Home » Articles » 21c » Here

Auditing Enhancements in Oracle Database 21c

This article gives an overview of the auditing enhancements in Oracle database 21c.

• Traditional Auditing Deprecated
• Unified Auditing Immediacy
• Security Technical Implementation Guide (STIG) Compliance
• Unified Audit Policies Enforced on the Current User
• Audit XML DB HTTP and FTP Protocols
• Auditing of Editioned Objects

Related articles.

• Auditing : All Articles

Traditional Auditing Deprecated

From Oracle 21c onward, traditional auditing has been deprecated, but is still available for backwards compatibility, so you should start to transition away from traditional auditing.

Unified Auditing Immediacy

In previous releases, changes to object auditing policies only took effect the next time a session connected. From Oracle 21c onward, all object auditing policy changes take effect immediately in all sessions, including the current session. There is no additional configuration needed for this functionality change.

Changes to system audit options, or audit conditions of the policy are still only activated for new sessions.

Security Technical Implementation Guide (STIG) Compliance

You can read a top-level description of Security Technical Implementation Guide (STIG) here.

Oracle 21c includes three pre-defined unified audit policies for STIG compliance.

• ORA_STIG_RECOMMENDATIONS
• ORA_ALL_TOPLEVEL_ACTIONS
• ORA_LOGON_LOGOFF

Unified Audit Policies Enforced on the Current User

Prior to Oracle 21c all unified audit policies were enforced on the top-level user session, the login user session, which executed the SQL statement. From Oracle 21c onward unified audit policies are enforced on the current user who executes the SQL statement.

Audit XML DB HTTP and FTP Protocols

In Oracle 21c we can now audit HTTP and FTP actions against XML DB, along with their authentication. In this example we create three separate unified audit policies for HTTP, FTP and authentication.

create audit policy http_pol
  actions component=protocol http;
  
create audit policy ftp_pol
  actions component=protocol ftp;
  
create audit policy auth_pol
  actions component=protocol authentication;

We initiate auditing of the policies. Both HTTP and FTP audit both successful and unsuccessful attempts. The authentication policy only audits authentication failures.

audit policy http_pol;
audit policy ftp_pol;
audit policy auth_pol whenever not successful;

We use the AUDIT_UNIFIED_POLICIES and AUDIT_UNIFIED_ENABLED_POLICIES views to display information about the policies.

column policy_name format a15

select policy_name,
       audit_option,
       audit_option_type
from   audit_unified_policies
where  policy_name in ('HTTP_POL', 'FTP_POL', 'AUTH_POL');


POLICY_NAME     AUDIT_OPTION    AUDIT_OPTION_TYPE
--------------- --------------- ------------------
HTTP_POL        HTTP            PROTOCOL ACTION
FTP_POL         FTP             PROTOCOL ACTION
AUTH_POL        AUTHENTICATION  PROTOCOL ACTION

SQL>


column entity_name format a11
column entity_type format a11
column success format a7
column failure format a7

select policy_name,
       enabled_option,
       entity_name,
       entity_type,
       success,
       failure
from   audit_unified_enabled_policies
where  policy_name in ('HTTP_POL', 'FTP_POL', 'AUTH_POL');

POLICY_NAME     ENABLED_OPTION  ENTITY_NAME ENTITY_TYPE SUCCESS FAILURE
--------------- --------------- ----------- ----------- ------- -------
HTTP_POL        BY USER         ALL USERS   USER        YES     YES
AUTH_POL        BY USER         ALL USERS   USER        NO      YES
FTP_POL         BY USER         ALL USERS   USER        YES     YES

SQL>

The following columns have been added to the UNIFIED_AUDIT_TRAIL view.

PROTOCOL_SESSION_ID               NUMBER
PROTOCOL_RETURN_CODE              NUMBER
PROTOCOL_ACTION_NAME              VARCHAR2(32)
PROTOCOL_USERHOST                 VARCHAR2(128)
PROTOCOL_MESSAGE                  VARCHAR2(4000)

We stop auditing and drop the audit policies.

noaudit policy http_pol;
noaudit policy ftp_pol;
noaudit policy auth_pol;

drop audit policy http_pol;
drop audit policy ftp_pol;
drop audit policy auth_pol;

Auditing of Editioned Objects

Unified audit policies on editioned objects are now applied to aa its editions. When a new object is created in an edition, it will inherit the audit policies from the existing edition.

When querying the UNIFIED_AUDIT_TRAIL view you should use the OBJECT_SCHEMA, OBJECT_NAME and OBJ_EDITION columns to accurate identify the object.

For more information see:

• Unified Audit Policy Configuration Changes Effective Immediately
• Predefined Unified Audit Policies for Security Technical Implementation Guide Compliance
• Unified Audit Policies Enforced on the Current User
• Auditing for Oracle XML DB HTTP and FTP Services
• Unified Auditing on an Editioned Object Now Applies to All Its Editions
• Deprecation of Traditional Auditing
• Auditing : All Articles

Hope this helps. Regards Tim...

Back to the Top.

Created: 2022-01-07  Updated: 2022-04-05

Contact Us

Home | Articles | Scripts | Blog | Certification | Videos | Misc | About

About Tim Hall
Copyright & Disclaimer