To enable Unified Auditing in Oracle Database 12 and 18 on Oracle Linux I did this:
export ORACLE_SID=ORCLCDB
cd $ORACLE_HOME/bin
./sqlplus sys as sysdba
SHUTDOWN IMMEDIATE
EXIT
./lsnrctl stop
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_on ioracle
cd $ORACLE_HOME/bin
./lsnrctl start
./sqlplus sys as sysdba
STARTUP
After that the following query
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
returned TRUE. And the following query shows the list of enabled audit options:
col AUDIT_OPTION format A30
SELECT up.AUDIT_OPTION, uep.SUCCESS, uep.FAILURE from AUDIT_UNIFIED_ENABLED_POLICIES uep, AUDIT_UNIFIED_POLICIES up
where uep.USER_NAME = 'ALL USERS' and uep.ENABLED_OPT='BY USER' and uep.POLICY_NAME = up.POLICY_NAME and up.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
or in Oracle 19c (see Oracle 19c Audit changes):
col AUDIT_OPTION format A30
SELECT up.AUDIT_OPTION, uep.SUCCESS, uep.FAILURE from AUDIT_UNIFIED_ENABLED_POLICIES uep, AUDIT_UNIFIED_POLICIES up
where uep.ENTITY_NAME = 'ALL USERS' and uep.ENABLED_OPTION='BY USER' and uep.POLICY_NAME = up.POLICY_NAME and up.AUDIT_OPTION_TYPE = 'STANDARD ACTION'
AUDIT_OPTION SUC FAI
------------------------------ --- ---
LOGON NO YES
CREATE DATABASE LINK YES YES
DROP DATABASE LINK YES YES
ALTER USER YES YES
CREATE ROLE YES YES
DROP ROLE YES YES
SET ROLE YES YES
CREATE PROFILE YES YES
DROP PROFILE YES YES
ALTER PROFILE YES YES
ALTER ROLE YES YES
AUDIT_OPTION SUC FAI
------------------------------ --- ---
CREATE DIRECTORY YES YES
DROP DIRECTORY YES YES
ALTER DATABASE LINK YES YES
CREATE PLUGGABLE DATABASE YES YES
ALTER PLUGGABLE DATABASE YES YES
DROP PLUGGABLE DATABASE YES YES
CREATE TABLE YES YES
DROP TABLE YES YES
ALTER TABLE YES YES
CREATE VIEW YES YES
DROP VIEW YES YES
AUDIT_OPTION SUC FAI
------------------------------ --- ---
CREATE PROCEDURE YES YES
ALTER PROCEDURE YES YES
RENAME YES YES
ALTER DATABASE YES YES
ALTER USER YES YES
ALTER SYSTEM YES YES
CREATE USER YES YES
CREATE ROLE YES YES
DROP USER YES YES
DROP ROLE YES YES
SET ROLE YES YES
AUDIT_OPTION SUC FAI
------------------------------ --- ---
CREATE TRIGGER YES YES
ALTER TRIGGER YES YES
DROP TRIGGER YES YES
CREATE PROFILE YES YES
DROP PROFILE YES YES
ALTER PROFILE YES YES
DROP PROCEDURE YES YES
CREATE MATERIALIZED VIEW YES YES
DROP MATERIALIZED VIEW YES YES
ALTER ROLE YES YES
TRUNCATE TABLE YES YES
AUDIT_OPTION SUC FAI
------------------------------ --- ---
CREATE FUNCTION YES YES
ALTER FUNCTION YES YES
DROP FUNCTION YES YES
CREATE PACKAGE YES YES
ALTER PACKAGE YES YES
DROP PACKAGE YES YES
CREATE PACKAGE BODY YES YES
ALTER PACKAGE BODY YES YES
DROP PACKAGE BODY YES YES
CREATE DIRECTORY YES YES
DROP DIRECTORY YES YES
AUDIT_OPTION SUC FAI
------------------------------ --- ---
CREATE JAVA YES YES
ALTER JAVA YES YES
DROP JAVA YES YES
PURGE TABLE YES YES
CREATE FLASHBACK ARCHIVE YES YES
ALTER FLASHBACK ARCHIVE YES YES
DROP FLASHBACK ARCHIVE YES YES
CREATE PLUGGABLE DATABASE YES YES
ALTER PLUGGABLE DATABASE YES YES
DROP PLUGGABLE DATABASE YES YES
CREATE AUDIT POLICY YES YES
AUDIT_OPTION SUC FAI
------------------------------ --- ---
ALTER AUDIT POLICY YES YES
DROP AUDIT POLICY YES YES
GRANT YES YES
REVOKE YES YES
AUDIT YES YES
NOAUDIT YES YES
LOGON YES YES
LOGOFF YES YES
74 rows selected.
The query to show enabled audit policies:
SELECT uep.POLICY_NAME from AUDIT_UNIFIED_ENABLED_POLICIES uep;
Disabling Unified Auditing:
make -f ins_rdbms.mk uniaud_off ioracle
To determine specific policies the following can be added to the query, for example:
... and up.AUDIT_OPTION in ('ALL', 'GRANT', 'REVOKE')
Also I enabled old auditing with the following commands:
export ORACLE_SID=ORCLCDB
cd $ORACLE_HOME/bin
./sqlplus sys as sysdba
ALTER SYSTEM SET audit_sys_operations=true SCOPE=spfile;
ALTER SYSTEM SET audit_trail=DB SCOPE=SPFILE;
commit;
SHUTDOWN IMMEDIATE
STARTUP
Checking if old audit has been enabled:
SELECT VALUE FROM V$PARAMETER WHERE NAME='audit_trail';
show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /opt/oracle/admin/ORCLCDB/adum
p
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string DB
unified_audit_sga_queue_size integer 1048576
unified_audit_systemlog string
Switching old auditing off:
ALTER SYSTEM SET audit_sys_operations=false SCOPE=spfile;
ALTER SYSTEM SET audit_trail=NONE SCOPE=SPFILE;
If audit_trail is set to XML or XML,EXTENDED the audit records are written in XML format to $ORACLE_BASE/admin/$ORACLE_SID/adump directory where $ORACLE_SID is “ORCLCDB”.
Links:
Oracle Database Sample Schemas: https://github.com/oracle/db-sample-schemas
Old audit:
AUDIT ALTER SYSTEM,SYSTEM AUDIT,SESSION,TABLE,USER, …
AUDIT ALTER DATABASE, FLASHBACK ARCHIVE ADMINISTER;
AUDIT SYSTEM GRANT, SESSION, TABLE, PROCEDURE BY ;
also it can be:
ALTER SYSTEM SET audit_trail=DB,Extended SCOPE=SPFILE;