DOAG Oracle Unified Audit in Multitenant Environments

BASEL | BERN | BRUGG | BUKAREST | DÜSSELDORF | FRANKFURT A.M. | FREIBURG I.BR. | GENF
HAMBURG | KOPENHAGEN | LAUSANNE | MANNHEIM | MÜNCHEN | STUTTGART | WIEN | ZÜRICH
Stefan Oehrli
Platform Architect, Trainer and Partner at Trivadis
• Since 1997 active in various IT areas
• Since 2008 with Trivadis AG
• More than 20 years of experience in Oracle databases
Focus: Protecting data and operating databases securely
• Security assessments and reviews
• Database security concepts and their implementation
• Oracle Backup & Recovery concepts and troubleshooting
• Oracle Enterprise User Security, Advanced Security, Database Vault, …
• Oracle Directory Services
Co-author of the book The Oracle DBA (Hanser, 2016/07)
@stefanoehrli www.oradba.ch

26.05.2020 DOAG - Oracle Unified Audit for Multitenant Databases (19c/20c)3

Agenda
• Unified Audit in a nutshell
• What about multitenant databases?
• Common and local audit policies
• Challenges and Best Practice
• A brief look into the latest enhancements
• Summary

A brief history of Unified Audit
• Unified Audit as been introduced with 12.1
• A new “fast” audit engine
• A single audit trail for all audit data
• Auditing is always activated
• Major changes in 12.2
• 12.1 was no that “fast”
• Redesign of base table for unified audit
conventional table AUDSYS.AUD$UNIFIED
• No SGA buffer any more
• Ongoing enhancements in 18c, 19c, 20c
• As of 20c traditional audit is deprecated

Traditional and Unified Audit

Unified Audit
• Unified audit trail keeps records for different database features
• e.g. Fine Grained Audit (FGA), Data Pump, Oracle RMAN, Oracle Label Security (OLS), Oracle
Database Vault (DV), Real Application Security (RAS)
• Records are stored in the unified audit trail base table in SYSAUX or a custom tablespace
• Can respectively should be customized
• Unified audit itself does work policy based
• Audit policies are “containers” for audit settings
• Used for auditing ACTIONS, PRIVILEGES, OBJECTS
• Based on system-wide or object-specific audit options
• Can contain roles directly
• Can contain conditions, exceptions
• Are activated/deactivated with the statement AUDIT and NOAUDIT

Unified Audit
• Oracle provides a set of default policies which is continuously enhanced e.g.
• Default policy for security related changes
• Policy for Logon / Logoff
• STIG / CIS compliant audit policies
• Offers a comprehensive range of functions, also for exporting / importing the audit data
• Datapump support for unified audit
• Central view of audit data
• New SYSLOG audit trail
• Oracle offers with DBMS_AUDIT_MGMT a PL/SQL package for administration and housekeeping
• Define purge and maintenance jobs
• Move audit trails
• Import binary audit files e.g. from read only or mount state ($ORACLE_BASE/audit)

• Enable the new audit policy
CREATE AUDIT POLICY tvd_dba ROLE dba CONTAINER=ALL;
AUDIT POLICY tvd_dba;
Just a simple example
• Create a simple audit policy to audit everthing from the DBA role
SQL> SELECT * FROM audit_unified_enabled_policies
WHERE policy_name='TVD_DBA';
USER_NAME POLICY_NAM ENABLED ENABLED_OPTION ENTITY_NAM ENTITY_ SUC FAI
---------- ---------- ------- --------------- ---------- ------- --- ---
ALL USERS TVD_DBA BY BY USER ALL USERS USER YES YES
• Check the new created / enabled audit policy

What else?
• Unified Audit is not immune to bugs
• Early release did have some nasty bugs which cause operational impact
• e.g data not purged as expected or user not audited
• Unified Audit is a read only table but not immune or immortal
• As long as the audit records remain in the database, there is a risk that they may be
manipulated.
• Just a hint, guess how Oracle can write into a ”read only” table!
• An reliable audit also depends on an appropriate concept for the Unified Audit
• If you ask to audit any SELECT you may get all! J
• Earlier release of Unified Audit did have major performance impact
• Although it was already way better than traditional audit
• Reorganisation took place in 12.2
• Upgrade requires to transfer the audit trail using TRANSFER_UNIFIED_AUDIT_RECORDS

Agenda
• Summary

What about multitenant databases?

What about multitenant databases?
• Each PDB has its own audit trail within a dedicated tablespace
• Central spill over location for audit during read only or mount state
• Predefined in $ORACLE_BASE/audit
• Dedicated audit trails per PDB implies...
• … distribution of relevant audit information,
there is not “unified” for the whole CDB
• … increased administration effort i.e housekeeping
• Challenges with the terms common and local
• Oracle has introduced a couple of common views / package
• CDB Views for Unified Audit display all audit data
• DBMS_AUDIT_MGMT can be used at CDB level or
in each PDB
• Never mind still challenging…

• DBMS_AUDIT_MGMT Package / Procedures allow to specify CONTAINER_CURRENT or ALL
SQL> SELECT con_id, event_timestamp, dbusername, action_name FROM
cdb_unified_audit_trail WHERE rownum <6;
CON_ID EVENT_TIMESTAMP DBUSERNAME ACTION_NAME
------ ---------------------------- ---------- -------------------------
1 27-MAY-20 07.41.30.212698 PM SYS ALTER PLUGGABLE DATABASE
1 27-MAY-20 07.41.45.765554 PM SYS LOGON
1 27-MAY-20 07.41.45.978964 PM SYS LOGON
BEGIN
DBMS_AUDIT_MGMT.CREATE_PURGE_JOB (
AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
AUDIT_TRAIL_PURGE_INTERVAL => 12,
AUDIT_TRAIL_PURGE_NAME => 'Daily_Audit_Purge_Job’,
container => dbms_audit_mgmt.container_all,
USE_LAST_ARCH_TIMESTAMP => TRUE);
END;
/
Audit in a Multitenant Database
• CDB_UNIFIED_AUDIT_TRAIL common VIEW for all audit trails with collumn CON_DI

More Multitenant specific Stuff
• Unified Audit policy statements e.g. CREATE AUDIT POLICY and AUDIT can be used in the root
container and individual PDBs
• Create common and local audit policies
• Init.ora parameter UNIFIED_AUDIT_COMMON_SYSTEMLOG for the CDB root write certain unified
audit trail records to SYSLOG. (20c)
• Init.ora parameter UNIFIED_AUDIT_SYSTEMLOG for both the root and PDB level to enable Unified
Audit to SYSLOG
• Fine-grained Audit policies can be defined used in the root container and individual PDBs
• Purge operation on the audit trail can be performed in the root as well individual PDBs

Agenda
• Summary

• Common audit policies are also visible in PDBs
• View AUDIT_UNIFIED_POLICIES has an attribute for common
CREATE AUDIT POLICY tvd_dba ROLE DBA container=all;
SELECT policy_name,common FROM audit_unified_policies
GROUP BY policy_name,common ORDER BY 1;
POLICY_NAME COM
------------------------------ ---
ORA_ACCOUNT_MGMT NO
ORA_ALL_TOPLEVEL_ACTIONS NO
...
TVD_DBA YES
TVD_LOGON_LOGOFF YES
Common and local audit policies
• Ability to create common audit policies by specify CONTAINER = ALL in the CREATE AUDIT
POLICY statement
• CONTAINER = CURRENT is default
• CONTAINER = ALL only possible when connected to the CDB root container.

Common and local audit policies
But what is a common audit policy? I.e. Policy which is valid for all PDBs?
• No, my dear, at least not completely correct
COMMON audit policy
• Policies which are defined on CDB root with CONTAINER=ALL
• Valid / Visible in all PDBs
• When enabled the will audit actions for COMMON users in this particular PDB.
• LOCAL user in PDBs will not be audited by COMMON audit policies!
LOCAL audit policy
• Defined locally in the PDB or CDB root
• When enabled a local audit policy is valid for LOCL and COMMON users in this PDB

Consequences
• There is no possibility to enforce common audit settings to all PDBs for all users
• Common audit policies will be visible in each PDBs
• Risk to have to much policies active => decrease in performance
• It is highly recommended to have a proper user / role concept before starting to define the audit
• Do we have common user?
• If yes how and why they are used e.g. just common user and rarely local user => no need to
have to much local audit policies
• Do we need common policies? If yes how much?
• Just a hint: Oracle default audit policies are created as local policies.
• Audit is threaded individually in each PDB
• No “umbrella” audit

Agenda
• Summary

Challenges and Best Practice
There are still a couple of missing pieces
• There is no common view for enabled audit policies e.g. check in CDB root what is enabled across the
PDBs
• There is no possibility to enforce a common audit policy for all users across the PDBs
• The common audit trail view CDB_UNIFIED_AUDIT_TRAIL does only show audit trail information for
open PDBs
• E.g. if a PDB is down information is not visible
• Up to 18c EVENT_TIMESTAMP column has type TIMESTAMP(6) WITH LOCAL TIME ZONE
• Could be challenging when PDBs use different DB time zones.
• Accessing CDB_UNIFIED_AUDIT_TRAIL in CDB will use DB time zones of CDB
• => you may end up audit events in future
• As of 19c EVENT_TIMESTAMP is just TIMESTAMP(6)

SQL> BEGIN
dbms_audit_mgmt.clean_audit_trail(
audit_trail_type => dbms_audit_mgmt.audit_trail_unified,
container => dbms_audit_mgmt.container_all,
use_last_arch_timestamp => false);
6 END;
7 /
BEGIN
*
ERROR at line 1:
ORA-46273: DBMS_AUDIT_MGMT operation failed in one of the PDB
ORA-06512: at "AUDSYS.DBMS_AUDIT_MGMT", line 204
ORA-06512: at line 2
Housekeeping
• DBMS_AUDIT_MGMT allows housekeeping over all PDB but…
• … if one of the PDB is close the housekeeping does report an error

• Just the data of the open PDBs are purged
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ----------- ---------- ----------
2 PDB$SEED READ ONLY NO
3 PDB1 READ WRITE NO
4 PDB2 MOUNTED
Housekeeping
• Status of the PDBs

A couple of bugs
• Tablespace Issue when moving Audit Trail location
• LOB and INDEX partitions are not moved correctly. They remain in SYSAUX
• Bugfix available Patch 27576342
• Purge Audit Data at container level does not work
• Issue mentioned before
• Bug 22859443 enhancement request
• Workaround is to do housekeeping individually on each PDB
• Common Policies generally do not work
• Issue is related to COMMON vs LOCAL discussion
• Bug 22596655
• A couple of other bugs related to unified audit available

Best Practice
Highly depends on how you use multitenant databases
• Are your consolidating your internal enterprise databases
• You control how and by who your PDBs are used
• Are you setting up a Private Cloud environment
• A customer does have full control of its PDB
• Audit on PDB level is done idividually by departments / customers
• Customer may control / its own audit trail
• => what about common access?
• => What about housekeeping
• Consider to create no or only a minimal set of COMMON audit policies
• Focus on local PDB policies

Best Practice
• Consider to remove your audit data away
• Third party solution
• Using SYSLOG
• Consider to do Housekeeping on PDB level
• You may run into issues on CDB level when PDBs are down
• Be aware, that you do not see all audit data when accessing the CDB view
• Make sure to check running PDBs

Agenda
• Summary

Oracle 19c Audit Enhancements
• Ability to Audit Only Top-Level SQL Statements
• Long awaited feature
• Audit just the statement executed directly by a user. i.e. not from within a PL/SQL procedure
• Allows to reduce the size of the audit trail
• Improved read performance for the unified audit trial
• System table AUDSYS.AUD$UNIFIED has been redesigned
• Use of partition pruning
• New column EVENT_TIMESTAMP_UTC
• Data type of EVENT_TIMESTAMP changed from
TIMESTAMP(6) WITH LOCAL TIME ZONE to TIMESTAMP(6)
• PDB_GUID as audit record field name for SYSLOG and the windows event viewer
• In earlier releases it was not possible to distinguish the audit records of the PDBs in SYSLOG
• Unified Audit and SYSLOG becomes an interesting option in multitenant environments

• Unified Audit Policy Configuration Changes Effective Immediately
• It is no longer required log off / login before a new audit policy becomes active
• Changes made to audit policies will effective immediately in the current session and in all other
on-going active sessions.
• Unified audit policies enforced on the current user
• Policies are enforced on the current user who executes the SQL statement
• It used to be the user who owned the top-level user session i.e. login user
• Predefined unified audit policies for security technical implementation guides compliance (STIG)
• New predefined audit policies following the guides of Department of Defence (DoD)
• ORA_STIG_RECOMMENDATIONS
• ORA_ALL_TOPLEVEL_ACTIONS
• ORA_LOGON_LOGOFF

• SYSLOG Destination for Common Unified Audit Policies
• New init.ora parameter UNIFIED_AUDIT_COMMON_SYSTEMLOG at CDB level
• Records for common audit will be forwarded to SYSLOG
• Useful in consolidation environments, private clouds etc. i.e audit trails in PDBs will only contain
local audit records
• Auditing for Oracle XML DB HTTP and FTP Services
• Possibility to define unified audit policies for database connections using HTTP, HTTPS and FTP
• Deprecation of Traditional Auditing
• Unified Audit is the new “way to go”
• In preview it is not yet enabled by default i.e. audit does still run in mixed mode

Agenda
• Summary

Summary
• Unified Audit does also run transparently in multitenant environments.
• There are a couple of bugs around which life does not make easier
• In combination with the different levels of CDB and PDB
• Clean audit concept is indispensable.
• Define what as to be done on CDB level and what on PDB level
• Does it make sense when I collect audit data on CDB level when it not possible to control of PDBs
are available?
• I personally do miss the possibility to define COMMON policies which are valid for all user
• E.g. to enforce similar audit settings across all PDBs
• Oracle starts to enhance multitenant audit usability in never releases
• Very welcome, but is still a long way away.

DOAG Oracle Unified Audit in Multitenant Environments

Recommended

More Related Content

What's hot (20)

Similar to DOAG Oracle Unified Audit in Multitenant Environments (20)

More from Stefan Oehrli (15)

Recently uploaded (20)

DOAG Oracle Unified Audit in Multitenant Environments