How to enable Unified Auditing in Oracle 12c

Actually one of our slides gives a parameter recommendation to set AUDIT_TRAIL since Oracle 11g explicitly to the value you want as otherwise it may switch to “DB” and you may not be aware of it. In conjunction with this setting we explain the new Oracle Database 12c feature Unified Auditing – which is not linked into the kernel and therefore should be off.

  • Unified Auditing is not linked into the Oracle 12c kernel by default to offer people the choice to use it and to avoid conflicts in case somebody has auditing ON already – so neither during an upgrade nor with a fresh 12c database you’ll see it included into the kernel. It will have to be linked in manually.
    • Check if Unified Auditing is present in your environment:
      SQL> select VALUE from V$OPTION where PARAMETER=’Unified Auditing’;
    • In case you’ll link it into the kernel
      cd $ORACLE_HOME/rdbms/lib
      make -f uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME
  • But even though it is not linked into the kernel a bit of Unified Auditing is ON by default in MIXED MODE when you create a fresh Oracle 12c database.
    • MIXED MODE auditing?
      • See the documentation for further information
      • Just two policies are enabled by default: ORA_SECURECONFIG and ORA_LOGON_FAILURES
  • What about security?
    • The audit table is in a new Oracle maintained schema, and not even SYS can tamper with it:
SQL> conn / as sysdba
SQL> select table_name from dba_tables where owner='AUDSYS';

SQL> delete from audsys."CLI_SWP$67b5bb1a$1$1";
delete from audsys."CLI_SWP$67b5bb1a$1$1"
ERROR at line 1:
ORA-55941: DML and DDL operations are not allowed on table "AUDSYS"."CLI_SWP$67b3hb1a$1$1"
SQL> drop user audsys cascade;
drop user audsys cascade
ERROR at line 1:
ORA-28050: specified user or role cannot be dropped

  • Turn Unfiied Auditing OFF?
    • If is has been linked in into the kernel, unlink it:
      cd $ORACLE_HOME/rdbms/lib
      make -f uniaud_off ioracle ORACLE_HOME=$ORACLE_HOME
    • Disable the two default policies – this will turn off any Unified Auditing features:
      SQL> noaudit policy ORA_SECURECONFIG;
      Noaudit succeeded.
      SQL> noaudit policy ORA_LOGON_FAILURES;
      Noaudit succeeded.

Leave a Reply

Your email address will not be published. Required fields are marked *