Maximizing Database Security: Unified Auditing Housekeeping Guide
Contents
Introduction
Data is the new currency. It is one of the most valuable organizational assets, however, if that data is not well protected, it can quickly become a liability. At an alarming rate we are seeing more and more data breaches that impact an organization’s brand, their ability to continue to deliver services and do business, and of course they are impacted financially. We know that most sensitive data is stored and managed within databases.
Organizations spend colossal sums of money to keep data within compliance standards. Also, it is crucial to have a centralized and consolidated auditing mechanism for databases. Oracle Unified Auditing (OUA) is a comprehensive auditing solution introduced in Oracle Database 12c that consolidates database-level auditing into a single audit trail. Before Oracle 12c, auditing in Oracle databases was fragmented, with different audit trails for different types of activities (e.g., DML, DDL, system privileges). Unified Auditing streamlines this process by providing a centralized repository for all audit records, offering a more efficient and secure auditing mechanism.
For production environments auditing generates a large amount of data, housekeeping in Oracle Unified Auditing is crucial for maintaining the integrity, performance, and security of your database environment.
Here are some reasons why housekeeping is important:
- Performance Optimization:
Regular housekeeping tasks such as purging old audit records can help optimize the performance of your database by reducing the size of audit trails. This can lead to faster query execution and overall improved database performance.
- Compliance Requirements:
Many industries and organizations have regulatory compliance requirements that mandate the retention and management of audit data. Proper housekeeping ensures that you meet these compliance standards and avoid potential penalties or legal issues.
- Resource Management:
Auditing can consume significant disk space and system resources if not managed properly. Housekeeping activities such as archiving or purging old audit data help free up resources and prevent unnecessary strain on your database infrastructure.
- Security Enhancement:
Regularly reviewing and managing audit data can help identify suspicious activities or security breaches in your database environment. By maintaining an organized and up-to-date audit trail, you can quickly detect and respond to security incidents.
- Cost Reduction:
Storing large volumes of audit data for extended periods can incur additional storage costs. Proper housekeeping practices help control storage expenses by removing obsolete or unnecessary audit records.
In this article, I will elaborate on how to perform the housekeeping for unified auditing. This is the main meta link note from Oracle to perform unified auditing housekeeping
How To Purge The UNIFIED AUDIT TRAIL (Doc ID 1582627.1)
Understand the Partition Range:
It’s better to get a clear idea of the current partition range interval. Execute below mentioned query to get the partition interval.
Query
set lines 600
col owner for a10
col table_name for a20
col INTERVAL for a30
select owner,table_name,interval,partitioning_type,partition_count,def_tablespace_name from dba_part_Tables where owner='AUDSYS';
set lines 600
col owner for a10
col table_name for a20
col INTERVAL for a30
select owner,table_name,interval,partitioning_type,partition_count,def_tablespace_name from dba_part_Tables where owner='AUDSYS'
SQL> /
OWNER TABLE_NAME INTERVAL PARTITION PARTITION_COUNT DEF_TABLESPACE_NAME
---------- -------------------- ------------------------------ --------- --------------- ------------------------------
AUDSYS AUD$UNIFIED INTERVAL '1' MONTH RANGE 1048575 SYSAUX
SQL>
Change partition range
If you need to change the partition range to the day, use this below-mentioned procedure to change the partition range, the current example is to change the partition range today.
begin
DBMS_AUDIT_MGMT.ALTER_PARTITION_INTERVAL
(INTERVAL_NUMBER => 1,
INTERVAL_FREQUENCY => 'DAY');
end;
/
Manual Purging
Audit records can be validated from the gv$unified_audit_trail table.
DBSM_AUDIT_TYPE.CLEAN_AUDIT_TRAIL procedure can used to purge data manually.
SQL> select count(*) from gv$unified_audit_trail;
COUNT(*)
----------
81134
This is the below-mentioned procedure to housekeep manually.
Sample output after running the procedure
BEGIN
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
use_last_arch_timestamp => FALSE);
END;
/
SQL> select count(*) from gv$unified_audit_trail;
COUNT(*)
----------
81134
SQL> BEGIN
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
use_last_arch_timestamp => FALSE);
END;
/ 2 3 4 5 6
PL/SQL procedure successfully completed.
SQL> SQL> select count(*) from gv$unified_audit_trail;
COUNT(*)
----------
4
SQL>
File Location
This is the sample location where audit files are located, Once you run the procedure these files automatically maintained.
[oracle@ebs-12-2-12 ~]$ cd /u01/install/APPS/audit/ebscdb/2809223196EC2AF8E053A740D20A4DB6
[oracle@ebs-12-2-12 2809223196EC2AF8E053A740D20A4DB6]$ ls -lrth
total 12K
-rw-------. 1 oracle oinstall 1.5K Apr 11 14:14 ora_audit_03249.bin
-rw-------. 1 oracle oinstall 1.5K Apr 11 14:14 ora_audit_01282.bin
-rw-------. 1 oracle oinstall 1.5K Apr 11 14:14 ora_audit_01233.bin
[oracle@ebs-12-2-12 2809223196EC2AF8E053A740D20A4DB6]$
Schedule a unified Audit Housekeeping Job
You can use this procedure to create a schedular job.
BEGIN
DBMS_SCHEDULER.create_job (
job_name => 'PURGE_UNIFIED_AUDIT_JOB',
job_type => 'PLSQL_BLOCK',
job_action => 'BEGIN
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, SYSTIMESTAMP-31);
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
use_last_arch_timestamp => TRUE);
END;',
start_date => '',
repeat_interval => 'freq=daily; byhour=3; byminute=10; bysecond=0;',
end_date => NULL,
enabled => TRUE,
comments => 'Purge unified audit trail older than 31 days.');
END;
/
Sample Output
SQL> BEGIN
2 DBMS_SCHEDULER.create_job (
job_name => 'PURGE_UNIFIED_AUDIT_JOB',
3 4 job_type => 'PLSQL_BLOCK',
job_action => 'BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, SYSTIMESTAMP-31); DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, 5 use_last_arch_timestamp => TRUE); END;',
start_date => '',
repeat_interval => 'freq=daily; byhour=3; byminute=10; bysecond=0;',
end_date => NULL,
enabled => TRUE,
comments => 'Purge unified audit trail older than 31 days.');
END; 6
/ 7 8 9 10 11 12 13 14 15 16 17
PL/SQL procedure successfully completed.
SQL>
Validate Schedular Job
set lines 600
COLUMN owner FORMAT A20
COLUMN job_name FORMAT A30
COLUMN job_class FORMAT A30
COLUMN next_run_date FORMAT A36
SELECT owner,
job_name,
enabled,
job_class,
next_run_date
FROM dba_scheduler_jobs
where job_name='PURGE_UNIFIED_AUDIT_JOB'
ORDER BY owner, job_name;
OWNER JOB_NAME ENABL JOB_CLASS NEXT_RUN_DATE
-------------------- ------------------------------ ----- ------------------------------ ------------------------------------
SYS PURGE_UNIFIED_AUDIT_JOB TRUE DEFAULT_JOB_CLASS 12-APR-24 03.10.00.826286 AM ETC/UTC
Conclusion
In summary, housekeeping in Oracle Unified Auditing is essential for ensuring compliance, optimizing performance, enhancing security, and reducing operational costs in your database environment. By implementing regular housekeeping tasks, you can maintain a healthy and efficient auditing system that supports your organization’s goals and objectives.
Leave a Comment
Want to read more?
Fill out the form below to unlock access to more Eclipsys blogs – It’s that easy!