1. What Oracle Database versions support Unified Auditing?
Unified Auditing has been available since the release of Oracle Database 12c.
2. How do I enable Unified Auditing in Oracle Database?
Unified Auditing is enabled by default for Oracle Database 12c and above.
3. Is Unified Auditing a licensable feature in Oracle Database?
Unified Auditing is included in all releases of Oracle Database starting with Oracle Database 12c.
4. Can traditional audit be used in Oracle Database 23ai?
Traditional auditing is no longer supported in Oracle Database 23ai. If you create a new Oracle Database 23ai, the traditional audit does not exist.
If you upgrade an older database to Database 23ai, the result depends on the database that’s upgraded. If the older database was already using Unified Auditing and no existing traditional audit settings remain, then the upgraded database will continue to use Unified Auditing.
But, if you upgrade a database that has traditional audit settings, the upgraded database will continue to apply those audit settings and capture them in the older-version audit trail until you disable those audit settings with a NOAUDIT command. You will not be able to create new traditional audit settings or modify the existing ones.
Oracle recommends that you plan your transition to Unified Auditing before you plan an upgrade to Database 23ai.
5. I am new to Unified Auditing. Where do I begin?
If you are new to Unified Auditing, start with the ready-to-use audit tools and features that cover most of the essential auditing needs. Here are a few tips.
6. How do I query Unified Auditing records?
You can query audit records using the UNIFIED_AUDIT_TRAIL view.
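As an added example (not from the original FAQ), the query below summarizes failed logons recorded in UNIFIED_AUDIT_TRAIL over the last 24 hours. It assumes an enabled audit policy captures failed logons and that the querying account holds AUDIT_VIEWER; the threshold of 5 is an arbitrary assumption.

```sql
-- Added example: repeated failed logons per account and client host.
-- Assumes failed LOGON events are being audited by an enabled policy.
SELECT dbusername,
       userhost,
       return_code,                          -- ORA- error number of the failure
       COUNT(*)             AS attempts,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   unified_audit_trail
WHERE  action_name = 'LOGON'
AND    return_code <> 0                      -- 0 means the action succeeded
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
GROUP  BY dbusername, userhost, return_code
HAVING COUNT(*) >= 5                         -- assumed alerting threshold
ORDER  BY attempts DESC;
```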
1. Does Unified Auditing impact database performance?
For typical use cases of auditing privileged users or auditing key database operations, the performance impact is so low that it cannot even be measured due to low audit volume spread throughout the week. You could begin to see a performance impact of 1% when the audit load increases to a couple of thousand audit records per minute. Most use cases will not have a performance impact beyond this, but for cases where organizations want to audit application usage, it is best to tune the audit policies.
Internal performance tests using a TPC-C mixed application workload show that you may see a CPU overhead of 2% to 5% when auditing beyond 6,000 audit records per minute. For extreme audit loads up to 36,000 audit records per minute, the additional overhead is still within a single digit.
1. Where is audit data stored in Unified Auditing?
Audit records are stored in a secured internal table AUD$UNIFIED in the AUDSYS schema. This table resides in the SYSAUX tablespace by default.
When it is not possible to write to the database, for example, when the database is not open and the tablespace is full, audit records are written to the OS as spillover bin files in the directory $ORACLE_BASE/audit/$ORACLE_SID. Audit records are accessed using the UNIFIED_AUDIT_TRAIL view, which internally fetches the audit records from the table AUDSYS.AUD$UNIFIED and the data in the spillover files.
2. How can I manage the size and retention of Unified Auditing data?
It is good practice to regularly archive and purge audit records using the DBMS_AUDIT_MGMT interface. The DBMS_AUDIT_MGMT package provides utilities to set the archive timestamp, purge the audit trail, and schedule a purge job.
Another good practice is to set the audit trail partition interval such that each partition has a manageable set of audit records.
3. Can I move the audit data to another tablespace?
It is good practice to move the audit data from the default SYSAUX tablespace to a different tablespace. The DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION procedure enables you to do so.
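The storage and retention practices from the last three answers, combined into one added example (not from the original FAQ). It assumes it is run by a user with AUDIT_ADMIN; the tablespace AUDIT_TBS, the 90-day retention, the daily partition interval and the job name are hypothetical choices.

```sql
-- Added example. AUDIT_TBS is a hypothetical tablespace that already exists.
BEGIN
  -- Store the unified audit trail outside SYSAUX
  -- (applies to partitions created after this call).
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_location_value => 'AUDIT_TBS');

  -- One partition per day keeps each partition to a manageable size.
  DBMS_AUDIT_MGMT.ALTER_PARTITION_INTERVAL(
    interval_number    => 1,
    interval_frequency => 'DAY');

  -- Mark records older than 90 days (assumed retention) as archived.
  -- The unified trail expects this timestamp in UTC.
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => SYS_EXTRACT_UTC(SYSTIMESTAMP) - INTERVAL '90' DAY);

  -- Purge every 24 hours, but only up to the archive timestamp,
  -- so unarchived records are never removed by the job.
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_purge_interval => 24,
    audit_trail_purge_name     => 'PURGE_UNIFIED_AUDIT',
    use_last_arch_timestamp    => TRUE);
END;
/

-- Confirm the archive timestamp and the scheduled job.
SELECT * FROM dba_audit_mgmt_last_arch_ts;

SELECT job_name, job_status, audit_trail, job_frequency
FROM   dba_audit_mgmt_cleanup_jobs;
```

Because the job purges only up to the last archive timestamp, that timestamp has to be advanced on a schedule (after records are archived) or the trail will keep growing.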
1. How do I transition from traditional audit to Unified Auditing?
Transition is simple in most cases. Follow the steps below:
1. What are the recommended best practices for configuring Unified Auditing policies?
Create effective audit policies that are selective and targeted to your needs by focusing audit configuration on three factors: privileged user activity, security-relevant events, and sensitive data access. For more details, read the Oracle Database Unified Audit: Best Practice Guidelines.
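One way to express the three factors as unified audit policies, as an added example that is not from the original FAQ or the Best Practice Guidelines. The policy names, the table HR.EMPLOYEES and the application account HR_APP are hypothetical.

```sql
-- Added example; hr.employees and HR_APP are hypothetical names.

-- 1. Security-relevant events: account, role, privilege and system changes.
CREATE AUDIT POLICY sec_events_pol
  ACTIONS CREATE USER, ALTER USER, DROP USER,
          CREATE ROLE, ALTER ROLE, DROP ROLE,
          GRANT, REVOKE,
          ALTER PROFILE, ALTER SYSTEM;

-- 2. Privileged user activity: every action, but only for named accounts.
CREATE AUDIT POLICY priv_user_pol
  ACTIONS ALL;

-- 3. Sensitive data access: audit the table, but skip the application's
--    own service account so routine application traffic does not flood
--    the trail.
CREATE AUDIT POLICY sens_data_pol
  ACTIONS SELECT ON hr.employees,
          INSERT ON hr.employees,
          UPDATE ON hr.employees,
          DELETE ON hr.employees
  WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') != ''HR_APP'''
  EVALUATE PER SESSION;

-- Policies do nothing until enabled.
AUDIT POLICY sec_events_pol;
AUDIT POLICY priv_user_pol BY sys, system;
AUDIT POLICY sens_data_pol;

-- Verify what is enabled and for which outcomes.
SELECT policy_name, success, failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name;
```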
2. Are there Oracle LiveLabs available for learning Unified Auditing?
Yes, this LiveLab will help you understand how to configure and use Unified Auditing within 30 minutes.
1. Is Unified Auditing data tamper resistant?
Unified Auditing offers a high degree of audit trail integrity by not allowing users to tamper with the audit trail. The audit trail is stored in the AUDSYS schema, and no one is allowed to log in to that schema in the database. AUD$UNIFIED is a specialized table that allows only INSERT activity. Any attempt to directly truncate, delete, or update the contents of the AUD$UNIFIED table will fail and generate audit records. Audit data is managed using the built-in audit data management package, DBMS_AUDIT_MGMT.
2. Can I prevent DBAs or privileged users from tampering with unified audit logs?
Unified audit data is securely stored and not modifiable. For separation of duties, it is recommended to grant the AUDIT_ADMIN and AUDIT_VIEWER roles to dedicated security personnel instead of DBAs. Use Oracle Database Vault for stronger enforcement of operational controls and access restrictions.
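The separation of duties described here, together with a check for the tamper attempts mentioned in the previous answer, as an added example that is not from the original FAQ. SEC_ADMIN and SEC_AUDITOR are hypothetical accounts belonging to the security team, and the query assumes tamper attempts are recorded with AUDSYS as the object schema.

```sql
-- Added example; sec_admin and sec_auditor are hypothetical accounts.
GRANT AUDIT_ADMIN  TO sec_admin;     -- manages policies and the audit trail
GRANT AUDIT_VIEWER TO sec_auditor;   -- read-only access to audit data

-- Review who else holds the audit roles (DBAs should not appear here).
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('AUDIT_ADMIN', 'AUDIT_VIEWER')
ORDER  BY granted_role, grantee;

-- Activity against the audit trail itself in the last 7 days:
-- direct statements on AUDSYS objects (assumed recording of object_schema)
-- and calls to the audit management package.
SELECT event_timestamp,
       dbusername,
       os_username,
       userhost,
       action_name,
       object_schema,
       object_name,
       return_code,                   -- non-zero: the attempt failed
       sql_text
FROM   unified_audit_trail
WHERE  event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
AND   (   object_schema = 'AUDSYS'
       OR (object_schema = 'SYS' AND object_name = 'DBMS_AUDIT_MGMT'))
ORDER  BY event_timestamp;
```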
3. Is the audit data encrypted?
While audit records in the database are not encrypted by default, you can use transparent data encryption on the tablespace storing audit data.
Use network encryption (SSL/TLS) to protect audit data in transit.