Auditing Enhancements (Audit Policies and Unified Audit Trail) in Oracle Database 12c Release 1 (12.1)
The introduction of audit policies and the unified audit trail simplifies the configuration of database auditing in Oracle 12c. Database auditing has always been extremely flexible, but that flexibility has also served to make it feel complicated. The new auditing functionality can also be used to create very complicated auditing policies, but I don‘t think is how most people will want to approach it, so instead this article will focus on simple examples. Once you‘ve got to grips with the basics you can become a bit more adventurous.
Related articles.
- Audit Data Pump Operations
- Audit Data Pump Commands
- Audit SQL*Loader Direct Path Loads
- Auditing in Oracle 10g Release 2
- Fine Grained Auditing (9i)
- Fine Grained Auditing Enhancements (10g)
- Uniform Audit Trail (10g)
- Audit Trail Contents (10g)
- Auditing Enhancements (DBMS_AUDIT_MGMT) in Oracle Database 11g Release 2
Creating Audit Policies
Just like standard auditing that came before it, unified auditing can be used to create extremely complex auditing rules. The documentation for managing audit policies is very good, so rather than trying to duplicate that, I will just show some simple examples to give a flavour of the functionality.
An audit policy is made up of several distinct clauses, some of which are optional.
CREATE AUDIT POLICY policy_name { {privilege_audit_clause [action_audit_clause ] [role_audit_clause ]} | { action_audit_clause [role_audit_clause ] } | { role_audit_clause } } [WHEN audit_condition EVALUATE PER {STATEMENT|SESSION|INSTANCE}] [CONTAINER = {CURRENT | ALL}];
Examples of the usages are given in the sections below, but here is a quick summary of them.
privilege_audit_clause
: Used to specify a list of system privileges to be audited.action_audit_clause
: Defines the actions that need to be audited. These can bestandard_actions
, likeDELETE
, or object-specific, likeDELETE ON schema.table
. They can also becomponent_actions
that target specific features like data pump or SQL*Loader.role_audit_clause
: Specifies a list of roles. All system privileges granted via those roles are audited.WHEN ... EVALUATE PER
: Allows you to define anaudit_condition
to determine when the auditing should take place. The condition can be evaluated for eachSTATEMENT
,SESSION
orINSTANCE
, depending on the level of granularity the condition requires.CONTAINER
: Determines if an audit policy is specific to an individual PDB (CURRENT
) or common to all PDBs (ALL
).
This might sound a little confusing, but if you‘ve ever used database auditing in previous releases, it will quickly look quite familiar. The main thing to remember is rather than issuing the AUDIT/NOAUDIT
commands directly, you create an audit policy containing the relevant pieces, then enable and disable it using the AUDIT/NOAUDIT
commands.
Some of the following examples require these three test users.
CONN sys@pdb1 AS SYSDBA CREATE USER test IDENTIFIED BY test QUOTA UNLIMITED ON users; GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE TO test; CREATE USER test2 IDENTIFIED BY test2 QUOTA UNLIMITED ON users; GRANT CREATE SESSION TO test2; CREATE USER test3 IDENTIFIED BY test3 QUOTA UNLIMITED ON users; GRANT CREATE SESSION TO test3;
Privilege Auditing
As the name suggests, privilege auditing allows you to audit the use of system privileges. The SYSTEM_PRIVILEGE_MAP
view identifies the system privileges that can be audited.
SELECT name FROM system_privilege_map ORDER BY name; NAME ---------------------------------------- ADMINISTER ANY SQL TUNING SET ADMINISTER DATABASE TRIGGER . . . UPDATE ANY TABLE USE ANY SQL TRANSLATION PROFILE 237 rows selected. SQL>
If we want to audit the creation of tables and sequences by the TEST
user, we might do something like the following.
CONN sys@pdb1 AS SYSDBA CREATE AUDIT POLICY test_audit_policy PRIVILEGES CREATE TABLE, CREATE SEQUENCE WHEN ‘SYS_CONTEXT(‘‘USERENV‘‘, ‘‘SESSION_USER‘‘) = ‘‘TEST‘‘‘ EVALUATE PER SESSION CONTAINER = CURRENT; AUDIT POLICY test_audit_policy;
Display the configuration of the policy.
SET LINESIZE 200 COLUMN audit_option FORMAT A15 COLUMN condition_eval_opt FORMAT A10 COLUMN audit_condition FORMAT A50 SELECT audit_option, condition_eval_opt, audit_condition FROM audit_unified_policies WHERE policy_name = ‘TEST_AUDIT_POLICY‘; AUDIT_OPTION CONDITION_ AUDIT_CONDITION --------------- ---------- -------------------------------------------------- CREATE SEQUENCE SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST‘ CREATE TABLE SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST‘ SQL>
Connect to the TEST
user and create some objects.
CONN test/test@pdb1 CREATE TABLE tab1 (id NUMBER); CREATE SEQUENCE tab1_seq;
Check the audit trail. If you are in delayed-write mode, you may need to flush the audit trail before you can see the audit records.
CONN sys@pdb1 AS SYSDBA -- You might need to flush the audit information before it is visible. -- EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail; COLUMN event_timestamp FORMAT A30 COLUMN dbusername FORMAT A10 COLUMN action_name FORMAT A20 COLUMN object_schema FORMAT A10 COLUMN object_name FORMAT A20 SELECT event_timestamp, dbusername, action_name, object_schema, object_name FROM unified_audit_trail WHERE dbusername = ‘TEST‘ ORDER BY event_timestamp; EVENT_TIMESTAMP DBUSERNAME ACTION_NAME OBJECT_SCH OBJECT_NAME ------------------------------ ---------- -------------------- ---------- -------------------- 27-JUN-2015 10:25:37.359596 TEST CREATE TABLE TEST TAB1 27-JUN-2015 10:25:37.363989 TEST CREATE SEQUENCE TEST TAB1_SEQ SQL>
Disable the policy and drop it.
NOAUDIT POLICY test_audit_policy; DROP AUDIT POLICY test_audit_policy;
Action Auditing
Actions against all objects, specific objects or even those actions performed by specific utilities can be audited quite easily in Oracle 12c.
Create some schema objects to audit and grant access to them to the second user.
CONN test/test@pdb1 DROP TABLE tab1 PURGE; DROP SEQUENCE tab1_seq; DROP TABLE tab2 PURGE; DROP SEQUENCE tab2_seq; CREATE TABLE tab1 ( id NUMBER, CONSTRAINT tab1_pk PRIMARY KEY (id) ); CREATE SEQUENCE tab1_seq; CREATE TABLE tab2 ( id NUMBER, CONSTRAINT tab2_pk PRIMARY KEY (id) ); CREATE SEQUENCE tab2_seq; GRANT SELECT, INSERT, UPDATE, DELETE ON tab1 TO test2; GRANT SELECT ON tab1_seq TO test2; GRANT SELECT, INSERT, UPDATE, DELETE ON tab2 TO test2; GRANT SELECT ON tab2_seq TO test2;
Create and enable an audit policy that audits some actions against those objects, when performed by the TEST2
user.
CONN sys@pdb1 AS SYSDBA CREATE AUDIT POLICY test_audit_policy ACTIONS DELETE ON test.tab1, INSERT ON test.tab1, UPDATE ON test.tab1, SELECT ON test.tab1_seq, ALL ON test.tab2, SELECT ON test.tab2_seq WHEN ‘SYS_CONTEXT(‘‘USERENV‘‘, ‘‘SESSION_USER‘‘) = ‘‘TEST2‘‘‘ EVALUATE PER SESSION CONTAINER = CURRENT; AUDIT POLICY test_audit_policy;
Display the configuration of the policy.
SET LINESIZE 200 COLUMN object_schema FORMAT A15 COLUMN object_name FORMAT A15 COLUMN object_type FORMAT A12 COLUMN audit_option FORMAT A15 COLUMN condition_eval_opt FORMAT A10 COLUMN audit_condition FORMAT A50 SELECT object_schema, object_name, object_type, audit_option, condition_eval_opt, audit_condition FROM audit_unified_policies WHERE policy_name = ‘TEST_AUDIT_POLICY‘; OBJECT_SCHEMA OBJECT_NAME OBJECT_TYPE AUDIT_OPTION CONDITION_ AUDIT_CONDITION --------------- --------------- ------------ --------------- ---------- -------------------------------------------------- TEST TAB1 TABLE DELETE SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘ TEST TAB1 TABLE INSERT SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘ TEST TAB1 TABLE UPDATE SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘ TEST TAB1_SEQ SEQUENCE SELECT SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘ TEST TAB2 TABLE ALL SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘ TEST TAB2_SEQ SEQUENCE SELECT SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘ SQL>
Perform some actions that won‘t match the policy condition.
CONN test/test@pdb1 INSERT INTO tab1 (id) VALUES (tab1_seq.NEXTVAL); INSERT INTO tab2 (id) VALUES (tab2_seq.NEXTVAL); COMMIT;
Perform some actions that will match the policy condition.
CONN test2/test2@pdb1 UPDATE test.tab1 SET id = test.tab1_seq.NEXTVAL; UPDATE test.tab2 SET id = test.tab2_seq.NEXTVAL; DELETE FROM test.tab1; DELETE FROM test.tab2; COMMIT;
Check the audit trail. If you are in delayed-write mode, you may need to flush the audit trail before you can see the audit records.
CONN sys@pdb1 AS SYSDBA -- You might need to flush the audit information before it is visible. -- EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail; COLUMN event_timestamp FORMAT A30 COLUMN dbusername FORMAT A10 COLUMN action_name FORMAT A20 COLUMN object_schema FORMAT A10 COLUMN object_name FORMAT A20 SELECT event_timestamp, dbusername, action_name, object_schema, object_name FROM unified_audit_trail WHERE dbusername LIKE ‘TEST%‘ ORDER BY event_timestamp; EVENT_TIMESTAMP DBUSERNAME ACTION_NAME OBJECT_SCH OBJECT_NAME ------------------------------ ---------- -------------------- ---------- -------------------- 27-JUN-2015 10:41:40.070965 TEST2 SELECT TEST TAB1_SEQ 27-JUN-2015 10:41:40.071033 TEST2 UPDATE TEST TAB1 27-JUN-2015 10:41:40.073326 TEST2 SELECT TEST TAB2_SEQ 27-JUN-2015 10:41:40.073347 TEST2 UPDATE TEST TAB2 27-JUN-2015 10:41:40.074657 TEST2 DELETE TEST TAB1 27-JUN-2015 10:41:40.076132 TEST2 DELETE TEST TAB2 SQL>
Amend the audit policy and check the changes have been reflected in the configuration.
ALTER AUDIT POLICY test_audit_policy DROP ACTIONS ALL ON test.tab2, SELECT ON test.tab2_seq; SET LINESIZE 200 COLUMN object_schema FORMAT A15 COLUMN object_name FORMAT A15 COLUMN object_type FORMAT A12 COLUMN audit_option FORMAT A15 COLUMN condition_eval_opt FORMAT A10 COLUMN audit_condition FORMAT A50 SELECT object_schema, object_name, object_type, audit_option, condition_eval_opt, audit_condition FROM audit_unified_policies WHERE policy_name = ‘TEST_AUDIT_POLICY‘; OBJECT_SCHEMA OBJECT_NAME OBJECT_TYPE AUDIT_OPTION CONDITION_ AUDIT_CONDITION --------------- --------------- ------------ --------------- ---------- -------------------------------------------------- TEST TAB1 TABLE DELETE SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘ TEST TAB1 TABLE INSERT SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘ TEST TAB1 TABLE UPDATE SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘ TEST TAB1_SEQ SEQUENCE SELECT SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST2‘ SQL>
Disable and drop the audit policy, then check the changes have been reflected in the configuration.
NOAUDIT POLICY test_audit_policy; DROP AUDIT POLICY test_audit_policy; SET LINESIZE 200 COLUMN object_schema FORMAT A15 COLUMN object_name FORMAT A15 COLUMN object_type FORMAT A12 COLUMN audit_option FORMAT A15 COLUMN condition_eval_opt FORMAT A10 COLUMN audit_condition FORMAT A50 SELECT object_schema, object_name, object_type, audit_option, condition_eval_opt, audit_condition FROM audit_unified_policies WHERE policy_name = ‘TEST_AUDIT_POLICY‘; no rows selected SQL>
In the above examples the audit policies were object specific. We could have omitted the ON object-name
part of the action to make it apply to all objects. If we wanted to audit all DML and queries issued by the TEST2
user, we might create a policy like the following.
CREATE AUDIT POLICY test_audit_policy ACTIONS DELETE, INSERT, UPDATE, SELECT WHEN ‘SYS_CONTEXT(‘‘USERENV‘‘, ‘‘SESSION_USER‘‘) = ‘‘TEST2‘‘‘ EVALUATE PER SESSION CONTAINER = CURRENT; --DROP AUDIT POLICY test_audit_policy;
Component Action Auditing
Rather than auditing actions on specific objects, you can instead audit actions relevant to specific functionality or utilities, such as Oracle Label Security (OLS), Real Application Security, Database Vault, Data Pump or SQL*Loader. There are two examples of component_action
auditing linked below.
Role Auditing
It is possible to audit all system privileges granted via a built-in or custom role using an audit policy.
Create a new role, then grant privileges on the TEST objects via the new role.
CONN sys@pdb1 AS SYSDBA CREATE ROLE create_table_role; GRANT CREATE TABLE TO create_table_role; GRANT create_table_role TO test3;
Create an audit policy based on all the system privileges associated with the role. Enable the auditing policy and check the configuration.
CREATE AUDIT POLICY create_table_role_policy ROLES create_table_role WHEN ‘SYS_CONTEXT(‘‘USERENV‘‘, ‘‘SESSION_USER‘‘) = ‘‘TEST3‘‘‘ EVALUATE PER SESSION CONTAINER = CURRENT; AUDIT POLICY create_table_role_policy; SET LINESIZE 200 COLUMN audit_option FORMAT A20 COLUMN condition_eval_opt FORMAT A10 COLUMN audit_condition FORMAT A50 SELECT audit_option, audit_option_type, condition_eval_opt, audit_condition FROM audit_unified_policies WHERE policy_name = ‘CREATE_TABLE_ROLE_POLICY‘; AUDIT_OPTION AUDIT_OPTION_TYPE CONDITION_ AUDIT_CONDITION -------------------- ------------------ ---------- -------------------------------------------------- CREATE_TABLE_ROLE ROLE PRIVILEGE SESSION SYS_CONTEXT(‘USERENV‘, ‘SESSION_USER‘) = ‘TEST3‘ SQL>
Perform some actions that will match the policy condition.
CONN test3/test3@pdb1 CREATE TABLE tab1 (id NUMBER);
Check the audit trail. If you are in delayed-write mode, you may need to flush the audit trail before you can see the audit records.
CONN sys@pdb1 AS SYSDBA -- You might need to flush the audit information before it is visible. -- EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail; COLUMN event_timestamp FORMAT A30 COLUMN dbusername FORMAT A10 COLUMN action_name FORMAT A20 COLUMN object_schema FORMAT A10 COLUMN object_name FORMAT A20 SELECT event_timestamp, dbusername, action_name, object_schema, object_name FROM unified_audit_trail WHERE dbusername = ‘TEST3‘ ORDER BY event_timestamp; EVENT_TIMESTAMP DBUSERNAME ACTION_NAME OBJECT_SCH OBJECT_NAME ------------------------------ ---------- -------------------- ---------- -------------------- 27-JUN-2015 10:48:40.744492 TEST3 CREATE TABLE TEST3 TAB1 SQL>
Disable and drop the policy.
NOAUDIT POLICY create_table_role_policy; DROP AUDIT POLICY create_table_role_policy;
Unified Audit Trail Administration
Administration of the unified audit trail can seem a little complicated at first, but there are a few things to keep in mind.
- Unified auditing works by default, so you don‘t need to do anything to get started.
- The default settings are OK. You will probably only have to focus on your specific audit policies.
- Setting up an archival and purging process will need some thought, but you will probably only do this once in the lifetime of your database, so don‘t get scared off by this aspect of auditing.
With that said, the remaining parts of this article will explain how to perform some of the basic administration tasks.
Available By Default
The unified audit trail and audit policy functionality is available by default in all editions, but it can run in two modes. By default it runs in mixed mode, which means you can combine traditional auditing with unified auditing. The following query shows that "pure" unified auditing is not enabled, which means we are running in mixed mode.
SELECT value FROM v$option WHERE parameter = ‘Unified Auditing‘; VALUE ---------------------------------------------------------------- FALSE SQL>
All the functionality of unified auditing is still available, but you may still need to consider the AUDIT_TRAIL
parameter, as it still controls how the traditional auditing is performed.
Enable/Disable Pure Unified Auditing
Running in mixed mode is perfectly acceptable, but you can choose to switch to pure unified auditing, so the traditional auditing functionality is no longer available. This is done by relinking the Oracle binaries as follows.
sqlplus / as sysdba <<EOF SHUTDOWN IMMEDIATE; EXIT EOF cd $ORACLE_HOME/rdbms/lib make -f ins_rdbms.mk uniaud_on ioracle sqlplus / as sysdba <<EOF STARTUP; EXIT EOF
After restarting, the banner will include the "Unified Auditing" option and we can see the unified auditing option is enabled.
$ sqlplus / as sysdba SQL*Plus: Release 12.1.0.2.0 Production on Mon Jun 1 11:35:52 2015 Copyright (c) 1982, 2014, Oracle. All rights reserved. Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, OLAP, Advanced Analytics, Real Application Testing and Unified Auditing options SQL> SELECT value FROM v$option WHERE parameter = ‘Unified Auditing‘; VALUE ---------------------------------------------------------------- TRUE SQL>
Switching back to mixed mode involves a relink again.
sqlplus / as sysdba <<EOF SHUTDOWN IMMEDIATE; EXIT EOF cd $ORACLE_HOME/rdbms/lib make -f ins_rdbms.mk uniaud_off ioracle sqlplus / as sysdba <<EOF STARTUP; EXIT EOF
After restarting, the banner no longer includes the "Unified Auditing" option and we can see the unified auditing option is disabled.
$ sqlplus / as sysdba SQL*Plus: Release 12.1.0.2.0 Production on Mon Jun 1 11:35:52 2015 Copyright (c) 1982, 2014, Oracle. All rights reserved. Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options SQL> SELECT value FROM v$option WHERE parameter = ‘Unified Auditing‘; VALUE ---------------------------------------------------------------- FALSE SQL>
For Windows, the documentation suggests it is just a case of turning the services off and moving the relevant DLL. I‘ve not tried this, so I can‘t guarantee it works.
Rem Enable %ORACLE_HOME%/bin/orauniaud12.dll.dbl file to %ORACLE_HOME%/bin/orauniaud12.dll Rem Disable %ORACLE_HOME%/bin/orauniaud12.dll file to %ORACLE_HOME%/bin/orauniaud12.dll.dbl
Audit Trail Security
Maintenance of the audit trail and audit policies is limited to those users granted the AUDIT_ADMIN
role.
The AUDIT_VIEWER
role can be granted to users who need to view the audit information, but not manage the audit trail or audit policies.
Under unified auditing, users are no longer able to create auditing policies against their own objects. For backwards compatibility, this is still possible for traditional auditing. This is possibly a reason to move away from mixed-mode auditing.
Write Mode
For performance reasons unified auditing uses a queued-write mechanism, so audited actions are written to the SGA and periodically pushed out to disk. This can result in loss of audit records during an instance crash, since the records may not be pushed out to disk before the instance fails. If this represents a problem, the write mode can be altered to immediate-write, so the audit actions are pushed directly to disk, but this will result in auditing having a greater overhead. The following code shows how to switch between these two modes. In a multitenant environment, these setting are container-specific.
-- Switch to immediate-write. BEGIN DBMS_AUDIT_MGMT.set_audit_trail_property( audit_trail_type => DBMS_AUDIT_MGMT.audit_trail_unified, audit_trail_property => DBMS_AUDIT_MGMT.audit_trail_write_mode, audit_trail_property_value => DBMS_AUDIT_MGMT.audit_trail_immediate_write ); END; / -- Switched to queued-write. BEGIN DBMS_AUDIT_MGMT.set_audit_trail_property( audit_trail_type => DBMS_AUDIT_MGMT.audit_trail_unified, audit_trail_property => DBMS_AUDIT_MGMT.audit_trail_write_mode, audit_trail_property_value => DBMS_AUDIT_MGMT.audit_trail_queued_write ); END; /
The size of the queue in the SGA is controlled by the UNIFIED_AUDIT_SGA_QUEUE_SIZE
initialization parameter, which can be set to values between 1-30MB, with the default being 1MB. Each RAC instance can have a different value.
As a consequence of running in queued-write mode, in some cases, especially while testing or before maintenance, it may be necessary to flush audit records to the audit trail. This can be done using the FLUSH_UNIFIED_AUDIT_TRAIL
procedure. It accepts the FLUSH_TYPE
and CONTAINER
parameters, which allow the following variations.
-- Flush records to audit trail for the current container in the current instance. EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail; EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail(flush_type => DBMS_AUDIT_MGMT.flush_current_instance); EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail(container => DBMS_AUDIT_MGMT.container_current); BEGIN DBMS_AUDIT_MGMT.flush_unified_audit_trail( flush_type => DBMS_AUDIT_MGMT.flush_current_instance, container => DBMS_AUDIT_MGMT.container_current); END; / -- Flush records to audit trail for all containers in the current instance. -- Must be run from root container. EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail(container => DBMS_AUDIT_MGMT.container_all); BEGIN DBMS_AUDIT_MGMT.flush_unified_audit_trail( flush_type => DBMS_AUDIT_MGMT.flush_current_instance, container => DBMS_AUDIT_MGMT.container_all); END; / -- Flush records to audit trail for the all RAC instances. Current Container. EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail(flush_type => DBMS_AUDIT_MGMT.flush_all_instances); BEGIN DBMS_AUDIT_MGMT.flush_unified_audit_trail( flush_type => DBMS_AUDIT_MGMT.flush_all_instances, container => DBMS_AUDIT_MGMT.container_current); END; / -- Flush records to audit trail for the all RAC instances. All Containers. -- Must be run from root container. BEGIN DBMS_AUDIT_MGMT.flush_unified_audit_trail( flush_type => DBMS_AUDIT_MGMT.flush_all_instances, container => DBMS_AUDIT_MGMT.container_all); END; /
Purging the Unified Audit Trail
Oracle 11g Release 2 introduced the DBMS_AUDIT_MGMT
package to manage the audit trail. Oracle 12c uses the same functionality to archive and purge the unified audit trail, described here, with the addition of constants to identify the unified audit trail. For mixed mode auditing environments, remember to manage both the conventional audit trails as well as the unified audit trail.
The following example shows how to set the last archived time for the unified audit trail and manually purge audit records older than that time. Remember to archive records before purging them if you need to store them long term.
-- Set the last archive timestamp. BEGIN DBMS_AUDIT_MGMT.set_last_archive_timestamp( audit_trail_type => DBMS_AUDIT_MGMT.audit_trail_unified, last_archive_time => SYSTIMESTAMP-5, --rac_instance_number => 1, container => DBMS_AUDIT_MGMT.container_current ); END; / -- Check the new setting. COLUMN audit_trail FORMAT A20 COLUMN last_archive_ts FORMAT A40 SELECT audit_trail, last_archive_ts FROM dba_audit_mgmt_last_arch_ts; AUDIT_TRAIL LAST_ARCHIVE_TS -------------------- ---------------------------------------- UNIFIED AUDIT TRAIL 10-JUN-15 13.48.14.000000 +00:00 SQL> -- Manually purge the audit trail to the last archive timestamp. SELECT COUNT(*) FROM unified_audit_trail; COUNT(*) ---------- 49 SQL> BEGIN DBMS_AUDIT_MGMT.clean_audit_trail( audit_trail_type => DBMS_AUDIT_MGMT.audit_trail_unified, use_last_arch_timestamp => TRUE); END; / SELECT COUNT(*) FROM unified_audit_trail; COUNT(*) ---------- 4 SQL>
You can automate purging by creating a purge job, as described here.
Updates in 12.2
One of the main criticisms of the unified audit trail in 12.1 was the performance. In 12.2 the unified audit trail now resides in a conventional table called AUDSYS.AUD$UNIFIED
. When you upgrade a database you can choose to migrate the existing audit information to this table using the TRANSFER_UNIFIED_AUDIT_RECORDS
in the DBMS_AUDIT_MGMT
, which should give better performance.
For more information see:
- Introduction to Auditing
- Configuring Audit Policies
- Administering the Audit Trail
- CREATE AUDIT POLICY
- DBMS_AUDIT_MGMT
- Audit Data Pump Operations
- Audit Data Pump Commands
- Audit SQL*Loader Direct Path Loads
- Auditing in Oracle 10g Release 2
- Fine Grained Auditing (9i)
- Fine Grained Auditing Enhancements (10g)
- Uniform Audit Trail (10g)
- Audit Trail Contents (10g)
- Auditing Enhancements (DBMS_AUDIT_MGMT) in Oracle Database 11g Release 2