Thursday, January 11, 2018

How to toggle between "Mixed mode" Auditing, Traditional Auditing and Unified Auditing


This article is applicable to Oracle database versions 12.1 and onwards.

For newly created databases, mixed mode auditing is enabled by default through the predefined policy ORA_SECURECONFIG. 
 

Verify that the database is using "Mixed Mode" auditing

select parameter, value from v$option where parameter='Unified Auditing';

PARAMETER         VALUE
Unified Auditing  FALSE

Check for any enabled unified audit policies:

select policy_name, enabled_option
from audit_unified_enabled_policies;

POLICY_NAME       ENABLED_OPTION
ORA_SECURECONFIG  BY USER

If v$option shows FALSE for Unified Auditing AND the database has at least one enabled unified auditing policy, we are running in "Mixed Mode" auditing.

In Mixed Mode Auditing, all of the existing auditing startup parameters for the database are still valid: AUDIT_TRAIL, AUDIT_FILE_DEST, AUDIT_SYS_OPERATIONS, and AUDIT_SYSLOG_LEVEL. So if your AUDIT_TRAIL is set to "DB", you can still use all the expected data dictionary views to obtain your audit information. If AUDIT_TRAIL is set to "OS", your auditing information will be sent to the location specified by the parameter AUDIT_FILE_DEST.

To enable "pure" Unified Auditing

1. Shut down the database:
shutdown immediate
2. Relink the Oracle database binaries:
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME

3. Enable at least one unified audit policy. By default, two unified auditing policies are created when you create a 12.2 database: ORA_SECURECONFIG and ORA_LOGON_FAILURES. The first one is enabled by default, the second one is not. Let's enable ORA_LOGON_FAILURES, too:
audit policy ORA_LOGON_FAILURES;
Verify:
select parameter, value from v$option where parameter='Unified Auditing';

PARAMETER         VALUE
Unified Auditing  TRUE

select user_name, policy_name, enabled_opt, enabled_option
from audit_unified_enabled_policies;

USER_NAME  POLICY_NAME         ENABLED_OPT  ENABLED_OPTION
ALL USERS  ORA_LOGON_FAILURES  BY           BY USER
ALL USERS  ORA_SECURECONFIG    BY           BY USER

If v$option shows TRUE for Unified Auditing AND we have at least one enabled unified auditing policy, we are using "Pure" Unified Auditing. 


It doesn't matter what all the Traditional Auditing parameters are set to at this point; they will not have any effect. 

Your audit information will from now on be written to the table AUDSYS.AUD$UNIFIED.

The SYS.AUD$ and SYS.FGA_LOG$ tables will still be accessible, but not used by the Oracle instance. They will only contain auditing records from before unified auditing was enabled. Consequently, your previously used queries based on familiar data dictionary views such as dba_audit_trail will only return information from before Unified Auditing was enabled.

The Oracle documentation provides a table which is very helpful in determining the pros and cons of migrating to Unified Auditing.

In my opinion, the most important drawback with Unified Auditing is that it doesn't allow the auditing data to be written to the operating system.


To enable traditional Auditing

1. First, disable any unified audit policies that are currently enabled. Find the currently enabled policies:
select user_name, policy_name, enabled_opt, enabled_option
from audit_unified_enabled_policies;

USER_NAME  POLICY_NAME         ENABLED_OPT  ENABLED_OPTION
ALL USERS  ORA_LOGON_FAILURES  BY           BY USER
ALL USERS  ORA_SECURECONFIG    BY           BY USER

2. Take them out of audit. This step prevents the database from going into mixed mode auditing after you complete this procedure:
noaudit policy ORA_SECURECONFIG;
noaudit policy ORA_LOGON_FAILURES;
3. Shut down the database:
shutdown immediate
4. Relink the Oracle database binaries:
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_off ioracle ORACLE_HOME=$ORACLE_HOME
5. Start the database
sqlplus / as sysdba
startup
The database should now be in Traditional Auditing mode. There will be no more entries logged to the unified_audit_trail. Your audit records will go to the SYS.AUD$ and SYS.FGA_LOG$ tables, or to the operating system, depending on your value for the parameter AUDIT_TRAIL.
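
The two checks used throughout this article can be combined into one query that reports which of the three modes is in effect, together with the traditional parameters and whether they still apply. This is an added example, not part of the original post; the mode labels and column aliases are my own, and the case "TRUE with no enabled policy" is not covered by the article, so it is reported separately:

```sql
-- Added example: classify the auditing mode from v$option and
-- audit_unified_enabled_policies, as described in this article.
-- Run as a privileged user (e.g. sqlplus / as sysdba).
-- Mode labels and column aliases are illustrative, not Oracle terms.
with opt as (
  select value as unified_linked
  from   v$option
  where  parameter = 'Unified Auditing'
),
pol as (
  -- A policy can be enabled for several users; count each policy once.
  select count(*) as enabled_policies,
         listagg(policy_name, ', ')
           within group (order by policy_name) as policy_list
  from   (select distinct policy_name
          from   audit_unified_enabled_policies)
),
par as (
  -- Traditional auditing parameters, pivoted into one row.
  select max(case when name = 'audit_trail'          then value end) as audit_trail,
         max(case when name = 'audit_file_dest'      then value end) as audit_file_dest,
         max(case when name = 'audit_sys_operations' then value end) as audit_sys_operations
  from   v$parameter
  where  name in ('audit_trail', 'audit_file_dest', 'audit_sys_operations')
)
select case
         when opt.unified_linked = 'TRUE'  and pol.enabled_policies > 0
           then 'PURE UNIFIED'
         when opt.unified_linked = 'TRUE'
           then 'UNIFIED LINKED, NO POLICY ENABLED'
         when opt.unified_linked = 'FALSE' and pol.enabled_policies > 0
           then 'MIXED MODE'
         else 'TRADITIONAL'
       end                         as audit_mode,
       pol.enabled_policies,
       pol.policy_list,
       -- Per the article, these parameters have no effect once the
       -- binaries are relinked with uniaud_on.
       case when opt.unified_linked = 'TRUE' then 'NO' else 'YES' end
                                   as traditional_params_effective,
       par.audit_trail,
       par.audit_file_dest,
       par.audit_sys_operations
from   opt
cross  join pol
cross  join par;
```

Running it before and after each relink confirms that the toggle took effect and that no enabled policy has left the database in mixed mode unintentionally.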

More about disabling unified auditing policies can be found here

Another good source for more information about Unified Auditing is this article found at oracle-base.com
