Hello and welcome to this video tutorial on how to create a unified audit policy. A unified audit policy is a named group of audit settings that can include conditions. It can easily be enabled or disabled. You can audit one or more users or exclude specific users. The audit policy writes the audit records to the unified audit trail, which can be queried with data dictionary views. You can audit default database behavior, as well as other Oracle Database components, such as Oracle Database Vault or Oracle Real Application Security. To manage a unified audit policy, you must be granted the AUDIT_ADMIN role. The AUDIT_VIEWER role enables users to view audit policy reports only.

The table used for this demonstration, EMP.SALARY, will have both authorized and unauthorized users querying it. The unified audit policy for this table is designed to catch only unauthorized proxy users, not authorized users. This policy audits by specific user names, but you can create policies that audit for other conditions as well, such as computer host names or IP addresses. User AUD_MGR, who creates the policy, does not need access to this table.

User AUD_MGR, who has the AUDIT_ADMIN role, creates the policy. The WHEN clause is a condition that audits any user who tries to connect to the database using a proxy account to query the EMP.SALARY table. The EVALUATE clause enables the policy to perform the evaluation once for each database session.
After the policy is created, the “audit policy created” message appears. To enable the policy, user AUD_MGR enters an AUDIT statement. The SELECT_SAL policy is now active. But before the user actions can be captured, users must log into the database after the policy is created.
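The policy creation and enabling steps described above, written out as an added example; this is not the video's own on-screen SQL. The policy name SELECT_SAL, the table EMP.SALARY, the proxy account APP_USER and the user names come from the narration. The exact WHEN condition in the video is not shown on this page, so the condition below is an assumption chosen to reproduce the described behaviour (audit SELECT on EMP.SALARY only in sessions opened through the APP_USER proxy). The AUDIT_UNIFIED_POLICIES and AUDIT_UNIFIED_ENABLED_POLICIES views are Oracle's own data dictionary views.

```sql
-- Added example, not the video's SQL. Run as AUD_MGR, who holds the AUDIT_ADMIN role.
-- Assumed condition: SYS_CONTEXT('USERENV','PROXY_USER') names the account that opened
-- the session on behalf of the real user, so it identifies connections made via APP_USER.
CREATE AUDIT POLICY select_sal
  ACTIONS SELECT ON emp.salary
  WHEN 'SYS_CONTEXT(''USERENV'', ''PROXY_USER'') = ''APP_USER'''
  EVALUATE PER SESSION;   -- condition checked once per session, not once per statement

-- Other condition shapes the narration mentions (host name, IP address), for reference:
--   WHEN 'SYS_CONTEXT(''USERENV'', ''HOST'') = ''some-host'''        (constructed value)
--   WHEN 'SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'') LIKE ''10.0.%'''  (constructed value)

-- Enable the policy for the user to be audited. Only sessions that start after this
-- statement are evaluated, which is why the narration has users log in afterwards.
AUDIT POLICY select_sal BY jprendergast;

-- Equivalent shape that audits everyone except the authorised users:
--   AUDIT POLICY select_sal EXCEPT emp, jbonilla;

-- Check the stored definition and the enablement state.
SELECT policy_name, audit_condition, condition_eval_opt,
       audit_option, object_schema, object_name
FROM   audit_unified_policies
WHERE  policy_name = 'SELECT_SAL';

SELECT *                      -- column names differ slightly between releases
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'SELECT_SAL';

-- Disable the policy for that user when it is no longer needed.
NOAUDIT POLICY select_sal BY jprendergast;
```

Per-session evaluation is the right choice for a proxy-user condition: the proxy account cannot change during a session, so re-evaluating the condition on every statement would only add overhead.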
Users now start to query the EMP.SALARY table. JPRENDERGAST connects using the APP_USER proxy and then performs the first query. Because JPRENDERGAST is not authorized, the data is not available. User EMP, who is authorized, decides to check the number of employees in the table. He finds that it contains 18 employees. User JBONILLA, who is also authorized, needs data for his report, so he performs the next query.

The users have finished querying the EMP.SALARY table. Next, AUD_USR is ready to view an audit report showing their activities. User AUD_USR queries the unified audit trail. As you can see, the actions by the unauthorized user JPRENDERGAST, who had connected through the APP_USER proxy, were captured by the audit trail.
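The audit-trail query that AUD_USR runs, as an added example rather than the video's SQL. UNIFIED_AUDIT_TRAIL and the columns used are Oracle's own; the filter assumes the policy is named SELECT_SAL as in the narration, and the DBMS_AUDIT_MGMT flush call applies only to releases that queue audit records in memory.

```sql
-- Added example, not the video's SQL. Run as AUD_USR, who holds the AUDIT_VIEWER role.
-- On releases that buffer audit records in memory, write them out first so the view is current:
--   EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

SELECT event_timestamp,
       dbusername,                                  -- real user, e.g. JPRENDERGAST
       dbproxy_username,                            -- proxy account used to connect, e.g. APP_USER
       action_name,                                 -- SELECT
       object_schema || '.' || object_name AS obj,  -- EMP.SALARY
       return_code,                                 -- 0 = succeeded, otherwise the ORA- error number
       sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%SELECT_SAL%'   -- column can list several policies
ORDER  BY event_timestamp;
```

Only JPRENDERGAST's sessions appear, with DBPROXY_USERNAME showing APP_USER; a non-zero RETURN_CODE on those rows is the record of the failed attempt. EMP and JBONILLA do not appear at all because the policy was never enabled for them, so their queries were not evaluated.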
However, the authorized users EMP and JBONILLA, who also queried the EMP.SALARY table, were excluded from the audit trail. And that concludes our demo of unified auditing.
Thanks for watching.

For this demo, user AUD_MGR was granted the AUDIT_ADMIN role, user AUD_USER was granted the AUDIT_VIEWER role, and user EMP was granted the CREATE TABLE privilege. User JBONILLA was granted the SELECT privilege on the EMP.SALARY table, and users JPRENDERGAST and APP_USER were granted the CREATE SESSION privilege. JPRENDERGAST was granted privileges to connect through the APP_USER proxy account.

Oracle recommends that you practice the principle of least privilege, granting users only the privileges needed to perform their job function. Grant special privileges carefully, for a short period of time, and for a particular purpose. To learn more about security best practices, see “Keeping Your Oracle Database Secure” in the Oracle Database Security Guide.
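The privilege setup the narration lists for the demo, as an added example that is not the video's SQL. The user and role names are from the narration; the GRANT CONNECT THROUGH syntax and the PROXY_USERS view are Oracle's own. The SQL*Plus connect string shown in a comment is illustrative, and the password is a placeholder.

```sql
-- Added example, not the video's SQL. Run as a DBA before the demo.
GRANT AUDIT_ADMIN  TO aud_mgr;        -- can create, enable and disable audit policies
GRANT AUDIT_VIEWER TO aud_user;       -- can only read the audit trail
GRANT CREATE TABLE TO emp;            -- owner of EMP.SALARY
GRANT SELECT ON emp.salary TO jbonilla;
GRANT CREATE SESSION TO jprendergast, app_user;
-- (any account that must log in, including aud_mgr and emp, also needs CREATE SESSION)

-- Proxy authentication: JPRENDERGAST is allowed to connect through the APP_USER account.
ALTER USER jprendergast GRANT CONNECT THROUGH app_user;

-- Verify the proxy link that the audit policy's condition relies on.
SELECT proxy, client, authentication
FROM   proxy_users
WHERE  proxy = 'APP_USER';

-- How the proxied session is opened from SQL*Plus (placeholder password):
--   CONNECT app_user[jprendergast]/<app_user_password>
-- In that session SESSION_USER is JPRENDERGAST and PROXY_USER is APP_USER.
```

Nothing here grants JPRENDERGAST or APP_USER any privilege on EMP.SALARY, which is why the proxied query fails; the audit policy records the attempt regardless of the outcome, which is the point of auditing the unauthorized path rather than the authorized users.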