Oracle Database Auditing

Auditing is always about accountability, and is frequently done to protect and preserve privacy for the information stored in databases. Concern about privacy policies and practices has been rising steadily with the ubiquitous use of databases in businesses and on the Internet. Oracle Database provides a depth of auditing that readily enables system administrators to implement enhanced protections, early detection of suspicious activities, and finely-tuned security responses.

Unified Auditing
(Recommended for Oracle Database 12.2 or higher)

 

Unified Auditing enables selective and effective auditing inside the Oracle database using policies and conditions. The policy based syntax simplifies management of auditing within the database and provides the ability to accelerate auditing based on conditions. For example, audit policies can be configured to audit based on specific IP addresses, programs, time periods, or connection types such as proxy authentication. In addition, specific schemas can be easily exempted from auditing when the audit policy is enabled.

For management of policies and viewing of audit data, the AUDIT_ADMIN and AUDIT_VIEWER roles provide separation of duties. The architecture unifies the existing audit trails into a single audit trail, simplifying management and increasing the security of audit data generated by the database. Audit data can only be managed using the built-in audit data management package within the database; it cannot be directly updated or removed using SQL commands. Several predefined unified audit policies that cover common security-relevant audit settings ship with Oracle Database. If you are using Oracle Data Safe or Oracle Audit Vault and Database Firewall (AVDF) to monitor database activity, you can provision many of the recommended audit configurations in addition to the predefined policies of Oracle Database.
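The following added example (not taken from Oracle's page) shows a conditional unified audit policy, a schema exemption, read-only access for a reviewer, and purging through the audit management package. The policy, table, user names, IP address and 90-day retention are hypothetical values chosen for illustration.

```sql
-- Hypothetical names: policy HR_SENSITIVE_ACCESS, table HR.EMPLOYEES,
-- users BATCH_SVC and SEC_ANALYST; 192.0.2.10 is a constructed app-server IP.

-- Audit access to a sensitive table only when the session does not come from
-- the known application server, or when it is a proxy-authenticated session.
-- IP_ADDRESS is NULL for local (non-network) connections, so that case is
-- tested explicitly; a bare != comparison would silently skip it.
CREATE AUDIT POLICY hr_sensitive_access
  ACTIONS SELECT ON hr.employees,
          UPDATE ON hr.employees,
          DELETE ON hr.employees
  WHEN 'SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'') IS NULL
        OR SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'') != ''192.0.2.10''
        OR SYS_CONTEXT(''USERENV'', ''PROXY_USER'') IS NOT NULL'
  EVALUATE PER SESSION;

-- Enable the policy for everyone except one exempted schema.
AUDIT POLICY hr_sensitive_access EXCEPT batch_svc;

-- Confirm what is enabled and for whom.
SELECT policy_name, enabled_option, entity_name
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'HR_SENSITIVE_ACCESS';

-- Separation of duties: the reviewer can read audit data, not manage policies.
GRANT AUDIT_VIEWER TO sec_analyst;

-- Review the records the policy produced.
SELECT event_timestamp, dbusername, dbproxy_username, userhost,
       client_program_name, action_name, object_schema, object_name
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%HR_SENSITIVE_ACCESS%'
ORDER  BY event_timestamp DESC;

-- Audit records are purged through DBMS_AUDIT_MGMT, not with DELETE.
-- The 90-day cutoff is an assumed retention period.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    use_last_arch_timestamp => TRUE);
END;
/
```

Creating and enabling the policy requires the AUDIT_ADMIN role; scoping the condition this narrowly keeps the record volume targeted rather than auditing every access to the table.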

Internal performance tests using a TPC-C mixed application workload indicate negligible performance impact with unified audit. You may see a CPU overhead in the mid-single digits when auditing up to 360,000 audit records/hour. For extreme audit loads up to 1,800,000 audit records/hour, the additional overhead is still in the single digits. Because auditing is a transactional activity with typical ACID properties to guarantee a record of database activities, we recommend that you fine-tune your audit policies to collect audit data that is targeted to your needs. Collecting unnecessary audit information impacts database performance, increases storage costs, and may make it more difficult to spot malicious database activity. Refer to the technical report for best practices involved in fine-tuning the unified audit policies.
 

Unified Auditing is the strategic Oracle Database audit framework and should be used to audit activity in Oracle Database 12.2 or greater. For best performance results, turn ON Pure Unified Auditing after migrating your existing scripts to use unified auditing.
 

Traditional Auditing
(For Oracle Database version 12.1 or lower)

Traditional Audit is the legacy Oracle Database audit framework and should only be used for Oracle Databases 12.1 and lower.

Oracle recommends that you use Unified Auditing if your Oracle Database version is 12.2 and higher. Traditional auditing is deprecated from 21c.

In traditional audit, audit records can be stored in the database audit trail or in files on the operating system. Auditing includes operations on privileges, schemas, objects, and statements. To reduce the overhead on the source database system, write the audit trail to the operating system files.
