Utilizing Out-of-the-Box Unified Audit Policies in Oracle 19c

-

 

Utilizing Out-of-the-Box Unified Audit Policies in Oracle 19c

Oracle 19c offers powerful auditing capabilities via Unified Auditing, which consolidates all audit records into a single repository. One of its most useful features is the availability of Out-of-the-Box (OOB) policies like ORA_SECURECONFIG, which are automatically enabled and provide a strong baseline for database security monitoring.

In this blog, we’ll demonstrate how to:

  • Review the built-in auditing policies.

  • Create and drop a user.

  • Query the unified audit trail to verify audit records.

 Step 1: Check Auto-Enabled Unified Audit Policies

To view which auditing policies are enabled in your database, use the following SQL command:

sql
SELECT DISTINCT POLICY_NAME 
FROM audit_unified_enabled_policies;

This will list all the policies that are currently in effect, including predefined ones like ORA_SECURECONFIG, ORA_LOGON_FAILURES, and others.

 Step 2: Review Policy Details

Let's say we are interested in knowing whether the DROP USER action is audited under the ORA_SECURECONFIG policy. Use this query:

sql
SELECT audit_option 
FROM audit_unified_policies 
WHERE policy_name = 'ORA_SECURECONFIG' 
AND audit_option LIKE 'DROP%' 
ORDER BY 1;

If DROP USER appears in the result, it confirms that this action is audited by the policy.

Step 3: Create and Drop a User

To test the auditing policy, perform the following actions:

sql
CREATE USER test_audit IDENTIFIED BY oracle12;
DROP USER test_audit;

These operations will be captured by the Unified Auditing framework if the auditing policy is enabled properly.

Step 4: Check Audit Records in UNIFIED_AUDIT_TRAIL

Query the unified audit trail to confirm whether the DROP USER action was audited:

sql
COLUMN event_timestamp FORMAT A30
COLUMN dbusername FORMAT A10
COLUMN action_name FORMAT A20
COLUMN object_schema FORMAT A10
COLUMN object_name FORMAT A20

SELECT event_timestamp,
       dbusername,
       action_name,
       object_schema,
       object_name
FROM unified_audit_trail
WHERE action_name LIKE 'DROP USER%'
ORDER BY event_timestamp;

This output will show when the action occurred, which user performed it, and the object affected.

Conclusion

Oracle’s Unified Auditing simplifies and strengthens your security auditing strategy. By leveraging Out-of-the-Box policies like ORA_SECURECONFIG, you can automatically track sensitive operations such as user creation and deletion without additional configuration.

Tip: Always review which policies are auto-enabled after installing or upgrading your Oracle database, and customize your auditing policies as per your compliance requirements.

Comments

Post a Comment

Popular posts from this blog

Configure Oracle Database Vault Realms

-
Configure Oracle Database Vault Realms to Secure the HR Schema Oracle Database Vault (DV) is a powerful security feature that enables fine-grained access control by enforcing security policies that protect sensitive data. One of the most important components in Database Vault is the Realm , which creates a security boundary around database objects to prevent unauthorized access — even by highly privileged users. In this blog, we’ll walk through the step-by-step process of configuring a Realm to secure the HR schema in an Oracle Database 19c environment. You’ll learn how to: Create a Realm Add objects to it Restrict access Enable auditing for security tracking What is a Realm? A Realm in Oracle Database Vault defines a logical security boundary around one or more database objects. Once a Realm is in place, no one — not even privileged users like DBAs — can access the protected objects without being explicitly authorized. Realms are ideal for: Securing sensitive ap...
Read more

Configure Transparent Database Encryption (TDE) in Oracle CDB

-
   Configure Transparent Database Encryption (TDE) in Oracle CDB Transparent Data Encryption (TDE) is a vital Oracle feature used to secure sensitive data at rest by encrypting database files. In this guide, we'll walk through configuring TDE in a CDB (Container Database) environment and demonstrate its effectiveness with a test tablespace and HR schema. Prerequisites Oracle Database (12c and above, preferably 19c or later) File system access to create wallets Appropriate privileges to administer TDE and manage tablespaces Step 1: Create a New Tablespace in PDB Connect to the PDB and create a new tablespace: sql SQL > CREATE TABLE SPACE userstab DATAFILE '/opt/oracle/oradata/XE/XEPDB1/userstab01.dbf' SIZE 1 G; Tablespace created. Step 2:Install the Sample HR Schema Install the sample HR schema into the newly created userstab tablespace: sql SQL > @? / demo / schema / human_resources / hr_main.sql This will create and populate HR sc...
Read more

Cloning Oracle E-Business Suite 12.2.11: RMAN + Rapid Clone

-
Cloning Oracle E-Business Suite (EBS) environments is a critical part of managing development, testing, and DR landscapes. In this post, we walk through the process of cloning EBS 12.2.11 from a production environment to a non-production one using RMAN active duplication and Oracle Rapid Clone utilities . Clone Scenario Source Database CDB : PRODCDB Source PDB : prod Target Database CDB : RNDCDB Target PDB : RND Step 1: Prepare the Target Server Create Required Directories mkdir -p /u01/oracle/RNDCDB mkdir -p /u01/oracle/RND mkdir -p /u01/oracle/clone_logs Verify Swap Space (Must be ≥ 16GB) free -h Step 2: Run Pre-Clone on Source Database Tier cd $ORACLE_HOME/appsutil/scripts/prod_PRODCDB perl adpreclone.pl dbTier Application Tier cd $ADMIN_SCRIPTS_HOME perl adpreclone.pl appsTier  Step 3: Clone the CDB with RMAN 3.1: Startup Target CDB in NOMOUNT Mode export ORACLE_SID=RNDCDB sqlplus / as sysdba STARTUP NOMOUNT; 3.2: Run RMAN Active Duplicate rman target sys@PRODCDB auxiliary sy...
Read more