A lot of the Traditional Auditing is covered by CIDs 12619, 12620, 12621, 12622, 12623 and 12624 when using Unified Auditing. However, there is one in particular that I am having trouble finding.
1. In Traditional Auditing section of CIS Benchmark (v2.0.0 - 12-28-2016): 5.1.18 Enable 'ALL' Audit Option on 'SYS.AUD$', Page.... 149, this is covered by CID 1500 Status of auditing of commands run against the 'SYS.AUD$' table.
2. Since Unified Auditing is implemented in our environment, the equivalent control of the above mentioned traditional auditing in Unified Auditing is 5.2.19 Enable 'UNIFIED_AUDIT_TRAIL’ Access Audit Page................ 184 in CIS Benchmark (v2.0.0 - 12-28-2016). I don’t see where this control is being checked for in the current Oracle 12c policy in Qualys. I have included below screenshot from test database showing that this control has been implemented using Unified Auditing. Does anyone know which CID is checking for this and if it is by chance covered by the CIDs I have listed above, what could be the possible reason why this setting is not being picked up