6.2.19 Ensure the 'AUDSYS.AUD$UNIFIED' Access Audit Is Enabled

Information

The AUDSYS.AUD$UNIFIED table holds the audit trail records generated by the database. Enabling this audit action logs every attempt to access AUDSYS.AUD$UNIFIED, whether successful or unsuccessful, regardless of the privileges held by the user issuing the statement.

Rationale:

Logging and monitoring all attempts to access AUDSYS.AUD$UNIFIED, whether successful or unsuccessful, may provide clues and forensic evidence about potential suspicious/unauthorized activities. Any such activities may be a cause for further investigation. In addition, organization security policies and industry/government regulations may require logging of all user activities involving access to this table.

Solution

For Oracle 12.2 and above, execute the following SQL statement to remediate this setting.

ALTER AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
  ADD ACTIONS ALL ON AUDSYS.AUD$UNIFIED;

Note: If you do not have CIS_UNIFIED_AUDIT_POLICY, please create one using the CREATE AUDIT POLICY statement.
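
The following is an added example, not part of the benchmark text on this page: one way to check for the policy, create it when it is missing, enable it, and confirm the audit is in effect. It assumes Oracle 12.2 or later with unified auditing, the standard dictionary views AUDIT_UNIFIED_POLICIES and AUDIT_UNIFIED_ENABLED_POLICIES, and a session holding the AUDIT_ADMIN role.

```sql
-- Added example. Assumes a session with the AUDIT_ADMIN role.

-- 1. Check whether the policy exists and already covers the audit trail table.
--    No rows means the policy is missing or does not include this object.
SELECT policy_name, audit_option, audit_option_type
FROM   audit_unified_policies
WHERE  policy_name   = 'CIS_UNIFIED_AUDIT_POLICY'
AND    object_schema = 'AUDSYS'
AND    object_name   = 'AUD$UNIFIED';

-- 2. Only if the policy does not exist at all: create it with the object action.
--    (If it exists but lacks the object, use the ALTER AUDIT POLICY statement
--    from the Solution section instead.)
CREATE AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY
  ACTIONS ALL ON AUDSYS.AUD$UNIFIED;

-- 3. A policy records nothing until it is enabled. With no BY/EXCEPT clause and
--    no WHENEVER clause, this applies to all users and to both successful and
--    unsuccessful statements.
AUDIT POLICY CIS_UNIFIED_AUDIT_POLICY;

-- 4. Confirm the policy is enabled, for whom, and for which outcomes.
--    The requirement "whether successful or unsuccessful" corresponds to the
--    SUCCESS and FAILURE columns both being set.
SELECT policy_name, enabled_option, entity_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'CIS_UNIFIED_AUDIT_POLICY';
```

If step 4 returns no rows, the policy definition exists but is not enabled, so access to AUDSYS.AUD$UNIFIED is not being audited by it.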

See Also

https://workbench.cisecurity.org/benchmarks/13413