Mixed mode auditing – 12c

auditoracleoracle-12c

Oracle 12c database comes with default Unified auditing enabled even if we set it to FALSE which has ORA_SECURECONFIG policy enabled by default.

Apparently, the audit options for that particular policy captures many default options such as Alter and create statements.

My question is, by default for any new installation, mixed mode is enabled which means that the traditional auditing is enabled and also Unified auditing is enabled as well both capturing the same audit_options.

Why is it that way? What is the point of Mixed mode? When by default tradionally Oracle audits certain user actions, why should ORA_SECURECONFIG should also audit the same default user actions and write to AUDSYS schema?

And if I need to keep only Unified auditing, then how to disable traditional auditing? Should I change audit_trail from DB to NONE?

Best Answer

In Oracle 12c Mixed Mode is enabled by default which makes the use familiar with Unified Auditing prior to switching to full Unified Auditing. Mixed Mode allows to pre-12c audit functionality to co-exist with new Unified Auditing functionality.

Using Mixed Mode audit data can be found both in the traditional locations as well as in SYS.UNIFIED_AUDIT_TRAIL. This is because the Unified Auditing Policy ORA_SECURECONFIG is enabled by default.

You can use the following commands to disable Unified Audit.

NOAUDIT POLICY ORA_SECURECONFIG; noaudit policy ORA_LOGON_FAILURES;

Unified Auditing is not included in the Oracle 12c kernel so you have enable to manually. But in Mixed Mode it is on though it is not included in the kernel. You can check whether the Unified Auditing is enabled or not using the following query.

select VALUE from V$OPTION where PARAMETER='Unified Auditing'; If you wish to linked the Unified Auditing to kernel then use the following commands.

cd $ORACLE_HOME/rdbms/lib make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME

If you dont set AUDIT_TRAIL=NONE then both auditing mechanisms will run concurrently.

Reference

Link to Oracle Official Documentation.

Mixed Mode Auditing

Related Solutions

Sql-server – SQL Server Audit not tracking changes at the database level

I think the main problem here - and please don't take offense - is that you're pointing and clicking in a GUI but not really sure what you're pointing and clicking at.

Here is an example that creates a server-level audit, then adds a database-level audit specification to track multiple operations on any object in the dbo schema.

USE master;
GO

-- create aserver audit
CREATE SERVER AUDIT Test_Server_Audit 
  TO FILE ( FILEPATH = 'C:\temp\' ); -- you may need to change that'
GO

-- turn it on
ALTER SERVER AUDIT Test_Server_Audit WITH (STATE = ON);
GO

-- create a demo database    
CREATE DATABASE floob;
GO
USE floob;
GO
CREATE TABLE dbo.blat(x INT);
GO

-- create a database audit specification that monitors for activity
-- against any dbo object:
CREATE DATABASE AUDIT SPECIFICATION Test_Database_Audit
    FOR SERVER AUDIT Test_Server_Audit
    ADD (SELECT, UPDATE, DELETE, INSERT, EXECUTE ON SCHEMA::dbo BY PUBLIC)
    WITH (STATE = ON);
GO

-- do a couple of things:
SELECT * FROM dbo.blat;
DELETE dbo.blat;
GO

-- you should see those couple of things in the audit file:
SELECT * FROM sys.fn_get_audit_file('C:\temp\*.sqlaudit', NULL, NULL);
GO

Now, clean up:

ALTER DATABASE AUDIT SPECIFICATION Test_Database_Audit
    WITH (STATE = OFF);
GO
DROP DATABASE AUDIT SPECIFICATION Test_Database_Audit;
GO
USE master;
GO
ALTER DATABASE floob SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
GO
DROP DATABASE floob;
GO

ALTER SERVER AUDIT Test_Server_Audit
    WITH (STATE = OFF);
GO
DROP SERVER AUDIT Test_Server_Audit;
GO

I'd start at perhaps a higher conceptual level before pressing a bunch of buttons and hoping that they work.

Oracle Unified Auditing – How to Track Failed Logon Attempts on Windows

You have enabled ORA_LOGON_FAILURES, but have you enabled Unified Auditing properly?

With the default, mixed-mode auditing, setting audit_trail to none, prevents logon failures to be audited with ORA_LOGON_FAILURES enabled.

This is how it works with everything set to default (audit_trail set to DB by DBCA):

SQL> audit policy ora_logon_failures;

Audit succeeded.

SQL> select count(*) from unified_audit_trail 
     where unified_audit_policies = 'ORA_LOGON_FAILURES' and return_code = 1017;

  COUNT(*)
----------
         0

SQL> connect 1/1
ERROR:
ORA-01017: invalid username/password; logon denied


Warning: You are no longer connected to ORACLE.
SQL> connect / as sysdba
Connected.
SQL> select count(*) from unified_audit_trail
     where unified_audit_policies = 'ORA_LOGON_FAILURES' and return_code = 1017;

  COUNT(*)
----------
         1

Also, Unified Audit entires can be buffered in the SGA and be written to disk later and not immediately, in that case, flush manually before querying:

EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail;

Still, if you configured everything properly, you may have hit:

BUG 19383839 - UNIFIED AUDIT - NO LOGON OR FAILED LOGON ACTION CAPTURED

Edit:

Ok, so I had to test it myself, else I would not have believed it. Opposing to what the documentation states (AUDIT_TRAIL), setting the audit_trail to none does have an effect even when using pure Unified Auditing. But this is not intended, it is a bug. The fix is not included in the latest PSU (12.1.0.2.170117), but installing the above one-off patch (19383839) indeed resolved the issue. The problem is, this patch is not available to Windows platform. (I have tested this both on Linux and Windows, because Windows is always a factor you need to consider when working with Oracle.)

Setting audit_trail to DB does not reenable mixed-mode, relinking (renaming the DLL) enables pure Unified Auditing and that overrides this, you can confirm this by selecting from AUD$ or DBA_AUDIT_SESSION. So I suggest that you set audit_trail to DB.

Best Answer

Related Solutions

Sql-server – SQL Server Audit not tracking changes at the database level

Oracle Unified Auditing – How to Track Failed Logon Attempts on Windows

Related Question