Oracle Database
Netwrix Auditor relies on native logs for collecting audit data. Therefore, successful change and access auditing requires a certain configuration of native audit settings in the audited environment and on the Auditor console computer. Configuring your IT infrastructure may also include enabling certain built-in Windows services, etc. Proper audit configuration is required to ensure audit data integrity, otherwise your change reports may contain warnings, errors or incomplete audit data.
CAUTION: Folder associated with Netwrix Auditor must be excluded from antivirus scanning. See the Antivirus Exclusions for Netwrix Auditor knowledge base article for additional information.
You can configure your IT Infrastructure for monitoring in one of the following ways:
-
Automatically through a monitoring plan – This is a recommended method. If you select to automatically configure audit in the target environment, your current audit settings will be checked on each data collection and adjusted if necessary.
-
Manually – Native audit settings must be adjusted manually to ensure collecting comprehensive and reliable audit data. You can enable Auditor to continually enforce the relevant audit policies or configure them manually:
- On the Oracle server, configure the required settings described below.
- On the Auditor console computer, verify that Oracle Data Provider for .NET and Oracle Instant Client are installed and properly configured. See the Permissions for Oracle Database Auditing topic of system requirements.
Ensure that you have met all software requirements on the Oracle Database side. See the Software Requirements topic for additional information.
Before you start monitoring your Oracle Database with Netwrix Auditor, you should configure it to provide audit trails. Depending on your current database version and edition, Oracle supports different auditing types:
| Auditing type | Oracle version | Details |
|---|---|---|
| Unified Auditing | Oracle Database 23c, 21c, 19c, 18c, 12c | Consolidates all auditing into a single repository and view. This provides a two-fold simplification: audit data can now be found in a single location and all audit data is in a single format. See Configure Oracle Database for Auditing topic for more information. |
| Fine Grained Auditing | Oracle Database 23c, 21c, 19c, 18c, 12c, 11g Available for Enterprise Edition only. | Supports auditing of actions associated with columns in application tables — along with conditions necessary for an audit record to be generated. Helps to focus on security-relevant columns and rows, ignoring areas that are less important. See Configure Fine Grained Auditing topic for more information. |
| Standard Auditing (trail auditing mode) | Oracle Database 11g | See topic for more information. Use initialization parameters and the AUDIT and NOAUDIT SQL statements to audit: - SQL statements - privileges - schema objects - network and multitier activities See Oracle documentation for more information. Starting with version 10.5, Netwrix Auditor provides limited support of Oracle Database 11g and trail auditing mode, in particular: Netwrix Auditor client UI does not display any warnings and / or errors related to Standard Auditing mode operation. |
CAUTION: Folder associated with Netwrix Auditor must be excluded from antivirus scanning. See the Antivirus Exclusions for Netwrix Auditor knowledge base article for additional information.
Considerations for Oracle Database 11g
Starting with version 9.95, Netwrix Auditor for Oracle Database is focused on versions 12c and above. It means that Oracle Database 11g users will not be able to benefit from latest features and improvements of the product. Oracle Database 11g users should also consider its support expiration dates set by the vendor. So, when planning your Netwrix Auditor deployment, consider the following:
-
Several limitations apply to Oracle 11g support in Netwrix Auditor 9.96:
- Oracle wallets are not supported
- Lightweight drivers for Oracle Instant Client are not supported
- Auditor client UI does not display any warnings and / or errors regarding to trail audit mode operation
-
If you are using Oracle Database 11g and have performed seamless upgrade to the latest version of Auditor, the audit data collection will operate properly. However, consider and keep in mind Oracle Database 11g support expiration dates.
If you are using Oracle Database 12c or later, make sure you have Unified auditing mode enabled. Otherwise, Netwrix Auditor may not operate properly. See the Migrate to Unified Audit topic for additional information.
See the Software Requirements topic for additional information.
Configuration
If you are using Oracle Wallet to connect to your database, see the Create and Configure Oracle Wallet topic for configuration details.
Oracle Wallet is not supported for Oracle 11g. If you are unsure of your audit settings, refer to the Verify Your Oracle Database Audit Settings
Follow the steps for proper configuration.
Step 1 – Configure Data Collecting Account, as described in the Permissions for Oracle Database Auditing topic.
Step 2 – Configure required protocols and ports, as described in the Oracle Database Ports topic.
Oracle Database objects
Review a full list of object types Netwrix Auditor can collect on Oracle Database. If you deployed your Oracle Database in a cluster mode (Oracle Real Application Cluster), a host name also will be reported.
Details marked with asterisk (*) are reported for Oracle Database 11g only.
Details marked with asterisk (**) are reported for Oracle Database 12c only.
Oracle Object modification under Privileges and object rename under Rename are reported without Object type (“Not available” is displayed).
Oracle Database startup under System Settings is reported without Workstation (“Not available” is displayed).
| Object type | Actions | Details |
|---|---|---|
| Directories | ||
| - Directory | - Added / Add (Failed attempt) - Removed / Remove (Failed attempt) | - Cause (for failed attempts) - Container name** - Database User - Program name / Database session requester** - Privilege for action - Session ID - Object schema |
| Executable objects | ||
| - Procedure - Function - Package - Package body - Java | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Cause (for failed attempts) - Container name** - Database User - Privilege for action - Program name / Database session requester** - Session ID - Unified policy name** |
| For Oracle 11g database Modified / Modify (Failed attempt) events will not be monitored for the following objects: Procedure, Function, Package, Package body since native audit of these events is not supported. See the Database SQL Language Reference for additional information. | ||
| Logons | ||
| - Logon | - Successful logon / Failed logon - Logoff | - Cause (for failed attempts) - Client IP (only for logon events) - Container name** - Database User - Privilege for action - Program name / Database session requester** - Session ID - Object schema - Unified policy name** |
| Materialized views | ||
| - Materialized view | - Added / Failed Add - Removed / Failed Remove | - Cause (for failed attempts) - Container name** - Database user - With option - Program name / Database session requester** - Session ID - Object schema - Unified policy name** |
| Privileges | ||
| - Object | - Modified / Modify (Failed attempt) | - Cause (for failed attempts) - Container name** - Database user - With option - Privilege user - Program name / Database session requester** - Session ID - Unified policy name** |
| - Role | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - With option - Program name / Database session requester** - Role name - Session ID - Unified policy name** |
| - Database | - Modified / Modify (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - With option - Program name / Database session requester** - Session ID - Unified policy name** |
| Profiles | ||
| - Profile | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - Privilege for action - Program name / Database session requester** - Session ID - Unified policy name** |
| Rename | ||
| - Object | - Renamed / Rename (Failed attempt) | - Cause (for failed attempts) - Container name** - Database user - New object name - With option - Privilege user - Session ID - Unified policy name** |
| Roles | ||
| - Role | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - Privilege for action - Program name / Database session requester** - Session ID - Unified policy name** |
| Data | ||
| - Data | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Read / Read (Failed attempt) - Removed / Remove (Failed attempt) | - Cause (for failed attempts) - Container name** - Database user - FGA policy name - Session ID |
| System Settings | ||
| - Audit Policy | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - With option - Program name / Database session requester** - Session ID - Unified policy name** |
| - Database | - Modified / Modify (Failed attempt) | |
| Tables | ||
| - Table | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - Program name / Database session requester** - Session ID - Object schema - Unified policy name |
| Triggers | ||
| - Trigger | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - With option - Program name / Database session requester** - Referenced table - Referenced table schema - Session ID - Object schema - Triggered by* - Unified policy name** |
| Users | ||
| - User | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - Privilege for action - Program name / Database session requester** - Session ID - Unified policy name** |
| Views | ||
| - View | - Added / Add (Failed attempt) - Removed / Remove (Failed attempt) | - Cause (for failed attempts) - Container name** - Database user - With option - Program name / Database session requester** - Session ID - Object schema - Unified policy name** |
| Oracle Datapump | ||
| - Datapump | - Read / Read (Failed attempt) - Modified / Modify (Failed attempt) | - Cause (for failed attempts) - Container name** - Database user - Datapump boolean parameters - Datapump text parameters - Program name / Database session requester** - Session ID |
| Oracle Recovery Manager (RMAN) | ||
| - RMAN | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Read / Read (Failed attempt) - Removed / Remove (Failed attempt) | - Cause (for failed attempts) - Container name** - Database user - Program name / Database session requester** - RMAN operation |
| Oracle SQL*Loader Direct Path Load | ||
| - Direct Path Load API | - Modified / Modify (Failed attempt) | - Cause (for failed attempts) Container name** - Database user - Program name / Database session requester** - Session ID |