{"id":199,"date":"2024-04-09T15:01:27","date_gmt":"2024-04-09T13:01:27","guid":{"rendered":"http:\/\/130.61.57.200\/?p=199"},"modified":"2024-04-09T15:01:27","modified_gmt":"2024-04-09T13:01:27","slug":"manage-audit-in-oracle","status":"publish","type":"post","link":"http:\/\/130.61.57.200\/index.php\/2024\/04\/09\/manage-audit-in-oracle\/","title":{"rendered":"Manage Audit in Oracle"},"content":{"rendered":"\n

Enable Unified Auditing<\/h4>\n\n\n\n

To enable Unified Auditing (being available since 12c) stop instance and listener and relink auditing library:<\/p>\n\n\n\n

Check current value:
SELECT value FROM v$option WHERE parameter = ‘Unified Auditing’;
Let’s assume it is FALSE.
Stop instance.

Go to library directory and relink:
cd $ORACLE_HOME\/rdbms\/lib
make -f ins_rdbms.mk unaiaud_on ioracle

Start the instance

Check the value again.
Now it should be TRUE.<\/p>\n\n\n\n

Audit Parameters<\/h4>\n\n\n\n

To check current audit settings we need to check two places:<\/p>\n\n\n\n

Audit parameters:
show parameter audit<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

audit_file_dest <\/strong>specifies the operating system directory into which the audit trail is written when the AUDIT_TRAIL<\/code> initialization parameter is set to os<\/strong>, xml<\/strong>, or xml,extended<\/strong>.
audit_sys_operations <\/strong>enables or disables the auditing of directly issued user SQL statements with SYS<\/code> authorization. These include SQL statements directly issued by users when connected with the SYSASM<\/code>, SYSBACKUP<\/code>, SYSDBA<\/code>, SYSDG<\/code>, SYSKM<\/code>, or SYSOPER<\/code> privileges, as well as SQL statements that have been executed with SYS<\/code> authorization using the PL\/SQL package DBMS_SYS_SQL<\/code>.
audit_syslog_level <\/strong>allows SYS<\/code> and standard OS<\/code> audit records to be written to the system audit log using the SYSLOG<\/code> utility.
audit_trail <\/strong>enables or disables database auditing. Values are none<\/strong>, os <\/strong>(directing audit records to files), db <\/strong>(logging in SYS.AUD$ table), db,extended<\/strong> (extends db by keeping sql and variables information also), xml<\/strong> (writes in XML files) and xml,extended<\/strong> (extends xml by keeping sql and variables information also).
unified_audit_common_systemlog <\/strong>specifies whether key fields of unified audit records generated due to common audit policies will be written to the SYSLOG utility.
unified_audit_sga_queue_size <\/strong>specifies the size in bytes of SGA queue for unified auditing.
unified_audit_systemlog <\/strong>specifies whether key fields of unified audit records will be written to the SYSLOG utility (on UNIX platforms) or to the Windows Event Viewer (on Windows). In a CDB, this parameter is a per-PDB static initialization parameter.<\/p>\n\n\n\n

Audit Management Configuration Parameters<\/h4>\n\n\n\n

Check Audit Management configuration parameters with:
select * from dba_audit_mgmt_config_params;<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Use DBMS_AUDIT_MGMT  package to manage auditing:<\/p>\n\n\n\n

Change Default Audit Tablespace<\/h4>\n\n\n\n

Change the tablespace of the UNIFIED_AUDIT_TRAIL view tables with subprogram set_audit_trail_location <\/strong>accepting two parameters: audit_trail_type <\/strong>of PLS_INTEGER type and audit_trail_location_value <\/strong>of VARCHAR2 type. An example follows that makes UNIFIED_AUDIT_TRAIL tables use AUDIT_TBS tablespace:<\/p>\n\n\n\n

begin
dbms_audit_mgmt.set_audit_trail_location(
audit_trail_type => dbms_audit_mgmt.audit_trail_unified,
audit_trail_location_value => ‘AUDIT_TBS’);
end;
\/<\/p>\n\n\n\n

Other audit_trail_type values are:
dbms_audit_mgmt.audit_trail_aud_std and dbms_audit_mgmt.audit_trail_fga_std<\/p>\n\n\n\n

Change partition interval of audit<\/h4>\n\n\n\n

Setup cleanup job<\/h4>\n\n\n\n
exec DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP (AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,LAST_ARCHIVE_TIME => sysdate-7)<\/pre>\n\n\n\n
See enabled policies<\/h4>\n\n\n\n
There are two default policies enabled by Oracle:ORA_SECURECONFIG and ORA_LOGON_FAILURES:<\/p>\n\n\n\n
select * from audit_enabled_policies;<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Action audited from these policies:<\/p>\n\n\n\n
SELECT policy_name,  audit_option,  condition_eval_opt,audit_condition  FROM   audit_unified_policies
WHERE  policy_name in (‘ORA_SECURECONFIG’,’ORA_LOGON_FAILURES’)
order by 1 ,2;<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Create Audit Policy<\/h4>\n\n\n\n
Let’s create a policy for example let’s log all password changes in all containers:<\/p>\n\n\n\n
In root:
CREATE AUDIT POLICY POLICY_PASSWORD_CHANGE ACTIONS CHANGE PASSWORD CONTAINER=ALL;
And enable it with:
AUDIT POLICY_PASSWORD_CHANGE;<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Disable policy with:
NOAUDIT POLICY_PASSWORD_CHANGE;<\/p>\n\n\n\n
Drop it with:
DROP AUDIT POLICY POLICY_PASSWORD_CHANGE;
You cannot drop an enabled audit policy; you must disable it first.<\/p>\n","protected":false},"excerpt":{"rendered":"
Enable Unified Auditing To enable Unified Auditing (being available since 12c) stop instance and listener and relink auditing library: Check current value:SELECT value FROM v$option WHERE parameter = ‘Unified Auditing’;Let’s assume it is FALSE.Stop instance. Go to library directory and relink:cd $ORACLE_HOME\/rdbms\/libmake -f ins_rdbms.mk unaiaud_on ioracle Start the instance Check the value again.Now it should […]<\/p>\n","protected":false},"author":1,"featured_media":106,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[66],"class_list":["post-199","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oracle","tag-audit"],"blocksy_meta":[],"_links":{"self":[{"href":"http:\/\/130.61.57.200\/index.php\/wp-json\/wp\/v2\/posts\/199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/130.61.57.200\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/130.61.57.200\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/130.61.57.200\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/130.61.57.200\/index.php\/wp-json\/wp\/v2\/comments?post=199"}],"version-history":[{"count":15,"href":"http:\/\/130.61.57.200\/index.php\/wp-json\/wp\/v2\/posts\/199\/revisions"}],"predecessor-version":[{"id":223,"href":"http:\/\/130.61.57.200\/index.php\/wp-json\/wp\/v2\/posts\/199\/revisions\/223"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/130.61.57.200\/index.php\/wp-json\/wp\/v2\/media\/106"}],"wp:attachment":[{"href":"http:\/\/130.61.57.200\/index.php\/wp-json\/wp\/v2\/media?parent=199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/130.61.57.200\/index.php\/wp-json\/wp\/v2\/categories?post=199"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/130.61.57.200\/index.php\/wp-json\/wp\/v2\/tags?post=199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}