Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Recovering PL/SQL Source Code"] [Next entry: "Re-Enable Traditional Audit in 23c"]

Oracle 23c Traditional Audit De-supported

It has been a long time coming. Traditional audit has been around since Oracle 6 and the new unified audit was added 10 years ago in Oracle 12c; at first unified audit was in a secure file and was slow. Lots of conversations with customers and at conferenced lead to the conclusion at least from what I heard that most people were sticking with traditional audit for now. Since 19c the unified audit is back in a normal table and is fast and more reliable. I am starting to hear more people using Unified audit in their databases. Bear in mind that a show of hands at conferences for years as to "who has audit enabled in the database to capture abuse of the database - i.e. not just because the application vendor enabled it" and then a second question, keep your hand up "if you do have audit enabled then do you actually do anything with the audit trail or just keep it in case?"

The first question usually gets a response of between 10% and 30% of the audience and the second (from those who raised a hand to the first question) is again around 10%. This is bad but consistent at least when I ask these questions. This means that between 1% and 3% of people create an audit trail of the database engine (not the applications - usually that is a much bigger percentage) to detect if anyone is hacking it in real time or semi-real time; and 10% to 30% who just collect and hope that they have enough audit to assist an investigation.

So, back to the story; Oracle added unified audit back in 2013 to 12c and they deprecated standard audit in 21c and announced that its de-supported in 23c. Its not gone completely. The parameters AUDIT_TRAIL, AUDIT_SYS_OPERATIONS, AUDIT_FILE_DEST and AUDIT_SYSLOG_LEVEL are deprecated in 23c and Oracle recommends that you move to Unified Audit as soon as possible.

If you used traditional audit in an earlier release and migrated to 23c then the traditional audit settings are honoured and the settings will write audit to their audit trails BUT you cannot add new traditional audit settings.

There is a need to start to think about Unified audit and migrating traditional audit to Unified Audit and if you are not using either then start to think about using Unified Audit to capture abuse of the database by anyone. You will find it useful to have a well designed audit trail to do two things; one; react to the audit and take action immediately if an attack looks like it could be happening and two; have enough evidence should an attack get through

If you try and set new traditional audit in 23c you get this:

SQL> audit create session;
audit create session
ERROR at line 1:
ORA-46401: No new traditional AUDIT configuration is allowed. Traditional
auditing is de-supported, and you should use unified auditing in its place.


#oracleace #23c #audit #oracle #unified #database #databreach