On my journey through the area of database security, Oracle Unified Audit has been a constant companion. I not only created audit concepts, but also often had the opportunity to implement them. Besides the configuration, the administration and evaluation of the audit data was always part of it. Occasionally I used scripts for this. However, I often evaluated the audit data ad hoc. There are only a handful of data dictionary views that have to be taken into account. So that was usually enough. Nevertheless, creating a collection of scripts for Unified Audit has been on my bucket list for a long time. At least until today. I finally found the time to put together a small toolbox of scripts, which I would like to show you in this blog post.
The scripts for the database audit are among others part of my GitHub repository oehrlis/oradba and are available to everyone. You are welcome to share them, use them, improve them or just like them.
What is currently covered by my scripts for Oracle Unified Audit?
- Configuration of the audit infrastructure, i.e. tablespace, housekeeping jobs, etc.
- Information on audit trails and storage usage
- Administration of audit policies. This includes the creation, deletion, activation and display of policies.
- Assessment of the unified audit trail showing various top events, e.g. policy, user, objects, etc.
- Overview of the audit session and analysis of the statements per session
Current list of scripts
The following SQL scripts are currently available for the assessment of Oracle Unified Audit data. Further information on the scripts can be found in the comments of the file headers.
| script | Purpose |
|---|---|
| saua_info.sql | Show information about the audit trails |
| daua_pol.sql | Disable all audit policies and drop all non-Oracle maintained policies |
| cdua_init.sql | Initialize Audit environment (create tablespace, reorganize tables, create jobs) |
| caua_pol.sql | Create custom local audit policies policies |
| iaua_pol.sql | Initialize / Enable custom local audit policies policies |
| saua_pol.sql | Show local audit policies policies. A join of the views AUDIT_UNIFIED_POLICIES and AUDIT_UNIFIED_ENABLED_POLICIES |
| saua_teact.sql | Show top unified audit events by action for current DBID |
| saua_tecli.sql | Show top unified audit events by client_program_name for current DBID |
| saua_tedbid.sql | Show top unified audit events by DBID |
| saua_teusr.sql | Show top unified audit events by dbusername for current DBID |
| saua_teobj.sql | Show top unified audit events by object_name for current DBID |
| saua_teobjusr.sql | Show top unified audit events by Object Name without Oracle maintained schemas for current DBID |
| saua_teown.sql | Show top unified audit events by object_schema for current DBID |
| saua_teosusr.sql | Show top unified audit events by os_username for current DBID |
| saua_tepol.sql | Show top unified audit events by unified_audit_policies for current DBID |
| saua_tepoldet.sql | Show top unified audit events by unified_audit_policies, dbusername, action for current DBID |
| saua_tehost.sql | Show top unified audit events by userhost for current DBID |
| saua_asdbv.sql | Show audit sessions for audit type Database Vault |
| saua_asdp.sql | Show audit sessions for audit type Datapump |
| saua_asfga.sql | Show audit sessions for audit type Fine Grained Audit |
| saua_asbck.sql | Show audit sessions for audit type RMAN |
| saua_asstd.sql | Show audit sessions for audit type Standard |
| saua_as.sql | Show audit sessions for audit any type |
| saua_asdet.sql | Show entries of a particular audit session with unified_audit_policies |
| saua_asdetsql.sql | Show entries of a particular audit session with SQL_TEXT |
| sdua_usage.sql | Show Unified Audit trail storage usage |
| saua_tabsize.sql | Show Unified Audit trail table and partition size |
| sdua_enpolstm.sql | Generate statements to enable all audit policies as currently set in AUDIT_UNIFIED_ENABLED_POLICIES |
| sdua_crpolstm.sql | Generate statements to create all audit policies as currently set in AUDIT_UNIFIED_ENABLED_POLICIES |
| sdua_drpolstm.sql | Generate statements to drop all audit policies as currently set in AUDIT_UNIFIED_ENABLED_POLICIES |
| sdua_dipolstm.sql | Generate statements to disable all audit policies as currently set in AUDIT_UNIFIED_ENABLED_POLICIES |
| sdua_prgstm.sql | Generate Unified Audit trail storage purge statements |
| sdua_stostm.sql | Generate Unified Audit trail storage usage modification statements |
A few Examples and Use Cases
Overview of Audit Trails saua_info.sql
Some information on the different audit trails and there size. Some data depend on up to date statistics.
Overview of Unified Audit Trail Storage Usage sdua_usage.sql
Summary of various information about the unified audit trail, e.g. number of records, oldest records, size etc. The output is always for the current DBID. If audit records are also available for other DBIDs, they are displayed as foreign DBIDs. These audit data can potentially be deleted. There is also the script saug_tabsize.sql, which displays information about the partitions.
Generate Unified Audit Trail purge statements sdua_prgstm.sql
Generate dbms_audit_mgmt statements based on the current setting / configuration. These statements can be used as a copy template directly or adapted to maintain the audit trail. There is also the script sdua_stostm.sql to create modification statements.
Show local audit policies policies saua_pol.sql
Show current audit policy settings. This script does join the views AUDIT_UNIFIED_POLICIES and AUDIT_UNIFIED_ENABLED_POLICIES. There are also corresponding script to create (caua_pol.sql), drop (daua_pol.sql) and enable/initialize (iaua_pol.sql) the audit policies.
Show Top Audit Events
There are several scripts to show top audit events e.g. by user (saua_teusr.sql), action (saua_teact.sql), policy (saua_tepol.sql), object name (saua_teobj.sql) and more. These script can be used to find the root cause of hig amout of audit data.
Below you see an example for top audit actions.
Audit Session Overview saua_as.sql
Show an overview of audit sessions in the audit trail, where the information is grouped by the session ID. This script also accepts parameters to limit the information based on days or fractions thereof. The following query limits the output to the last 2h. In addition, there are variants of this script that limit the information to the individual audit types, e.g. Datapump (saua_asdp.sql), RMAN (saua_asbck.sql) or Fine Grained Audit (saua_asfga.sql).
Audit Session Details saua_asdet.sql
This script does show all audit records for a specific audit session id. You can see what somebody did during its session. There is also a version of the script (saua_asdetsql.sql) which does show the sql_text. Below we see an example what session ID (scott) has done during its session. This script does also perfectly work for proxy sessions.
Naming Concept
A little confused by the script names? I have tried to somehow bring a bit of order to my scripts in the GitHub repository oehrli/oradba. That is an attempt. But I’m not sure I’ve been successful. Enclosed the information about the different abbreviations and prefixes.
The script names follow the format:
<script_qualifier><privileges_qualifier><topic_qualifier>_<use_case>.sqlScript Qualifier
The script qualifier is used to determine whether a script is used to read information or to configure, e.g. create, modify, activate, etc.
| Qualifier | Stands For | Comment |
|---|---|---|
| s | Show | Output only on screen |
| d | Delete | Delete any objects, configuration etc |
| i | Initialize | Initializes or enable a configuration |
| c | Create | Create any objects, configuration etc. |
| u | Update | Update any object |
| g | Grant | Grants some objects or system privileges |
Privileges Qualifier
The privilege qualifier is used to determine what privileges are required by a script.
| Qualifier | Stands For | Comment |
|---|---|---|
| s | SYS | SYS, SYSDBA or Internal |
| d | DBA | SYSTEM or any other user with DBA role |
| o | Owner | Object owner |
| p | Create | Needs some special privileges according to the scripts inline comments |
| a | Audit | Audit roles like AUDIT_ADMIN or AUDIT_VIEWER |
Topic Qualifier
Topic Qualifier is used to assign the different scripts to a certain topic and thus to be able to sort them better.
| Qualifier | Stands For | Comment |
|---|---|---|
| ua | Unified Audit | Everything related to Oracle Unified Audit |
| ta | Traditional Audit | Everything related to Oracle traditional Audit |
| sec | Security | Oracle security related stuff |
| enc | Encryption | Oracle Transparent DataEncryption |
| a | Admin | Database Administration |
Conclusion
This collection of SQL scripts around Oracle Unified Audit is certainly not perfect or conclusive. Nevertheless, it is helpful for the configuration and a first analysis of the audit data in the Unified Audit Trail. As already mentioned, you can find the scripts on GitHub under oehrlis/oradba. I would be happy if you share or like them. Feedback and ideas as comments to this blogpost or better directly as a GitHub issue are very welcome.