Security Blogs

Mandatory Auditing - Oracle 12c Always-On-Auditing

Certainly from an auditing and logging perspective, one of the best new features delivered by Oracle 12c is mandatory auditing of the administrative users such as SYSDBA.  This can be described as ‘always on auditing’.  By default, the following audit related activities are now mandatorily audited -

  • CREATE AUDIT POLICY
  • ALTER AUDIT POLICY
  • DROP AUDIT POLICY
  • AUDIT
  • NOAUDIT
  • EXECUTE of the DBMS_FGA PL/SQL package
  • EXECUTE of the DBMS_AUDIT_MGMT PL/SQL package
  • All configuration changes that are made to Oracle Database Vault
  • ALTER TABLE attempts on the AUDSYS audit trail table (this table cannot be altered)
  • Top level statements by administrative users SYS, SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSDG, and SYSKM, until the database opens.  When the database opens, Oracle Database audits these users using the audit configurations in the system.

The audit activity resulting from mandatory auditing can be found in SYS.UNIFIED_AUDIT_TRAIL. 

Note when the database is not writable (such as during database mounting), if the database is closed, or if it is read-only, then Oracle writes the audit records to external files in the $ORACLE_BASE/audit/$ORACLE_SID directory. 

Mandatory Auditing

Integrigy Framework Event

  • CREATE AUDIT POLICY
  • ALTER AUDIT POLICY
  • DROP AUDIT POLICY
  • EXECUTE of the DBMS_FGA PL/SQL package
  • EXECUTE of the DBMS_AUDIT_MGMT PL/SQL package
  • All configuration changes that are made to Oracle Database Vault
  • ALTER TABLE attempts on the AUDSYS audit trail table (remember that this table cannot be altered)

E12 - Modify audit and logging

  • Top level statements by the administrative users SYS, SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSDG, and SYSKM until the database opens
  • AUDIT
  • NOAUDIT

E11 - Privileged commands

Note: Activity and be found in SYS.UNIFIED_AUDIT_TRAIL when in pure mode and to the traditional audit trails in mixed mode.

If you have questions, please contact us at mailto:info@integrigy.com

Reference
Auditing, Oracle Database
Categories: APPS Blogs, Security Blogs

What Is Oracle 12 Unified Auditing? The View UNIFIED_AUDIT_TRAIL with 94 Columns

What is Oracle 12c Unified Auditing? The short answer is the view UNIFED_AUDIT_TRAIL. This view consolidates all logging and auditing information into a single source. Regardless of using either Mixed Mode or Pure Unified Auditing, the SYS.UNIFIED_AUDIT_TRAIL can be used. 

The key column in SYS.UNIFIED_AUDIT_TRAIL is AUDIT_TYPE.  This column shows from which Oracle component the log data originated -

SYS.UNIFIED_AUDIT_TRAIL Component Sources

Column AUDIT_TYPE Value

Description

Number of Columns in Table

Standard

Standard auditing including SYS audit records

44

XS

Real Application Security (RAS)and RAS auditing

17

Label Security

Oracle Label Security

14

Datapump

Oracle Data Pump

2

FineGrainedAudit

Fine grained audit(FGA)

1

Database Vault

Data Vault(DV)

10

RMAN_AUDIT

Oracle RMAN

5

Direct path API

SQL*Loader Direct Load

1

 

Total

94

If you have questions, please contact us at mailto:info@integrigy.com

Reference
Auditing, Oracle Database
Categories: APPS Blogs, Security Blogs

Oracle 12c Unified Auditing - Mixed Mode

Next in our blog series on Oracle 12 Unified Auditing is a discussion of Mixed Mode. Mixed Mode is the default auditing mode for Oracle 12c.  Oracle describes Mixed Mode auditing as a means of becoming familiar with Unified Auditing prior to migrating to Pure Unified Auditing.  Mixed Mode allows for all traditional, pre-12c log and audit functionality to co-exist with Unified Auditing.  More importantly, Mixed Mode will support any current Syslog-based logging solution.

Mixed mode auditing provides the following key capabilities –

  • All existing (pre-12c) auditing initialization configurations and parameters are used such as AUDIT_TRAILAUDIT_FILE_DESTAUDIT_SYS_OPERATIONS, and AUDIT_SYSLOG_LEVEL
  • The format of the audit records remains the same as in Oracle Database 11g Release 2
  • Writes mandatory audit records to the traditional audit trails
  • If the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE, writes audit records only to the traditional audit trails

With Mixed Mode, audit data can be found both in the traditional locations as well as in SYS.UNIFIED_AUDIT_TRAIL.  This is because the Unified Auditing Policy ORA_SECURECONFIG is enabled by default.  ORA_SECURECONFIG audits the same default audit settings from Oracle Database Release 11g.  Integrigy recommends to either periodically purge Unified Auditing data or disable the policy.  To disable ORA_SECURECONFIG policy follow the instructions in Oracle Support Note Doc ID 1624051.1.

The following table shows the definition of the default policy ORA_SECURECONFIG.  Note the column ‘Common’ that shows that the policy is defined for all PDBs (tenant) databases.

Mixed Mode Default Unified Policy ORA_SECURECONFIG

Audit Option

Option Type

Common

Integrigy Framework

ADMINISTER KEY MANAGEMENT

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

ALTER ANY PROCEDURE

SYSTEM PRIVILEGE

YES

E13 – Objects

ALTER ANY SQL TRANSLATION PROFILE

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

ALTER ANY TABLE

SYSTEM PRIVILEGE

YES

E13 – Objects

ALTER DATABASE

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

ALTER DATABASE LINK

STANDARD ACTION

YES

E13 – Objects

ALTER PLUGGABLE DATABASE

STANDARD ACTION

YES

E11 - Privileged commands

ALTER PROFILE

STANDARD ACTION

YES

E14 - Modify configuration settings

ALTER ROLE

STANDARD ACTION

YES

E8 - Modify role

ALTER SYSTEM

SYSTEM PRIVILEGE

YES

E14 - Modify configuration settings

ALTER USER

STANDARD ACTION

YES

E6 - Modify user account

AUDIT SYSTEM

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

CREATE ANY JOB

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE ANY LIBRARY

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE ANY PROCEDURE

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE ANY SQL TRANSLATION PROFILE

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

CREATE ANY TABLE

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE DATABASE LINK

STANDARD ACTION

YES

E13 – Objects

CREATE DIRECTORY

STANDARD ACTION

YES

E13 – Objects

CREATE EXTERNAL JOB

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE PLUGGABLE DATABASE

STANDARD ACTION

YES

E11 - Privileged commands

CREATE PROFILE

STANDARD ACTION

YES

E11 - Privileged commands

CREATE PUBLIC SYNONYM

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE ROLE

STANDARD ACTION

YES

E7 - Create role

CREATE SQL TRANSLATION PROFILE

SYSTEM PRIVILEGE

YES

E13 – Objects

CREATE USER

SYSTEM PRIVILEGE

YES

E5 – Create user account

DROP ANY PROCEDURE

SYSTEM PRIVILEGE

YES

E13 – Objects

DROP ANY SQL TRANSLATION PROFILE

SYSTEM PRIVILEGE

YES

E13 - Objects

DROP ANY TABLE

SYSTEM PRIVILEGE

YES

E13 – Objects

DROP DATABASE LINK

STANDARD ACTION

YES

E13 – Objects

DROP DIRECTORY

STANDARD ACTION

YES

E13 – Objects

DROP PLUGGABLE DATABASE

STANDARD ACTION

YES

E11 - Privileged commands

DROP PROFILE

STANDARD ACTION

YES

E14 - Modify configuration settings

DROP PUBLIC SYNONYM

SYSTEM PRIVILEGE

YES

E13 – Objects

DROP ROLE

STANDARD ACTION

YES

E8 - Modify role

DROP USER

SYSTEM PRIVILEGE

YES

E6 - Modify user account

EXEMPT ACCESS POLICY

SYSTEM PRIVILEGE

YES

E14 - Modify configuration settings

EXEMPT REDACTION POLICY

SYSTEM PRIVILEGE

YES

E14 - Modify configuration settings

GRANT ANY OBJECT PRIVILEGE

SYSTEM PRIVILEGE

YES

E9 - Grant/revoke user privileges

GRANT ANY PRIVILEGE

SYSTEM PRIVILEGE

YES

E9 - Grant/revoke user privileges

GRANT ANY ROLE

SYSTEM PRIVILEGE

YES

E9 - Grant/revoke user privileges

LOGMINING

SYSTEM PRIVILEGE

YES

E12 - Modify audit and logging

LOGOFF

STANDARD ACTION

YES

E2 - Logoff

LOGON

STANDARD ACTION

YES

E1 - Login

PURGE DBA_RECYCLEBIN

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

SET ROLE

STANDARD ACTION

YES

E11 - Privileged commands

TRANSLATE ANY SQL

SYSTEM PRIVILEGE

YES

E11 - Privileged commands

If you have questions, please contact us at mailto:info@integrigy.com

Reference
Auditing, Oracle Database
Categories: APPS Blogs, Security Blogs

Oracle 12c Unified Auditing - Pure Mode

Continuing our blog series on Oracle 12 Unified Auditing is a discussion of Pure  Mode. Mixed mode is intended by Oracle to introduce Unified Auditing and provide a transition from the traditional Oracle database auditing.  Migrating to PURE Unified Auditing requires the database be stopped, the Oracle binary linked to uniaud_on, and then restarted.  This operation can be reversed if auditing needs to be changed back to Mixed Mode. 

When changing from Mixed to pure Unified Audit, two key changes occur.  The first is the audit trails are no longer written to their traditional pre-12c audit locations.  Auditing is consolidated into the Unified Audit views and stored using Oracle SecureFiles.  Oracle Secured Files use a proprietary format which means that Unified Audit logs cannot be viewed using editors such vi and may preclude or affect the use of third party logging solutions such as Splunk or HP ArcSight.  As such, Syslog auditing is not possible with Pure Unified Audit.

Unified Audit Mixed vs. Pure Mode Audit Locations

System Tables

Mixed Mode

Pure Unified Audit Impact

SYS.AUD$

Same as 11g

Exists, but will only have pre-unified audit records

SYS.FGA_LOG$

Same as 11g

Exists, but will only have pre-unified audit records

The second change is that the traditional audit configurations are no longer used.  For example, traditional auditing is largely driven by the AUDIT_TRAIL initialization parameter.  With pure Unified Audit, the initialization parameter AUDIT_TRAIL is ignored.

Unified Audit Mixed vs. Pure Mode Audit Configurations

System Parameters

Mixed Mode

Pure Unified Audit Impact

AUDIT_TRAIL

Same as 11g

Exists, but will not have any effect

AUDIT_FILE_DEST

Same as 11g

Exists, but will not have any effect

AUDIT_SYS_OPERATIONS

Same as 11g

Exists, but will not have any effect

AUDIT_SYSLOG_LEVEL

Same as 11g

Exists, but will not have any effect

UNIFIED_AUDIT_SGA_QUEUE_SIZE

Same as 11g

Yes

If you have questions, please contact us at mailto:info@integrigy.com

Reference
Auditing, Oracle Database
Categories: APPS Blogs, Security Blogs

Pages

Subscribe to Oracle FAQ aggregator - Security Blogs