Oracle Security: audit

Oracle comes with two auditing variations:

• Traditional audting
• Unified auditing

Traditional auditing allows to

• Track SQL execution (who, when etc.)
• Operations on a given object

The so called unified audit trail stores audit records that are generated in multiple source (compare with v$unified_audit_record_format):

• Audit records (including SYS audit records) from unified audit policies and AUDIT settings
• Fine grainded auditing (dbms_fga)
• Oracle Database Real Application Security
• Oracle Recovery Manager
• Oracle Database Vault
• Oracle Label Security
• Oracle Machine Learning for SQL
• Oracle Data Pump
• Oracle SQL*Loader Direct Load
• Oracle XML DB HTTP and FTP protocol messages

Unified auditing was introduced in Oracle 12c, traditional auditing is deprecated with Oracle 21c.

v$option can be queried to determine if unified auditing is enabled:

select value from v$option where parameter = 'Unified Auditing';

In order to make transition from traditional to unified auditing easier, there is a so called mixed mode audit facility with which traditional audting can be used alongside unified audting.

$ORACLE_HOME/rdbms/admin/cataudit.sql.

x$unified_audit_trail

v$unified_audit_trail

all_def_audit_opts

The init parameters

• audit_trail
• audit_file_dest
• audit_sys_operations
• audit_syslog_level

Oracle security