Question

D8AC:

Discuss in 500 words or more why Oracle 12c has introduced two new roles – AUDIT_ADMIN and AUDIT_VIEWER. Include a discussion of what database auditing is and what it does. Consider why these new roles were introduced and what problem they are meant to resolve. Do not simply define the roles. Explain why they are useful.

Do not copy without providing proper attribution. Write in essay format not in outline, bulleted, numbered or other list format.  

Use the five paragraph format. Each paragraph must have at least five sentences. Include 3 quotes with quotation marks and cited in-line and in a list of references. Include an interesting meaninful title.

Answer 1

Solution :-

The process of recording and monitoring of selected user database actions is called as Database Auditing. Appropriate system privileges must be granted in order to perform auditing. Database auditing can be used for various activities such as investigation of suspicious actions, enabling user accountability and deterring inappropriate user actions. Auditing is frequently done for protecting and preserving privacy of information stored in databases and it is always about accountability. A depth of auditing is being provided by Oracle database enabling system administrators for implementing early detection of suspicious activities, finely tuned security responses and enhanced protections.

As threats to applications become more sophisticated database auditing has become increasingly important. Now a days Oracle Database auditing has become mandatory in many organizations and has steadily increased over the past decade.Independent Oracle User Group(IOUG) did a survey and showed that consistently over 50% of the respondents uses some level of native Oracle Database Auditing. With every Oracle database release, new features were introduced. The Fine Grained Auditing(FGA) feature was introduced in Oracle 9i which enabled audit policies that are associated with application tables, audit based connection factors such as IP address and new built-in manageability features were introduced in Oracle 11g.

Auditing is done for the following reasons -

Investigating suspicious activity - A security administrator might decide to audit all connections to the database and deletions of rows from all tables that are successful and unsuccessful in a database if a user is deleting data from tables.

Based on users accountability deterring users from inappropriate actions.

Enabling accountability for actions - This action can be taken in a particular table, row, schema or particular content.

Notifying unauthorized actions by a user to an auditor.

In case of compliance addressing auditing requirements.

Monitoring and gathering data about particular database activities.

Unified Auditing is supported by two roles defined by ORACLE 12c namely AUDIT_ADMIN and AUDIT_VIEWER. Separation of duty and flexibility to organizations is provided by these two roles Privileges such as to create, alter and drop audit policies is supported by AUDIT_ADMIN role. Apart from this it also supports privileges such as viewing of audit records, cleaning up the audit trail and enabling and disabling audit policies for each business requirements. The security administrators are granted this role.

AUDIT_VIEWER is the role for users whose purpose is only to view the audit trail contents. The external auditors are granted this role. In Oracle 11g release 2 and earlier releases if Unified Auditing is used then two AUDSYS roles may exist which affect upgrading: AUDIT_ADMIN and AUDIT_VIEWER. Before upgrading to Oracle Database 12c release 1 or later due the changes in roles, earlier release users or user roles need to be dropped.

In the previous versions of database addition and removal of audit configuration to objects in their own schemas without any additional privileges. There were no separation of roles and responsibility in roles. This might cause risk while handling database. This ability is removed and no longer allowed in Oracle Database 12c. This is the reason why these two roles were introduced in Oracle Database 12c.