{"id":13000,"date":"2023-03-16T16:00:13","date_gmt":"2023-03-16T15:00:13","guid":{"rendered":"https:\/\/www.oradba.ch\/wordpress\/?p=13000"},"modified":"2023-03-16T16:00:13","modified_gmt":"2023-03-16T15:00:13","slug":"help-i-lost-my-brand-new-unified-audit-policy","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2023\/03\/help-i-lost-my-brand-new-unified-audit-policy\/","title":{"rendered":"Help I lost my brand new Unified Audit Policy?"},"content":{"rendered":"\n<p>I am currently working on audit concepts as well as corresponding Unified Audit Policies for various customer projects. That&#8217;s why today I once again had a closer look at Oracle Unified Audit.<\/p>\n\n\n\n<p>One requirement in the security concept is to be able to track if someone accesses the operating system via Oracle DIRECTORY OBJECTS. To do this, you can either work with an explicit object action on a specific directory or you can generally audit the object actions on directories. An audit policy with one or more explicit object actions must of course be managed accordingly. Therefore I decided to monitor actions on Oracle directories in general, i.e. READ, WRITE and EXECUTE.
<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Problem<\/h2>\n\n\n\n<p>My audit policy looks as follows:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">CREATE AUDIT POLICY tvdlm_dir_access\n  ACTIONS\n    READ DIRECTORY,\n    WRITE DIRECTORY,\n    EXECUTE DIRECTORY\n  ONLY TOPLEVEL;<\/pre>\n\n\n\n<p>Cheerfully, we check for our policy in the data dictionary view <em>audit_unified_policies<\/em>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">SET pagesize 200\nSET linesize 160\nCOL policy_name FOR A25\nSELECT policy_name FROM audit_unified_policies\nGROUP BY policy_name ORDER BY policy_name;<\/pre>\n\n\n\n<p>As you can see, the new policy is not shown in the data dictionary view <em>audit_unified_policies<\/em>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">POLICY_NAME\n-------------------------\nORA_ACCOUNT_MGMT\nORA_CIS_RECOMMENDATIONS\nORA_DATABASE_PARAMETER\nORA_DV_AUDPOL\nORA_DV_AUDPOL2\nORA_LOGON_FAILURES\nORA_RAS_POLICY_MGMT\nORA_RAS_SESSION_MGMT\nORA_SECURECONFIG\n\n9 rows selected.<\/pre>\n\n\n\n<p>But when you try to create it once more, you get the error ORA-46358.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">CREATE AUDIT POLICY tvdlm_dir_access\n  ACTIONS\n    READ 
DIRECTORY,\n    WRITE DIRECTORY,\n    EXECUTE DIRECTORY\n  ONLY TOPLEVEL;<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">CREATE AUDIT POLICY tvdlm_dir_access\n*\nERROR at line 1:\nORA-46358: Audit policy TVDLM_DIR_ACCESS already exists.<\/pre>\n\n\n\n<p>But where is it? Let&#8217;s see if we can find it in <em>dba_objects<\/em>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">SET pagesize 200\nSET linesize 160\nCOL object_name FOR A25\nCOL object_type FOR A25\nSELECT object_name, object_type FROM dba_objects\n  WHERE object_name LIKE 'TVD%' ORDER BY object_name;<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">OBJECT_NAME\t\t  OBJECT_TYPE\n------------------------- -------------------------\nTVDLM_DIR_ACCESS\t  UNIFIED AUDIT POLICY<\/pre>\n\n\n\n<p>OK, in <em>dba_objects<\/em> we can see the policy. Can we also use \/ enable it?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Test Case<\/h2>\n\n\n\n<p>Let&#8217;s set up a simple test case to see whether this audit policy works even though it is not shown as a valid audit policy in <em>audit_unified_policies<\/em>. 
As a first step, we enable the audit policy for all users.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">AUDIT POLICY tvdlm_dir_access;<\/pre>\n\n\n\n<p>Verify all active unified audit policies by querying <em>audit_unified_enabled_policies<\/em>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">SET linesize 160 pagesize 200\nCOL policy_name FOR A20\nCOL entity_name FOR A10\n\nSELECT * FROM audit_unified_enabled_policies;<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">POLICY_NAME          ENABLED_OPTION  ENTITY_NAM ENTITY_ SUC FAI\n-------------------- --------------- ---------- ------- --- ---\nORA_SECURECONFIG     BY USER         ALL USERS  USER    YES YES\nORA_LOGON_FAILURES   BY USER         ALL USERS  USER    NO  YES\nTVDLM_DIR_ACCESS     BY USER         ALL USERS  USER    YES YES\n\n3 rows selected.<\/pre>\n\n\n\n<p>This looks promising. At least the active audit policy is shown correctly. Now, to test access, we create an Oracle directory object. 
For the test I use the user <em>scott<\/em>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">CREATE OR REPLACE DIRECTORY exttab AS '\/u01\/app\/oracle\/admin\/TSEC02\/adhoc';\nGRANT READ, WRITE ON DIRECTORY exttab TO scott;<\/pre>\n\n\n\n<p>In the adhoc folder we do create a csv file <em>scott.emp.csv<\/em> with the following content.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">SELECT empno||','||ename||','||job csv_output FROM scott.emp;<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">CSV_OUTPUT\n-------------------------------------------------------------\n7369,SMITH,CLERK\n7499,ALLEN,SALESMAN\n7521,WARD,SALESMAN\n7566,JONES,MANAGER\n7654,MARTIN,SALESMAN\n7698,BLAKE,MANAGER\n7782,CLARK,MANAGER\n7788,SCOTT,ANALYST\n7839,KING,PRESIDENT\n7844,TURNER,SALESMAN\n7876,ADAMS,CLERK\n7900,JAMES,CLERK\n7902,FORD,ANALYST\n7934,MILLER,CLERK\n\n14 rows selected.<\/pre>\n\n\n\n<p>And finally we do create a simple external table on this csv file.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">CREATE TABLE scott.emp_external(\n    EMPNO NUMBER(4),\n    ename VARCHAR2(10),\n    job VARCHAR2(9)\n)\nORGANIZATION EXTERNAL(\n    TYPE oracle_loader\n    DEFAULT DIRECTORY exttab\n    ACCESS PARAMETERS \n   
 (FIELDS TERMINATED BY ',')\n    LOCATION ('scott.emp.csv'));<\/pre>\n\n\n\n<p>Before we query the external table, we purge the audit trail to have a clean trail \ud83d\ude0a<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">EXEC dbms_audit_mgmt.clean_audit_trail( audit_trail_type => dbms_audit_mgmt.audit_trail_unified,use_last_arch_timestamp => FALSE);<\/pre>\n\n\n\n<p>Run the query on the external table <em>scott.emp_external<\/em>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">SELECT * FROM scott.emp_external;<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">     EMPNO ENAME      JOB\n---------- ---------- ---------\n      7369 SMITH      CLERK\n      7499 ALLEN      SALESMAN\n      7521 WARD       SALESMAN\n      7566 JONES      MANAGER\n      7654 MARTIN     SALESMAN\n      7698 BLAKE      MANAGER\n      7782 CLARK      MANAGER\n      7788 SCOTT      ANALYST\n      7839 KING       PRESIDENT\n      7844 TURNER     SALESMAN\n      7876 ADAMS      CLERK\n      7900 JAMES      CLERK\n      7902 FORD       ANALYST\n      7934 MILLER     CLERK\n\n14 rows selected.<\/pre>\n\n\n\n<p>Verify what we do have in the <em>unified_audit_trail<\/em>. 
<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">COL event_timestamp FOR A26\nCOL entry_id FOR 999\nCOL dbusername FOR A5\nCOL dbproxy_username FOR A10\nCOL action_name FOR A18\nCOL return_code FOR 999999\nCOL object_schema FOR A10\nCOL object_name FOR A16\nCOL unified_audit_policies FOR A20\nSET LINES 200\nSET PAGES 999\nSELECT\n   to_char(event_timestamp,'DD.MM.YY HH24:MI:SS') \"Timestamp\",\n   entry_id,\n   action_name,\n   object_name\n   --, unified_audit_policies\nFROM\n    unified_audit_trail\nORDER BY\n    event_timestamp ,\n    entry_id;<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Timestamp         ENTRY_ID ACTION_NAME        OBJECT_NAME\n----------------- -------- ------------------ ----------------\n16.03.23 15:52:17       42 EXECUTE            DBMS_AUDIT_MGMT\n16.03.23 15:52:36        1 READ DIRECTORY     EXTTAB\n16.03.23 15:52:36        2 EXECUTE DIRECTORY  EXTTAB\n16.03.23 15:52:36        3 WRITE DIRECTORY    EXTTAB\n16.03.23 15:52:36        4 READ DIRECTORY     EXTTAB\n16.03.23 15:52:36        5 EXECUTE DIRECTORY  EXTTAB\n16.03.23 15:52:36        6 WRITE DIRECTORY    EXTTAB\n16.03.23 15:52:36        7 READ DIRECTORY     EXTTAB\n16.03.23 15:52:36        8 EXECUTE DIRECTORY  EXTTAB\n16.03.23 15:52:36        9 WRITE DIRECTORY    EXTTAB\n16.03.23 15:52:36       10 READ DIRECTORY     EXTTAB\n16.03.23 15:52:36       11 EXECUTE DIRECTORY  EXTTAB\n16.03.23 15:52:36       12 WRITE DIRECTORY    EXTTAB\n16.03.23 15:52:36       13 READ DIRECTORY     EXTTAB\n16.03.23 15:52:36       14 EXECUTE DIRECTORY  EXTTAB\n16.03.23 15:52:36       15 WRITE DIRECTORY    EXTTAB\n16.03.23 15:52:36       16 READ DIRECTORY     EXTTAB\n16.03.23 15:52:36       17 EXECUTE DIRECTORY  EXTTAB\n16.03.23 15:52:36       18 WRITE DIRECTORY    EXTTAB\n\n19 rows selected.<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>So the whole thing is not as bad as it looked at the beginning. The audit policy is created, can be activated and the corresponding audit records are created. Nevertheless, not seeing the audit policy in audit_unified_policies is a bit confusing, especially since, according to the Oracle documentation, this view should list all available audit policies. After a bit of research and a service request, it turned out that this is a known issue. A corresponding bugfix seems to be in the works. 
Until then, you have to query <em>dba_objects<\/em> to check if a policy really exists.<\/p>\n\n\n\n<p>A few final facts&#8230;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>Oracle Support Document <a rel=\"noreferrer noopener\" href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=30769454.8\" target=\"_blank\">30769454.8<\/a> <\/em>Bug 30769454 &#8211; Policy Created For Some Actions Are Not Showing In Audit_Unified_Policies.<\/li>\n\n\n\n<li><em>Oracle Support Document <a rel=\"noreferrer noopener\" href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocContentDisplay?id=2419064.1\" target=\"_blank\">2419064.1<\/a><\/em> Audit Policy is Not Seen in AUDIT_UNIFIED_POLICIES After Dropping Objects.<\/li>\n\n\n\n<li>Oracle Database Enterprise Edition up to 21.3 is affected. Testing with 21c RU January 2023 (21.9.0.0) showed that in this version the problem is fixed.<\/li>\n\n\n\n<li>Audit policies on directory actions create a couple of audit records. It seems that this is related to how external tables are accessed. This can be reduced by explicitly setting NOLOGFILE, NOBADFILE or NODISCARDFILE, but even then there will always be more than one entry.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Just realized that under some conditions audit policies are not shown in AUDIT_UNIFIED_POLICIES. 
This blog post provides some information and a test case.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[101,11,32,1,198],"tags":[221,222,223,135],"class_list":["post-13000","post","type-post","status-publish","format-standard","hentry","category-bug","category-security","category-security-audit","category-uncategorized","category-unified-audit","tag-bug","tag-oracle-audit","tag-security","tag-unified-audit"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1aErb-3nG","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":13852,"url":"https:\/\/www.oradba.ch\/wordpress\/2023\/08\/sql-toolbox-for-simplified-oracle-unified-audit-data-analysis\/","url_meta":{"origin":13000,"position":0},"title":"SQL Toolbox for simplified Oracle Unified Audit Data Analysis","author":"Stefan","date":"28. August 2023","format":false,"excerpt":"On my journey through the area of database security, Oracle Unified Audit has been a constant companion. I not only created audit concepts, but also often had the opportunity to implement them. Besides the configuration, the administration and evaluation of the audit data was always part of it. 
Occasionally I\u2026","rel":"","context":"In &quot;19c&quot;","block_context":{"text":"19c","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/19c\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/saua_teact.sql.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/saua_teact.sql.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/saua_teact.sql.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/saua_teact.sql.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":13118,"url":"https:\/\/www.oradba.ch\/wordpress\/2023\/04\/great-i-found-my-audit-policies-again\/","url_meta":{"origin":13000,"position":1},"title":"Great, I found my Audit Policies again","author":"Stefan","date":"4. April 2023","format":false,"excerpt":"A while ago I wrote a blog post about issues with some Oracle Unified Audit Policies see Help I lost my brand new Unified Audit Policy? In the meantime, the whole thing no longer looks so tragic. The problem is an official bug for which Oracle has already released a\u2026","rel":"","context":"In &quot;Audit&quot;","block_context":{"text":"Audit","link":"https:\/\/www.oradba.ch\/wordpress\/category\/audit\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":13876,"url":"https:\/\/www.oradba.ch\/wordpress\/2023\/12\/easy-audit-data-analysis-with-sql-developer-reports\/","url_meta":{"origin":13000,"position":2},"title":"Easy Audit Data Analysis with SQL Developer Reports","author":"Stefan","date":"21. December 2023","format":false,"excerpt":"In one of my last blog post SQL Toolbox for simplified Oracle Unified Audit Data Analysis, I introduced a set of scripts designed to streamline Oracle Unified Audit data analysis. 
These scripts, now available on my GitHub repository oehrlis\/oradba, have received positive feedback. Building on that, I'd like to explore\u2026","rel":"","context":"In &quot;19c&quot;","block_context":{"text":"19c","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/19c\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ChartAuditEventsDay-1.png?fit=1200%2C916&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ChartAuditEventsDay-1.png?fit=1200%2C916&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ChartAuditEventsDay-1.png?fit=1200%2C916&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ChartAuditEventsDay-1.png?fit=1200%2C916&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ChartAuditEventsDay-1.png?fit=1200%2C916&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":1978,"url":"https:\/\/www.oradba.ch\/wordpress\/2015\/05\/doag-sig-security-munich-2015\/","url_meta":{"origin":13000,"position":3},"title":"DOAG SIG Security Munich 2015","author":"Stefan","date":"19. May 2015","format":false,"excerpt":"Just finished my presentation about Unified Audit at the DOAG SIG Security in M\u00fcnchen. It is about Oracle Unified Audit and a few considerations for migrating old standard audit to new policy based unified audit. The slides are available for download . 
Some impression for the event and my presentation.","rel":"","context":"In &quot;12cR1&quot;","block_context":{"text":"12cR1","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/12cr1\/"},"img":{"alt_text":"DOAG_SIG_SEC_2015_1","src":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/DOAG_SIG_SEC_2015_1-1024x768.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":9867,"url":"https:\/\/www.oradba.ch\/wordpress\/2022\/03\/how-to-write-unified-audit-trail-records-to-syslog\/","url_meta":{"origin":13000,"position":4},"title":"How to write Unified Audit Trail Records to SYSLOG\u00a0","author":"Stefan","date":"23. March 2022","format":false,"excerpt":"With the introduction of Oracle Unified Audit, Oracle has completely redesigned the process of logging audit events. With the new unified audit trail, there is only one place where audit records are stored. Ok, the audit trail exists per PDB and for a read only database additionally somehow as a\u2026","rel":"","context":"In &quot;18c&quot;","block_context":{"text":"18c","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/18c\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/Oracle-SYSLOG-Audit-PDB.png?fit=1200%2C630&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/Oracle-SYSLOG-Audit-PDB.png?fit=1200%2C630&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/Oracle-SYSLOG-Audit-PDB.png?fit=1200%2C630&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/Oracle-SYSLOG-Audit-PDB.png?fit=1200%2C630&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/Oracle-SYSLOG-Audit-PDB.png?fit=1200%2C630&ssl=1&resize=1050%2C600 
3x"},"classes":[]},{"id":14847,"url":"https:\/\/www.oradba.ch\/wordpress\/2024\/01\/its-a-wrap-insights-from-the-soug-espresso-on-oracle-audit\/","url_meta":{"origin":13000,"position":5},"title":"It\u2019s a Wrap: Insights from the SOUG Espresso on Oracle Audit","author":"Stefan","date":"26. January 2024","format":false,"excerpt":"In my latest SOUG Espresso session, Easy Audit Data Analysis with SQL Developer Reports, I focused on Oracle Unified Audit Analysis. This was an opportunity to share my experience and insights into database security and audit data workflow enhancement. Event Highlights Based on my considerable experience with Oracle databases, I\u2026","rel":"","context":"In &quot;19c&quot;","block_context":{"text":"19c","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/19c\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/SOUG2024_expresso_audit_oehrli.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/SOUG2024_expresso_audit_oehrli.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/SOUG2024_expresso_audit_oehrli.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/SOUG2024_expresso_audit_oehrli.png?resize=700%2C400&ssl=1 
2x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/13000","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/comments?post=13000"}],"version-history":[{"count":17,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/13000\/revisions"}],"predecessor-version":[{"id":13017,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/13000\/revisions\/13017"}],"wp:attachment":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/media?parent=13000"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/categories?post=13000"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/tags?post=13000"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}