.
\nOracle enables some auditing by default, and if you don’t do anything, the tables where it is stored will grow in SYSAUX. Don’t wait to get an alert when it is too late. Everything that fills something automatically must be managed to archive or purge automatically. If not, one day you will have a problem.
\n
\nImagine that you have 5 features doing something similar but in a different way because they were implemented one at a time. You want to stop this and have only 1 unified feature. That’s great. But you are also required to maintain compatibility with previous version, which means that you actually implemented a 5+1=6th feature \ud83d\ude41<\/p>\n
This exactly what happens with Unified Auditing. Because of this compatibility requirement, it is declined in two modes:<\/p>\n
You are in ‘mixed mode’ by default and you see it as if there is nothing new enabled:<\/p>\n
\nSQL> select parameter,value from v$option where parameter='Unified Auditing';\n \nPARAMETER VALUE\n--------- -----\nUnified Auditing FALSE\n<\/code><\/pre>\nBut there may be something enabled if the old auditing is enabled, because it is actually a mixed mode.<\/p>\n
AUDIT_TRAIL=DB<\/h3>\n
Let me explain. I use the old auditing:<\/p>\n
SQL> show parameter audit\nNAME TYPE VALUE\n---------------------------- ------- --------------------------------\naudit_trail string DB<\/code><\/pre>\nThis means that I have the default audits (such as logon, logoff, ALTER\/CREATE\/DROP\/GRANT ANY, and so on.
\nIn addition to that, I enabled the audit of create table:<\/p>\n
\nSQL> audit create table;\nAudit succeeded.\n<\/code><\/pre>\nI do some of these stuff and I can see info in the old audit trail:<\/p>\n
SQL> select action_name,sql_text from dba_audit_trail;\n \nACTION_NAME SQL_TEXT\n----------- --------\nCREATE TABLE\nLOGON\nSELECT\nLOGON\nLOGOFF<\/code><\/pre>\nIf you are in that case, you probably manage this trail. Our recommandation is either to disable audit, or to manage it.<\/p>\n
But once upgraded to 12c, did you think about managing the new unified audit trail?<\/p>\n
SQL> select audit_type,unified_audit_policies,action_name,return_code,count(*) from unified_audit_trail group by audit_type,unified_audit_policies,action_name,return_code order by 1,2,3;\n---- ------ ------------------------------------------------------------------ ---- ------------------- ----- -- --------------------------------------------------------- ----- -- ------\nAUDIT_TYPE UNIFIED_AUDIT_POLICIES ACTION_NAME RETURN_CODE COUNT(*)\nStandard ORA_LOGON_FAILURES LOGON 0 2\nStandard ORA_LOGON_FAILURES LOGON 1017 1\nStandard ORA_SECURECONFIG CREATE ROLE 0 1\nStandard ORA_SECURECONFIG DROP ROLE 0 1\nStandard EXECUTE 0 1<\/code><\/pre>\nEven with Unified Auditing set to off, some operations are audited when AUDIT_TRAIL=DB. If you don’t want them you have to disable them:<\/p>\n
noaudit policy ORA_SECURECONFIG;\nnoaudit policy ORA_LOGON_FAILURES;<\/code><\/pre>\nAs you see, in mixed mode the new unified auditing is enabled, and AUDIT_TRAIL is not ignored. This is the mode to use until you have migrated all your policies and audit trail queries to the new one. However you can see that in mixed mode, there is no double auditing but only new default policies. The old policies are only logged to the old audit trail.<\/p>\n
But if you don’t use auditing, then you don’t want the mixed mode.<\/p>\n
uniaud_on<\/h3>\n
This is done with an instance shutdown, relinking onLinux or renaming a ddl on Windows.<\/p>\n
\nSQL> shutdown immediate;\nORACLE instance shut down.\nSQL> host ( cd $ORACLE_HOME\/rdbms\/lib ; make -f ins_rdbms.mk uniaud_&2 ioracle ORACLE_HOME=$ORACLE_HOME )\n\/usr\/bin\/ar d \/u01\/app\/oracle\/product\/12.2.0\/dbhome_1\/rdbms\/lib\/libknlopt.a kzanang.o\n\/usr\/bin\/ar cr \/u01\/app\/oracle\/product\/12.2.0\/dbhome_1\/rdbms\/lib\/libknlopt.a \/u01\/app\/oracle\/product\/12.2.0\/dbhome_1\/rdbms\/lib\/kzaiang.o\nchmod 755 \/u01\/app\/oracle\/product\/12.2.0\/dbhome_1\/bin\n \n - Linking Oracle\n...\n<\/code><\/pre>\nAnd then you are in ‘pure mode’:<\/p>\n
\nSQL> select parameter,value from v$option where parameter='Unified Auditing';\n \nPARAMETER VALUE\n--------- -----\nUnified Auditing TRUE\n<\/code><\/pre>\nIn that mode, AUDIT_TRAIL is ignored and you will never see new rows in the old AUD$:<\/p>\n
SQL> select action_name,sql_text from dba_audit_trail;\n \nno rows selected<\/code><\/pre>\nHowever, as in the mixed mode you will have to manage the new audit trail. My best recommandation is to keep it and add a purge job. One day you may want to have a look at unsuccessful logins of the past few days. But you still have the choice to disable the default polices, and then the only things you will see are the operations done on the trail:<\/p>\n
\nAUDIT_TYPE UNIFIED_AUDIT_POLICIES ACTION_NAME SQL_TEXT\n---------- ---------------------- ----------- --------\nStandard EXECUTE BEGIN dbms_audit_mgmt.flush_unified_audit_trail; END;^@\nStandard EXECUTE BEGIN dbms_audit_mgmt.clean_audit_trail(audit_trail_type => dbms_audit_mgmt.audi\nStandard EXECUTE BEGIN dbms_audit_mgmt.flush_unified_audit_trail; END;^@\n<\/code><\/pre>\nThe reason is that if a hacker getting super administrator rights has tried to whipe his traces, then at least this suspect operation remains.<\/p>\n
Test it<\/h3>\n
To validate this blog post, I’ve tested all scenarios on 12.2.0.1 with the combination of:<\/p>\n
\n- audit_trail=db or audit_trail=none<\/li>\n
- uniaud_on or uniaud_off<\/li>\n
- audit or noaudit policy for ORA_SECURECONFIG and ORA_LOGON_FAILURES<\/li>\n<\/ul>\n
For each combination, I’ve purged both audit trails (AUD$ and AUD$UNIFIED) and run a few statements that are logged by default or by explicit audit.<\/p>\n
So what?<\/h3>\n
Basically, the recommandation is still the same as before: either disable the audit or schedule a purge. There is no purge by default because auditing is different than logging. When your security policy is to audit some operations, they must not be purged before being archived, or processed.<\/p>\n
When you upgrade to 12c<\/em>:<\/p>\n\n- If you want to manage only the old audit, then you should disable ORA_LOGON_FAILURES and ORA_SECURECONFIG.<\/li>\n
- If you want to manage both, then add a job to purge the unified audit trail (audit_trail_type=>dbms_audit_mgmt.audit_trail_unified).<\/li>\n
- If you don’t use the old auditing, then enable the ‘pure mode’. But then, AUDIT_TRAIL=NONE is ignored, so:<\/li>\n
- If you don’t use the new unified auditing, then disable ORA_LOGON_FAILURES and ORA_SECURECONFIG.<\/li>\n
- Or use the new unified auditing and set a job to purge it regularly.<\/li>\n<\/ol>\n
And control the growth of SYSAUX:<\/p>\n
\nSQL> select occupant_name,schema_name,occupant_desc,space_usage_kbytes from v$sysaux_occupants where occupant_name like 'AUD%';\n \nOCCUPANT_NAME SCHEMA_NAME OCCUPANT_DESC SPACE_USAGE_KBYTES\n------------- ----------- ------------- ------------------\nAUDSYS AUDSYS AUDSYS schema objects 1280\nAUDIT_TABLES SYS DB audit tables 0\n<\/code><\/pre>\nSYS ‘DB audit tables’ is the old one, filled in ‘mixed mode’ only. AUDSYS ‘AUDSYS schema objects’ is the new unified one, filled in both modes.<\/p>\n
But I have something to add. The default policies do not audit something that you are supposed to do so frequently, it should not fills hundreds of MB before several decades.
\nIf you get this during the last hour:<\/p>\n
SQL> select audit_type,unified_audit_policies,action_name,return_code,count(*) \n 2 from unified_audit_trail where event_timestamp>sysdate-1\n 3 group by audit_type,unified_audit_policies,action_name,return_code\n 4 order by count(*);\nAUDIT_TYPE UNIFIED_AUDIT_POLICIES ACTION_NAME RETURN_CODE COUNT(*) \n---------- ---------------------- ----------- ----------- --------\nStandard AUDIT 0 2 \nStandard EXECUTE 0 4 \nStandard ORA_SECURECONFIG CREATE ROLE 0 9268 \nStandard ORA_LOGON_FAILURES LOGON 1017 348 <\/code><\/pre>\nthen the problem is not auditing but an attack, either from a hacker of because of your application design connecting for each execution or running DDL all the time.<\/p>\n","protected":false},"excerpt":{"rendered":"
By Franck Pachot . Oracle enables some auditing by default, and if you don’t do anything, the tables where it is stored will grow in SYSAUX. Don’t wait to get an alert when it is too late. Everything that fills something automatically must be managed to archive or purge automatically. If not, one day you […]<\/p>\n","protected":false},"author":27,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[229],"tags":[1042,209],"type_dbi":[],"class_list":["post-9819","post","type-post","status-publish","format-standard","hentry","category-database-administration-monitoring","tag-auditing","tag-oracle-12c"],"acf":[],"yoast_head":"\n
12c Unified Auditing and AUDIT_TRAIL=DB in mixed mode - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"12c Unified Auditing and AUDIT_TRAIL=DB in mixed mode\" \/>\n<meta property=\"og:description\" content=\"By Franck Pachot . Oracle enables some auditing by default, and if you don’t do anything, the tables where it is stored will grow in SYSAUX. Don’t wait to get an alert when it is too late. Everything that fills something automatically must be managed to archive or purge automatically. If not, one day you […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2017-02-23T18:34:53+00:00\" \/>\n<meta name=\"author\" content=\"Oracle Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Oracle Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/\"},\"author\":{\"name\":\"Oracle Team\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\"},\"headline\":\"12c Unified Auditing and AUDIT_TRAIL=DB in mixed mode\",\"datePublished\":\"2017-02-23T18:34:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/\"},\"wordCount\":876,\"commentCount\":0,\"keywords\":[\"Auditing\",\"Oracle 12c\"],\"articleSection\":[\"Database Administration & Monitoring\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/\",\"name\":\"12c Unified Auditing and AUDIT_TRAIL=DB in mixed mode - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"datePublished\":\"2017-02-23T18:34:53+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"12c Unified Auditing and AUDIT_TRAIL=DB in mixed mode\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\",\"name\":\"Oracle Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"caption\":\"Oracle Team\"},\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"12c Unified Auditing and AUDIT_TRAIL=DB in mixed mode - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/","og_locale":"en_US","og_type":"article","og_title":"12c Unified Auditing and AUDIT_TRAIL=DB in mixed mode","og_description":"By Franck Pachot . Oracle enables some auditing by default, and if you don’t do anything, the tables where it is stored will grow in SYSAUX. Don’t wait to get an alert when it is too late. Everything that fills something automatically must be managed to archive or purge automatically. If not, one day you […]","og_url":"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/","og_site_name":"dbi Blog","article_published_time":"2017-02-23T18:34:53+00:00","author":"Oracle Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Oracle Team","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/"},"author":{"name":"Oracle Team","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"headline":"12c Unified Auditing and AUDIT_TRAIL=DB in mixed mode","datePublished":"2017-02-23T18:34:53+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/"},"wordCount":876,"commentCount":0,"keywords":["Auditing","Oracle 12c"],"articleSection":["Database Administration & Monitoring"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/","url":"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/","name":"12c Unified Auditing and AUDIT_TRAIL=DB in mixed mode - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2017-02-23T18:34:53+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/12c-unified-auditing-and-audit_traildb-in-mixed-mode\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"12c Unified Auditing and AUDIT_TRAIL=DB in mixed mode"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee","name":"Oracle Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","caption":"Oracle Team"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/9819","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=9819"}],"version-history":[{"count":0,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/9819\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=9819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=9819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=9819"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=9819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}