suggests, privilege auditing allows you to audit the use of system privileges. The SYSTEM_PRIVILEGE_MAP view identifies the system privileges that can be audited.

SELECT name
FROM   system_privilege_map
ORDER BY name;

NAME
----------------------------------------
ADMINISTER ANY SQL TUNING SET
ADMINISTER DATABASE TRIGGER
.
.
.
UPDATE ANY TABLE
USE ANY SQL TRANSLATION PROFILE

237 rows selected.

SQL>

If we want to audit the creation of tables and sequences by the TEST user, we might do something like the following.

CONN [email protected] AS SYSDBA

CREATE AUDIT POLICY test_audit_policy
  PRIVILEGES CREATE TABLE, CREATE SEQUENCE
  WHEN    ‘SYS_CONTEXT(‘‘USERENV‘‘, ‘‘SESSION_USER‘‘) = ‘‘TEST‘‘‘
  EVALUATE PER SESSION
  CONTAINER = CURRENT;

AUDIT POLICY test_audit_policy;

Display the configuration of the policy.

SET LINESIZE 200
COLUMN audit_option FORMAT A15
COLUMN condition_eval_opt FORMAT A10
COLUMN audit_condition FORMAT A50

SELECT audit_option,
       condition_eval_opt,
       audit_condition
FROM   audit_unified_policies
WHERE  policy_name = ‘TEST_AUDIT_POLICY‘;

AUDIT_OPTION    CONDITION_ AUDIT_CONDITION
--------------- ---------- --------------------------------------------------
CREATE SEQUENCE SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST‘
CREATE TABLE    SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST‘

SQL>

Connect to the TEST user and create some objects.

CONN test/[email protected]

CREATE TABLE tab1 (id NUMBER);
CREATE SEQUENCE tab1_seq;

Check the audit trail. If you are in delayed-write mode, you may need to flush the audit trail before you can see the audit records.

CONN [email protected] AS SYSDBA

-- You might need to flush the audit information before it is visible.
-- EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail;

COLUMN event_timestamp FORMAT A30
COLUMN dbusername FORMAT A10
COLUMN action_name FORMAT A20
COLUMN object_schema FORMAT A10
COLUMN object_name FORMAT A20

SELECT event_timestamp,
       dbusername,
       action_name,
       object_schema,
       object_name
FROM   unified_audit_trail
WHERE  dbusername = ‘TEST‘
ORDER BY event_timestamp;

EVENT_TIMESTAMP                DBUSERNAME ACTION_NAME          OBJECT_SCH OBJECT_NAME
------------------------------ ---------- -------------------- ---------- --------------------
27-JUN-2015 10:25:37.359596    TEST       CREATE TABLE         TEST       TAB1
27-JUN-2015 10:25:37.363989    TEST       CREATE SEQUENCE      TEST       TAB1_SEQ

SQL>

Disable the policy and drop it.

NOAUDIT POLICY test_audit_policy;

DROP AUDIT POLICY test_audit_policy;

Action Auditing

Actions against all objects, specific objects or even those actions performed by specific utilities can be audited quite easily in Oracle 12c.

Create some schema objects to audit and grant access to them to the second user.

CONN test/[email protected]

DROP TABLE tab1 PURGE;
DROP SEQUENCE tab1_seq;
DROP TABLE tab2 PURGE;
DROP SEQUENCE tab2_seq;

CREATE TABLE tab1 (
  id NUMBER,
  CONSTRAINT tab1_pk PRIMARY KEY (id)
);

CREATE SEQUENCE tab1_seq;

CREATE TABLE tab2 (
  id NUMBER,
  CONSTRAINT tab2_pk PRIMARY KEY (id)
);

CREATE SEQUENCE tab2_seq;

GRANT SELECT, INSERT, UPDATE, DELETE ON tab1 TO test2;
GRANT SELECT ON tab1_seq TO test2;
GRANT SELECT, INSERT, UPDATE, DELETE ON tab2 TO test2;
GRANT SELECT ON tab2_seq TO test2;

Create and enable an audit policy that audits some actions against those objects, when performed by the TEST2 user.

CONN [email protected] AS SYSDBA

CREATE AUDIT POLICY test_audit_policy
  ACTIONS DELETE ON test.tab1,
          INSERT ON test.tab1,
          UPDATE ON test.tab1,
          SELECT ON test.tab1_seq,
          ALL ON test.tab2,
          SELECT ON test.tab2_seq
  WHEN    ‘SYS_CONTEXT(‘‘USERENV‘‘, ‘‘SESSION_USER‘‘) = ‘‘TEST2‘‘‘
  EVALUATE PER SESSION
  CONTAINER = CURRENT;

AUDIT POLICY test_audit_policy;

Display the configuration of the policy.

SET LINESIZE 200
COLUMN object_schema FORMAT A15
COLUMN object_name FORMAT A15
COLUMN object_type FORMAT A12
COLUMN audit_option FORMAT A15
COLUMN condition_eval_opt FORMAT A10
COLUMN audit_condition FORMAT A50

SELECT object_schema,
       object_name,
       object_type,
       audit_option,
       condition_eval_opt,
       audit_condition
FROM   audit_unified_policies
WHERE  policy_name = ‘TEST_AUDIT_POLICY‘;

OBJECT_SCHEMA   OBJECT_NAME     OBJECT_TYPE  AUDIT_OPTION    CONDITION_ AUDIT_CONDITION
--------------- --------------- ------------ --------------- ---------- --------------------------------------------------
TEST            TAB1            TABLE        DELETE          SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘
TEST            TAB1            TABLE        INSERT          SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘
TEST            TAB1            TABLE        UPDATE          SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘
TEST            TAB1_SEQ        SEQUENCE     SELECT          SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘
TEST            TAB2            TABLE        ALL             SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘
TEST            TAB2_SEQ        SEQUENCE     SELECT          SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘

SQL>

Perform some actions that won‘t match the policy condition.

CONN test/[email protected]

INSERT INTO tab1 (id) VALUES (tab1_seq.NEXTVAL);
INSERT INTO tab2 (id) VALUES (tab2_seq.NEXTVAL);
COMMIT;

Perform some actions that will match the policy condition.

CONN test2/[email protected]

UPDATE test.tab1 SET id = test.tab1_seq.NEXTVAL;
UPDATE test.tab2 SET id = test.tab2_seq.NEXTVAL;
DELETE FROM test.tab1;
DELETE FROM test.tab2;
COMMIT;

Check the audit trail. If you are in delayed-write mode, you may need to flush the audit trail before you can see the audit records.

CONN [email protected] AS SYSDBA

-- You might need to flush the audit information before it is visible.
-- EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail;

COLUMN event_timestamp FORMAT A30
COLUMN dbusername FORMAT A10
COLUMN action_name FORMAT A20
COLUMN object_schema FORMAT A10
COLUMN object_name FORMAT A20

SELECT event_timestamp,
       dbusername,
       action_name,
       object_schema,
       object_name
FROM   unified_audit_trail
WHERE  dbusername LIKE ‘TEST%‘
ORDER BY event_timestamp;

EVENT_TIMESTAMP                DBUSERNAME ACTION_NAME          OBJECT_SCH OBJECT_NAME
------------------------------ ---------- -------------------- ---------- --------------------
27-JUN-2015 10:41:40.070965    TEST2      SELECT               TEST       TAB1_SEQ
27-JUN-2015 10:41:40.071033    TEST2      UPDATE               TEST       TAB1
27-JUN-2015 10:41:40.073326    TEST2      SELECT               TEST       TAB2_SEQ
27-JUN-2015 10:41:40.073347    TEST2      UPDATE               TEST       TAB2
27-JUN-2015 10:41:40.074657    TEST2      DELETE               TEST       TAB1
27-JUN-2015 10:41:40.076132    TEST2      DELETE               TEST       TAB2

SQL>

Amend the audit policy and check the changes have been reflected in the configuration.

ALTER AUDIT POLICY test_audit_policy
  DROP ACTIONS ALL ON test.tab2,
               SELECT ON test.tab2_seq;

SET LINESIZE 200
COLUMN object_schema FORMAT A15
COLUMN object_name FORMAT A15
COLUMN object_type FORMAT A12
COLUMN audit_option FORMAT A15
COLUMN condition_eval_opt FORMAT A10
COLUMN audit_condition FORMAT A50

SELECT object_schema,
       object_name,
       object_type,
       audit_option,
       condition_eval_opt,
       audit_condition
FROM   audit_unified_policies
WHERE  policy_name = ‘TEST_AUDIT_POLICY‘;

OBJECT_SCHEMA   OBJECT_NAME     OBJECT_TYPE  AUDIT_OPTION    CONDITION_ AUDIT_CONDITION
--------------- --------------- ------------ --------------- ---------- --------------------------------------------------
TEST            TAB1            TABLE        DELETE          SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘
TEST            TAB1            TABLE        INSERT          SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘
TEST            TAB1            TABLE        UPDATE          SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘
TEST            TAB1_SEQ        SEQUENCE     SELECT          SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘

SQL>

Disable and drop the audit policy, then check the changes have been reflected in the configuration.

NOAUDIT POLICY test_audit_policy;

DROP AUDIT POLICY test_audit_policy;

SET LINESIZE 200
COLUMN object_schema FORMAT A15
COLUMN object_name FORMAT A15
COLUMN object_type FORMAT A12
COLUMN audit_option FORMAT A15
COLUMN condition_eval_opt FORMAT A10
COLUMN audit_condition FORMAT A50

SELECT object_schema,
       object_name,
       object_type,
       audit_option,
       condition_eval_opt,
       audit_condition
FROM   audit_unified_policies
WHERE  policy_name = ‘TEST_AUDIT_POLICY‘;

no rows selected

SQL>

In the above examples the audit policies were object specific. We could have omitted the ON object-name part of the action to make it apply to all objects. If we wanted to audit all DML and queries issued by the TEST2 user, we might create a policy like the following.

CREATE AUDIT POLICY test_audit_policy
  ACTIONS DELETE, INSERT, UPDATE, SELECT
  WHEN    ‘SYS_CONTEXT(‘‘USERENV‘‘, ‘‘SESSION_USER‘‘) = ‘‘TEST2‘‘‘
  EVALUATE PER SESSION
  CONTAINER = CURRENT;

--DROP AUDIT POLICY test_audit_policy;

Component Action Auditing

Rather than auditing actions on specific objects, you can instead audit actions relevant to specific functionality or utilities, such as Oracle Label Security (OLS), Real Application Security, Database Vault, Data Pump or SQL*Loader. There are two examples of component_action auditing linked below.

Role Auditing

It is possible to audit all system privileges granted via a built-in or custom role using an audit policy.

Create a new role, then grant privileges on the TEST objects via the new role.

CONN [email protected] AS SYSDBA

CREATE ROLE create_table_role;
GRANT CREATE TABLE TO create_table_role;

GRANT create_table_role TO test3;

Create an audit policy based on all the system privileges associated with the role. Enable the auditing policy and check the configuration.

CREATE AUDIT POLICY create_table_role_policy
  ROLES create_table_role
  WHEN    ‘SYS_CONTEXT(‘‘USERENV‘‘, ‘‘SESSION_USER‘‘) = ‘‘TEST3‘‘‘
  EVALUATE PER SESSION
  CONTAINER = CURRENT;

AUDIT POLICY create_table_role_policy;

SET LINESIZE 200
COLUMN audit_option FORMAT A20
COLUMN condition_eval_opt FORMAT A10
COLUMN audit_condition FORMAT A50

SELECT audit_option,
       audit_option_type,
       condition_eval_opt,
       audit_condition
FROM   audit_unified_policies
WHERE  policy_name = ‘CREATE_TABLE_ROLE_POLICY‘;

AUDIT_OPTION         AUDIT_OPTION_TYPE  CONDITION_ AUDIT_CONDITION
-------------------- ------------------ ---------- --------------------------------------------------
CREATE_TABLE_ROLE    ROLE PRIVILEGE     SESSION    SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST3‘

SQL>

Perform some actions that will match the policy condition.

CONN test3/[email protected]

CREATE TABLE tab1 (id NUMBER);

Check the audit trail. If you are in delayed-write mode, you may need to flush the audit trail before you can see the audit records.

CONN [email protected] AS SYSDBA

-- You might need to flush the audit information before it is visible.
-- EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail;

COLUMN event_timestamp FORMAT A30
COLUMN dbusername FORMAT A10
COLUMN action_name FORMAT A20
COLUMN object_schema FORMAT A10
COLUMN object_name FORMAT A20

SELECT event_timestamp,
       dbusername,
       action_name,
       object_schema,
       object_name
FROM   unified_audit_trail
WHERE  dbusername = ‘TEST3‘
ORDER BY event_timestamp;

EVENT_TIMESTAMP                DBUSERNAME ACTION_NAME          OBJECT_SCH OBJECT_NAME
------------------------------ ---------- -------------------- ---------- --------------------
27-JUN-2015 10:48:40.744492    TEST3      CREATE TABLE         TEST3      TAB1

SQL>

Disable and drop the policy.

NOAUDIT POLICY create_table_role_policy;

DROP AUDIT POLICY create_table_role_policy;

Unified Audit Trail Administration

Administration of the unified audit trail can seem a little complicated at first, but there are a few things to keep in mind.

  • Unified auditing works by default, so you don‘t need to do anything to get started.
  • The default settings are OK. You will probably only have to focus on your specific audit policies.
  • Setting up an archival and purging process will need some thought, but you will probably only do this once in the lifetime of your database, so don‘t get scared off by this aspect of auditing.

With that said, the remaining parts of this article will explain how to perform some of the basic administration tasks.

For brevity, I will avoid repetition of functionality explained in previous articles, but links will be provided.

Available By Default

The unified audit trail and audit policy functionality is available by default in all editions, but it can run in two modes. By default it runs in mixed mode, which means you can combine traditional auditing with unified auditing. The following query shows that "pure" unified auditing is not enabled, which means we are running in mixed mode.

SELECT value FROM v$option WHERE parameter = ‘Unified Auditing‘;

VALUE
----------------------------------------------------------------
FALSE

SQL>

All the functionality of unified auditing is still available, but you may still need to consider the AUDIT_TRAIL parameter, as it still controls how the traditional auditing is performed.

Enable/Disable Pure Unified Auditing

Running in mixed mode is perfectly acceptable, but you can choose to switch to pure unified auditing, so the traditional auditing functionality is no longer available. This is done by relinking the Oracle binaries as follows.

sqlplus / as sysdba <<EOF
SHUTDOWN IMMEDIATE;
EXIT
EOF

cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_on ioracle

sqlplus / as sysdba <<EOF
STARTUP;
EXIT
EOF

After restarting, the banner will include the "Unified Auditing" option and we can see the unified auditing option is enabled.

$ sqlplus / as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Mon Jun 1 11:35:52 2015

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing
and Unified Auditing options

SQL> SELECT value FROM v$option WHERE parameter = ‘Unified Auditing‘;

VALUE
----------------------------------------------------------------
TRUE

SQL>

Switching back to mixed mode involves a relink again.

sqlplus / as sysdba <<EOF
SHUTDOWN IMMEDIATE;
EXIT
EOF

cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_off ioracle

sqlplus / as sysdba <<EOF
STARTUP;
EXIT
EOF

After restarting, the banner no longer includes the "Unified Auditing" option and we can see the unified auditing option is disabled.

$ sqlplus / as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Mon Jun 1 11:35:52 2015

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> SELECT value FROM v$option WHERE parameter = ‘Unified Auditing‘;

VALUE
----------------------------------------------------------------
FALSE

SQL>

For Windows, the documentation suggests it is just a case of turning the services off and moving the relevant DLL. I‘ve not tried this, so I can‘t guarantee it works.

Rem Enable
%ORACLE_HOME%/bin/orauniaud12.dll.dbl file to %ORACLE_HOME%/bin/orauniaud12.dll

Rem Disable
%ORACLE_HOME%/bin/orauniaud12.dll file to %ORACLE_HOME%/bin/orauniaud12.dll.dbl

Audit Trail Security

Maintenance of the audit trail and audit policies is limited to those users granted the AUDIT_ADMIN role.

The AUDIT_VIEWER role can be granted to users who need to view the audit information, but not manage the audit trail or audit policies.

Under unified auditing, users are no longer able to create auditing policies against their own objects. For backwards compatibility, this is still possible for traditional auditing. This is possibly a reason to move away from mixed-mode auditing.

Write Mode

For performance reasons unified auditing uses a queued-write mechanism, so audited actions are written to the SGA and periodically pushed out to disk. This can result in loss of audit records during an instance crash, since the records may not be pushed out to disk before the instance fails. If this represents a problem, the write mode can be altered to immediate-write, so the audit actions are pushed directly to disk, but this will result in auditing having a greater overhead. The following code shows how to switch between these two modes. In a multitenant environment, these setting are container-specific.

-- Switch to immediate-write.
BEGIN
  DBMS_AUDIT_MGMT.set_audit_trail_property(
    audit_trail_type           => DBMS_AUDIT_MGMT.audit_trail_unified,
    audit_trail_property       => DBMS_AUDIT_MGMT.audit_trail_write_mode,
    audit_trail_property_value => DBMS_AUDIT_MGMT.audit_trail_immediate_write
  );
END;
/

-- Switched to queued-write.
BEGIN
  DBMS_AUDIT_MGMT.set_audit_trail_property(
    audit_trail_type           => DBMS_AUDIT_MGMT.audit_trail_unified,
    audit_trail_property       => DBMS_AUDIT_MGMT.audit_trail_write_mode,
    audit_trail_property_value => DBMS_AUDIT_MGMT.audit_trail_queued_write
  );
END;
/

The size of the queue in the SGA is controlled by the UNIFIED_AUDIT_SGA_QUEUE_SIZE initialization parameter, which can be set to values between 1-30MB, with the default being 1MB. Each RAC instance can have a different value.

As a consequence of running in queued-write mode, in some cases, especially while testing or before maintenance, it may be necessary to flush audit records to the audit trail. This can be done using the FLUSH_UNIFIED_AUDIT_TRAIL procedure. It accepts the FLUSH_TYPE and CONTAINER parameters, which allow the following variations.

-- Flush records to audit trail for the current container in the current instance.
EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail;

EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail(flush_type => DBMS_AUDIT_MGMT.flush_current_instance);

EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail(container => DBMS_AUDIT_MGMT.container_current);

BEGIN
  DBMS_AUDIT_MGMT.flush_unified_audit_trail(
    flush_type => DBMS_AUDIT_MGMT.flush_current_instance,
    container  => DBMS_AUDIT_MGMT.container_current);
END;
/

-- Flush records to audit trail for all containers in the current instance.
-- Must be run from root container.
EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail(container => DBMS_AUDIT_MGMT.container_all);

BEGIN
  DBMS_AUDIT_MGMT.flush_unified_audit_trail(
    flush_type => DBMS_AUDIT_MGMT.flush_current_instance,
    container  => DBMS_AUDIT_MGMT.container_all);
END;
/

-- Flush records to audit trail for the all RAC instances. Current Container.
EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail(flush_type => DBMS_AUDIT_MGMT.flush_all_instances);

BEGIN
  DBMS_AUDIT_MGMT.flush_unified_audit_trail(
    flush_type => DBMS_AUDIT_MGMT.flush_all_instances,
    container  => DBMS_AUDIT_MGMT.container_current);
END;
/

-- Flush records to audit trail for the all RAC instances. All Containers.
-- Must be run from root container.
BEGIN
  DBMS_AUDIT_MGMT.flush_unified_audit_trail(
    flush_type => DBMS_AUDIT_MGMT.flush_all_instances,
    container  => DBMS_AUDIT_MGMT.container_all);
END;
/

Purging the Unified Audit Trail

Oracle 11g Release 2 introduced the DBMS_AUDIT_MGMT package to manage the audit trail. Oracle 12c uses the same functionality to archive and purge the unified audit trail, described here, with the addition of constants to identify the unified audit trail. For mixed mode auditing environments, remember to manage both the conventional audit trails as well as the unified audit trail.

The following example shows how to set the last archived time for the unified audit trail and manually purge audit records older than that time. Remember to archive records before purging them if you need to store them long term.

-- Set the last archive timestamp.
BEGIN
  DBMS_AUDIT_MGMT.set_last_archive_timestamp(
    audit_trail_type     => DBMS_AUDIT_MGMT.audit_trail_unified,
    last_archive_time    => SYSTIMESTAMP-5,
    --rac_instance_number  =>  1,
    container            => DBMS_AUDIT_MGMT.container_current
  );
END;
/

-- Check the new setting.
COLUMN audit_trail FORMAT A20
COLUMN last_archive_ts FORMAT A40

SELECT audit_trail,
       last_archive_ts
FROM   dba_audit_mgmt_last_arch_ts;

AUDIT_TRAIL          LAST_ARCHIVE_TS
-------------------- ----------------------------------------
UNIFIED AUDIT TRAIL  10-JUN-15 13.48.14.000000 +00:00

SQL>

-- Manually purge the audit trail to the last archive timestamp.
SELECT COUNT(*) FROM unified_audit_trail;

  COUNT(*)
----------
        49

SQL>

BEGIN
  DBMS_AUDIT_MGMT.clean_audit_trail(
   audit_trail_type        => DBMS_AUDIT_MGMT.audit_trail_unified,
   use_last_arch_timestamp => TRUE);
END;
/

SELECT COUNT(*) FROM unified_audit_trail;

  COUNT(*)
----------
         4

SQL>

You can automate purging by creating a purge job, as described here.

Updates in 12.2

One of the main criticisms of the unified audit trail in 12.1 was the performance. In 12.2 the unified audit trail now resides in a conventional table called AUDSYS.AUD$UNIFIED. When you upgrade a database you can choose to migrate the existing audit information to this table using the TRANSFER_UNIFIED_AUDIT_RECORDS in the DBMS_AUDIT_MGMT, which should give better performance.

For more information see:

原文地址:https://www.cnblogs.com/yaoyangding/p/12258260.html

时间: 2024-10-13 19:40:20

Auditing Enhancements (Audit Policies and Unified Audit Trail) in Oracle Database 12c Release 1 (12.1)的相关文章

Auditing Enhancements (DBMS_AUDIT_MGMT) in Oracle Database 11g

Auditing Enhancements (DBMS_AUDIT_MGMT) in Oracle Database 11g Release 2 Oracle 11g Release 1 turned on auditng by default for the first time. Oracle 11g Release 2 now allows better management of the audit trail using the DBMS_AUDIT_MGMT package. Mov

Trail: JDBC(TM) Database Access1

package com.oracle.tutorial.jdbc; import java.sql.BatchUpdateException; import java.sql.Connection; import java.sql.DriverManager; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Savepoint;

12C预定义audit policies

在12C中,预定义了三种审计策略:ora_secureconfig,ora_database_parameter,ora_account_mgmt可以通过脚本$ORACLE_HOME/rdbms/admin/secconf.sql脚本来创建这个三个预定义审计策略,并开启ora_secureconfig策略,另外两个不是默认开启. ora_account_mgmt:审计用户账户和权限ora_database_parameter:审计对数据库参数修改行为ora_secureconfig:包含11g中

Oracle列自增实现(3)-DEFAULT Values Using Sequences

Oracle 12c中,可以使用序列的NEXTVAL and CURRVAL的值作为默认值,来实现列自增! 一.使用序列的NEXTVAL and CURRVAL的值作为默认值 创建序列 CREATE SEQUENCE t1_seq; 建表 CREATE TABLE t1 ( id NUMBER DEFAULT t1_seq.NEXTVAL, description VARCHAR2(30) ); 插入数据 INSERT INTO t1 (description) VALUES ('DESCRIP

Oracle 11g Articles

发现一个比较有意思的网站,http://www.oracle-base.com/articles/11g/articles-11g.php Oracle 11g Articles Oracle Database 11g: New Features For Administrators OCP Exam Articles Oracle Database 11g Release 1: Miscellaneous Articles Oracle Database 11g Release 2: Misc

探索Oracle之数据库升级十 12c(12.1.0.2)CPU 19774304

探索Oracle之数据库升级十 12c(12.1.0.2)CPU 19774304 一.   补丁描述 参考metalink doc: (Doc ID 19774304.8) Bug19774304 - 12.1.0.2 Bundle Patch 2 for Engineered Systems and DB In-Memory (Nov2014) (Doc ID 19774304.8) 二.   补丁包含 19649591 DATABASE BUNDLE PATCH 12.1.0.2.2 (O

Database Initialization Parameters for Oracle E-Business Suite Release 12

In This Document Section 1: Common Database Initialization Parameters For All Releases Section 2: Release-Specific Database Initialization Parameters For Oracle 10g Release 2 Section 3: Release-Specific Database Initialization Parameters For Oracle 1

ipv6,/etc/hosts配置文件解析问题

客户反馈,11.2.0.4,Linux7  GI集群软件,Oracle软件均已正常安装完毕. DBCA建库,出现 VIP do not all share the same subnetwork,or the vip subnetwok does not match that of any public network interface in the cluster 一 .观察问题 查询集群资源状态 Cluster Resources -----------------------------

P6 EPPM Installation and Configuration Guide 16 R1 April 2016

P6 EPPM Installation and Configuration Guide 16 R1         April 2016 Contents About Installing and Configuring P6 EPPM ........................................................ 6 Prerequisites for P6 EPPM Configuration ...............................