How to Enable Unified Auditing in Oracle E-Business Suite 12.2


Oracle EBS R12.2 Unified Auditing – Enable, Configure and Validate (Step-by-Step Guide)

Unified Auditing is Oracle Database’s consolidated auditing framework that combines standard auditing, fine-grained auditing (FGA), RMAN auditing, Data Pump auditing, and other audit mechanisms into a single unified audit trail (UNIFIED_AUDIT_TRAIL view).

In Oracle EBS R12.2, Unified Auditing is used to track sensitive object access, security object modifications, account management, login failures, and tablespace changes. It provides a centralized and secure auditing mechanism to simplify compliance and monitoring.

Prerequisites

Before proceeding, ensure that the Oracle E-Business Suite environment meets the minimum required AD and TXK code levels.

  • R12.AD.C.Delta.13 (Minimum)
  • R12.TXK.C.Delta.13 (Minimum)

Validate Current Auditing Status

SQL> SELECT VALUE
     FROM V$OPTION
     WHERE PARAMETER = 'Unified Auditing';

If the result is FALSE, Unified Auditing is not enabled.

Procedure to Enable Unified Auditing

Step 1: Stop EBS Services

$ adstpall.sh apps/<apps_password>

Step 2: Shutdown Database (All RAC Nodes)

$ sqlplus / as sysdba

SQL> shutdown immediate;

Step 3: Relink Oracle Binary (Enable Unified Audit)

$ cd $ORACLE_HOME/rdbms/lib

$ make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME

Step 4: Set audit_trail Parameter

$ sqlplus / as sysdba

SQL> startup nomount;
SQL> alter system set audit_trail=NONE scope=spfile;
SQL> shutdown immediate;
SQL> startup;

Step 5: Validate

SQL> SELECT VALUE
     FROM V$OPTION
     WHERE PARAMETER = 'Unified Auditing';

-- Should return TRUE

SQL> SHOW PARAMETER audit_trail;

-- Should return NONE

Step 6: Create Unified Audit User (CDB Level)

SQL> CREATE USER c##audit IDENTIFIED BY <password>;

SQL> GRANT CREATE SESSION TO c##audit CONTAINER=ALL;
SQL> GRANT AUDIT_ADMIN TO c##audit CONTAINER=ALL;
SQL> GRANT SELECT_CATALOG_ROLE TO c##audit CONTAINER=ALL;
SQL> GRANT CREATE PROCEDURE TO c##audit CONTAINER=ALL;
SQL> GRANT AUDIT SYSTEM TO c##audit CONTAINER=ALL;
SQL> GRANT AUDIT ANY TO c##audit CONTAINER=ALL;

SQL> GRANT SELECT ON SYS.audit_unified_contexts TO c##audit CONTAINER=ALL;
SQL> GRANT SELECT ON SYS.audit_unified_policies TO c##audit CONTAINER=ALL;
SQL> GRANT SELECT ON SYS.audit_unified_enabled_policies TO c##audit CONTAINER=ALL;

Step 7: Create Unified Audit User (PDB Level)

SQL> ALTER SESSION SET CONTAINER=<PDB_NAME>;

SQL> CREATE USER ebsuaad IDENTIFIED BY <password>;

SQL> GRANT CREATE SESSION TO ebsuaad;
SQL> GRANT AUDIT_ADMIN TO ebsuaad;
SQL> GRANT SELECT_CATALOG_ROLE TO ebsuaad;
SQL> GRANT CREATE PROCEDURE TO ebsuaad;
SQL> GRANT AUDIT SYSTEM TO ebsuaad;
SQL> GRANT AUDIT ANY TO ebsuaad;

SQL> GRANT SELECT ON SYS.audit_unified_contexts TO ebsuaad;
SQL> GRANT SELECT ON SYS.audit_unified_policies TO ebsuaad;
SQL> GRANT SELECT ON SYS.audit_unified_enabled_policies TO ebsuaad;

Step 8: Create EBS Unified Policies

$ cd $FND_TOP/patch/115/sql

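$ sqlplus c##audit/<password>
SQL> @fnd_create_UA_policies.sql

$ sqlplus ebsuaad/<password>@<PDB_SERVICE>
SQL> @fnd_create_UA_policies.sql

A password given on the sqlplus command line is visible in the process list and shell history; omitting it (sqlplus c##audit, or sqlplus ebsuaad@<PDB_SERVICE>) makes SQL*Plus prompt for it instead.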

Validate Enabled Policies

SQL> SHOW PDBS;

    CON_ID CON_NAME   OPEN MODE  RESTRICTED
---------- ---------- ---------- ----------
         3 ebsdb      READ WRITE NO

SQL> SELECT policy_name 
     FROM audit_unified_enabled_policies 
     ORDER BY policy_name;

POLICY_NAME
-----------------------------------------------------------------------------------------------------------------
EBS_ACTIONS_ON_SEC_OBJ
EBS_ACTIONS_ON_SENSITIVE_OBJ
EBS_AUDIT_DATAPUMP
EBS_OLS_POLICY_CHANGES
EBS_REDACTION_POLICY_CHANGES
EBS_TABLESPACE_CHANGES
EBS_VPD_POLICY_CHANGES
ORA_ACCOUNT_MGMT
ORA_DATABASE_PARAMETER
ORA_LOGON_FAILURES

10 rows selected.

The above output confirms that Unified Auditing is successfully enabled and the default EBS audit policies are active in the PDB.

Step 9: Start EBS Services

$ adstrtal.sh apps/<apps_password>
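
Once the services are back up, checks like the following confirm that the enabled policies are also producing audit records. This is an added example, not part of the original post or of Oracle's fnd_create_UA_policies.sql; it assumes it is run in the EBS PDB as the ebsuaad user from Step 7 and uses the ten policy names from the output shown above.

```sql
-- Added example: post-enable checks for the EBS unified audit policies.
-- Assumption: run in the EBS PDB as ebsuaad (Step 7); AUDIT_ADMIN can read these views.

-- 1. Policies from the post's expected output that are NOT enabled.
--    "no rows selected" means all ten are active.
SELECT e.column_value AS missing_policy
FROM   TABLE(sys.odcivarchar2list(
         'EBS_ACTIONS_ON_SEC_OBJ', 'EBS_ACTIONS_ON_SENSITIVE_OBJ',
         'EBS_AUDIT_DATAPUMP', 'EBS_OLS_POLICY_CHANGES',
         'EBS_REDACTION_POLICY_CHANGES', 'EBS_TABLESPACE_CHANGES',
         'EBS_VPD_POLICY_CHANGES', 'ORA_ACCOUNT_MGMT',
         'ORA_DATABASE_PARAMETER', 'ORA_LOGON_FAILURES')) e
WHERE  NOT EXISTS (SELECT 1
                   FROM   audit_unified_enabled_policies p
                   WHERE  p.policy_name = e.column_value)
ORDER  BY 1;

-- 2. Activity per policy over the last 24 hours. A policy with no rows has
--    either seen no matching activity or is not capturing anything.
SELECT unified_audit_policies,
       action_name,
       COUNT(*)                                          AS events,
       SUM(CASE WHEN return_code <> 0 THEN 1 ELSE 0 END) AS failed,
       MAX(event_timestamp)                              AS last_seen
FROM   unified_audit_trail
WHERE  event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
AND    unified_audit_policies IS NOT NULL
GROUP  BY unified_audit_policies, action_name
ORDER  BY events DESC;

-- 3. Failed logons recorded by ORA_LOGON_FAILURES, grouped by source, to
--    spot password guessing. RETURN_CODE is the ORA- error number
--    (1017 = invalid username/password, 28000 = account locked).
SELECT dbusername, userhost, os_username, return_code,
       COUNT(*)             AS attempts,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   unified_audit_trail
WHERE  action_name = 'LOGON'
AND    return_code <> 0
AND    unified_audit_policies LIKE '%ORA_LOGON_FAILURES%'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
GROUP  BY dbusername, userhost, os_username, return_code
ORDER  BY attempts DESC
FETCH  FIRST 20 ROWS ONLY;
```

A deliberate failed login with a test account followed by query 3 is a quick end-to-end check that ORA_LOGON_FAILURES is writing to the trail.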

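Procedure to Disable Unified Auditing

As with enabling, stop the EBS services and shut down the database on all RAC nodes (Steps 1 and 2 above) before relinking.

Relink Binary (Disable)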

$ cd $ORACLE_HOME/rdbms/lib

$ make -f ins_rdbms.mk uniaud_off ioracle ORACLE_HOME=$ORACLE_HOME

Set Traditional Auditing

$ sqlplus / as sysdba

SQL> startup nomount;
SQL> alter system set audit_trail=DB scope=spfile;
SQL> shutdown immediate;
SQL> startup;

Validate

SQL> SELECT VALUE
     FROM V$OPTION
     WHERE PARAMETER = 'Unified Auditing';

-- Should return FALSE

SQL> SHOW PARAMETER audit_trail;

-- Should return DB

References

Oracle MOS Document ID 2777404.1 – Enabling Unified Auditing in Oracle E-Business Suite Release 12.2
