Skip to Main Content

Database Software

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Unified Auditing - ORA_SECURECONFIG

carajandbJan 26 2015 — edited Feb 28 2015

Hi

I'm struggling with the default setting for unified auditing in Oracle 12c (12.1.0.2):

I didn't change anything so the following setting is active:

- AUDIT_TRAIL=DB (I know that this is useless)

- Parameter 'Unified Auditing' = FALSE in v$option

No changes to ORA_SECURECONFIG!

I did the following test:

1. create user

2. alter user (change password)

3. drop user

If I'm logged in with SYSTEM, everything is audited as expected

but if I'm logged in with SYS only the ALTER USER Is being audited.

Here's the layout:

SQL> SELECT policy_name, audit_option, audit_option_type FROM audit_unified_policies

  2  WHERE policy_name IN ('ORA_SECURECONFIG')

  3  AND audit_option LIKE '%USER%'

  4* ORDER BY AUDIT_OPTION_type


POLICY_NAME          AUDIT_OPTION    AUDIT_OPTION_TYPE

-------------------- --------------- --------------------

ORA_SECURECONFIG     ALTER USER      STANDARD ACTION

ORA_SECURECONFIG     DROP USER       SYSTEM PRIVILEGE

ORA_SECURECONFIG     CREATE USER     SYSTEM PRIVILEGE

SQL> SELECT * FROM audit_unified_enabled_policies

USER_NAME            POLICY_NAME          ENABLED_ SUC FAI

-------------------- -------------------- -------- --- ---

ALL USERS            ORA_SECURECONFIG     BY       YES YES

ALL USERS            ORA_LOGON_FAILURES   BY       NO  YES

SQL> SELECT audit_type,dbusername, action_name,sql_text

  2  FROM unified_audit_trail

  3  WHERE event_timestamp > sysdate - 1/24

  4* ORDER BY event_timestamp desc

AUDIT_TYPE      DBUSERNAME                     ACTION_NAME     SQL_TEXT

--------------- ------------------------------ --------------- --------------------------------------------------

Standard        SYS                            ALTER USER      ALTER USER johannes IDENTIFIED BY *

Standard        SYSTEM                         DROP USER       DROP USER JOHANNES

Standard        SYSTEM                         ALTER USER      ALTER USER johannes IDENTIFIED BY *

Standard        SYSTEM                         CREATE USER     CREATE USER johannes IDENTIFIED BY *

Any idea why some commands are audited while others are not?

Comments
Locked Post
New comments cannot be posted to this locked post.
Post Details
Locked on Mar 28 2015
Added on Jan 26 2015
1 comment
2,597 views