Oracle 12c introduces “Unified Audit Trail” a faster, easier to access and more secure audit system.
It optionally allows to stage the audit records in a dedicated memory buffer (UNIFIED_AUDIT_SGA_QUEUE_SIZE), where they are temporarily grouped before being written into the audit table via batch transactions.
This new audit configuration substantially reduces the transactional overhead generated by the auditing.
Important improvements have also done to simplify the utilization:
– One single audit trail for any audit data, in fact UNIFIED_AUDIT_TRAIL view replaces SYS.AUD$/DBA_AUDIT_TRAIL, SYS.FGA_LOGS$/DBA_FGA_AUDIT_TRAIL, DVSYS.AUDIT_TRAIL$, V$XML_AUDIT_TRAIL and the OS audit files in adump.
– All audit data stored in Oracle secure files.
– Role segregation between:
- DBA responsible to maintain free space and backup.
- AUDIT_ADMIN responsible to manage the audit policies and define the data retention.
- AUDIT_VIEWER in charge of the reports.
Unified Audit Trail introduces also new security options important to mention:
– It is activated with a kernel relink and it doesn’t require additional steps or parameters.
– The new AUDSYS table has a Read-Only Protection for all users. Even the DBA privilege can’t manipulate the audit records!
How to activate Unified Audit Trail
--Stop all Oracle processes: databases, listener and Enterprise Manager agent. --Relink Oracle with the uniaud_on option. $ cd $ORACLE_HOME/rdbms/lib $ make -f ins_rdbms.mk uniaud_on ioracle --Restart all Oracle processes: databases, listener and Enterprise Manager agent. --Check is Unified Audit Trail is active SQL> select * from v$option where PARAMETER='Unified Auditing'; INST_ID PARAMETER VALUE CON_ID ------- ------------------------------ ------------------- ---------- 1 Unified Auditing TRUE 0
Optional, but strongly recommended it is possible to relocate the AUDIT segments from SYSAUX Tablespace to a dedicated one.
SQL> Create tablespace TBS_AUDIT datafile SIZE 2G AUTOEXTEND ON; BEGIN DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION( audit_trail_type => dbms_audit_mgmt.audit_trail_unified, audit_trail_location_value => 'TBS_AUDIT'); END; / SQL> select OWNER, SEGMENT_NAME, PARTITION_NAME, SEGMENT_TYPE, BYTES from dba_segments where TABLESPACE_NAME='TBS_AUDIT'; OWNER SEGMENT_NAME PARTITION_NAME SEGMENT_TYPE BYTES --------------- ------------------------------ ------------------------------ ------------------ ---------- AUDSYS CLI_SWP$1b2a49f1$1$1 HIGH_PART TABLE PARTITION 65536 AUDSYS CLI_SWP$1b2a49f1$1$1 PART_2 TABLE PARTITION 65536 AUDSYS CLI_LOB$1b2a49f1$1$1 HIGH_PART INDEX PARTITION 65536 AUDSYS CLI_TIME$1b2a49f1$1$1 HIGH_PART INDEX PARTITION 65536 AUDSYS CLI_LOB$1b2a49f1$1$1 PART_2 INDEX PARTITION 65536 AUDSYS CLI_TIME$1b2a49f1$1$1 PART_2 INDEX PARTITION 65536 AUDSYS CLI_SCN$1b2a49f1$1$1 PART_2 INDEX PARTITION 65536 AUDSYS SYS_IL0000091784C00014$$ SYS_IL_P241 INDEX PARTITION 65536 AUDSYS CLI_SCN$1b2a49f1$1$1 HIGH_PART INDEX PARTITION 65536 AUDSYS SYS_IL0000091784C00014$$ SYS_IL_P246 INDEX PARTITION 65536 AUDSYS SYS_LOB0000091784C00014$$ SYS_LOB_P244 LOB PARTITION 131072 AUDSYS SYS_LOB0000091784C00014$$ SYS_LOB_P239 LOB PARTITION 131072 12 rows selected.
The introduction of Audit Policies have brought flexibility and granularity on what it is possible to audit, here an example using Oracle sys_context function.
CREATE AUDIT POLICY hr_employees
PRIVILEGES CREATE TABLE
ACTIONS UPDATE ON HR.EMPLOYEES
WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') != ''HR_ADMIN'''
EVALUATE PER STATEMENT;
AUDIT POLICY hr_employees;
My Oracle Notes 
Hi Emiliano,
Good to know about the criitical bug related to UA: Bug 25188062 : TSPITR FAIL WITH ORA-00376 ORA-01110 BECAUSE OF UNIFIED AUDITING ( https://support.oracle.com/epmos/faces/ui/km/BugDisplay.jspx?id=25188062 ).
Cheers,
Nenad
LikeLike
Hi Nenad,
Thank you, your remark can save precious time, avoiding to re-execute the restore with the workaround desctibed on the MOS note.
Ciao
Emiliano
LikeLike
Hi Emiliano,
Mind also the bug 19383839 : UNIFIED AUDIT – NO LOGON OR FAILED LOGON ACTION CAPTURED . However, there is a patch for this one.
Cheers,
Nenad
LikeLiked by 1 person