On Oracle 12c - both dba_audit_trail (aud$) and unified_Audit_trail (unified) are running as per document.
Does TOAD have a GUI way to view all the settings of both auditing methods?
Thank you
Yes.
If you have the DB Admin module, you can see a tab/dropdown item in Schema Browser left-hand side for "Unified Audit Policies". You can find the set up unified audit policies there and see the audit trail items that each policy created.
For traditional auditing -
Thank you.
How do I see what's actively running? I clicked on each of the Unified Audit Policies but do not see anything that says enabled or active. Yet, a lot of records are generated in unified_Audit_trail.
The same for dba_audit_trail. I clicked on a few at both audit objects and audit sql / sys privileges and all of them show "No Audit"
Thank you
dba_audit_trail has the columns OWNER and OBJNAME to tell you what is being audited.
Unified_audit_trail has the column UNIFIED_AUDIT_POLICIES to tell you which policy triggered the audit record.
It may be easiest to just do "select * from dba_audit_trail order by timestamp desc" and "select * from unified_audit_trail order by event_timestamp desc" in the editor to get started.
BTW, you can look in dba_audit_objects to see what is being audited database-wide. Look for any object that has something besides '-/-' in the last several columns.
These go to dba_audit_trail.
select *
from dba_OBJ_AUDIT_OPTS
where (alt is not null and alt <> '-/-')
or (aud is not null and aud <> '-/-')
or (com is not null and com <> '-/-')
or (del is not null and del <> '-/-')
or (gra is not null and gra <> '-/-')
or (ind is not null and ind <> '-/-')
or (ins is not null and ins <> '-/-')
or (loc is not null and loc <> '-/-')
or (ren is not null and ren <> '-/-')
or (sel is not null and sel <> '-/-')
or (upd is not null and upd <> '-/-')
or (exe is not null and exe <> '-/-')
or (cre is not null and cre <> '-/-')
or (rea is not null and rea <> '-/-')
or (wri is not null and wri <> '-/-')
or (fbk is not null and fbk <> '-/-')
Thank you so much for your help.
After doing some more reading, I don't think the rows and rows of data are from unified audits because select * from v$option where PARAMETER = 'Unified Auditing'; returns FALSE.
Since unified audit trail is a combination of SYS.AUD$ for the database audit trail, SYS.FGA_LOG$ for fine-grained auditing, etc., I think the audit records may be from one of those other audits.
Your DBA_OBJ_AUDIT_OPTS returns 214 rows with these 3 usernames DVF, DVSYS and LBACSYS. I'm going to have to dig into what they are doing.
Again, thank you so much for your help.
If you suspect some fine-grained auditing exists, look in Schema Browser -> Audit Policies. That's FGA. You can filter it to "all schemas" if you want.
Or just go into editor and run "select * from dba_audit_policies".
Nothing in Schema Browser, SYS, Audit Policies. No filters as far as I can tell.
Similarly, no rows when I run select * from dba_audit_policies
Is anyone logging in as SYS? If so, and the audit_sys_operations = true, then that could be causing your audit records.
Check this:
SELECT name, value
FROM gv$parameter
WHERE name LIKE '%audit%';
BTW, select * from v$option where PARAMETER = 'Unified Auditing'; returns false for me too, but somehow it works anyway.
Go to the Schema Browser, Unified Auditing. On the Right, go to the "Enablement" tab. Then click through your policies on the left one by one. If any of them have a row in the right hand side, that policy is enabled at least sometimes. You can double-click it on the left then change it to "disabled" if you want.
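The same "what is actively auditing" question can be answered from the editor in one pass. The query below is an added example, not part of the thread or of Toad: it joins Oracle's AUDIT_UNIFIED_ENABLED_POLICIES and AUDIT_UNIFIED_POLICIES dictionary views (the data behind an enablement listing) and appends the traditional statement and privilege audit options, which write to dba_audit_trail. The column aliases are illustrative, and it assumes an account that can read these views.

```sql
-- Added example: one listing of everything currently set to generate audit records.
-- Unified auditing: only policies that are ENABLED, with the actions each one audits.
SELECT 'UNIFIED'             AS audit_source,
       e.policy_name         AS policy_or_user,
       p.audit_option_type   AS option_type,
       p.audit_option        AS audited_item,
       e.success             AS on_success,
       e.failure             AS on_failure
FROM   audit_unified_enabled_policies e
JOIN   audit_unified_policies p
       ON p.policy_name = e.policy_name
UNION ALL
-- Traditional auditing: statement options (AUDIT <statement> ...).
SELECT 'TRADITIONAL',
       NVL(s.user_name, 'ALL USERS'),
       'STATEMENT',
       s.audit_option,
       s.success,
       s.failure
FROM   dba_stmt_audit_opts s
UNION ALL
-- Traditional auditing: system privilege options (AUDIT <privilege> ...).
SELECT 'TRADITIONAL',
       NVL(v.user_name, 'ALL USERS'),
       'PRIVILEGE',
       v.privilege,
       v.success,
       v.failure
FROM   dba_priv_audit_opts v
ORDER  BY 1, 2, 3, 4;
```

A policy that exists but is not enabled produces no UNIFIED rows here. Object-level traditional auditing is not included; the DBA_OBJ_AUDIT_OPTS query earlier in the thread covers it.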
Looks like that was it - ORA_LOGON_FAILURES and ORA_SECURECONFIG were on.
Double clicking on the left suggestion is what I needed. I was able to see Audited Standard Actions and All Standard Actions and move each action in / out of the Audited Actions.
Can't tell you how much I appreciate all your help! Thank you so much!
I was able to see Audited Standard Actions and All Standard Actions and move each action in / out of the Audited Actions.
I know you've already changed the actions. FYI, if you just disabled, they would have stopped auditing even with the audit actions in place. There is probably no harm in what you did but as long as they aren't doing anything you might want to just set them to disabled.
I understand. I wanted it enabled; but, able to see and adjust what's being audited.