A brief introduction to Oracle Unified Auditing and Mixed Mode Auditing

Unified auditing:

    Unified auditing is a new auditing mechanism introduced in Oracle 12c. Compared with traditional auditing, it supports more complex and finer-grained auditing.

Unified auditing enables you to capture audit records from the following sources:
    Audit records (including SYS audit records) from unified audit policies and AUDIT settings
    Fine-grained audit records from the DBMS_FGA PL/SQL package
    Oracle Database Real Application Security audit records
    Oracle Recovery Manager audit records
    Oracle Database Vault audit records
    Oracle Label Security audit records
    Oracle Data Mining records
    Oracle Data Pump
    Oracle SQL*Loader Direct Load

Benefits of the Unified Audit Trail:
    1)After unified auditing is enabled, it does not depend on the initialization parameters that were used in previous releases.
    2)Overall auditing performance is greatly improved. By default, the audit records are automatically written to an internal relational table in the AUDSYS schema.
    3)You can create named audit policies that enable you to audit the supported components listed at the beginning of this section, as well as SYS administrative users. Furthermore, you can build conditions and exclusions into your policies.

    The unified audit trail, which resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, makes this information available in a uniform format in the UNIFIED_AUDIT_TRAIL data dictionary view, and is available in both single-instance and Oracle Database Real Application Clusters environments. 
    In addition to the user SYS, users who have been granted the AUDIT_ADMIN and AUDIT_VIEWER roles can query these views. If your users only need to query the views but not create audit policies, then grant them the AUDIT_VIEWER role.

    When the database is writeable, audit records are written to the unified audit trail. If the database is not writable, then audit records are written to new format operating system files in the $ORACLE_BASE/audit/$ORACLE_SID directory.

    In unified auditing, all Oracle Database audit trails (SYS.AUD$ for the database audit trail, SYS.FGA_LOG$ for fine-grained auditing, DVSYS.AUDIT_TRAIL$ for Database Vault, and so on) are combined into one single audit trail, which you can view by querying the UNIFIED_AUDIT_TRAIL data dictionary view for single-instance installations and GV$UNIFIED_AUDIT_TRAIL for Oracle Real Application Clusters environments.

Check whether the database's auditing has been migrated to unified auditing:
    SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
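
The named policies with conditions and exclusions described above, as an added example that is not from the Oracle documentation quoted on this page. The policy name hr_salary_changes, the table HR.EMPLOYEES, the user HR_BATCH and the OS account names are hypothetical; run it as a user holding AUDIT_ADMIN.

```sql
-- Audit UPDATE and DELETE on one table, but only for sessions whose
-- operating system user is not one of the known service accounts.
-- All object, user and account names here are hypothetical.
CREATE AUDIT POLICY hr_salary_changes
  ACTIONS UPDATE ON hr.employees,
          DELETE ON hr.employees
  WHEN 'SYS_CONTEXT(''USERENV'', ''OS_USER'') NOT IN (''oracle'', ''appsvc'')'
  EVALUATE PER SESSION;

-- Enable the policy for every user except the batch account (the exclusion).
AUDIT POLICY hr_salary_changes EXCEPT hr_batch;

-- Confirm what the policy contains and that it is enabled.
SELECT policy_name, audit_option, audit_option_type,
       object_schema, object_name, audit_condition, condition_eval_opt
  FROM audit_unified_policies
 WHERE policy_name = 'HR_SALARY_CHANGES';

SELECT policy_name, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'HR_SALARY_CHANGES';

-- In 12.1 with queued writes, records can sit in SGA queues for a while;
-- flush them before checking the trail.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- Read the resulting records from the unified audit trail.
SELECT event_timestamp, dbusername, os_username, action_name,
       object_schema, object_name, return_code, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%HR_SALARY_CHANGES%'
 ORDER BY event_timestamp;

-- Clean up: a policy must be disabled before it can be dropped.
NOAUDIT POLICY hr_salary_changes;
DROP AUDIT POLICY hr_salary_changes;
```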

Mixed Mode Auditing:

    Mixed mode auditing enables both traditional (that is, the audit facility from releases earlier than Release 12c) and the new audit facilities (unified auditing).

Even though the features of unified auditing are enabled in both these modes, there are differences between them. 
    In mixed mode, you can use the new unified audit facility alongside the traditional auditing facility. 
    In pure unified auditing, you only use the unified audit facility.

Mixed mode auditing is meant as a transitional mode, as this sentence from the official documentation makes clear:
    Mixed mode is intended to introduce unified auditing, so that you can have a feel of how it works and what its nuances and benefits are.
    
Characteristics of mixed mode auditing:
    1)It enables the use of all existing auditing initialization parameters: AUDIT_TRAIL, AUDIT_FILE_DEST, AUDIT_SYS_OPERATIONS, and AUDIT_SYSLOG_LEVEL.
    2)It writes mandatory audit records only to the traditional audit trails.
    3)It bases standard audit records on the standard audit configuration, and writes these records to the audit trail designated by the AUDIT_TRAIL initialization parameter.
        However, be aware that standard audit trail records are also generated based on unified audit policies and only these audit records are written to the unified audit trail. The standard audit records generated as a result of unified audit policies follow the semantics of unified audit policy enablement.
    4)The performance cost of writing an audit record is equivalent to the sum of the times required for generating and writing an audit record to the traditional audit trail and the unified audit trail.
    5)The format of the audit records that are written to traditional audit trails remains the same as in Oracle Database 11g Release 2.
    6)By default, Oracle Database writes unified audit records to system global area (SGA) queues. In other words, it writes the records periodically, not immediately. You can control how often the audit records are written. 
    7)Administrative user sessions generate SYS audit records. These records are written if the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE. This process writes the records only to the traditional audit trails. 
        However, when unified audit policies are enabled for administrative users, these unified audit records are also written to unified audit trail.

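    If we do not need very fine-grained auditing, mixed mode auditing looks like a reasonable choice. However, note characteristic 3: avoid overlap between the standard audit configuration and unified audit policies, because overlapping settings can cause the same activity to be written in two places, which may make auditing less efficient.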
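
One way to look for that overlap in a mixed mode database, as an added example that is not part of the original post. It assumes a user with access to the DBA_* audit views and the AUDIT_ADMIN or AUDIT_VIEWER role; the joins only flag candidates to review, since traditional and unified option names do not always map one to one.

```sql
-- 1. Which mode is the database in? TRUE = pure unified, FALSE = mixed mode.
SELECT DECODE(value, 'TRUE', 'pure unified', 'mixed mode') AS audit_mode
  FROM v$option
 WHERE parameter = 'Unified Auditing';

-- 2. Traditional audit parameters that are still honoured in mixed mode.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_file_dest',
                'audit_sys_operations', 'audit_syslog_level');

-- 3. System privileges audited by BOTH a traditional AUDIT setting and an
--    enabled unified audit policy: each use may be recorded in two trails.
SELECT DISTINCT t.privilege,
       t.user_name AS traditional_scope,
       p.policy_name AS unified_policy
  FROM dba_priv_audit_opts t
  JOIN audit_unified_policies p
    ON p.audit_option = t.privilege
   AND p.audit_option_type = 'SYSTEM PRIVILEGE'
  JOIN audit_unified_enabled_policies e
    ON e.policy_name = p.policy_name
 ORDER BY t.privilege;

-- 4. Objects that have traditional object auditing set and are also named
--    in an enabled unified policy.
SELECT DISTINCT o.owner, o.object_name, o.object_type,
       p.policy_name AS unified_policy,
       p.audit_option AS unified_action
  FROM dba_obj_audit_opts o
  JOIN audit_unified_policies p
    ON p.object_schema = o.owner
   AND p.object_name = o.object_name
   AND p.audit_option_type = 'OBJECT ACTION'
  JOIN audit_unified_enabled_policies e
    ON e.policy_name = p.policy_name
 ORDER BY o.owner, o.object_name;
```

Rows returned by queries 3 and 4 are the places to decide which facility should own the audit setting; remove the other one with NOAUDIT.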


How to migrate from mixed mode auditing to unified auditing:
    https://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810


Description of the UNIFIED_AUDIT_TRAIL view:
    https://docs.oracle.com/database/121/REFRN/GUID-B7CE1C02-2FD4-47D6-80AA-CF74A60CDD1D.htm#REFRN29162

    
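    As I see it, auditing is not a matter of the finer the better, or the more complete the better. The most suitable strategy comes from weighing audit requirements, the impact on business performance, how the auditing is implemented, and other factors together.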
