Re: [EXTERNAL]-RE: [EXTERNAL]-RE: [EXTERNAL]-database audit trail and unified audit trail

From: Al B. <albert.y.balbekov_at_gmail.com>
Date: Sun, 30 Jan 2022 12:23:43 -0800
Message-ID: <CACKN2vFgufgPAi-9b5zbrjXm38d3E1y8ZTPOGhvM1dH_AX9CGw_at_mail.gmail.com>



That's what I am seeing too after the 19c upgrade: the records are now in UNIFIED_AUDIT_TRAIL instead of the old SYS.AUD$. (In my case the AUDIT_TRAIL parameter is DB.) The new unified trail has to be explicitly and independently cleaned with DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL using parameter AUDIT_TRAIL_TYPE set to DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED.

I also noticed that the 19c default no longer logs successful logons. It only logs failed logons. In pre-19c the default was logging successful logons too, which I relied upon to troubleshoot connection storms.

One other audit change gotcha I hit when moving to 19c: the two Unified policies that are supposed to be enabled by default on all 19c databases (ORA_SECURECONFIG and ORA_LOGON_FAILURES) were not enabled in a 19c PDB when the PDB was created by remote cloning from pre-19c and then upgrading to 19c. In contrast, the two policies did get enabled when a new PDB was created from scratch by dbca. This document has some confusing wording on this:
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/configuring-audit-policies.html#GUID-AC30632D-80E0-40BB-91AF-0416A904A707
It is easy to check with AUDIT_UNIFIED_ENABLED_POLICIES while in the PDB.

One other audit consideration to keep an eye on, when switching from non-CDB to CDB architecture in combination with 19c upgrade: with CDB the unified policies have to be enabled in each PDB. Enabling them in root will only audit root.

And as was already mentioned before, it makes sense in each PDB to manually update the partitioning interval from the pre-19c 1 month to 1 day, using DBMS_AUDIT_MGMT.ALTER_PARTITION_INTERVAL. I read somewhere that a 1-day interval was supposed to be the new 19c default, but on all of my upgraded 19c databases it was 1 month.

Cheers,
Albert Balbekov

On Fri, Jan 28, 2022 at 11:00 AM Beckstrom, Jeffrey <jbeckstrom_at_gcrta.org> wrote:

> System was linked with installation defaults. Apparently, in 19c, unified
> is on by default and overrides the database audit trail parameters since we
> are seeing the statement level auditing in the unified view and not the OS
> files.
>
>
>
> *From:* Douglas Dunyan <dmdunyan_at_gmail.com>
> *Sent:* Friday, January 28, 2022 1:40 PM
> *To:* Beckstrom, Jeffrey <jbeckstrom_at_gcrta.org>
> *Cc:* Amit Grover <amitgrover27_at_gmail.com>; oracle-l_at_freelists.org
> *Subject:* Re: [EXTERNAL]-RE: [EXTERNAL]-database audit trail and unified
> audit trail
>
>
>
> Greets -
>
> I think I read the default configuration is Mixed Mode unified
> auditing. For pure unified auditing, you have to relink oracle with
> uniaud_on. Have you relinked yet? Maybe that's your issue...
>
> FWIW unified audit trail is a view, and you can only remove records
> using the supplied packages. As far as unified audit goes, I am stumped,
> trying to figure out a system that has 130,000+ records in the view, but
> event_timestamp is null, so the package doesn't purge those rows...
>
>
>
> HTH
>
> D
>
>
>
> On Fri, Jan 28, 2022 at 11:31 AM Beckstrom, Jeffrey <jbeckstrom_at_gcrta.org>
> wrote:
>
> We have a logon trigger that turns on statement auditing for selected
> sessions. Looks like those are now going to the unified audit table instead
> of the os dest specified by the init.ora parameter. Does that make sense
> since unified is on?
>
>
>
> *From:* Amit Grover <amitgrover27_at_gmail.com>
> *Sent:* Friday, January 28, 2022 1:17 PM
> *To:* Beckstrom, Jeffrey <jbeckstrom_at_gcrta.org>
> *Subject:* Re: [EXTERNAL]-database audit trail and unified audit trail
>
>
>
> Remove the default Unified audit policies or set up a job to clear the
> unified audit trail, would be two options to go.
>
>
>
> Also check the location of the unified audit, get it moved outside of
> Sysaux and maybe change the table partition from default (monthly) to daily,
> if you do want to use it, as a start.
>
>
>
> Best Regards
>
> Amit Grover
> 2065966629
>
>
>
>
>
> On Fri, Jan 28, 2022 at 9:14 AM Beckstrom, Jeffrey <jbeckstrom_at_gcrta.org>
> wrote:
>
> Prior to upgrading to 19c, we were generating a database audit trail.
>
>
>
> With 19c, seems like unified audit trail is turned on.
>
>
>
> Do we have to purge BOTH the database audit trail and the unified audit
> trail. The database audit trail was going to OS files.
>
>
>
> Jeffrey Beckstrom
>
> Greater Cleveland Regional Transit Authority
>
> 1240 W. 6th Street
>
> Cleveland, Ohio 44113
>
>
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Sun Jan 30 2022 - 21:23:43 CET
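
The checks and settings discussed in this thread, collected into one SQL*Plus script to run inside each PDB. This is an added example, not code posted by anyone in the thread; it assumes an account with the AUDIT_ADMIN role, and the 90-day retention cutoff is an assumed value to replace with your own.

```sql
-- Added example. Run inside EACH PDB: enabling policies in the root audits only the root.
SET SERVEROUTPUT ON

-- 1. Mixed mode or pure unified auditing? TRUE only after relinking with uniaud_on.
SELECT value AS pure_unified FROM v$option WHERE parameter = 'Unified Auditing';

-- 2. Which unified policies are actually enabled in this container?
SELECT policy_name, enabled_option, entity_name, success, failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name;

-- 3. Enable the two default policies if a cloned/upgraded PDB is missing them.
DECLARE
  PROCEDURE enable_if_missing(p_policy VARCHAR2, p_stmt VARCHAR2) IS
    n PLS_INTEGER;
  BEGIN
    SELECT COUNT(*) INTO n
    FROM   audit_unified_enabled_policies
    WHERE  policy_name = p_policy;
    IF n = 0 THEN
      EXECUTE IMMEDIATE p_stmt;
      DBMS_OUTPUT.PUT_LINE('enabled ' || p_policy);
    END IF;
  END;
BEGIN
  enable_if_missing('ORA_SECURECONFIG', 'AUDIT POLICY ORA_SECURECONFIG');
  enable_if_missing('ORA_LOGON_FAILURES',
                    'AUDIT POLICY ORA_LOGON_FAILURES WHENEVER NOT SUCCESSFUL');
END;
/

-- 4. Daily partitions, then purge the unified trail up to the cutoff.
BEGIN
  DBMS_AUDIT_MGMT.ALTER_PARTITION_INTERVAL(
    interval_number => 1, interval_frequency => 'DAY');
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);  -- assumed retention
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    use_last_arch_timestamp => TRUE);
END;
/

-- 5. What is left, including rows with a NULL event_timestamp that the
--    timestamp-based purge does not remove.
SELECT COUNT(*) AS total_rows, MIN(event_timestamp) AS oldest,
       COUNT(*) - COUNT(event_timestamp) AS null_timestamp_rows
FROM   unified_audit_trail;
```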
