Exploring Oracle 12c Unified Auditing

After installing and starting up your oracle 12c database, check that the “Unified Auditing” status by default it should be “FALSE”.

When you create a new database, by default the database uses mixed mode auditing, which enables both traditional (that is, the audit facility from releases earlier than Release 12c) and the new audit facilities (unified auditing). This chapter describes how to use pure unified auditing only.

You can enable the database in either of these two modes: the mixed mode auditing or pure unified auditing mode. Even though the features of unified auditing are enabled in both these modes, there are differences between them. In mixed mode, you can use the new unified audit facility alongside the traditional auditing facility. In pure unified auditing, you only use the unified audit facility.

SQL> select parameter , value from v$option where PARAMETER = ‘Unified Auditing’;

unif_status_sql

***Oracle 12c Unified Auditing Architecture Diagram***

Oracle 12c unified auditing architecture diagram

Howe to enable unified auditing?

1.Shutdown listener and database:

Lsnrctl stop listener_dev5

SQL> shutdown immediate

2.Relink Oracle Home binaries:

For (unix/linux)

cd $ORACLE_HOME/rdbms/lib


make -f ins_rdbms.mk uniaud_on ioracle

For windows:

must rename the %ORACLE_HOME%\bin\orauniaud12.dll.dbl file to %ORACLE_HOME%\bin\orauniaud12.dll

 

3.startup the database

SQL> startup

4.Check the status if the unified is enabled successfully by executing the query:

SQL> select * from v$option where PARAMETER = ‘Unified Auditing’;

uni_true

 

Also to avoid having both auditing mechanisms working check the following parameter:

SQL> show parameter AUDIT_TRAIL

 

NAME                                 TYPE

———————————— ——————————–

VALUE

——————————

audit_trail                          string

DB, EXTENDED

It should be set to NONE

audit_trail_none

To turn unified auditing OFF in (Unix/Linux) environment:

cd $ORACLE_HOME/rdbms/lib


make -f ins_rdbms.mk uniaud_off ioracle ORACLE_HOME=$ORACLE_HOME

 

I will now explore data pump and RMAN operations with the new feature:

 

 

A.  Auditing Oracle Data pump operations:

Create the a new export data pump policy called AUDIT_EXPORT_DATAPUMP

SQL> create audit policy AUDIT_EXPORT_DATAPUMP actions component=datapump export;

Audit policy created.

Enable the audit policy:

SQL> audit policy AUDIT_EXPORT_DATAPUMP;

Audit succeeded.

To verify that audit policy is enabled execute the sql query:

SQL> select * from AUDIT_UNIFIED_ENABLED_POLICIES

 where POLICY_NAME like ‘%AUD%’;

audit_policy_datapump.png

Remark: you will notice in the highlighted yellow bellow that auditing option is being generated while performing the export

uni_export.png

After the export is finished, you can check that export process in the unified audit view:

SQL> select DBUSERNAME, DP_TEXT_PARAMETERS1, DP_BOOLEAN_PARAMETERS1

 from   UNIFIED_AUDIT_TRAIL where  DP_TEXT_PARAMETERS1 is not null;

 

B.  Auditing Oracle RMAN operations:

Perform a backup

RMAN> backup tablespace ts_user_data_01;

After finishing the backup check if this was update:

SQL> select DBUSERNAME, RMAN_OPERATION

from UNIFIED_AUDIT_TRAIL where RMAN_OPERATION is not null;

 

rman_uni_query

If not updated yet, flush it:

SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s