Always-on audits

Certain security-sensitive database activities are always audited in Oracle Database, and they cannot be disabled. Take advantage of them to kick off database auditing from day one. These activities include, but are not limited to, the following:

  • Top-level statements executed by users with administrative privileges until the database opens, such as SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSDG, and SYSKM.
  • Attempts to modify or delete audit records.
  • Oracle Database Vault configuration changes.
  • Audit-related activities, such as modifications to audit policies and executions of the DBMS_AUDIT_MGMT package.

For a complete list of mandatory auditable events corresponding to your database version, refer to the section “Activities That Are Mandatorily Audited” in the Oracle Database Security Guide.

Predefined audit policies

Oracle Database provides several predesigned and ready-to-use best practice unified audit policies that cover common security-relevant audit settings, such as the following:

  • Audits of failed logons and logoffs.
  • Audits of changes to Oracle Database parameter settings.
  • Audits of modifications to user accounts and privileges.
  • Audit requirements for Security Technical Implementation Guides (STIG) compliance.

You might see a couple of them enabled by default. Oracle Autonomous Database also provides several additional audits enabled by default.

Refer to the section Auditing Activities with the Predefined Unified Audit Policies in the Oracle Database Security Guide for more details. Refer to the section Default Audit Policies on Autonomous Database in the Using Oracle Autonomous Database Serverless guide if you are using Autonomous Database. If you are using Data Safe or AVDF (Audit Vault and Database Firewall) to monitor your database targets, you will see additional predefined unified audit policies that can be provisioned with a single click. Refer to the section Provisioning Unified Audit Policies in the AVDF Auditor's Guide and the section About Oracle Data Safe Audit Policies in Using Oracle Data Safe for more details.
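The following is an added example, not taken from the Oracle documentation; it lists the Oracle-supplied policies, shows which are currently enabled, and enables the ones that correspond to the bullets above. It assumes Oracle Database 12.2 or later (the ORACLE_SUPPLIED and ENABLED_OPTION columns) and a session holding the AUDIT_ADMIN role.

```sql
-- Added example: inventory and enable predefined unified audit policies.
-- Assumes 12.2+ column names and a user with the AUDIT_ADMIN role.

-- 1. Which policies shipped with the database, and how many audit rules each one carries
SELECT policy_name, COUNT(*) AS rule_count
FROM   audit_unified_policies
WHERE  oracle_supplied = 'YES'
GROUP  BY policy_name
ORDER  BY policy_name;

-- 2. Which policies are enabled right now, for whom, and on success and/or failure
--    (a fresh database typically shows only a couple of ORA_* entries here)
SELECT policy_name, enabled_option, entity_name, entity_type, success, failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name, entity_name;

-- 3. Enable the predefined policies matching the bullets above
AUDIT POLICY ora_logon_failures WHENEVER NOT SUCCESSFUL;  -- failed logons only
AUDIT POLICY ora_database_parameter;                      -- ALTER SYSTEM / ALTER DATABASE
AUDIT POLICY ora_account_mgmt;                            -- user, role and privilege changes
AUDIT POLICY ora_stig_recommendations;                    -- STIG compliance settings (12.2+)

-- 4. Re-run step 2 to confirm the four policies now appear with SUCCESS/FAILURE set
```

Policies enabled with AUDIT POLICY take effect for new sessions, so existing connections keep their previous audit settings until they reconnect.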

Conditional auditing

With conditional auditing, you can create precise, highly selective and context-aware policies, which makes it easier to audit specific actions and reduce the amount of irrelevant audit records. Conditional audits lower your storage needs and provide high-value audit records that will be useful for auditors, forensic investigations, or regulatory compliance requirements. Conditions can be based on application contexts, session context, or built-in functions.

Named audit policies can be created once and enforced in multiple dimensions, such as users and roles, providing more flexibility and simplicity. Refer to the section Unified Auditing with Configurable Conditions in the Oracle Database Security Guide for more details.

Extending the Unified Audit Trail

The unified audit trail can be extended to include application attributes by configuring auditing for application context values. The application context namespace can be populated with the required attributes, and these are captured in the APPLICATION_CONTEXTS column of the unified audit trail. Refer to the section Extending Unified Auditing to Capture Custom Attributes in the Oracle Database Security Guide for more details.
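The following added example (not from the Oracle documentation) puts the previous two sections together: a conditional policy whose WHEN clause reads an application context, and an AUDIT CONTEXT statement that writes the same context attributes into every audit record. The application context HR_CTX with attributes APP_ROLE and APP_MODULE, the table HR.SALARIES and the user APP_USER are assumed names; the context is assumed to already exist and to be set by the application's trusted package after logon.

```sql
-- Added example: conditional audit policy plus custom attribute capture.
-- Assumed names: context HR_CTX (attributes APP_ROLE, APP_MODULE),
-- table HR.SALARIES, database user APP_USER.

-- 1. Audit salary reads and updates only when the application role in the
--    session context is not the nightly batch job. The WHEN condition is a
--    quoted SQL expression; EVALUATE PER STATEMENT because APP_ROLE is set
--    by the application after the session is established.
CREATE AUDIT POLICY hr_salary_access_pol
  ACTIONS SELECT ON hr.salaries, UPDATE ON hr.salaries
  WHEN 'SYS_CONTEXT(''HR_CTX'',''APP_ROLE'') <> ''BATCH'''
  EVALUATE PER STATEMENT;

-- 2. Enforce it for one user; default is on both successful and failed statements
AUDIT POLICY hr_salary_access_pol BY app_user;

-- 3. Extend the trail: capture APP_ROLE and APP_MODULE from HR_CTX in every
--    audit record written for APP_USER sessions
AUDIT CONTEXT NAMESPACE hr_ctx ATTRIBUTES app_role, app_module BY app_user;

-- 4. Review: the captured attributes arrive in the APPLICATION_CONTEXTS column
--    alongside the standard fields, so a reviewer sees which application role
--    and module touched the salary data
SELECT event_timestamp, dbusername, action_name, object_schema, object_name,
       application_contexts, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%HR_SALARY_ACCESS_POL%'
ORDER  BY event_timestamp DESC;
```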

Integrity of audit

Unified Auditing offers a high degree of audit trail integrity with a tamper-resistant audit trail. The unified audit trail is stored in the AUDSYS schema, and no one is allowed to log in to that schema in the database. AUD$UNIFIED is a specialized table that allows only INSERT activity. Any attempt to directly truncate, delete, or update the contents of the AUD$UNIFIED table will fail and generate audit records. Audit data is managed using the built-in audit data management DBMS_AUDIT_MGMT package. Additionally, the audit tablespace can be encrypted with transparent data encryption (TDE). The unified audit table can also be protected with an Oracle Database Vault realm.

With the UNIFIED_AUDIT_SYSTEMLOG parameter set, certain key fields of the unified audit records are written to syslog while the complete audit record is written to UNIFIED_AUDIT_TRAIL. Syslog records cannot be changed by the Oracle Database or its users, so audit data in the unified audit trail can be verified with the audit fields from the syslog.
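The following is an added example, not from the Oracle documentation, covering the three integrity controls above: mirroring audit records to syslog, surfacing refused attempts to modify AUD$UNIFIED, and using DBMS_AUDIT_MGMT rather than direct DML for retention. The facility/priority value LOCAL1.WARNING, the 90-day retention window and the Linux/UNIX platform are assumptions; the OS syslog daemon is assumed to forward that facility to a write-once store.

```sql
-- Added example: audit trail integrity checks and housekeeping.
-- Assumes Linux/UNIX (syslog facility.priority form) and a user with AUDIT_ADMIN.

-- 1. Mirror key fields of every unified audit record to syslog.
--    Static parameter: SPFILE only, takes effect after the next restart.
ALTER SYSTEM SET unified_audit_systemlog = 'LOCAL1.WARNING' SCOPE = SPFILE;

-- 2. Direct DML/DDL against AUD$UNIFIED is refused and is itself always audited.
--    Surface any such attempt; a non-zero RETURN_CODE is the error the statement hit.
SELECT event_timestamp, dbusername, os_username, userhost,
       action_name, return_code, sql_text
FROM   unified_audit_trail
WHERE  object_schema = 'AUDSYS'
AND    object_name   = 'AUD$UNIFIED'
AND    action_name   IN ('DELETE', 'UPDATE', 'TRUNCATE TABLE', 'DROP TABLE')
ORDER  BY event_timestamp DESC;

-- 3. Retention goes through DBMS_AUDIT_MGMT: record the point up to which
--    records have been archived, then purge only records older than that.
--    (90 days is an assumed retention window.)
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    use_last_arch_timestamp => TRUE);
END;
/
```

Because the purge itself is an audit-management action, it is always audited, so the trail records who purged what and when.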

Consolidation

Unified Auditing combines multiple legacy audit trails into a single unified audit trail. Audit records are generated by a variety of audit sources including the following:

  • Audit system–related sources, such as standard audit records, including SYS audit records
  • Mandatory audit records
  • Security control–related sources, such as Oracle Database Vault, Oracle Label Security, and Oracle Real Application Security
  • Database operations–related sources, such as Oracle Recovery Manager, Oracle Data Pump, and Oracle SQL*Loader

With Unified Auditing, audit records from all audit sources are written to a consolidated audit trail, either an AUDSYS.AUD$UNIFIED table or OS files, and exposed through the UNIFIED_AUDIT_TRAIL view. The unified audit trail also normalizes the audit record format, using standardized column names and data types across all audit sources. The consolidated, normalized, and unified audit trail simplifies collection, analysis, and management of audit records generated by the different audit sources. Consistent formatting simplifies reporting and analysis of the audit data.
