Mandatory Auditing - Oracle 12c Always-On-Auditing

Certainly from an auditing and logging perspective, one of the best new features delivered by Oracle 12c is mandatory auditing of the administrative users such as SYSDBA.  This can be described as ‘always on auditing’.  By default, the following audit related activities are now mandatorily audited -

• CREATE AUDIT POLICY
• ALTER AUDIT POLICY
• DROP AUDIT POLICY
• AUDIT
• NOAUDIT
• EXECUTE of the DBMS_FGA PL/SQL package
• EXECUTE of the DBMS_AUDIT_MGMT PL/SQL package
• All configuration changes that are made to Oracle Database Vault
• ALTER TABLE attempts on the AUDSYS audit trail table (this table cannot be altered)
• Top level statements by administrative users SYS, SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSDG, and SYSKM, until the database opens.  When the database opens, Oracle Database audits these users using the audit configurations in the system.

The audit activity resulting from mandatory auditing can be found in SYS.UNIFIED_AUDIT_TRAIL. 

Note when the database is not writable (such as during database mounting), if the database is closed, or if it is read-only, then Oracle writes the audit records to external files in the $ORACLE_BASE/audit/$ORACLE_SID directory. 

Note: Activity and be found in SYS.UNIFIED_AUDIT_TRAIL when in pure mode and to the traditional audit trails in mixed mode.

If you have questions, please contact us at mailto:info@integrigy.com

Reference

• Integrigy Oracle 12c Unified Auditing Whitepaper Oracle 12c Unified Auditing
• Oracle Database Security Guide
  12c Release 1 Guide: http://docs.oracle.com/database/121/DBSEG/audit_admin.htm#DBSEG361