Unified Auditing – is it ON or OFF in Oracle Database 12.2.0.1?

Posted on May 16, 2017 by Auditing Oracle Database 12.2.0.1 9

Just a quick update to my blog post from September 2014:

Unified Auditing – is it ON or OFF in Oracle 12c?

Any changes in Oracle Database 12.2.0.1?

Yes. Significant changes happen to Unified Auditing in Oracle Database 12.2.0.1. Mostly internally as the mechanism used to dump the audit records in Oracle 12.1.0.x when Unified Auditing was on turned out to be very good for write performance, but not so good when you tried to read data. See my blog post from a few weeks ago how to deal with this performance implication and a potential patch:

Unified Auditing – Performance Improvements in Oracle 12.1.0.2

But I’d like to understand if the so called “Mixed Mode” is still existent in Oracle Database 12.2.0.1, meaning you can have the old audit trail enabled but the database is still auditing some activities via the newer Unified Auditing policies.

Comparison Oracle 12.1.0.2 vs Oracle 12.2.0.1

Quick check in Oracle 12.1.0.2:

SQL> column policy_name format a25
SQL> column user_name format a14
SQL> column enabled format a7
SQL> set line 200
SQL> set pages 1000
SQL> SELECT policy_name, enabled_opt, user_name FROM audit_unified_enabled_policies;

POLICY_NAME		  ENABLED_ USER_NAME
------------------------- -------- --------------
ORA_SECURECONFIG	  BY	   ALL USERS
ORA_LOGON_FAILURES	  BY	   ALL USERS

And now the same query in Oracle 12.2.0.1:

SQL> column policy_name format a25
SQL> column user_name format a14
SQL> column enabled format a7
SQL> set line 200
SQL> set pages 0
SQL> SELECT policy_name, enabled_opt, user_name
  FROM audit_unified_enabled_policies  2  ;
ORA_SECURECONFIG	  BY	   ALL USERS
ORA_LOGON_FAILURES	  BY	   ALL USERS

SQL> set pages 1000
SQL> r
  1  SELECT policy_name, enabled_opt, user_name
  2*   FROM audit_unified_enabled_policies

POLICY_NAME		  ENABLED_ USER_NAME
------------------------- -------- --------------
ORA_SECURECONFIG	  BY	   ALL USERS
ORA_LOGON_FAILURES	  BY	   ALL USERS

No change.

As in Oracle 12.1.0.x, in Oracle Database 12.2.0.1 two default Unified Auditing Policies are enabled. And still I’d recommend to turn them off if you are either going to use the old auditing via audit_trail or don’t want to have auditing at all.

SQL> noaudit policy ORA_SECURECONFIG;
Noaudit succeeded.

SQL> noaudit policy ORA_LOGON_FAILURES;
Noaudit succeeded.

SQL> SELECT policy_name, enabled_opt, user_name FROM audit_unified_enabled_policies;
no rows selected

Again, to be clear, I’m not saying that you shouldn’t use the new Unified Auditing. But disable the Mixed Mode. Use the real (and enabled, i.e. linked into your kernel) Unified Auditing instead if you would like to audit in Oracle Database 12.2.0.1. Or stay with the old auditing if it does what you want and expect.

–Mike

Share this:

Tags:

You may also like...

9 Responses

  1. Tim Barton says:
    November 16, 2017 at 20:41

    Sorry but what you posted is not determining whether UNIFIED Auditing is on in 12c. What you are showind is mealry that in 12c there are two audit_policies enabled. Thes audit_policies are to replace the audit_sys_operation parameter.
    TO chedk if unified auditing is enabled chece the show parameter “%Audit%”

    Reply
  2. William Laverde says:
    April 6, 2020 at 17:30

    Hi Mike,
    I have some doubts, on Standby Site, Do i need to enable Unified Audit Trail too?, there’s a procedure first on primary and then on standby? Do i need to disable transport redo?

    Btw, my env is Oracle 18c RDBMS on linux 7.6, two nodes RAC Primary and two nodes RAC Standby (ADG)

    Thanks in advance

    Reply
    • Mike.Dietrich says:
      April 8, 2020 at 21:21

      Hi William,

      the settings from the primary should be automatically propagated to the standby. Otherwise you’d miss a lot of things after a switchover or failover.
      Nothing extra to be set except for making sure that you have linked UNIAUD into the kernel on both sides if you use it beyond the mixed mode.

      Cheers,
      Mike

      Reply
  3. Laverde Williams says:
    April 9, 2020 at 18:15

    Thanks Mike. You’re right. First activate UAT on Prym site (both nodes) and did some audit test and then check that both sites were having same records of audit trail in unified_audit_trail view. After that activate UAT on the binaries of stby site.
    Best Regards

    Reply
  4. Nicolas says:
    September 28, 2020 at 09:28

    Hi Mike,
    Thank you for this post. Is it possible to check if oracle executable has been linking with uniaud_on from the executable itself (without starting the instance)? And how?
    Nicolas

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Mike Dietrich
Oracle Senior Director of Product Manager for Database Upgrade, Migrations and Patching writing just another blog.

Opinions certainly are my own as is this page.

Archives

Categories

Upgrade @YouTube

Subscribe via Email

Join 7,849 other subscribers

Follow me on Twitter