New mandatory unified audit policy on 19.26

This entry was posted in Audit Oracle Oracle 19c Oracle 23ai on by

This feature was just backported from Oracle 23ai. The new ORA$MANDATORY audit policy was added with the Oracle 19.26 RU. This policy is not visible at UNIFIED_AUDIT_POLICIES or AUDIT_UNIFIED_ENABLED_POLICIES.

After patching the database to 19.26, then you see entries on UNIFIED_AUDIT_TRAIL:

SYS@CDB2.CDB$ROOT> select EVENT_TIMESTMAP, SYSTEM_PRIVILEGE_USED, ACTION_NAME 
from UNIFIED_AUDIT_TRAIL 
where UNIFIED_AUDIT_POLICIES='ORA$MANDATORY' 
order by EVENT_TIMESTMAP;

                  EVENT_TIMESTAMP     SYSTEM_PRIVILEGE_USED       ACTION_NAME
_________________________________ _________________________ _________________
02-FEB-2025 21:54:56.192982000    SYSDBA                    LOGON
02-FEB-2025 21:54:56.216549000    SYSDBA                    SELECT
02-FEB-2025 21:55:00.381577000    SYSDBA, ALTER DATABASE    ALTER DATABASE
02-FEB-2025 21:55:00.393882000    SYSDBA                    LOGOFF
...

The actions that are audited by ORA$MANDATORY policy are described on Oracle 23ai documentation.

What I find interesting, is that the “ALTER DATABASE MOUNT” during startup is audited, so we can have a good history of database startups.

A bit of annoying is that few seconds before the “mount”, there is the internal query to show the amount of SGA at startup which is also audited:

SELECT DECODE(null,'','Total System Global Area','') NAME_COL_PLUS_SHOW_SGA,   SUM(VALUE), DECODE (null,'', 'bytes','') units_col_plus_show_sga FROM V$SGA    
UNION ALL    
SELECT NAME NAME_COL_PLUS_SHOW_SGA , VALUE,    DECODE (null,'', 'bytes','') units_col_plus_show_sga FROM V$SGA

These are below summarized:

  • Activities of administrative users such as SYSDBASYSBACKUP, and SYSKM when the database is down is always audited.
  • Any DDL or DML attempts on UNIFIED_AUDIT_TRAIL or the underlying dictionary tables in AUDSYS schema is always audited.

A bit more fine-grained it means:

  • SQL Firewall administrative actions
  • ORADEBUG utility
  • Audit-Related Activities
    • CREATE AUDIT POLICY
    • ALTER AUDIT POLICY
    • DROP AUDIT POLICY
    • AUDIT
    • NOAUDIT
    • EXECUTE of the DBMS_FGA PL/SQL package
    • EXECUTE of the DBMS_AUDIT_MGMT PL/SQL package
    • ALTER TABLE attempts on the AUDSYS audit trail table
  • Top level statements by the administrative users SYSSYSDBASYSOPERSYSASMSYSBACKUPSYSDG, and SYSKM, until the database opens.
  • All user-issued DML statements on the SYS.AUD$ and SYS.FGA_LOG$ dictionary tables
  • Any attempts to modify the data or metadata of the unified audit internal table. 
  • All configuration changes that are made to Oracle Database Vault
  • Operations on Blockchain and Immutable Tables
    • CREATE TABLE
    • DROP TABLE
    • Failed ALTER TABLE operations
    • Failed DELETE operations
    • Failed FLASHBACK TABLE operations
    • Failed RENAME operations
    • Failed TRUNCATE TABLE operations
    • Failed UPDATE operations
  • Access to Sensitive Columns in the Oracle Optimizer Dictionary Tables
    • SYS.HIST_HEAD$minimummaximumlowvalhival
      SYS.HISTGRM$endpointepvalue_raw
      SYS.WRI$_OPSTAT_HISTGRM_HISTORYendpointepvalue_raw
      SYS.WRI$_OPTSTAT_HISTHEAD_HISTORYminimummaximumlowvalhival

Leave a comment

Your email address will not be published. Required fields are marked *