8i | 9i | 10g | 11g | 12c | 13c | 18c | 19c | Misc | PL/SQL | SQL | RAC | WebLogic | Linux

Auditing Enhancements (Audit Policies and Unified Audit Trail) in Oracle Database 12c Release 1 (12.1)

The introduction of audit policies and the unified audit trail simplifies the configuration of database auditing in Oracle 12c. Database auditing has always been extremely flexible, but that flexibility has also served to make it feel complicated. The new auditing functionality can also be used to create very complicated auditing policies, but I don't think is how most people will want to approach it, so instead this article will focus on simple examples. Once you've got to grips with the basics you can become a bit more adventurous.

Creating Audit Policies

Just like standard auditing that came before it, unified auditing can be used to create extremely complex auditing rules. The documentation for managing audit policies is very good, so rather than trying to duplicate that, I will just show some simple examples to give a flavour of the functionality.

It is better to create an audit policy that contains all necessary auditing for a session, rather using several small policies. Using multiple policies results in greater login overhead, greater UGA consumption and less efficient internal audit check functionality.

An audit policy is made up of several distinct clauses, some of which are optional.

CREATE AUDIT POLICY policy_name
    { {privilege_audit_clause [action_audit_clause ] [role_audit_clause ]}
        | { action_audit_clause  [role_audit_clause ] } 
        | { role_audit_clause }
     }        
    [WHEN audit_condition EVALUATE PER {STATEMENT|SESSION|INSTANCE}] 
    [CONTAINER = {CURRENT | ALL}];

Examples of the usages are given in the sections below, but here is a quick summary of them.

privilege_audit_clause : Used to specify a list of system privileges to be audited.
action_audit_clause : Defines the actions that need to be audited. These can be standard_actions, like DELETE, or object-specific, like DELETE ON schema.table. They can also be component_actions that target specific features like data pump or SQL*Loader.
role_audit_clause : Specifies a list of roles. All system privileges granted via those roles are audited.
WHEN ... EVALUATE PER : Allows you to define an audit_condition to determine when the auditing should take place. The condition can be evaluated for each STATEMENT, SESSION or INSTANCE, depending on the level of granularity the condition requires.
CONTAINER : Determines if an audit policy is specific to an individual PDB (CURRENT) or common to all PDBs (ALL).

This might sound a little confusing, but if you've ever used database auditing in previous releases, it will quickly look quite familiar. The main thing to remember is rather than issuing the AUDIT/NOAUDIT commands directly, you create an audit policy containing the relevant pieces, then enable and disable it using the AUDIT/NOAUDIT commands.

Some of the following examples require these three test users.

CONN sys@pdb1 AS SYSDBA

CREATE USER test IDENTIFIED BY test QUOTA UNLIMITED ON users;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE TO test;

CREATE USER test2 IDENTIFIED BY test2 QUOTA UNLIMITED ON users;
GRANT CREATE SESSION TO test2;

CREATE USER test3 IDENTIFIED BY test3 QUOTA UNLIMITED ON users;
GRANT CREATE SESSION TO test3;

In some cases the contents of the unified audit trail has been purged between tests to keep the output simple and specific to the functionality being tested.

Privilege Auditing

As the name suggests, privilege auditing allows you to audit the use of system privileges. The SYSTEM_PRIVILEGE_MAP view identifies the system privileges that can be audited.

SELECT name
FROM   system_privilege_map
ORDER BY name;

NAME
----------------------------------------
ADMINISTER ANY SQL TUNING SET
ADMINISTER DATABASE TRIGGER
.
.
.
UPDATE ANY TABLE
USE ANY SQL TRANSLATION PROFILE

237 rows selected.

SQL>

If we want to audit the creation of tables and sequences by the TEST user, we might do something like the following.

CONN sys@pdb1 AS SYSDBA

CREATE AUDIT POLICY test_audit_policy
  PRIVILEGES CREATE TABLE, CREATE SEQUENCE
  WHEN    'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TEST'''
  EVALUATE PER SESSION
  CONTAINER = CURRENT;

AUDIT POLICY test_audit_policy;

Display the configuration of the policy.

SET LINESIZE 200
COLUMN audit_option FORMAT A15
COLUMN condition_eval_opt FORMAT A10
COLUMN audit_condition FORMAT A50

SELECT audit_option,
       condition_eval_opt,
       audit_condition
FROM   audit_unified_policies
WHERE  policy_name = 'TEST_AUDIT_POLICY';

AUDIT_OPTION    CONDITION_ AUDIT_CONDITION
--------------- ---------- --------------------------------------------------
CREATE SEQUENCE SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST'
CREATE TABLE    SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST'

SQL>

Connect to the TEST user and create some objects.

CONN test/test@pdb1

CREATE TABLE tab1 (id NUMBER);
CREATE SEQUENCE tab1_seq;

Check the audit trail. If you are in delayed-write mode, you may need to flush the audit trail before you can see the audit records.

CONN sys@pdb1 AS SYSDBA

-- You might need to flush the audit information before it is visible.
-- EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail;

COLUMN event_timestamp FORMAT A30
COLUMN dbusername FORMAT A10
COLUMN action_name FORMAT A20
COLUMN object_schema FORMAT A10
COLUMN object_name FORMAT A20

SELECT event_timestamp,
       dbusername,
       action_name,
       object_schema,
       object_name
FROM   unified_audit_trail
WHERE  dbusername = 'TEST'
ORDER BY event_timestamp;

EVENT_TIMESTAMP                DBUSERNAME ACTION_NAME          OBJECT_SCH OBJECT_NAME
------------------------------ ---------- -------------------- ---------- --------------------
27-JUN-2015 10:25:37.359596    TEST       CREATE TABLE         TEST       TAB1
27-JUN-2015 10:25:37.363989    TEST       CREATE SEQUENCE      TEST       TAB1_SEQ

SQL>

Disable the policy and drop it.

NOAUDIT POLICY test_audit_policy;

DROP AUDIT POLICY test_audit_policy;

Action Auditing

Actions against all objects, specific objects or even those actions performed by specific utilities can be audited quite easily in Oracle 12c.

Create some schema objects to audit and grant access to them to the second user.

CONN test/test@pdb1

DROP TABLE tab1 PURGE;
DROP SEQUENCE tab1_seq;
DROP TABLE tab2 PURGE;
DROP SEQUENCE tab2_seq;

CREATE TABLE tab1 (
  id NUMBER,
  CONSTRAINT tab1_pk PRIMARY KEY (id)
);

CREATE SEQUENCE tab1_seq;

CREATE TABLE tab2 (
  id NUMBER,
  CONSTRAINT tab2_pk PRIMARY KEY (id)
);

CREATE SEQUENCE tab2_seq;

GRANT SELECT, INSERT, UPDATE, DELETE ON tab1 TO test2;
GRANT SELECT ON tab1_seq TO test2;
GRANT SELECT, INSERT, UPDATE, DELETE ON tab2 TO test2;
GRANT SELECT ON tab2_seq TO test2;

Create and enable an audit policy that audits some actions against those objects, when performed by the TEST2 user.

CONN sys@pdb1 AS SYSDBA

CREATE AUDIT POLICY test_audit_policy
  ACTIONS DELETE ON test.tab1,
          INSERT ON test.tab1,
          UPDATE ON test.tab1,
          SELECT ON test.tab1_seq,
          ALL ON test.tab2,
          SELECT ON test.tab2_seq
  WHEN    'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TEST2'''
  EVALUATE PER SESSION
  CONTAINER = CURRENT;

AUDIT POLICY test_audit_policy;

Display the configuration of the policy.

SET LINESIZE 200
COLUMN object_schema FORMAT A15
COLUMN object_name FORMAT A15
COLUMN object_type FORMAT A12
COLUMN audit_option FORMAT A15
COLUMN condition_eval_opt FORMAT A10
COLUMN audit_condition FORMAT A50

SELECT object_schema,
       object_name,
       object_type,
       audit_option,
       condition_eval_opt,
       audit_condition
FROM   audit_unified_policies
WHERE  policy_name = 'TEST_AUDIT_POLICY';


OBJECT_SCHEMA   OBJECT_NAME     OBJECT_TYPE  AUDIT_OPTION    CONDITION_ AUDIT_CONDITION
--------------- --------------- ------------ --------------- ---------- --------------------------------------------------
TEST            TAB1            TABLE        DELETE          SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST            TAB1            TABLE        INSERT          SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST            TAB1            TABLE        UPDATE          SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST            TAB1_SEQ        SEQUENCE     SELECT          SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST            TAB2            TABLE        ALL             SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST            TAB2_SEQ        SEQUENCE     SELECT          SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST2'

SQL>

Perform some actions that won't match the policy condition.

CONN test/test@pdb1

INSERT INTO tab1 (id) VALUES (tab1_seq.NEXTVAL);
INSERT INTO tab2 (id) VALUES (tab2_seq.NEXTVAL);
COMMIT;

Perform some actions that will match the policy condition.

CONN test2/test2@pdb1

UPDATE test.tab1 SET id = test.tab1_seq.NEXTVAL;
UPDATE test.tab2 SET id = test.tab2_seq.NEXTVAL;
DELETE FROM test.tab1;
DELETE FROM test.tab2;
COMMIT;

Check the audit trail. If you are in delayed-write mode, you may need to flush the audit trail before you can see the audit records.

CONN sys@pdb1 AS SYSDBA

-- You might need to flush the audit information before it is visible.
-- EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail;

COLUMN event_timestamp FORMAT A30
COLUMN dbusername FORMAT A10
COLUMN action_name FORMAT A20
COLUMN object_schema FORMAT A10
COLUMN object_name FORMAT A20

SELECT event_timestamp,
       dbusername,
       action_name,
       object_schema,
       object_name
FROM   unified_audit_trail
WHERE  dbusername LIKE 'TEST%'
ORDER BY event_timestamp;

EVENT_TIMESTAMP                DBUSERNAME ACTION_NAME          OBJECT_SCH OBJECT_NAME
------------------------------ ---------- -------------------- ---------- --------------------
27-JUN-2015 10:41:40.070965    TEST2      SELECT               TEST       TAB1_SEQ
27-JUN-2015 10:41:40.071033    TEST2      UPDATE               TEST       TAB1
27-JUN-2015 10:41:40.073326    TEST2      SELECT               TEST       TAB2_SEQ
27-JUN-2015 10:41:40.073347    TEST2      UPDATE               TEST       TAB2
27-JUN-2015 10:41:40.074657    TEST2      DELETE               TEST       TAB1
27-JUN-2015 10:41:40.076132    TEST2      DELETE               TEST       TAB2

SQL>

Amend the audit policy and check the changes have been reflected in the configuration.

ALTER AUDIT POLICY test_audit_policy
  DROP ACTIONS ALL ON test.tab2,
               SELECT ON test.tab2_seq;

SET LINESIZE 200
COLUMN object_schema FORMAT A15
COLUMN object_name FORMAT A15
COLUMN object_type FORMAT A12
COLUMN audit_option FORMAT A15
COLUMN condition_eval_opt FORMAT A10
COLUMN audit_condition FORMAT A50

SELECT object_schema,
       object_name,
       object_type,
       audit_option,
       condition_eval_opt,
       audit_condition
FROM   audit_unified_policies
WHERE  policy_name = 'TEST_AUDIT_POLICY';

OBJECT_SCHEMA   OBJECT_NAME     OBJECT_TYPE  AUDIT_OPTION    CONDITION_ AUDIT_CONDITION
--------------- --------------- ------------ --------------- ---------- --------------------------------------------------
TEST            TAB1            TABLE        DELETE          SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST            TAB1            TABLE        INSERT          SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST            TAB1            TABLE        UPDATE          SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST            TAB1_SEQ        SEQUENCE     SELECT          SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST2'

SQL>

Disable and drop the audit policy, then check the changes have been reflected in the configuration.

NOAUDIT POLICY test_audit_policy;

DROP AUDIT POLICY test_audit_policy;

SET LINESIZE 200
COLUMN object_schema FORMAT A15
COLUMN object_name FORMAT A15
COLUMN object_type FORMAT A12
COLUMN audit_option FORMAT A15
COLUMN condition_eval_opt FORMAT A10
COLUMN audit_condition FORMAT A50

SELECT object_schema,
       object_name,
       object_type,
       audit_option,
       condition_eval_opt,
       audit_condition
FROM   audit_unified_policies
WHERE  policy_name = 'TEST_AUDIT_POLICY';

no rows selected

SQL>

In the above examples the audit policies were object specific. We could have omitted the ON object-name part of the action to make it apply to all objects. If we wanted to audit all DML and queries issued by the TEST2 user, we might create a policy like the following.

CREATE AUDIT POLICY test_audit_policy
  ACTIONS DELETE, INSERT, UPDATE, SELECT
  WHEN    'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TEST2'''
  EVALUATE PER SESSION
  CONTAINER = CURRENT;

--DROP AUDIT POLICY test_audit_policy;

Component Action Auditing

Rather than auditing actions on specific objects, you can instead audit actions relevant to specific functionality or utilities, such as Oracle Label Security (OLS), Real Application Security, Database Vault, Data Pump or SQL*Loader. There are two examples of component_action auditing linked below.

Role Auditing

It is possible to audit all system privileges granted via a built-in or custom role using an audit policy.

Create a new role, then grant privileges on the TEST objects via the new role.

CONN sys@pdb1 AS SYSDBA

CREATE ROLE create_table_role;
GRANT CREATE TABLE TO create_table_role;

GRANT create_table_role TO test3;

Create an audit policy based on all the system privileges associated with the role. Enable the auditing policy and check the configuration.

CREATE AUDIT POLICY create_table_role_policy
  ROLES create_table_role
  WHEN    'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TEST3'''
  EVALUATE PER SESSION
  CONTAINER = CURRENT;

AUDIT POLICY create_table_role_policy;

SET LINESIZE 200
COLUMN audit_option FORMAT A20
COLUMN condition_eval_opt FORMAT A10
COLUMN audit_condition FORMAT A50

SELECT audit_option,
       audit_option_type,
       condition_eval_opt,
       audit_condition
FROM   audit_unified_policies
WHERE  policy_name = 'CREATE_TABLE_ROLE_POLICY';

AUDIT_OPTION         AUDIT_OPTION_TYPE  CONDITION_ AUDIT_CONDITION
-------------------- ------------------ ---------- --------------------------------------------------
CREATE_TABLE_ROLE    ROLE PRIVILEGE     SESSION    SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST3'

SQL>

Perform some actions that will match the policy condition.

CONN test3/test3@pdb1

CREATE TABLE tab1 (id NUMBER);

Check the audit trail. If you are in delayed-write mode, you may need to flush the audit trail before you can see the audit records.

CONN sys@pdb1 AS SYSDBA

-- You might need to flush the audit information before it is visible.
-- EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail;

COLUMN event_timestamp FORMAT A30
COLUMN dbusername FORMAT A10
COLUMN action_name FORMAT A20
COLUMN object_schema FORMAT A10
COLUMN object_name FORMAT A20

SELECT event_timestamp,
       dbusername,
       action_name,
       object_schema,
       object_name
FROM   unified_audit_trail
WHERE  dbusername = 'TEST3'
ORDER BY event_timestamp;

EVENT_TIMESTAMP                DBUSERNAME ACTION_NAME          OBJECT_SCH OBJECT_NAME
------------------------------ ---------- -------------------- ---------- --------------------
27-JUN-2015 10:48:40.744492    TEST3      CREATE TABLE         TEST3      TAB1

SQL>

Disable and drop the policy.

NOAUDIT POLICY create_table_role_policy;

DROP AUDIT POLICY create_table_role_policy;

Unified Audit Trail Administration

Administration of the unified audit trail can seem a little complicated at first, but there are a few things to keep in mind.

Unified auditing works by default, so you don't need to do anything to get started.
The default settings are OK. You will probably only have to focus on your specific audit policies.
Setting up an archival and purging process will need some thought, but you will probably only do this once in the lifetime of your database, so don't get scared off by this aspect of auditing.

With that said, the remaining parts of this article will explain how to perform some of the basic administration tasks.

For brevity, I will avoid repetition of functionality explained in previous articles, but links will be provided.

Available By Default

The unified audit trail and audit policy functionality is available by default in all editions, but it can run in two modes. By default it runs in mixed mode, which means you can combine traditional auditing with unified auditing. The following query shows that "pure" unified auditing is not enabled, which means we are running in mixed mode.

SELECT value FROM v$option WHERE parameter = 'Unified Auditing';

VALUE
----------------------------------------------------------------
FALSE

SQL>

All the functionality of unified auditing is still available, but you may still need to consider the AUDIT_TRAIL parameter, as it still controls how the traditional auditing is performed.

Enable/Disable Pure Unified Auditing

Running in mixed mode is perfectly acceptable, but you can choose to switch to pure unified auditing, so the traditional auditing functionality is no longer available. This is done by relinking the Oracle binaries as follows.

sqlplus / as sysdba <<EOF
SHUTDOWN IMMEDIATE;
EXIT
EOF

cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_on ioracle

sqlplus / as sysdba <<EOF
STARTUP;
EXIT
EOF

After restarting, the banner will include the "Unified Auditing" option and we can see the unified auditing option is enabled.

$ sqlplus / as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Mon Jun 1 11:35:52 2015

Copyright (c) 1982, 2014, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing
and Unified Auditing options

SQL> SELECT value FROM v$option WHERE parameter = 'Unified Auditing';

VALUE
----------------------------------------------------------------
TRUE

SQL>

Switching back to mixed mode involves a relink again.

sqlplus / as sysdba <<EOF
SHUTDOWN IMMEDIATE;
EXIT
EOF

cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_off ioracle

sqlplus / as sysdba <<EOF
STARTUP;
EXIT
EOF

After restarting, the banner no longer includes the "Unified Auditing" option and we can see the unified auditing option is disabled.

$ sqlplus / as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Mon Jun 1 11:35:52 2015

Copyright (c) 1982, 2014, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> SELECT value FROM v$option WHERE parameter = 'Unified Auditing';

VALUE
----------------------------------------------------------------
FALSE

SQL>

For Windows, the documentation suggests it is just a case of turning the services off and moving the relevant DLL. I've not tried this, so I can't guarantee it works.

Rem Enable
%ORACLE_HOME%/bin/orauniaud12.dll.dbl file to %ORACLE_HOME%/bin/orauniaud12.dll

Rem Disable
%ORACLE_HOME%/bin/orauniaud12.dll file to %ORACLE_HOME%/bin/orauniaud12.dll.dbl

Audit Trail Security

Maintenance of the audit trail and audit policies is limited to those users granted the AUDIT_ADMIN role.

The AUDIT_VIEWER role can be granted to users who need to view the audit information, but not manage the audit trail or audit policies.

Under unified auditing, users are no longer able to create auditing policies against their own objects. For backwards compatibility, this is still possible for traditional auditing. This is possibly a reason to move away from mixed-mode auditing.

Write Mode

For performance reasons unified auditing uses a queued-write mechanism, so audited actions are written to the SGA and periodically pushed out to disk. This can result in loss of audit records during an instance crash, since the records may not be pushed out to disk before the instance fails. If this represents a problem, the write mode can be altered to immediate-write, so the audit actions are pushed directly to disk, but this will result in auditing having a greater overhead. The following code shows how to switch between these two modes. In a multitenant environment, these setting are container-specific.

-- Switch to immediate-write.
BEGIN
  DBMS_AUDIT_MGMT.set_audit_trail_property(
    audit_trail_type           => DBMS_AUDIT_MGMT.audit_trail_unified,
    audit_trail_property       => DBMS_AUDIT_MGMT.audit_trail_write_mode, 
    audit_trail_property_value => DBMS_AUDIT_MGMT.audit_trail_immediate_write
  );
END;
/

-- Switched to queued-write.
BEGIN
  DBMS_AUDIT_MGMT.set_audit_trail_property(
    audit_trail_type           => DBMS_AUDIT_MGMT.audit_trail_unified,
    audit_trail_property       => DBMS_AUDIT_MGMT.audit_trail_write_mode, 
    audit_trail_property_value => DBMS_AUDIT_MGMT.audit_trail_queued_write
  );
END;
/

The size of the queue in the SGA is controlled by the UNIFIED_AUDIT_SGA_QUEUE_SIZE initialization parameter, which can be set to values between 1-30MB, with the default being 1MB. Each RAC instance can have a different value.

As a consequence of running in queued-write mode, in some cases, especially while testing or before maintenance, it may be necessary to flush audit records to the audit trail. This can be done using the FLUSH_UNIFIED_AUDIT_TRAIL procedure. It accepts the FLUSH_TYPE and CONTAINER parameters, which allow the following variations.

-- Flush records to audit trail for the current container in the current instance.
EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail;

EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail(flush_type => DBMS_AUDIT_MGMT.flush_current_instance);

EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail(container => DBMS_AUDIT_MGMT.container_current);

BEGIN
  DBMS_AUDIT_MGMT.flush_unified_audit_trail(
    flush_type => DBMS_AUDIT_MGMT.flush_current_instance,
    container  => DBMS_AUDIT_MGMT.container_current);
END;
/

-- Flush records to audit trail for all containers in the current instance.
-- Must be run from root container.
EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail(container => DBMS_AUDIT_MGMT.container_all);

BEGIN
  DBMS_AUDIT_MGMT.flush_unified_audit_trail(
    flush_type => DBMS_AUDIT_MGMT.flush_current_instance,
    container  => DBMS_AUDIT_MGMT.container_all);
END;
/

-- Flush records to audit trail for the all RAC instances. Current Container.
EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail(flush_type => DBMS_AUDIT_MGMT.flush_all_instances);

BEGIN
  DBMS_AUDIT_MGMT.flush_unified_audit_trail(
    flush_type => DBMS_AUDIT_MGMT.flush_all_instances,
    container  => DBMS_AUDIT_MGMT.container_current);
END;
/

-- Flush records to audit trail for the all RAC instances. All Containers.
-- Must be run from root container.
BEGIN
  DBMS_AUDIT_MGMT.flush_unified_audit_trail(
    flush_type => DBMS_AUDIT_MGMT.flush_all_instances,
    container  => DBMS_AUDIT_MGMT.container_all);
END;
/

Purging the Unified Audit Trail

Oracle 11g Release 2 introduced the DBMS_AUDIT_MGMT package to manage the audit trail. Oracle 12c uses the same functionality to archive and purge the unified audit trail, described here, with the addition of constants to identify the unified audit trail. For mixed mode auditing environments, remember to manage both the conventional audit trails as well as the unified audit trail.

The following example shows how to set the last archived time for the unified audit trail and manually purge audit records older than that time. Remember to archive records before purging them if you need to store them long term.

-- Set the last archive timestamp.
BEGIN
  DBMS_AUDIT_MGMT.set_last_archive_timestamp(
    audit_trail_type     => DBMS_AUDIT_MGMT.audit_trail_unified,
    last_archive_time    => SYSTIMESTAMP-5,
    --rac_instance_number  =>  1,
    container            => DBMS_AUDIT_MGMT.container_current
  );
END;
/

-- Check the new setting.
COLUMN audit_trail FORMAT A20
COLUMN last_archive_ts FORMAT A40

SELECT audit_trail,
       last_archive_ts
FROM   dba_audit_mgmt_last_arch_ts;

AUDIT_TRAIL          LAST_ARCHIVE_TS
-------------------- ----------------------------------------
UNIFIED AUDIT TRAIL  10-JUN-15 13.48.14.000000 +00:00

SQL>

-- Manually purge the audit trail to the last archive timestamp.
SELECT COUNT(*) FROM unified_audit_trail;

  COUNT(*)
----------
        49

SQL>

BEGIN
  DBMS_AUDIT_MGMT.clean_audit_trail(
   audit_trail_type        => DBMS_AUDIT_MGMT.audit_trail_unified,
   use_last_arch_timestamp => TRUE);
END;
/

SELECT COUNT(*) FROM unified_audit_trail;

  COUNT(*)
----------
         4

SQL>

You can automate purging by creating a purge job, as described here.

Updates in 12.2

One of the main criticisms of the unified audit trail in 12.1 was the performance. In 12.2 the unified audit trail now resides in a conventional table called AUDSYS.AUD$UNIFIED. When you upgrade a database you can choose to migrate the existing audit information to this table using the TRANSFER_UNIFIED_AUDIT_RECORDS in the DBMS_AUDIT_MGMT, which should give better performance.

For more information see: