Unified Audit Trail In Oracle 12c

SQL> select AUDIT_OPTION from AUDIT_UNIFIED_POLICIES where POLICY_NAME=’ORA_SECURECONFIG’;

LOGMINING
TRANSLATE ANY SQL
EXEMPT REDACTION POLICY
PURGE DBA_RECYCLEBIN
ADMINISTER KEY MANAGEMENT
DROP ANY SQL TRANSLATION PROFILE
ALTER ANY SQL TRANSLATION PROFILE
CREATE ANY SQL TRANSLATION PROFILE
CREATE SQL TRANSLATION PROFILE
CREATE EXTERNAL JOB
CREATE ANY JOB
GRANT ANY OBJECT PRIVILEGE
EXEMPT ACCESS POLICY
CREATE ANY LIBRARY
GRANT ANY PRIVILEGE
DROP ANY PROCEDURE
ALTER ANY PROCEDURE
CREATE ANY PROCEDURE
ALTER DATABASE
GRANT ANY ROLE
DROP PUBLIC SYNONYM
CREATE PUBLIC SYNONYM
DROP ANY TABLE
ALTER ANY TABLE
CREATE ANY TABLE
DROP USER
CREATE USER
AUDIT SYSTEM
ALTER SYSTEM
CREATE DATABASE LINK
DROP DATABASE LINK
ALTER USER
CREATE ROLE
DROP ROLE
SET ROLE
CREATE PROFILE
DROP PROFILE
ALTER PROFILE
ALTER ROLE
CREATE DIRECTORY
DROP DIRECTORY
ALTER DATABASE LINK
CREATE PLUGGABLE DATABASE
ALTER PLUGGABLE DATABASE
DROP PLUGGABLE DATABASE
EXECUTE

Even if no new policy is created in database, Audit action of the above audit options will be recorded in unified_audit_trail.

Below are few test cases of unified audit policy :

TEST CASE 1 : ( default audit option):

DROP DIRECTORY , which is one of the audit option of the default policy ORA_SECURECONFIG.

Connect to bsstdba and drop a directory

SQL> show user
USER is “BSSTDBA”
SQL> drop directory TEST;
Directory dropped.

Check the audit report

set lines 299
col SQL_TEXT for a23
col action_name for a18
col UNIFIED_AUDIT_POLICIES for a23
SQL> select action_name,SQL_TEXT,UNIFIED_AUDIT_POLICIES ,EVENT_TIMESTAMP from unified_AUDIT_trail where DBUSERNAME=’BSSTDBA’ and EVENT_TIMESTAMP > sysdate -1/24;

ACTION_NAME SQL_TEXT UNIFIED_AUDIT_POLICIES EVENT_TIMESTAMP
—————— ———————– ———————– ——————————
LOGON ORA_LOGON_FAILURES 16-FEB-17 11.29.03.981436 PM
DROP DIRECTORY drop directory TEST2 ORA_SECURECONFIG 16-FEB-17 11.29.59.924533 PM

TEST CASE 2 : CREATE AUDIT POLICY WITH MULTIPLE AUDIT OPTIONS:

create audit policy test_case2
ACTIONS CREATE TABLE,
INSERT ON bsstdba.EMP_TAB,
TRUNCATE TABLE,
select on bsstdba.PROD_TAB;

set lines 299
col POLICY_NAME for a23
col AUDIT_OPTION for a12
col AUDIT_CONDITION for a12
col OBJECT_SCHEMA for a23
col OBJECT_NAME for a14
select POLICY_NAME,audit_option,AUDIT_CONDITION,OBJECT_SCHEMA,OBJECT_NAME FROM AUDIT_UNIFIED_POLICIES where POLICY_NAME=’TEST_CASE2′;

POLICY_NAME AUDIT_OPTION AUDIT_CONDITION OBJECT_SCHEMA OBJECT_NAME
———— ——————— —————— ————— ——————
TEST_CASE2 CREATE TABLE NONE NONE NONE
TEST_CASE2 TRUNCATE TABLE NONE NONE NONE
TEST_CASE2 INSERT NONE BSSTDBA EMP_TAB
TEST_CASE2 SELECT NONE BSSTDBA PROD_TAB

SQL> select distinct policy_name from AUDIT_UNIFIED_ENABLED_POLICIES where policy_name=’TEST_CASE2′;

no rows selected

Unless we enable the policy, auditing conditions wont be evaluated

SQL> audit policy TEST_CASE2;

Audit succeeded.

SQL> select distinct policy_name from AUDIT_UNIFIED_ENABLED_POLICIES where policy_name=’TEST_CASE2′;

POLICY_NAME
————
TEST_CASE2

Do some changes and generate audit report:

SQL> select action_name,SQL_TEXT,UNIFIED_AUDIT_POLICIES ,EVENT_TIMESTAMP from unified_AUDIT_trail where DBUSERNAME=’STCDBA’ and EVENT_TIMESTAMP > sysdate -1/24;

ACTION_NAME SQL_TEXT UNIFIED_AUDIT_POLICIES EVENT_TIMESTAMP
—————— ———————– ———————– ——————————–
CREATE TABLE create table EMP_NUM as TEST_CASE2 17-FEB-17 09.19.16.054209 AM
select * from bsstdba.
emp_tab

EXCLUDE ONE USER FROM THE POLICY:

SQL> select USER_NAME,POLICY_NAME,ENABLED_OPT from AUDIT_UNIFIED_ENABLED_POLICIES where POLICY_NAME=’TEST_CASE2′;

USER_NAME POLICY_NAME ENABLED_OPT
————- ———— ———————–
ALL USERS TEST_CASE2 BY

SQL> audit policy TEST_CASE2 except stcdba;
audit policy TEST_CASE2 except stcdba
*
ERROR at line 1:
ORA-46350: Audit policy TEST_CASE2 already applied with the BY clause.

SQL> noaudit policy TEST_CASE2;

Noaudit succeeded.

SQL> audit policy TEST_CASE2 except stcdba;

Audit succeeded.

SQL> select USER_NAME,POLICY_NAME,ENABLED_OPT from AUDIT_UNIFIED_ENABLED_POLICIES where POLICY_NAME=’TEST_CASE2′;

USER_NAME POLICY_NAME ENABLED_OPT
————- ———— ———————–
STCDBA TEST_CASE2 EXCEPT

Now create a table from stcdba.

SQL> SQL> connect stcdba
Enter password:
Connected.
SQL> create table TEST4 ( empnum number);

Table created.

SQL> conn / as sysdba
Connected.
SQL> select action_name,SQL_TEXT,UNIFIED_AUDIT_POLICIES ,EVENT_TIMESTAMP from unified_AUDIT_trail where DBUSERNAME=’STCDBA’ and EVENT_TIMESTAMP > sysdate -1/24;

ACTION_NAME SQL_TEXT UNIFIED_AUDIT_POLICIES EVENT_TIMESTAMP
—————— ———————– ———————– —————————————————————————
CREATE TABLE create table EMP_NUM as TEST_CASE2 17-FEB-17 09.19.16.054209 AM
select * from bsstdba.
emp_tab

We can see the new audit action ( CREATE TABLE TEST4 is not recorded in audit trail table) as expected.
We can mention success/failure condition similar to traditional auditing:

audit policy TEST_CASE2 whenever successful;
audit policy TEST_CASE2 Whenever not successful;

3. TEST_CASE 3 :

Create an audit policy, to audit delete on table bsstdba.EMP_TAB,insert on bsstdba.PROD_TAB and update on bsstdba.SAL_TAB TABLE BY user STCDBA.

This can be achieved by using the same method of test_case2, But here we will define the condition in the audit policy itself, instead of mentioning it while enabling audit.

SQL> create AUDIT POLICY test_case3
ACTIONS DELETE ON bsstdba.EMP_TAB,
INSERT ON bsstdba.PROD_TAB,
UPDATE ON bsstdba.SAL_TAB
WHEN ‘SYS_CONTEXT(”USERENV”, ”SESSION_USER”) = ”STCDBA”’
EVALUATE PER SESSION; 2 3 4 5 6

Audit policy created.

SQL> audit policy TEST_CASE3;

Audit succeeded.

SQL> select POLICY_NAME,audit_option,AUDIT_CONDITION,OBJECT_SCHEMA,OBJECT_NAME,CONDITION_EVAL_OPT FROM AUDIT_UNIFIED_POLICIES where POLICY_NAME=’TEST_CASE3′;

POLICY_NAME AUDIT_OPTION AUDIT_CONDITION OBJECT_SCHEMA OBJECT_NAME CONDITION
———— ——————— —————— ————— —————— ———
TEST_CASE3 UPDATE SYS_CONTEXT(‘USERE BSSTDBA SAL_TAB SESSION
NV’, ‘SESSION_USER
‘) = ‘STCDBA’

TEST_CASE3 DELETE SYS_CONTEXT(‘USERE BSSTDBA EMP_TAB SESSION
NV’, ‘SESSION_USER
‘) = ‘STCDBA’

TEST_CASE3 INSERT SYS_CONTEXT(‘USERE BSSTDBA PROD_TAB SESSION
NV’, ‘SESSION_USER
‘) = ‘STCDBA’

SQL> select USER_NAME,POLICY_NAME,ENABLED_OPT from AUDIT_UNIFIED_ENABLED_POLICIES where POLICY_NAME=’TEST_CASE3′;

USER_NAME POLICY_NAME ENABLED_OPT
————- ———— ———————–
ALL USERS TEST_CASE3 BY

TESTCASE_4:

Create an audit policy, to audit insert on bsstdba.PROD_TAB and update on bsstdba.SAL_TAB TABLE WHEN USER_NAME NOT IN (‘STCDBA’,’TCSDBA’)

SQL>
CREATE AUDIT POLICY test_case4
ACTIONS insert on bsstdba.PROD_TAB,
update on bsstdba.SAL_TAB
WHEN ‘sys_context(”userenv”,”SESSION_USER”) not in ( ”STCDBA”,”TCSDBA”)’
EVALUATE PER STATEMENT;SQL> 2 3 4 5

Audit policy created.

SQL> AUDIT POLICY test_case4;
Audit succeeded.

SQL> SQL> select POLICY_NAME,audit_option,AUDIT_CONDITION,OBJECT_SCHEMA,OBJECT_NAME,CONDITION_EVAL_OPT FROM AUDIT_UNIFIED_POLICIES where POLICY_NAME=’TEST_CASE4′;

POLICY_NAME AUDIT_OPTION AUDIT_CONDITION OBJECT_SCHEMA OBJECT_NAME CONDITION
———— ——————— —————— ————— —————— ———
TEST_CASE4 UPDATE sys_context(‘usere BSSTDBA SAL_TAB STATEMENT
nv’,’SESSION_USER’
) not in ( ‘STCDBA
‘,’TCSDBA’)

TEST_CASE4 INSERT sys_context(‘usere BSSTDBA PROD_TAB STATEMENT
nv’,’SESSION_USER’
) not in ( ‘STCDBA
‘,’TCSDBA’)

SQL> connect stcdba
Enter password:
Connected.
SQL> insert into BSSTDBA.PROD_TAB select * from BSSTDBA.PROD_TAB;

4 rows created.

SQL> SQL> commit;

Commit complete.

SQL> select action_name,SQL_TEXT,UNIFIED_AUDIT_POLICIES ,EVENT_TIMESTAMP from unified_AUDIT_trail where UNIFIED_AUDIT_POLICIES=’TEST_CASE4′;

no rows selected

No audit record found for stcdba as expected.

TEST_CASE 5 ( AUDITING ROLE)

It will audit all users using a particular ROLE

Create an user with dba privs

CREATE USER TCSDBA IDENTIFIED BY TCSDBA;
GRANT DBA TO TCSDBA;

Enable audit for the role DBA

CREATE AUDIT POLICY ROLE_AUDIT roles dba;
audit policy ROLE_AUDIT;

Enable audit for the role DBA

CREATE AUDIT POLICY ROLE_AUDIT roles dba;
audit policy ROLE_AUDIT;

Do any dba activity and check report

TEST_CASE7 ( AUDITING FOR SYSTEM PRIVILEGES):

We can enable auditing for system privileges as below.