Auditing Enhancements in Oracle Database 21c
This article gives an overview of the auditing enhancements in Oracle database 21c.
- Traditional Auditing Deprecated
- Unified Auditing Immediacy
- Security Technical Implementation Guide (STIG) Compliance
- Unified Audit Policies Enforced on the Current User
- Audit XML DB HTTP and FTP Protocols
- Auditing of Editioned Objects
Traditional Auditing Deprecated
From Oracle 21c onward, traditional auditing is deprecated. It is still available for backward compatibility, but you should start transitioning your existing AUDIT settings to unified audit policies now, rather than waiting for it to be removed.
Unified Auditing Immediacy
In previous releases, changes to object auditing policies only took effect the next time a session connected, so a session that was already open could keep performing unaudited actions against an object after a policy had been created or enabled. From Oracle 21c onward, all object auditing policy changes take effect immediately in all sessions, including the session that made the change. No additional configuration is needed for this change in behaviour.
Changes to system audit options, or to the audit conditions of a policy, are still only activated for new sessions.
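The following is an added example, not part of the original article, that demonstrates the immediacy change from a single session: the policy is created and enabled, and an update in that same session is audited without reconnecting. The schema name TESTUSER1, the table AUDIT_TEST and the policy name AUDIT_TEST_POL are assumptions; the session needs the AUDIT_ADMIN role (or AUDIT SYSTEM) and access to the table.

```sql
-- Added example (assumed schema TESTUSER1, table AUDIT_TEST, policy AUDIT_TEST_POL).
create table testuser1.audit_test (id number, val varchar2(10));
insert into testuser1.audit_test values (1, 'ONE');
commit;

-- Object audit policy: audit UPDATE statements against the table.
create audit policy audit_test_pol
  actions update on testuser1.audit_test;

audit policy audit_test_pol;

-- Still the same session. In 21c this statement is audited immediately;
-- before 21c only sessions started after the AUDIT would have been audited.
update testuser1.audit_test set val = 'TWO' where id = 1;
commit;

column dbusername format a12
column object_schema format a12
column object_name format a12

select event_timestamp,
       dbusername,
       action_name,
       object_schema,
       object_name,
       sql_text
from   unified_audit_trail
where  unified_audit_policies like '%AUDIT_TEST_POL%'
order by event_timestamp;

-- Clean up.
noaudit policy audit_test_pol;
drop audit policy audit_test_pol;
drop table testuser1.audit_test purge;
```

The same check run against a pre-21c database would return no row for the update, because the policy would only have applied to sessions connected after the AUDIT POLICY statement. Remember that the second paragraph above still applies: adding a WHEN condition to the policy, or changing system audit options, is not picked up by existing sessions.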
Security Technical Implementation Guide (STIG) Compliance
You can read a top-level description of Security Technical Implementation Guide (STIG) here.
Oracle 21c includes three pre-defined unified audit policies for STIG compliance: ORA_STIG_RECOMMENDATIONS, ORA_ALL_TOPLEVEL_ACTIONS and ORA_LOGON_LOGOFF. They are created with the database but are not enabled by default.
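As an added example (not from the original article), the following inspects the three predefined STIG policies, enables them, and confirms they are active. It needs the AUDIT_ADMIN role. The only assumption is that the database is a 21c database with the predefined policies present.

```sql
-- Added example: inspect and enable the predefined STIG policies (AUDIT_ADMIN role required).
column policy_name format a28
column audit_option format a40
column audit_option_type format a18

-- What each predefined policy audits.
select policy_name, audit_option, audit_option_type
from   audit_unified_policies
where  policy_name in ('ORA_STIG_RECOMMENDATIONS', 'ORA_ALL_TOPLEVEL_ACTIONS', 'ORA_LOGON_LOGOFF')
order by policy_name, audit_option;

-- Enable them for all users. ORA_ALL_TOPLEVEL_ACTIONS audits every top-level
-- statement, so check audit trail growth and purge jobs before leaving it on.
audit policy ora_stig_recommendations;
audit policy ora_all_toplevel_actions;
audit policy ora_logon_logoff;

-- Confirm they are now enabled, alongside any other ORA_% policies
-- (ORA_SECURECONFIG and ORA_LOGON_FAILURES are enabled by default).
column entity_name format a11
column success format a7
column failure format a7

select policy_name, enabled_option, entity_name, success, failure
from   audit_unified_enabled_policies
where  policy_name like 'ORA\_%' escape '\'
order by policy_name;
```

Enabling predefined policies does not alter them, so if a STIG baseline needs an exception for an application account it is better to leave these policies alone and add an EXCEPT clause or a separate policy, rather than editing the predefined ones.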
Unified Audit Policies Enforced on the Current User
Prior to Oracle 21c, all unified audit policies were enforced on the top-level user session, that is the login user session that executed the SQL statement. From Oracle 21c onward, unified audit policies are enforced on the current user who executes the SQL statement. The most visible effect is for definer's rights PL/SQL: a statement executed inside a definer's rights procedure runs with the procedure owner as the current user, so a policy enabled for that owner now captures it even when the procedure is called by a different login user.
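The following added example (not part of the original article) shows the current-user enforcement using a definer's rights procedure. The user names APP_OWNER and APP_USER, the table ACCOUNTS, the procedure ADJUST_BALANCE and the policy ACCOUNTS_UPD_POL are all assumptions; the policy steps need the AUDIT_ADMIN role, and the comments describing which rows appear reflect the behaviour change described above rather than output captured from a database.

```sql
-- Added example (assumed users APP_OWNER and APP_USER).

-- As APP_OWNER: the table and a definer's rights procedure that updates it.
create table app_owner.accounts (id number, balance number);
insert into app_owner.accounts values (1, 100);
commit;

create or replace procedure app_owner.adjust_balance (p_id in number, p_delta in number)
authid definer
as
begin
  update app_owner.accounts
  set    balance = balance + p_delta
  where  id = p_id;
end;
/

grant execute on app_owner.adjust_balance to app_user;

-- As an AUDIT_ADMIN user: audit updates on the table, but only for APP_OWNER.
create audit policy accounts_upd_pol
  actions update on app_owner.accounts;

audit policy accounts_upd_pol by app_owner;

-- As APP_USER: the login user is APP_USER, but inside the definer's rights
-- procedure the current user is APP_OWNER.
exec app_owner.adjust_balance(1, -10);

-- As the AUDIT_ADMIN user. In 21c the update is audited because the policy is
-- enforced on the current user (APP_OWNER). Before 21c it was enforced on the
-- login user (APP_USER), so this query would have returned no rows.
column dbusername format a12
column current_user format a12

select event_timestamp,
       dbusername,      -- login user: APP_USER
       current_user,    -- effective user for the statement: APP_OWNER
       action_name,
       object_schema,
       object_name
from   unified_audit_trail
where  unified_audit_policies like '%ACCOUNTS_UPD_POL%'
order by event_timestamp;

-- Clean up.
noaudit policy accounts_upd_pol by app_owner;
drop audit policy accounts_upd_pol;
```

When reviewing audit data from 21c, read DBUSERNAME and CURRENT_USER together: a policy scoped BY a schema owner will now show rows whose DBUSERNAME is some other account, which is the login user that reached the owner's code, and that pairing is what tells you the access came through a definer's rights path rather than a direct connection as the owner.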
Audit XML DB HTTP and FTP Protocols
In Oracle 21c we can now audit HTTP and FTP actions against XML DB, along with their authentication. In this example we create three separate unified audit policies for HTTP, FTP and authentication.

create audit policy http_pol actions component=protocol http;
create audit policy ftp_pol actions component=protocol ftp;
create audit policy auth_pol actions component=protocol authentication;
We enable the policies. The HTTP and FTP policies audit both successful and unsuccessful attempts. The authentication policy only audits authentication failures.

audit policy http_pol;
audit policy ftp_pol;
audit policy auth_pol whenever not successful;

We use the AUDIT_UNIFIED_POLICIES and AUDIT_UNIFIED_ENABLED_POLICIES views to display information about the policies.

column policy_name format a15

select policy_name, audit_option, audit_option_type
from   audit_unified_policies
where  policy_name in ('HTTP_POL', 'FTP_POL', 'AUTH_POL');

POLICY_NAME     AUDIT_OPTION    AUDIT_OPTION_TYPE
--------------- --------------- ------------------
HTTP_POL        HTTP            PROTOCOL ACTION
FTP_POL         FTP             PROTOCOL ACTION
AUTH_POL        AUTHENTICATION  PROTOCOL ACTION

column entity_name format a11
column entity_type format a11
column success format a7
column failure format a7

select policy_name, enabled_option, entity_name, entity_type, success, failure
from   audit_unified_enabled_policies
where  policy_name in ('HTTP_POL', 'FTP_POL', 'AUTH_POL');

POLICY_NAME     ENABLED_OPTION  ENTITY_NAME ENTITY_TYPE SUCCESS FAILURE
--------------- --------------- ----------- ----------- ------- -------
HTTP_POL        BY USER         ALL USERS   USER        YES     YES
AUTH_POL        BY USER         ALL USERS   USER        NO      YES
FTP_POL         BY USER         ALL USERS   USER        YES     YES
The following columns have been added to the UNIFIED_AUDIT_TRAIL view to hold the protocol-specific details of these records.

PROTOCOL_SESSION_ID   NUMBER
PROTOCOL_RETURN_CODE  NUMBER
PROTOCOL_ACTION_NAME  VARCHAR2(32)
PROTOCOL_USERHOST     VARCHAR2(128)
PROTOCOL_MESSAGE      VARCHAR2(4000)
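The following is an added example, not from the original article, of reading the records produced by the three policies above through the new PROTOCOL_* columns, followed by a simple detection query over the failed-authentication records. It assumes some HTTP or FTP requests have already been made against the XML DB listener (for example a browser or curl request to the XML DB HTTP port) so that rows exist; the 1-hour window and the threshold of 10 failures are arbitrary assumptions for illustration.

```sql
-- Added example: protocol audit records from the HTTP_POL, FTP_POL and AUTH_POL policies above.
column dbusername format a12
column protocol_action_name format a20
column protocol_userhost format a20
column protocol_message format a40

select event_timestamp,
       dbusername,
       protocol_action_name,   -- e.g. the HTTP method or FTP command
       protocol_return_code,   -- protocol-level status of the request
       protocol_session_id,    -- groups requests made over one protocol session
       protocol_userhost,      -- client host that issued the request
       substr(protocol_message, 1, 40) as protocol_message
from   unified_audit_trail
where  unified_audit_policies like '%HTTP_POL%'
or     unified_audit_policies like '%FTP_POL%'
or     unified_audit_policies like '%AUTH_POL%'
order by event_timestamp;

-- Detection: client hosts with repeated XML DB authentication failures in the
-- last hour. AUTH_POL was enabled WHENEVER NOT SUCCESSFUL, so every row it
-- produces is a failure. Window (1 hour) and threshold (10) are assumptions.
select protocol_userhost,
       count(*)                     as failures,
       count(distinct dbusername)   as distinct_users,
       min(event_timestamp)         as first_seen,
       max(event_timestamp)         as last_seen
from   unified_audit_trail
where  unified_audit_policies like '%AUTH_POL%'
and    event_timestamp > systimestamp - interval '1' hour
group by protocol_userhost
having count(*) >= 10
order by failures desc;
```

Because the HTTP and FTP policies audit successful requests as well, they can generate a lot of rows on a busy XML DB listener; if you only need the failure signal, enable those two policies WHENEVER NOT SUCCESSFUL as well, and make sure the audit trail purge job covers the extra volume.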
We stop auditing and drop the audit policies.

noaudit policy http_pol;
noaudit policy ftp_pol;
noaudit policy auth_pol;

drop audit policy http_pol;
drop audit policy ftp_pol;
drop audit policy auth_pol;
Auditing of Editioned Objects
Unified audit policies on an editioned object are now applied to all of its editions. When a new version of the object is created in a new edition, it inherits the audit policies of the existing edition, so you no longer have to re-audit an object every time it is actualized in a child edition.
When querying the UNIFIED_AUDIT_TRAIL view you should use the OBJECT_SCHEMA, OBJECT_NAME and OBJ_EDITION_NAME columns together to accurately identify the object, since the same schema and object name can now appear in records for several editions.
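The following added example (not from the original article) walks through the editioned case: a procedure is audited in the base edition, a new version of it is created in a child edition, both versions are executed, and the audit trail is then queried using the edition column. The edition name E2, the user APP_OWNER, the procedure PROC1 and the policy PROC1_POL are assumptions; the session needs CREATE ANY EDITION, USE on the edition, the AUDIT_ADMIN role and privileges on the APP_OWNER schema.

```sql
-- Added example (assumed edition E2, user APP_OWNER, procedure PROC1, policy PROC1_POL).

-- The owner must be editions-enabled before the editionable object exists.
alter user app_owner enable editions;

create edition e2;
grant use on edition e2 to app_owner;

-- Version of the procedure in the base edition (ORA$BASE).
create or replace procedure app_owner.proc1 as
begin
  null;
end;
/

-- Audit executions of the procedure. In 21c this covers every edition of it.
create audit policy proc1_pol
  actions execute on app_owner.proc1;

audit policy proc1_pol;

-- Execute the base edition version.
exec app_owner.proc1;

-- Switch to the child edition and create a new version of the procedure.
-- The new version inherits the policy; no further AUDIT is needed.
alter session set edition = e2;

create or replace procedure app_owner.proc1 as
begin
  null;
end;
/

exec app_owner.proc1;

alter session set edition = ora$base;

-- Identify which edition each audited execution hit.
column object_schema format a12
column object_name format a12
column obj_edition_name format a16

select event_timestamp,
       action_name,
       object_schema,
       object_name,
       obj_edition_name
from   unified_audit_trail
where  unified_audit_policies like '%PROC1_POL%'
order by event_timestamp;

-- Clean up.
noaudit policy proc1_pol;
drop audit policy proc1_pol;
drop procedure app_owner.proc1;
drop edition e2 cascade;
```

The query is the practical point: OBJECT_SCHEMA and OBJECT_NAME are the same for both executions, so only OBJ_EDITION_NAME tells you whether the audited call reached the base version or the new one, which matters when the two versions behave differently during a rollout.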
For more information see:
- Unified Audit Policy Configuration Changes Effective Immediately
- Predefined Unified Audit Policies for Security Technical Implementation Guide Compliance
- Unified Audit Policies Enforced on the Current User
- Auditing for Oracle XML DB HTTP and FTP Services
- Unified Auditing on an Editioned Object Now Applies to All Its Editions
- Deprecation of Traditional Auditing
- Auditing : All Articles
Hope this helps. Regards Tim...