Oracle Unified Auditing – How to Track Failed Logon Attempts on Windows

auditoracleoracle-12cwindows

I activated a ORA_LOGON_FAILURES policy and I've tried to execute

select * from unified_audit_trail where unified_audit_policies = 'ORA_LOGON_FAILURES';

But it doesn't work. All my failed attempts to log in weren't audited. So what do I do wrong?

Best Answer

You have enabled ORA_LOGON_FAILURES, but have you enabled Unified Auditing properly?

With the default, mixed-mode auditing, setting audit_trail to none, prevents logon failures to be audited with ORA_LOGON_FAILURES enabled.

This is how it works with everything set to default (audit_trail set to DB by DBCA):

SQL> audit policy ora_logon_failures;

Audit succeeded.

SQL> select count(*) from unified_audit_trail 
     where unified_audit_policies = 'ORA_LOGON_FAILURES' and return_code = 1017;

  COUNT(*)
----------
         0

SQL> connect 1/1
ERROR:
ORA-01017: invalid username/password; logon denied


Warning: You are no longer connected to ORACLE.
SQL> connect / as sysdba
Connected.
SQL> select count(*) from unified_audit_trail
     where unified_audit_policies = 'ORA_LOGON_FAILURES' and return_code = 1017;

  COUNT(*)
----------
         1

Also, Unified Audit entires can be buffered in the SGA and be written to disk later and not immediately, in that case, flush manually before querying:

EXEC DBMS_AUDIT_MGMT.flush_unified_audit_trail;

Still, if you configured everything properly, you may have hit:

BUG 19383839 - UNIFIED AUDIT - NO LOGON OR FAILED LOGON ACTION CAPTURED

Edit:

Ok, so I had to test it myself, else I would not have believed it. Opposing to what the documentation states (AUDIT_TRAIL), setting the audit_trail to none does have an effect even when using pure Unified Auditing. But this is not intended, it is a bug. The fix is not included in the latest PSU (12.1.0.2.170117), but installing the above one-off patch (19383839) indeed resolved the issue. The problem is, this patch is not available to Windows platform. (I have tested this both on Linux and Windows, because Windows is always a factor you need to consider when working with Oracle.)

Setting audit_trail to DB does not reenable mixed-mode, relinking (renaming the DLL) enables pure Unified Auditing and that overrides this, you can confirm this by selecting from AUD$ or DBA_AUDIT_SESSION. So I suggest that you set audit_trail to DB.

Related Solutions

Sql-server – Tracking object use using SQL Auditing

To track object use with the SQL Server Audit feature, it’s necessary to set up the auditing. In order to do so, an audit object must be created first.

This can be done using SQL Server Management Studio or T-SQL.

The next step is to set up the auditing in the particular database on specific objects. This is where availability of the SQL Server Audit feature is required on the database level (the database level auditing is available in SQL Server Enterprise and Developer editions only).

To continue setting up the auditing, it’s required to create a database level audit specification. Such database level audit specification will belong to the audit object previously created.

Although SQL Server provides a built-in feature (the View Audit Logs context menu option of an audit object) to view captured information, this is not a convenient way for creating comprehensive reports, and it provides basic filtering only.

So, in order to provide tracked information for any deeper analysis or documenting, use the fn_get_file_audit SQL Server function to read repository .sqlaudit files used by the audit object.

How to reduce sysaux tablespace size with Audit Trail Unified enabled

SQL> select owner||'."'||table_name||'"' t from dba_tables where table_name like 'CLI_SWP$%';

T
-----------------------------
AUDSYS."CLI_SWP$18c7c2a9$1$1"

SQL> truncate table AUDSYS."CLI_SWP$18c7c2a9$1$1";
truncate table AUDSYS."CLI_SWP$18c7c2a9$1$1"
*
FEHLER in Zeile 1:
ORA-55941: DML- und DDL-Vorgänge sind auf Tabelle
"AUDSYS"."CLI_SWP$18c7c2a9$1$1" nicht zulässig

SQL> shutdown immediate;
…
ORACLE-Instanz heruntergefahren.
SQL> startup upgrade;
…
Datenbank geöffnet.
SQL> truncate table AUDSYS."CLI_SWP$18c7c2a9$1$1";

Tabelle mit TRUNCATE geleert.

SQL> shutdown immediate;
SQL> startup;

Best Answer

Related Solutions

Sql-server – Tracking object use using SQL Auditing

How to reduce sysaux tablespace size with Audit Trail Unified enabled

Related Question