Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle 23c Traditional Audit De-supported"] [Next entry: "Coding, Languages and Oracle"]

Re-Enable Traditional Audit in 23c

I wrote a post at the end of last week that told that Oracle deprecated traditional audit in 21c and de-supported it in 23c. Oracle honour the traditional audit settings in 23c if you migrated from an older database BUT they don't allow you to add new traditional audit rules in 23c. Also Oracle have deprecated the parameters such as audit_trail in 23c and they will be removed at some point in the future.

If we try and enable a traditional audit rule in 23c Free then we get:

SQL> audit create session;
audit create session
ERROR at line 1:
ORA-46401: No new traditional AUDIT configuration is allowed. Traditional auditing is de-supported, and you should use unified auditing in its place.


I was aware of new hidden parameters in 23c as I looked at them as soon as 23c came out months ago. I was aware of a parameter that allows traditional audit to be still used in 23c but refrained from mentioning it in my last blog - Oracle 23c Traditional Audit De-supported - because we cannot recommend to use de-supported features or use backdoors to allow access. BUT, someone asked a question on Linkedin in relation to that blog post as to whether it is possible to reenable traditional audit in 23c. They made a good point, that someone may need to do it. I thought a little more and it could be that you have an application that has traditional audit and the vendor doesn't yet support Unified audit BUT as part of an upgrade it sets, re-sets traditional audit. If the 23c is in its current state then that would fail and you would lose your audit. So, yes I can see a need to do this BUT you should not use underscore parameters as the norm and if its production as Oracle support first. Remember, you could enable traditional audit to add missing settings and then disable again.

So, yes it is possible to re-enable traditional audit BUT probably not supported unless you ask first. So here is the parameter for completeness:

SQL> l
1 SELECT ppi.ksppinm "Parameter",
2 ppcv.ksppstvl "Session Value",
3 psv.ksppstvl "Instance Value"
4 FROM x$ksppi ppi,
5 x$ksppcv ppcv,
6 x$ksppsv psv
7 WHERE ppi.indx = ppcv.indx
8 AND ppi.indx = psv.indx
9 AND ppi.ksppinm = '_allow_traditional_audit_configuration'
10* order by ppi.ksppinm
SQL> /
_allow_traditional_audit_configuration FALSE FALSE


If we set this parameter:

SQL> alter system set "_allow_traditional_audit_configuration"=true scope=both;

System altered.


Check it:

SQL> @hidden
_allow_traditional_audit_configuration TRUE TRUE


Now test adding a new traditional audit rule:

SQL> audit create session;

Audit succeeded.

SQL> select banner from v$version;
Oracle Database 23c Free, Release - Developer-Release


So, lets put it back to its correct setting:

SQL> alter system set "_allow_traditional_audit_configuration"=false scope=both;

System altered.

SQL> @hidden
_allow_traditional_audit_configuration FALSE FALSE


So, it is possible to still fully use traditional auditing in 23c

#oracleace #23c #oracle #database #security #audit #audittrail #databreach