A brief introduction to Oracle Unified Auditing and Mixed Mode Auditing

Unified auditing:

    Unified auditing is the new auditing mechanism introduced in Oracle 12c. Compared with traditional auditing, it supports more complex and finer-grained auditing.

Unified auditing enables you to capture audit records from the following sources:
    Audit records (including SYS audit records) from unified audit policies and AUDIT settings
    Fine-grained audit records from the DBMS_FGA PL/SQL package
    Oracle Database Real Application Security audit records
    Oracle Recovery Manager audit records
    Oracle Database Vault audit records
    Oracle Label Security audit records
    Oracle Data Mining records
    Oracle Data Pump
    Oracle SQL*Loader Direct Load

Benefits of the Unified Audit Trail:
    1) After unified auditing is enabled, it does not depend on the initialization parameters that were used in previous releases.
    2) Overall auditing performance is greatly improved. By default, the audit records are automatically written to an internal relational table in the AUDSYS schema.
    3) You can create named audit policies that enable you to audit the supported components listed at the beginning of this section, as well as SYS administrative users. Furthermore, you can build conditions and exclusions into your policies.

    The unified audit trail, which resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, makes this information available in a uniform format in the UNIFIED_AUDIT_TRAIL data dictionary view, and is available in both single-instance and Oracle Database Real Application Clusters environments. 
    In addition to the user SYS, users who have been granted the AUDIT_ADMIN and AUDIT_VIEWER roles can query these views. If your users only need to query the views but not create audit policies, then grant them the AUDIT_VIEWER role.

    When the database is writeable, audit records are written to the unified audit trail. If the database is not writable, then audit records are written to new format operating system files in the $ORACLE_BASE/audit/$ORACLE_SID directory.

    In unified auditing, all Oracle Database audit trails (SYS.AUD$ for the database audit trail, SYS.FGA_LOG$ for fine-grained auditing, DVSYS.AUDIT_TRAIL$ for Database Vault, and so on) are combined into one single audit trail, which you can view by querying the UNIFIED_AUDIT_TRAIL data dictionary view for single-instance installations and GV$UNIFIED_AUDIT_TRAIL for Oracle Real Application Clusters environments.

Check whether the database's auditing has been migrated to unified auditing:
    SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

Mixed Mode Auditing:

    Mixed mode auditing enables both traditional (that is, the audit facility from releases earlier than Release 12c) and the new audit facilities (unified auditing).

Even though the features of unified auditing are enabled in both these modes, there are differences between them. 
    In mixed mode, you can use the new unified audit facility alongside the traditional auditing facility. 
    In pure unified auditing, you only use the unified audit facility.

Mixed mode auditing is meant as a transitional mode, as this sentence from the official documentation makes clear:
    Mixed mode is intended to introduce unified auditing, so that you can have a feel of how it works and what its nuances and benefits are.
    
Characteristics of mixed mode auditing:
    1) It enables the use of all existing auditing initialization parameters: AUDIT_TRAIL, AUDIT_FILE_DEST, AUDIT_SYS_OPERATIONS, and AUDIT_SYSLOG_LEVEL.
    2) It writes mandatory audit records only to the traditional audit trails.
    3) It bases standard audit records on the standard audit configuration, and writes these records to the audit trail designated by the AUDIT_TRAIL initialization parameter.
        However, be aware that standard audit trail records are also generated based on unified audit policies and only these audit records are written to the unified audit trail. The standard audit records generated as a result of unified audit policies follow the semantics of unified audit policy enablement.
    4) The performance cost of writing an audit record is equivalent to the sum of the times required for generating and writing an audit record to the traditional audit trail and the unified audit trail.
    5) The format of the audit records that are written to traditional audit trails remains the same as in Oracle Database 11g Release 2.
    6) By default, Oracle Database writes unified audit records to system global area (SGA) queues. In other words, it writes the records periodically, not immediately. You can control how often the audit records are written.
    7) Administrative user sessions generate SYS audit records. These records are written if the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE. This process writes the records only to the traditional audit trails.
        However, when unified audit policies are enabled for administrative users, these unified audit records are also written to unified audit trail.

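    If the required audit granularity is not especially high, mixed mode auditing looks like a reasonable choice. Note what characteristic 3 says, though: do not let the standard audit settings and the unified audit policies overlap, because an overlapping action may then be "written in two places" when it is audited, which can make auditing less efficient.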
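
    The following SQL is an added example, not part of the original post or of Oracle's documentation: it checks the audit mode and lists system privileges that are audited by both a traditional AUDIT setting and an enabled unified audit policy, which is the overlap characteristic 3 warns about. It assumes a session that can read the DBA_* and AUDIT_UNIFIED_* dictionary views (for example SYS), and the overlap query matches by privilege name only.

```sql
-- Added example. Assumes a session with access to the dictionary views below.

-- 1) Audit mode: TRUE means pure unified auditing is linked in;
--    FALSE means it is not, so traditional auditing is still active
--    (mixed mode whenever a unified audit policy is enabled).
SELECT CASE value
         WHEN 'TRUE' THEN 'pure unified auditing'
         ELSE 'not pure unified (mixed mode if unified policies are enabled)'
       END AS audit_mode
FROM   v$option
WHERE  parameter = 'Unified Auditing';

-- 2) Traditional audit parameters that mixed mode still honours.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_file_dest',
                'audit_sys_operations', 'audit_syslog_level');

-- 3) Unified audit policies that are currently enabled.
SELECT DISTINCT policy_name, success, failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name;

-- 4) Overlap: system privileges audited by a traditional AUDIT setting
--    AND by an enabled unified policy. Each row is a candidate for a
--    record written to both the traditional and the unified trail.
SELECT t.privilege,
       NVL(t.user_name, 'ALL USERS') AS traditional_scope,
       t.success                     AS traditional_success,
       t.failure                     AS traditional_failure,
       p.policy_name                 AS unified_policy
FROM   dba_priv_audit_opts t
JOIN   audit_unified_policies p
       ON  p.audit_option      = t.privilege
       AND p.audit_option_type = 'SYSTEM PRIVILEGE'
WHERE  p.policy_name IN (SELECT policy_name
                         FROM   audit_unified_enabled_policies)
ORDER  BY t.privilege, p.policy_name;

-- 5) Traditional statement options use different names from unified
--    actions, so list them for manual comparison against query 3.
SELECT NVL(user_name, 'ALL USERS') AS traditional_scope,
       audit_option, success, failure
FROM   dba_stmt_audit_opts
ORDER  BY audit_option;
```

    Rows returned by query 4 can be resolved by dropping one side: either NOAUDIT the traditional setting or remove the privilege from the unified policy.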


How to migrate from mixed mode auditing to unified auditing:
    https://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810


Description of the UNIFIED_AUDIT_TRAIL view:
    https://docs.oracle.com/database/121/REFRN/GUID-B7CE1C02-2FD4-47D6-80AA-CF74A60CDD1D.htm#REFRN29162

    
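    As I see it, auditing is not better simply because it is finer-grained or more comprehensive. The most suitable strategy comes from weighing the audit requirements, the impact on business performance, how the auditing is implemented, and other factors together.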
