Friday, June 28, 2013

12c Auditing Tutorial

SQL*Plus: Release 12.1.0.1.0 Production on Fri Jun 28 17:07:52 2013
Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing
and Unified Auditing options


New Auditing came with oracle 12c called Unified Auditing which is " enables selective and effective auditing inside the Oracle database using policies and conditions. The new policy based syntax simplifies management of auditing within the database and provides the ability to accelerate auditing based on conditions. For example, audit policies can be configured to audit based on specific IP addresses, programs, time periods, or connection types such as proxy authentication. In addition, specific schemas can be easily exempted from auditing when the audit policy is enabled."

You can check here.

regarding to oracle Documentation with this kind of new audit you can capture :

  • Audit records (including SYS audit records) from unified audit policies and AUDIT settings

  • Fine-grained audit records from the DBMS_FGA PL/SQL package
  • Oracle Database Real Application Security audit records
  • Oracle Recovery Manager audit records
  • Oracle Database Vault audit records
  • Oracle Label Security audit records
  • Oracle Data Mining records
  • Oracle Data Pump
  • Oracle SQL*Loader Direct Load

For More Information Read Oracle Documentation Here

With Show parameter auditing you will not see value for unified auditing

SQL> show parameter audit ;
NAME     TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest              string          /u01/app/oracle/admin/db12c/adump
audit_sys_operations     boolean FALSE
audit_syslog_level     string
audit_trail               string          DB
unified_audit_sga_queue_siz    integer 1048576

To check Value you need to see v$option table 

select value from v$option where PARAMETER = 'Unified Auditing';
PARAMETER VALUE
----------------------------------------------------------------
Unified Auditing FALSE

if you set this parameter to OS level, check $ORACLE_BASE/audit which the new folder to save all the information , when you create database , oracle uses new feature for auditing called Mixed mode from the name you can see there's more than one auditing in this mode , One : old mode that we already know in oracle 10g,11g  and new mode that called unified auditing.

Auditing Traditional way can be control using AUDIT_TRAIL parameter , the new Way can be determine using Audit Policy called  ORA_SECURECONFIG ( Policy create already in database ) and to enable Unified audit you have to enable at least one policy. Only sysdba can do that or someone have two role AUDIT_ADMIN,AUDIT_VIEWER. i mention before on my blog for 12c new feature how to use audit policy and enable,disable and drop them.

This is only small section for what ORA_SECURECONFIG contain and what can audit :

select POLICY_NAME, AUDIT_OPTION from   AUDIT_UNIFIED_POLICIES where  policy_name =  'ORA_SECURECONFIG'  order by 2 ;

POLICY_NAME     AUDIT_OPTION
-------------------- ----------------------------------------
ORA_SECURECONFIG     ADMINISTER KEY MANAGEMENT
ORA_SECURECONFIG     ALTER ANY PROCEDURE
ORA_SECURECONFIG     ALTER ANY SQL TRANSLATION PROFILE
ORA_SECURECONFIG     ALTER ANY TABLE
ORA_SECURECONFIG     ALTER DATABASE
ORA_SECURECONFIG     ALTER DATABASE LINK
ORA_SECURECONFIG     ALTER PLUGGABLE DATABASE
ORA_SECURECONFIG     ALTER PROFILE
ORA_SECURECONFIG     ALTER ROLE
ORA_SECURECONFIG     ALTER SYSTEM
ORA_SECURECONFIG     ALTER USER
ORA_SECURECONFIG     AUDIT SYSTEM
ORA_SECURECONFIG     CREATE ANY JOB
ORA_SECURECONFIG     CREATE ANY LIBRARY
ORA_SECURECONFIG     CREATE ANY PROCEDURE
ORA_SECURECONFIG     CREATE ANY SQL TRANSLATION PROFILE
ORA_SECURECONFIG     CREATE ANY TABLE
ORA_SECURECONFIG     CREATE DATABASE LINK
ORA_SECURECONFIG     CREATE DIRECTORY
ORA_SECURECONFIG     CREATE EXTERNAL JOB
ORA_SECURECONFIG     CREATE PLUGGABLE DATABASE
ORA_SECURECONFIG     CREATE PROFILE
ORA_SECURECONFIG     CREATE PUBLIC SYNONYM
ORA_SECURECONFIG     CREATE ROLE
ORA_SECURECONFIG     CREATE SQL TRANSLATION PROFIL
Check if this Audit Policy set as default for Database :

SQL> select POLICY_NAME from   AUDIT_UNIFIED_ENABLED_POLICIES where  policy_name = 'ORA_SECURECONFIG';

POLICY_NAME
--------------------
ORA_SECURECONFIG

Check this to see by default oracle 12c enable audit which is very useful :

select action_name, dbusername from unified_audit_trail where dbusername='OSAMA'

ACTION_NAME     DBUSERNAME
-------------------- --------------------
SELECT     OSAMA
SELECT     OSAMA
SELECT     OSAMA
SELECT     OSAMA
SELECT     OSAMA
SELECT     OSAMA
SELECT     OSAMA
SELECT     OSAMA
UPDATE     OSAMA
LOGON     OSAMA
LOGON     OSAMA
LOGON     OSAMA
LOGON     OSAMA
LOGOFF     OSAMA
LOGOFF     OSAMA
LOGOFF     OSAMA
LOGOFF     OSAMA
LOGOFF     OSAMA
LOGOFF     OSAMA
Unified Contain new features to monitor RMAN command , Expdp,impdp and other new features but to enable it ( set value to true ) you have to relink oracle lib after shutdown all services using the below command , cd $ORACLE_HOME/rdbms/lib and fire :
make -f ins_rdbms.mk uniaud_on ioracle
SQL> select value from v$option where PARAMETER = 'Unified Auditing';

VALUE
----------
TRUE
Let's Test Some New Features and Audit RMAN :

SQL> create audit policy expdp_aduit actions component=datapump export;
Audit policy created.

SQL> audit policy expdp_aduit;
Audit succeeded.
Check if our audit policy is enabled :

select * from AUDIT_UNIFIED_ENABLED_POLICIES where POLICY_NAME like '%EXPDP%';
USER_NAME  POLICY_NAM ENABLED_ SUC FAI
---------- ---------- -------- --- ---
ALL USERS  EXPDP_AUDIT     BY       YES YES

 Make sure you create directory , Grant privileges on this directory and run expdp command ( system user )

[oracle@test12c dump]$ expdp directory=dump logfile=audit.log dumpfile=osama_schema schemas=osama

this transaction will exists on memory until background process flash it to disks , so before check the tables i will execute package that ensure to do this immediately ( no waiting )

SQL> EXEC SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
PL/SQL procedure successfully completed.

check the user who make expdp
SQL> select DBUSERNAME, DP_TEXT_PARAMETERS1, DP_BOOLEAN_PARAMETERS1
from   UNIFIED_AUDIT_TRAIL
where  DP_TEXT_PARAMETERS1 is not null;  


SYSTEM
MASTER TABLE:  "SYSTEM"."SYS_EXPORT_SCHEMA_01" , JOB_TYPE: EXPORT, METADATA_JOB_
MODE: SCHEMA_EXPORT, JOB VERSION: 12.1.0.0.0, ACCESS METHOD: AUTOMATIC, DATA OPT
IONS: 0, DUMPER DIRECTORY: NULL  REMOTE LINK: NULL, TABLE EXISTS: NULL, PARTITIO
N OPTIONS: NONE
MASTER_ONLY: FALSE, DATA_ONLY: FALSE, METADATA_ONLY: FALSE, DUMPFILE_PRESENT: TR
UE, JOB_RESTARTED: FALSE
For test case , i remove users tablespace from os after take backup using rman ( database should be in archive mode ) , by default Audit For RMAN is enable no need to do anything ,like the following :

RMAN > backup tablespace users ;

On OS Level :

rm /u01/app/oracle/oradata/db12c/users01.dbf
Back to RMAN :
RMAN> alter tablespace users offline immediate;
using target database control file instead of recovery catalog
Statement processed
RMAN> restore tablespace USERS;
RMAN> alter tablespace users online;
Now Check Audit : 
SQL> select  DBUSERNAME, RMAN_OPERATION from    UNIFIED_AUDIT_TRAIL where   RMAN_OPERATION is not null; 

DBUSERNAME       RMAN_OPERATION
------------------------------ --------------------
SYS       Recover
SYS       Restore
SYS       Backup
SYS       Backup
Note : if nothing appear at audit table level re run 
exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL
After finished test  :

SQL> noaudit POLICY EXPDP_AUDIT;
Noaudit succeeded.

SQL> select count(*) from unified_audit_trail;
  COUNT(*)
----------
      3334
You can clean your Audit Now Using Package Called : DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL


Thank you 
Osama mustafa

No comments:

Post a Comment