Unified Auditing – is it ON or OFF in Oracle Database 12.2.0.1?

Just a quick update to my blog post from September 2014:

Unified Auditing – is it ON or OFF in Oracle 12c?

Any changes in Oracle Database 12.2.0.1?

Yes. Significant changes happen to Unified Auditing in Oracle Database 12.2.0.1. Mostly internally as the mechanism used to dump the audit records in Oracle 12.1.0.x when Unified Auditing was on turned out to be very good for write performance, but not so good when you tried to read data. See my blog post from a few weeks ago how to deal with this performance implication and a potential patch:

Unified Auditing – Performance Improvements in Oracle 12.1.0.2

But I’d like to understand if the so called “Mixed Mode” is still existent in Oracle Database 12.2.0.1, meaning you can have the old audit trail enabled but the database is still auditing some activities via the newer Unified Auditing policies.

Comparison Oracle 12.1.0.2 vs Oracle 12.2.0.1

Quick check in Oracle 12.1.0.2:

SQL> column policy_name format a25
SQL> column user_name format a14
SQL> column enabled format a7
SQL> set line 200
SQL> set pages 1000
SQL> SELECT policy_name, enabled_opt, user_name FROM audit_unified_enabled_policies;

POLICY_NAME		  ENABLED_ USER_NAME
------------------------- -------- --------------
ORA_SECURECONFIG	  BY	   ALL USERS
ORA_LOGON_FAILURES	  BY	   ALL USERS

And now the same query in Oracle 12.2.0.1:

SQL> column policy_name format a25
SQL> column user_name format a14
SQL> column enabled format a7
SQL> set line 200
SQL> set pages 0
SQL> SELECT policy_name, enabled_opt, user_name
  FROM audit_unified_enabled_policies  2  ;
ORA_SECURECONFIG	  BY	   ALL USERS
ORA_LOGON_FAILURES	  BY	   ALL USERS

SQL> set pages 1000
SQL> r
  1  SELECT policy_name, enabled_opt, user_name
  2*   FROM audit_unified_enabled_policies

POLICY_NAME		  ENABLED_ USER_NAME
------------------------- -------- --------------
ORA_SECURECONFIG	  BY	   ALL USERS
ORA_LOGON_FAILURES	  BY	   ALL USERS

No change.

As in Oracle 12.1.0.x, in Oracle Database 12.2.0.1 two default Unified Auditing Policies are enabled. And still I’d recommend to turn them off if you are either going to use the old auditing via audit_trail or don’t want to have auditing at all.

SQL> noaudit policy ORA_SECURECONFIG;
Noaudit succeeded.

SQL> noaudit policy ORA_LOGON_FAILURES;
Noaudit succeeded.

SQL> SELECT policy_name, enabled_opt, user_name FROM audit_unified_enabled_policies;
no rows selected

Again, to be clear, I’m not saying that you shouldn’t use the new Unified Auditing. But disable the Mixed Mode. Use the real (and enabled, i.e. linked into your kernel) Unified Auditing instead if you would like to audit in Oracle Database 12.2.0.1. Or stay with the old auditing if it does what you want and expect.

–Mike

Leave a Reply

Your email address will not be published. Required fields are marked *