The following auditing modes are available for Oracle Database 12c, 18c, 19c:
Unified Auditing—Recommended. See the following Oracle technical article for detailed instructions on how to enable Unified Auditing: Enabling Unified Auditing.
Perform the following steps to configure Unified Auditing on your Oracle Database:
- Create and enable an audit policy to audit specific parameters across your Oracle Database.
NOTE: After an audit policy has been enabled or disabled, Netwrix Auditor starts collecting data after a successful logon session.
- If needed, create and enable specific audit policies to audit successful data access and changes, user actions, component actions, etc.
Mixed Mode—Default auditing in a newly installed database. It enables both traditional and the new Unified Auditing facilities. Netwrix recommends using Unified Auditing mode if you do not have any trail audit facilities in your infrastructure.
NOTE: The product does not log any errors on these events to the Netwrix Auditor System Health log.
To configure Oracle Database 12c, 18c, 19c Unified Auditing
- On the computer where your database is deployed, run the sqlplus tool.
- Connect to your Oracle Database using an Oracle account with the SYSDBA privilege. For example:
OracleUser as sysdba
Enter your password.
- Create and enable audit policies. You can set them to audit the following:
  - Configuration changes
  - Successful and failed data access and changes
  - Oracle Data Pump, Oracle Recovery Manager (RMAN) and Oracle SQL*Loader Direct Path Load components
To monitor each of the following, execute the corresponding commands.

Configuration changes
Create an audit policy (e.g., nwx_actions_pol) for any user:
CREATE AUDIT POLICY nwx_actions_pol ACTIONS
CREATE TABLE,DROP TABLE,ALTER TABLE,GRANT,REVOKE,
CREATE VIEW,DROP VIEW,CREATE PROCEDURE,
ALTER DATABASE,ALTER USER,ALTER SYSTEM,
CREATE USER,CREATE ROLE,SET ROLE,DROP USER,
DROP ROLE,CREATE TRIGGER,ALTER TRIGGER,
DROP TRIGGER,CREATE PROFILE,DROP PROFILE,
ALTER PROFILE,DROP PROCEDURE,
CREATE MATERIALIZED VIEW,DROP MATERIALIZED VIEW,
ALTER ROLE,TRUNCATE TABLE,CREATE FUNCTION,
ALTER FUNCTION,DROP FUNCTION,CREATE PACKAGE,
ALTER PACKAGE,DROP PACKAGE,CREATE PACKAGE BODY,
ALTER PACKAGE BODY,DROP PACKAGE BODY,LOGON,LOGOFF,
CREATE DIRECTORY,DROP DIRECTORY,CREATE JAVA,
ALTER JAVA,DROP JAVA,PURGE TABLE,
CREATE PLUGGABLE DATABASE,ALTER PLUGGABLE DATABASE,
DROP PLUGGABLE DATABASE,CREATE AUDIT POLICY,
ALTER AUDIT POLICY,DROP AUDIT POLICY,
CREATE FLASHBACK ARCHIVE,ALTER FLASHBACK ARCHIVE,
DROP FLASHBACK ARCHIVE;
Enable the audit policy:
AUDIT POLICY nwx_actions_pol;
NOTE: To disable the audit policy, use the following command:
NOAUDIT POLICY nwx_actions_pol;
Data access and changes (successful and failed)
Create the audit policy (e.g., nwx_actions_obj_pol):
CREATE AUDIT POLICY nwx_actions_obj_pol ACTIONS
DELETE on hr.employees, INSERT on hr.employees,
UPDATE on hr.employees, SELECT on hr.employees, FLASHBACK on hr.employees CONTAINER = CURRENT;
Enable the audit policy (e.g., nwx_actions_obj_pol):
AUDIT POLICY nwx_actions_obj_pol;
Oracle Data Pump, Oracle Recovery Manager, and Oracle SQL*Loader Direct Path Load
NOTE: No special configuration is required to audit RMAN events.
Create the audit policies (e.g., nwx_datapump_exp_pol, nwx_datapump_imp_pol, nwx_sqlloader_dp_pol):
CREATE AUDIT POLICY nwx_datapump_exp_pol ACTIONS COMPONENT=DATAPUMP EXPORT;
CREATE AUDIT POLICY nwx_datapump_imp_pol ACTIONS COMPONENT=DATAPUMP IMPORT;
CREATE AUDIT POLICY nwx_sqlloader_dp_pol ACTIONS COMPONENT=DIRECT_LOAD LOAD;
Enable these policies:
AUDIT POLICY nwx_datapump_exp_pol;
AUDIT POLICY nwx_datapump_imp_pol;
AUDIT POLICY nwx_sqlloader_dp_pol;
- If necessary, enable more granular audit policies. To do each of the following, execute the corresponding command.

Apply audit policy to selected users:
AUDIT POLICY nwx_actions_pol BY SYS, SYSTEM, <user_name>;
Exclude user actions from being audited (e.g., exclude failed Operator actions):
AUDIT POLICY nwx_actions_pol EXCEPT Operator WHENEVER NOT SUCCESSFUL;
Audit successful actions of selected user (e.g., Operator):
AUDIT POLICY nwx_actions_pol BY Operator WHENEVER SUCCESSFUL;
For additional information on CREATE AUDIT POLICY and AUDIT POLICY parameters, see the following Oracle Database administration documents:
Currently, Netwrix Auditor checks audit settings for Unified Auditing when accountability is enabled for ACTIONS. If any of your current settings conflict with the audit configuration required for Netwrix Auditor, these conflicts will be listed in the Netwrix Auditor System Health event log.
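To check the result of the steps above yourself, the following queries report the auditing mode, flag any policy from this page that is missing or not enabled, and list recent events those policies recorded. This is an added example, not part of the Netwrix or Oracle documentation; it assumes the policy names used on this page and the same SYSDBA sqlplus session as the procedure.

```sql
-- 1. Auditing mode: VALUE is TRUE for pure Unified Auditing,
--    FALSE when the database is still in Mixed Mode.
SELECT parameter, value
  FROM v$option
 WHERE parameter = 'Unified Auditing';

-- 2. For each policy named on this page: does it exist, and is it enabled?
--    Unquoted policy names are stored in upper case in the dictionary.
--    SUCCESS / FAILURE show whether successful / failed actions are audited;
--    a policy enabled for several users returns one row per user.
WITH expected (policy_name) AS (
  SELECT 'NWX_ACTIONS_POL'      FROM dual UNION ALL
  SELECT 'NWX_ACTIONS_OBJ_POL'  FROM dual UNION ALL
  SELECT 'NWX_DATAPUMP_EXP_POL' FROM dual UNION ALL
  SELECT 'NWX_DATAPUMP_IMP_POL' FROM dual UNION ALL
  SELECT 'NWX_SQLLOADER_DP_POL' FROM dual
)
SELECT e.policy_name,
       CASE
         WHEN d.policy_name  IS NULL THEN 'NOT CREATED'
         WHEN en.policy_name IS NULL THEN 'CREATED, NOT ENABLED'
         ELSE 'ENABLED'
       END AS status,
       en.success,
       en.failure
  FROM expected e
  LEFT JOIN (SELECT DISTINCT policy_name FROM audit_unified_policies) d
         ON d.policy_name = e.policy_name
  LEFT JOIN audit_unified_enabled_policies en
         ON en.policy_name = e.policy_name
 ORDER BY e.policy_name;

-- 3. Events from the last hour that were captured by one of these policies.
--    RETURN_CODE 0 means the action succeeded; any other value is the
--    ORA- error number of the failed action.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, return_code
  FROM unified_audit_trail
 WHERE INSTR(unified_audit_policies, 'NWX_') > 0
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' HOUR
 ORDER BY event_timestamp DESC;
```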
Also, remember to do the following:
- Configure Data Collecting Account as described in the For Oracle Database Auditing section.
- Configure ports as described in Protocols and Ports Required for Monitoring Oracle Database.