Oracle Database
Netwrix Auditor relies on native logs for collecting audit data. Therefore, successful change and access auditing requires a certain configuration of native audit settings in the audited environment and on the Auditor console computer. Configuring your IT infrastructure may also include enabling certain built-in Windows services. Proper audit configuration is required to ensure audit data integrity, otherwise your change reports may contain warnings, errors or incomplete audit data.
CAUTION: Folder associated with Netwrix Auditor must be excluded from antivirus scanning. See the Antivirus Exclusions for Netwrix Auditor knowledge base article for additional information.
Native audit settings must be configured manually to ensure comprehensive and reliable audit data collection. Configure your IT Infrastructure as follows:
- On the Oracle server, configure the required settings described below.
- On the Auditor console computer, verify that Oracle Data Provider for .NET and Oracle Instant Client are installed and properly configured. See Permissions for Oracle Database Auditing for the account privileges and object permissions required.
Ensure that you have met all software requirements on the Oracle Database side. See Software Requirements for the full list of supported Oracle versions and required components.
Before you start monitoring your Oracle Database with Netwrix Auditor, you should configure it to provide audit trails. Depending on your current database version and edition, Oracle supports different auditing types:
| Auditing type | Oracle version | Details |
|---|---|---|
| Unified Auditing | Oracle Database 12c, 18c, 19c, 21c, 23c | Consolidates all auditing into a single repository and view. This provides a two-fold simplification: audit data can now be found in a single location and all audit data is in a single format. See Configure Oracle Database for Auditing topic for more information. |
| Fine Grained Auditing | Oracle Database 12c, 18c, 19c, 21c, 23c. Available for Enterprise Edition only. Used in addition to Unified Auditing, not as a replacement. | Supports auditing of actions associated with columns in application tables — along with conditions necessary for an audit record to be generated. Helps to focus on security-relevant columns and rows, ignoring areas that are less important. See Configure Fine Grained Auditing topic for more information. |
See Software Requirements for the full list of supported Oracle versions and required components.
Configuration
If you are using Oracle Wallet to connect to your database, see the Create and Configure Oracle Wallet topic for configuration details.
If you are unsure of your audit settings, refer to the Verify Your Oracle Database Audit Settings topic. Then follow the steps for proper configuration.
Step 1 – Configure Data Collecting Account, as described in the Permissions for Oracle Database Auditing topic.
Step 2 – Configure required protocols and ports, as described in the Oracle Database Ports topic.
Oracle Database objects
Review a full list of object types Netwrix Auditor can collect on Oracle Database. If you deployed your Oracle Database in a cluster mode (Oracle Real Application Cluster), a host name also will be reported.
Details marked with asterisk (**) are reported for Oracle Database 12c only.
Oracle Object modification under Privileges and object rename under Rename are reported without Object type (“Not available” is displayed).
Oracle Database startup under System Settings is reported without Workstation (“Not available” is displayed).
| Object type | Actions | Details |
|---|---|---|
| Directories | ||
| - Directory | - Added / Add (Failed attempt) - Removed / Remove (Failed attempt) | - Cause (for failed attempts) - Container name** - Database User - Program name / Database session requester** - Privilege for action - Session ID - Object schema |
| Executable objects | ||
| - Procedure - Function - Package - Package body - Java | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Cause (for failed attempts) - Container name** - Database User - Privilege for action - Program name / Database session requester** - Session ID - Unified policy name** |
| Logons | ||
| - Logon | - Successful logon / Failed logon - Logoff | - Cause (for failed attempts) - Client IP (only for logon events) - Container name** - Database User - Privilege for action - Program name / Database session requester** - Session ID - Object schema - Unified policy name** |
| Materialized views | ||
| - Materialized view | - Added / Failed Add - Removed / Failed Remove | - Cause (for failed attempts) - Container name** - Database user - With option - Program name / Database session requester** - Session ID - Object schema - Unified policy name** |
| Privileges | ||
| - Object | - Modified / Modify (Failed attempt) | - Cause (for failed attempts) - Container name** - Database user - With option - Privilege user - Program name / Database session requester** - Session ID - Unified policy name** |
| - Role | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - With option - Program name / Database session requester** - Role name - Session ID - Unified policy name** |
| - Database | - Modified / Modify (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - With option - Program name / Database session requester** - Session ID - Unified policy name** |
| Profiles | ||
| - Profile | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - Privilege for action - Program name / Database session requester** - Session ID - Unified policy name** |
| Rename | ||
| - Object | - Renamed / Rename (Failed attempt) | - Cause (for failed attempts) - Container name** - Database user - New object name - With option - Privilege user - Session ID - Unified policy name** |
| Roles | ||
| - Role | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - Privilege for action - Program name / Database session requester** - Session ID - Unified policy name** |
| Data | ||
| - Data | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Read / Read (Failed attempt) - Removed / Remove (Failed attempt) | - Cause (for failed attempts) - Container name** - Database user - FGA policy name - Session ID |
| System Settings | ||
| - Audit Policy | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - With option - Program name / Database session requester** - Session ID - Unified policy name** |
| - Database | - Modified / Modify (Failed attempt) | |
| Tables | ||
| - Table | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - Program name / Database session requester** - Session ID - Object schema - Unified policy name |
| Triggers | ||
| - Trigger | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - With option - Program name / Database session requester** - Referenced table - Referenced table schema - Session ID - Object schema - Triggered by - Unified policy name** |
| Users | ||
| - User | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Removed / Remove (Failed attempt) | - Captured SQL statement - Cause (for failed attempts) - Container name** - Database user - Privilege for action - Program name / Database session requester** - Session ID - Unified policy name** |
| Views | ||
| - View | - Added / Add (Failed attempt) - Removed / Remove (Failed attempt) | - Cause (for failed attempts) - Container name** - Database user - With option - Program name / Database session requester** - Session ID - Object schema - Unified policy name** |
| Oracle Datapump | ||
| - Datapump | - Read / Read (Failed attempt) - Modified / Modify (Failed attempt) | - Cause (for failed attempts) - Container name** - Database user - Datapump boolean parameters - Datapump text parameters - Program name / Database session requester** - Session ID |
| Oracle Recovery Manager (RMAN) | ||
| - RMAN | - Added / Add (Failed attempt) - Modified / Modify (Failed attempt) - Read / Read (Failed attempt) - Removed / Remove (Failed attempt) | - Cause (for failed attempts) - Container name** - Database user - Program name / Database session requester** - RMAN operation |
| Oracle SQL*Loader Direct Path Load | ||
| - Direct Path Load API | - Modified / Modify (Failed attempt) | - Cause (for failed attempts) Container name** - Database user - Program name / Database session requester** - Session ID |