
A Closer Look at Unified Auditing vs Traditional Auditing
Oracle Database 19c and 23c

1 Copyright © 2023, Oracle and/or its affiliates


Mike Dietrich
Senior Director Product Management
Database Upgrade, Migration and Patching

MikeDietrich

@MikeDietrichDE

https://MikeDietrichDE.com



Daniel Overby Hansen
Roy Swonger
Klaus Gronau
William Beauregard
Mike Dietrich
Rodrigo Jorge


Upgrade Blog
https://MikeDietrichDE.com



Recorded Web Seminars
https://MikeDietrichDE.com/videos

More than 30 hours of technical content, on-demand, anytime, anywhere


Oracle Database 19c and 23c

Introduction


Lifetime Support Policy

[Figure: support timeline 2009 to 2027 for Oracle 11.2, Oracle 12.1, Oracle 12.2.0.1, Oracle 18 (12.2.0.2), Oracle 19 (12.2.0.3) and Oracle 21. Legend: Premier Support, Waived Extended Support, Paid Extended Support, Market Driven Support, Limited Error Correction]


Release Strategy | Make Your Plan

[Figure: release timeline 2016 to 2032 with a "We are here" marker, covering 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, Oracle 19 (12.2.0.3), Oracle 21 and Oracle Database 23c Support]


Release Types

LONG TERM SUPPORT
5+ years of Premier Support followed by 3+ years of Extended Support

INNOVATION
2 years of Premier Support
No Extended Support

Move production databases from one Long Term Support release to the next


Next Long Term Support release: Oracle Database 23c

Upgrade possible only from:
• Oracle Database 19c
• Oracle Database 21c


Do you want to upgrade?
• Oracle Database 11.2.0.4
• Oracle Database 12.1.0.2
• Oracle Database 12.2.0.1
• Oracle Database 18c

[Diagram: Oracle Database 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18c; Oracle Database 19c; Oracle Database 23c]

Direct upgrade from Oracle Database 11.2.0.4, 12.1.0.2, 12.2.0.1 or 18c to Oracle Database 23c is NOT possible!!


Your path to successful database upgrades / migrations

1. Install Oracle Home including RU and MRP
   MOS Note: 2118136.2
   MOS Note: 555.1
   MOS Note: 2781612.2
2. Download and deploy the most recent AutoUpgrade
   MOS Note: 2485457.1
3. Collect performance information from current source and test thoroughly


From Oracle Database 21c onwards there is no non-CDB architecture anymore
AutoUpgrade does the migration for you, end-to-end


What makes me talk about Auditing?

Oracle Database Auditing

An Overview


Auditing

• COMPLIANCE: Regulatory, Assurance, User activity
• ANALYSIS: Forensic, Who did what when
• DETECTION: Suspicious activities, Anomalies


Auditing Evolution

• 1992: Traditional Auditing (Oracle 6)
• 2002: Fine Grained Auditing (Oracle 9i)
• 2013: Unified Auditing, Mixed Mode (Oracle 12c)
• 2023: Unified Auditing, Pure Mode (Oracle 23c)


Traditional Auditing

From Oracle 11g – 21c


Traditional Auditing | Parameters

Initialization parameters
• AUDIT_TRAIL
  • Enabled by default since Oracle Database 11g via DBCA
  • Adjustment requires restart of the database
  • Defines where and how audit information gets stored
  • AUDIT_TRAIL=DB uses SYSTEM.AUD$ in SYSTEM tablespace
    • Growth of system tablespace
    • Undefined situation for moving AUD$ into another tablespace
    • Database halts when audit records can't be written anymore
  • Changing the parameter requires database restart
• AUDIT_SYS_OPERATIONS
• AUDIT_FILE_DEST
• AUDIT_SYSLOG_LEVEL


Traditional Auditing | Audit Trails

One separate audit trail per component

• SYS.AUD$ → database audit trail
• SYS.FGA_LOG$ → fine-grained auditing
• DVSYS.AUDIT_TRAIL$ → Database Vault, Oracle Label Security


Traditional Auditing | Default in Oracle 11g

AUDIT_TRAIL=DB



Traditional Auditing | Default in Oracle 19c

AUDIT_TRAIL=DB



Traditional Auditing | Upgrade from 11g to Oracle 12c – 19c

Initialization parameters
• AUDIT_TRAIL
  • With the upgrade to Oracle Database 12c or higher, AUD$ has to be moved from SYSTEM to SYS
  • AutoUpgrade does this for you automatically
  • olspreupgrade.sql allows manual migration pre-upgrade
• AUDIT_SYS_OPERATIONS
• AUDIT_FILE_DEST
• AUDIT_SYSLOG_LEVEL


Traditional Auditing | Upgrade to Oracle 12c – 19c

Auditing table in SYSTEM user schema

• Fixup is available
• AutoUpgrade will handle this migration automatically



Traditional Auditing | Parameters

Initialization parameters
• AUDIT_TRAIL
• AUDIT_SYS_OPERATIONS
  • Audit operations of SYSDBA and SYSOPER
• AUDIT_FILE_DEST
• AUDIT_SYSLOG_LEVEL
  • Write into the OS' SYSLOG


Traditional Auditing | Oracle Database 23c

These initialization parameters will be deprecated in Oracle 23c

• AUDIT_TRAIL
• AUDIT_SYS_OPERATIONS
• AUDIT_FILE_DEST
• AUDIT_SYSLOG_LEVEL

• BUG 35113642 - Deprecate traditional audit init.ora parameters - AUDIT_TRAIL AUDIT_SYS_OPERATIONS AUDIT_FILE_DEST AUDIT_SYSLOG_LEVEL
• SQL> startup
  ORA-32006: AUDIT_TRAIL initialization parameter has been deprecated
  ORACLE instance started.
  Database mounted.
  Database opened.


Traditional Auditing | File System

AUDIT_TRAIL=OS

NAME                  TYPE     VALUE
--------------------- -------- --------------------------------
audit_file_dest       string   /u01/app/oracle/admin/UPGR/adump
audit_sys_operations  boolean  FALSE
audit_syslog_level    string
audit_trail           string   OS

→ UPGR_ora_24088_20230510231115067867143795.aud


Traditional Auditing | File System

Unix process pid: 24088, image: oracle@hol.localdomain (TNS V1-V3)

Wed May 10 23:11:15 2023 +02:00
LENGTH : '157'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/4'
STATUS:[1] '0'
DBID:[8] '72245725'


Traditional Auditing | Audit Objects and Actions

Examples
• AUDIT ALL ON tab1
• AUDIT table WHENEVER SUCCESSFUL
  • DML and DDL
• AUDIT update table BY user1, user2
• AUDIT session
• AUDIT alter system


Traditional Auditing | Monitoring

DBA_AUDIT_TRAIL
• All entries from AUD$
DBA_OBJ_AUDIT_OPTS
• All audit options activated for certain objects
DBA_PRIV_AUDIT_OPTS
• All system privileges being audited



Traditional Auditing | Policies

Examples

• CREATE AUDIT POLICY dp_operations
    ACTIONS COMPONENT = DATAPUMP IMPORT, EXPORT;

  AUDIT POLICY dp_operations BY system;

• BEGIN
    DBMS_FGA.ADD_POLICY(
      object_name     => 'tabname',
      policy_name     => 'community_policy',
      audit_condition => 'sensitive_column > 100',
      statement_types => 'select');
  END;
  /


Traditional Auditing | Some Thoughts

Typical issues
• Contention
• Login storms
• Excessive growth
• Technology from the past
• Security flaws
• Audit record protection possible only with DV



Unified Auditing

From Oracle Database 12c to 21c



Unified Auditing | Oracle Database 12c Release 1

Introduced in Oracle Database 12c Release 1

• Combine multiple audit trails into one

• Who? AUDSYS
• Where? SYSAUX
• Where exactly (from 12.2 onward)? AUD$UNIFIED

• How to access audit data? SYS.UNIFIED_AUDIT_TRAIL



Unified Auditing | Oracle Database 12c Release 2

Improved in Oracle Database 12c Release 2

• Relational structures added
  • In Oracle 12.1 only available via an extra fix (22782757) – but at the price of performance impact (Blog Post)
• Queueing mechanism deprecated


Unified Auditing | Mixed Mode

By default, Auditing operates in mixed mode

• Traditional Auditing still works
  • Depends on parameters, e.g. AUDIT_TRAIL=DB
• Unified Auditing is somehow ON
  • Standard policies are enabled by default
  • Option is not linked into the kernel


Unified Auditing | Mixed Mode

SQL> SELECT PARAMETER, VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

PARAMETER           VALUE
___________________ ________
Unified Auditing    FALSE

SQL> show parameter audit

NAME                           TYPE    VALUE
------------------------------ ------- --------------------------------
audit_file_dest                string  /u01/app/oracle/admin/UP19/adump
audit_sys_operations           boolean TRUE
audit_syslog_level             string
audit_trail                    string  DB


Mixed Mode???


Unified Auditing | Mixed Mode

SQL> select * from audit_unified_enabled_policies;

POLICY_NAME           ENABLED_OPTION    ENTITY_NAME    ENTITY_TYPE    SUCCESS    FAILURE
_____________________ _________________ ______________ ______________ __________ __________
ORA_SECURECONFIG      BY USER           ALL USERS      USER           YES        YES
ORA_LOGON_FAILURES    BY USER           ALL USERS      USER           NO         YES

SQL> select count(*) from unified_audit_trail;

COUNT(*)
___________
8475


Unified Auditing | Examine Policies

SQL> SELECT policy_name, audit_option, condition_eval_opt, audit_condition
     FROM audit_unified_policies
     WHERE policy_name in ('ORA_SECURECONFIG','ORA_LOGON_FAILURES')
     ORDER BY 1,2;

POLICY_NAME           AUDIT_OPTION                          CONDITION_EVAL_OPT    AUDIT_CONDITION
_____________________ _____________________________________ _____________________ __________________
ORA_LOGON_FAILURES    LOGON                                 NONE                  NONE
ORA_SECURECONFIG      ADMINISTER KEY MANAGEMENT             NONE                  NONE
ORA_SECURECONFIG      ALTER ANY PROCEDURE                   NONE                  NONE
ORA_SECURECONFIG      ALTER ANY SQL TRANSLATION PROFILE     NONE                  NONE
ORA_SECURECONFIG      ALTER ANY TABLE                       NONE                  NONE
ORA_SECURECONFIG      ALTER DATABASE                        NONE                  NONE
ORA_SECURECONFIG      ALTER DATABASE DICTIONARY             NONE                  NONE
ORA_SECURECONFIG      ALTER DATABASE LINK                   NONE                  NONE
ORA_SECURECONFIG      ALTER PLUGGABLE DATABASE              NONE                  NONE
...


Unified Auditing | Turning off standard policies?

SQL> noaudit policy ORA_SECURECONFIG;

Noaudit succeeded.

SQL> noaudit policy ORA_LOGON_FAILURES;

Noaudit succeeded.

SQL> select * from audit_unified_enabled_policies;

no rows selected


Unified Auditing | Purging the Unified Audit Trail?

BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    AUDIT_TRAIL_TYPE    => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    LAST_ARCHIVE_TIME   => '11-MAY-2023 06:30:00.00',
    RAC_INSTANCE_NUMBER => 1,
    CONTAINER           => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/

BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    AUDIT_TRAIL_TYPE        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    USE_LAST_ARCH_TIMESTAMP => TRUE,
    CONTAINER               => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/
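
The two calls above purge once, up to a fixed timestamp. As an added example (not from the original slides), the following schedules the same purge with a rolling retention window; the 90-day retention and the job names UA_ADVANCE_ARCHIVE_TS and UA_PURGE_90D are assumptions.

```sql
-- Added example: rolling retention for the unified audit trail.
-- Assumptions: 90 days retention, hypothetical job names, single container.

-- 1) Daily scheduler job that moves the last archive timestamp forward.
--    Archive or export older records first if they must be retained elsewhere.
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name        => 'UA_ADVANCE_ARCHIVE_TS',
    job_type        => 'PLSQL_BLOCK',
    job_action      => q'[
      BEGIN
        DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
          audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
          last_archive_time => SYS_EXTRACT_UTC(SYSTIMESTAMP) - INTERVAL '90' DAY,
          container         => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
      END;]',
    start_date      => SYSTIMESTAMP,
    repeat_interval => 'FREQ=DAILY; BYHOUR=1; BYMINUTE=0; BYSECOND=0',
    enabled         => TRUE,
    comments        => 'Advance unified audit last archive timestamp');
END;
/

-- 2) Purge job: every 24 hours, delete only records older than that timestamp.
BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_purge_interval => 24,            -- hours
    audit_trail_purge_name     => 'UA_PURGE_90D',
    use_last_arch_timestamp    => TRUE,
    container                  => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/

-- 3) Verify what is configured and how far the trail reaches back.
SELECT audit_trail, last_archive_ts
FROM   dba_audit_mgmt_last_arch_ts;

SELECT job_name, job_status, audit_trail, job_frequency
FROM   dba_audit_mgmt_cleanup_jobs;

SELECT MIN(event_timestamp) AS oldest_record, COUNT(*) AS records
FROM   unified_audit_trail;
```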



By default, every database since Oracle Database 12c writes audit records.

Regardless of whether you linked it in, or not.

Unified Auditing | Pure Mode

SHUTDOWN your database

$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk uniaud_on ioracle

STARTUP your database

SQL> SELECT PARAMETER, VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

PARAMETER VALUE
___________________ ________
Unified Auditing TRUE



If you want to use auditing, link Unified Auditing into the kernel

Use Pure Mode

Unified Auditing | Pure Mode

In Pure Mode, these initialization parameters have no function anymore

• AUDIT_TRAIL
• AUDIT_SYS_OPERATIONS
• AUDIT_FILE_DEST
• AUDIT_SYSLOG_LEVEL

Please remove them from your SPFILEs



Unified Auditing | Pure Mode

To prevent SYSAUX from growing uncontrolled, have a separate tablespace

• Create a new tablespace

• BEGIN
    DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
      audit_trail_type           => dbms_audit_mgmt.audit_trail_unified,
      audit_trail_location_value => 'TBS_AUDIT_DATA');
  END;
  /

• select owner, table_name, interval, partitioning_type, partition_count, def_tablespace_name
  from DBA_PART_TABLES where owner='AUDSYS';

OWNER     TABLE_NAME     INTERVAL              PARTITIONING_TYPE    PARTITION_COUNT    DEF_TABLESPACE_NAME
_________ ______________ _____________________ ____________________ __________________ ______________________
AUDSYS    AUD$UNIFIED    INTERVAL '1' MONTH    RANGE                1048575            TBS_AUDIT_DATA

Unified Auditing | Predefined Policies

Out of the box, the database offers predefined UA policies

• SQL> select distinct policy_name from audit_unified_policies order by 1;

POLICY_NAME
__________________________
ORA_ACCOUNT_MGMT
ORA_CIS_RECOMMENDATIONS
ORA_DATABASE_PARAMETER
ORA_LOGON_FAILURES
ORA_RAS_POLICY_MGMT
ORA_RAS_SESSION_MGMT
ORA_SECURECONFIG



Unified Auditing | Performance Impact?

What is the trade-off when you enable Unified Auditing?

• Please enable Pure Mode, don't have Mixed Mode
• Overhead in lab environment

[Chart: Unified Audit vs NoAudit. Y axis: % Overhead CPU/Txn (0 to 10). X axis: audit records per minute (0.3K, 3K, 6K, 12K, 30K). Data labels: 8.5, 6.8, 5.8, 5.1, 5.2]


Unified Auditing | Another Performance Impact?

Should you have both, TA and UA turned ON at the same time?

• At first, it is not harmful – but does not make much sense


• Try to avoid it since it may cause issues when you patch
• Contention during datapatch
• Read this blog post



Unified Auditing

Going to Oracle Database 23c

Traditional Auditing is desupported in Oracle Database 23c


Unified Auditing | Oracle Database 23c

Unified Auditing is linked into the kernel by default

SQL> SELECT PARAMETER, VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

PARAMETER           VALUE
___________________ ________
Unified Auditing    TRUE

Traditional Auditing parameters will still be honoured


Unified Auditing | Oracle Database 23c

Goal
• Don't introduce interruptions for customers still using Traditional Auditing
• Encourage customers to move to the far better and more secure Unified Auditing

Implementation
• Traditional Auditing can still be used
• No new TA policies can be created
• Existing TA policies can't be updated
• Can be enforced with an underscore parameter
• Migration procedure for TA policies
• Unified Auditing can't be linked off anymore


Unified Auditing | Policy Migration

It doesn't happen automatically

• See: MOS Note: 2909718.1
  Traditional to Unified Audit Syntax Converter - Generate Unified Audit Policies from Current Traditional Audit Configuration

• UA_CreatePolicy.sql
  • Generates CREATE AUDIT POLICY statements to create unified audit policies
• UA_EnablePolicy.sql
  • Generates AUDIT POLICY statements to enable unified audit policies, based on current traditional audit configuration
• UA_DisablePolicy.sql
  • Generates NOAUDIT POLICY statements to disable those unified audit policies
• UA_DropPolicy.sql
  • Use this script to drop the unified audit policies, in case you no longer require them.
• UA_ConvertPolicySummary.txt
  • Summary of created unified audit policies. Lists also incomplete creations.
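
To show what such a conversion looks like, here are hand-written unified equivalents for the traditional AUDIT examples from the "Audit Objects and Actions" slide. This is an added example, not output of the MOS scripts and not part of the original slides; tab1, user1 and user2 come from that slide, the policy names are hypothetical.

```sql
-- Added example: traditional AUDIT statements and a unified equivalent.
-- Policy names (ua_*) are hypothetical; tab1 resolves in the current schema.

-- Traditional: AUDIT ALL ON tab1;
CREATE AUDIT POLICY ua_tab1_all
  ACTIONS ALL ON tab1;
AUDIT POLICY ua_tab1_all;

-- Traditional: AUDIT update table BY user1, user2;
-- The BY clause moves from the audit option to the AUDIT POLICY statement.
-- Assumption: scope is narrowed here to UPDATE on tab1 only.
CREATE AUDIT POLICY ua_tab1_update
  ACTIONS UPDATE ON tab1;
AUDIT POLICY ua_tab1_update BY user1, user2;

-- Traditional: AUDIT session;
CREATE AUDIT POLICY ua_sessions
  ACTIONS LOGON, LOGOFF;
AUDIT POLICY ua_sessions;

-- Traditional: AUDIT alter system;
CREATE AUDIT POLICY ua_alter_system
  ACTIONS ALTER SYSTEM;
AUDIT POLICY ua_alter_system;

-- Confirm the new policies are enabled and for whom.
SELECT policy_name, enabled_option, entity_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name IN ('UA_TAB1_ALL', 'UA_TAB1_UPDATE',
                       'UA_SESSIONS', 'UA_ALTER_SYSTEM')
ORDER  BY policy_name;

-- Confirm records arrive in the unified trail before retiring the
-- traditional settings on the 19c source.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, return_code, unified_audit_policies
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%UA_SESSIONS%'
   OR  unified_audit_policies LIKE '%UA_TAB1_%'
   OR  unified_audit_policies LIKE '%UA_ALTER_SYSTEM%'
ORDER  BY event_timestamp DESC
FETCH FIRST 20 ROWS ONLY;

-- On the 19c source, once coverage is confirmed, switch off the traditional
-- options so that the same action is not recorded twice.
NOAUDIT ALL ON tab1;
NOAUDIT update table BY user1, user2;
NOAUDIT session;
NOAUDIT alter system;
```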



Unified Auditing | Policy Migration

Documentation



Unified Auditing | Upgrade and Migration to Oracle 23c

For most environments, the upgrade to 23c will be a migration to Multitenant

What if you use TA before?

Upgrade:
• You must be on the CDB architecture
• If you upgrade "everything at once", it stays as is

Migration:
• You migrate a non-CDB to a PDB
• Be aware of the audit parameters in your freshly created CDB
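
One way to take stock before the move: the queries below inventory the traditional audit configuration of a source database so it can be compared with the freshly created CDB. This is an added example, not part of the original slides; it uses only standard dictionary views and the trail tables named earlier in the deck.

```sql
-- Added example: inventory of traditional auditing before going to 23c.
-- Run in the source database; rerun query 1 and 2 in the target CDB to compare.

-- 1) Traditional audit parameters and whether they were set explicitly
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_sys_operations',
                'audit_file_dest', 'audit_syslog_level')
ORDER  BY name;

-- 2) Mixed Mode (FALSE) or Pure Mode (TRUE)?
SELECT parameter, value
FROM   v$option
WHERE  parameter = 'Unified Auditing';

-- 3) Traditional statement and privilege audit options still in place
SELECT 'STATEMENT' AS kind, user_name, audit_option AS audited, success, failure
FROM   dba_stmt_audit_opts
UNION ALL
SELECT 'PRIVILEGE', user_name, privilege, success, failure
FROM   dba_priv_audit_opts
ORDER  BY 1, 2, 3;

-- 4) Objects with traditional DML audit options
--    (other option columns such as ALT or GRA follow the same pattern)
SELECT owner, object_name, object_type, sel, ins, upd, del
FROM   dba_obj_audit_opts
WHERE  sel <> '-/-' OR ins <> '-/-' OR upd <> '-/-' OR del <> '-/-'
ORDER  BY owner, object_name;

-- 5) Volume left in the traditional trails
SELECT 'SYS.AUD$' AS trail, COUNT(*) AS records FROM sys.aud$
UNION ALL
SELECT 'SYS.FGA_LOG$', COUNT(*) FROM sys.fga_log$;

-- 6) Unified policies already enabled
SELECT policy_name, enabled_option, entity_name, success, failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name;
```

Rows returned by queries 3 and 4 are the settings that need a unified policy, since they are not converted automatically.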


YouTube | Oracle Database Upgrades and Migrations

• 300+ videos

• New videos every week

• No marketing

• No buzzword

• All tech



THANK YOU

Visit our blogs:

https://MikeDietrichDE.com

https://DOHdatabase.com

https://www.dbarj.com.br/en

Webinars:

https://MikeDietrichDE.com/videos

YouTube channel:

OracleDatabaseUpgradesandMigrations