Oracle has had more security issues relative to Sybase, DB2 and SQL Server, but the upside has been that Oracle has a
great audit trail. What do I mean by great? I mean it can be read using Vi and integrates with *nix syslog, so I can audit
a whole estate by piggybacking the current Unix logging infrastructure. This is a very powerful capability and has set
Oracle above its competitors.
Now, 12c makes a change. For the time being all the usual audit-trail mechanisms are preserved, but in addition
there is the option of Unified Audit Trail (UAT). UAT brings centralization (good) but also proprietorization through
the use of the SecureFile format for audit-trail entries. In other words, you would not be able to use Vi to read the audit
record. Proprietorizing the audit trail into the SecureFile format does not help Oracle technologists to use the audit
trail. Agreed, there is some reduction in the risk of an unauthorized user reading that audit trail, but that is not of
high enough importance relative to the usability of the audit trail. This is because the big problem is that not enough
people read the audit trail, and therefore the organization misses an important event.
If Oracle did decide to de-support the 11g audit-trail mechanisms, then the risk of no one reading the audit trail
increases. It may be the case that this proposed proprietorization is because other audit-trail consolidation companies
have been selling SIEMs (i.e., log correlation software to view many logs) that have had unfettered access to Oracle's
audit trail from the OS—thus making money from Oracle's open audit trail. I appreciate this concern, but rather than
proprietorize the audit trail, I would hope that Oracle can build and improve on its *nix audit-trail integration and be
proud of the fact that so many other companies support Oracle's audit trail. I believe that with customer influence
Oracle can be convinced to keep support for the plain-text syslog audit trail, which currently provides much-needed
transparency to many database estates. The good news is that Oracle has assured me that the current clear-text audit
trails, including syslog, will stay in place for at least the immediate future.
Actual 12c Release Audit Trail
Now that we have covered some of the context regarding the changes to the audit trail from 11g to 12c Beta, let's drill into
the detail of the actual public release of 12c. The first point of interest is that the normal audit trail is turned on by
default, as shown by the following query:
SQL> sho parameter audit;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/orcl/adump
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string
audit_trail                          string      DB
unified_audit_sga_queue_size         integer     1048576
And the standard audit entries are readable through the UNIFIED_AUDIT_TRAIL view. A centralized view of audit
trails is great. This includes FGA logs as well.
SQL> select count(*)
  2  from unified_audit_trail;

  COUNT(*)
----------
      2203
However, this does not mean that the new UNIFIED AUDITING itself is actually turned on.
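One way to check that point, as an added example that is not part of the original text: V$OPTION reports whether the Unified Auditing option is enabled, and the queries after it show which policies and record types are populating UNIFIED_AUDIT_TRAIL. Column names are those of the 12c data dictionary views; the account running the queries is assumed to have read access to them.

```sql
-- Added example: run from SQL*Plus with an account that can read
-- V$OPTION and the unified audit views (assumption).

-- 1. Is the Unified Auditing option enabled in this Oracle home?
--    TRUE  = pure unified auditing; the traditional audit parameters
--            (audit_trail, audit_syslog_level, ...) are no longer honoured
--    FALSE = mixed mode; the traditional audit trail still works alongside
--            whatever unified audit policies are enabled
SELECT parameter, value
FROM   v$option
WHERE  parameter = 'Unified Auditing';

-- 2. Which unified audit policies are enabled, and for whom?
--    These are what write to the unified trail while the option is FALSE.
SELECT policy_name, user_name, enabled_opt, success, failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name, user_name;

-- 3. What kinds of records make up the COUNT(*) from UNIFIED_AUDIT_TRAIL?
--    Grouping by AUDIT_TYPE shows which audit sources actually feed the view
--    on this instance, and over what period.
SELECT audit_type,
       COUNT(*)             AS records,
       MIN(event_timestamp) AS oldest,
       MAX(event_timestamp) AS newest
FROM   unified_audit_trail
GROUP  BY audit_type
ORDER  BY records DESC;

-- 4. Which policy and action produced the records?
SELECT unified_audit_policies, action_name, COUNT(*) AS records
FROM   unified_audit_trail
GROUP  BY unified_audit_policies, action_name
ORDER  BY records DESC;
```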