Call: +44 (0)1904 557620 Call
Blog
Home / Archives / August 2023 / Re-Enable Traditional Audit in 23c

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle 23c Traditional Audit De-supported"] [Next entry: "Coding, Languages and Oracle"]

Re-Enable Traditional Audit in 23c

August 14th, 2023 by Pete


I wrote a post at the end of last week that told that Oracle deprecated traditional audit in 21c and de-supported it in 23c. Oracle honour the traditional audit settings in 23c if you migrated from an older database BUT they don't allow you to add new traditional audit rules in 23c. Also Oracle have deprecated the parameters such as audit_trail in 23c and they will be removed at some point in the future.

If we try and enable a traditional audit rule in 23c Free then we get:

SQL> audit create session;
audit create session
      *
ERROR at line 1:
ORA-46401: No new traditional AUDIT configuration is allowed. Traditional auditing is de-supported, and you should use unified auditing in its place.


SQL>

I was aware of new hidden parameters in 23c as I looked at them as soon as 23c came out months ago. I was aware of a parameter that allows traditional audit to be still used in 23c but refrained from mentioning it in my last blog - Oracle 23c Traditional Audit De-supported - because we cannot recommend to use de-supported features or use backdoors to allow access. BUT, someone asked a question on Linkedin in relation to that blog post as to whether it is possible to reenable traditional audit in 23c. They made a good point, that someone may need to do it. I thought a little more and it could be that you have an application that has traditional audit and the vendor doesn't yet support Unified audit BUT as part of an upgrade it sets, re-sets traditional audit. If the 23c is in its current state then that would fail and you would lose your audit. So, yes I can see a need to do this BUT you should not use underscore parameters as the norm and if its production as Oracle support first. Remember, you could enable traditional audit to add missing settings and then disable again.

So, yes it is possible to re-enable traditional audit BUT probably not supported unless you ask first. So here is the parameter for completeness:

SQL> l
  1  SELECT ppi.ksppinm "Parameter",
  2         ppcv.ksppstvl "Session Value",
  3         psv.ksppstvl "Instance Value"
  4  FROM   x$ksppi ppi,
  5         x$ksppcv ppcv,
  6         x$ksppsv psv
  7  WHERE  ppi.indx = ppcv.indx
  8  AND    ppi.indx = psv.indx
  9  AND    ppi.ksppinm = '_allow_traditional_audit_configuration'
 10* order by ppi.ksppinm
SQL> /
_allow_traditional_audit_configuration   FALSE                          FALSE

SQL>

If we set this parameter:

SQL> alter system set "_allow_traditional_audit_configuration"=true scope=both;

System altered.

SQL>

Check it:

SQL> @hidden
_allow_traditional_audit_configuration   TRUE                           TRUE

SQL>

Now test adding a new traditional audit rule:

SQL> audit create session;

Audit succeeded.

SQL> select banner from v$version;
Oracle Database 23c Free, Release 23.0.0.0.0 - Developer-Release

SQL>

So, lets put it back to its correct setting:

SQL> alter system set "_allow_traditional_audit_configuration"=false scope=both;

System altered.

SQL> @hidden
_allow_traditional_audit_configuration   FALSE                          FALSE

SQL>

So, it is possible to still fully use traditional auditing in 23c

#oracleace #23c #oracle #database #security #audit #audittrail #databreach

August 2023

Archives

Weblog Home
Weblog Archives

Syndication

RSS 1.0 FEED RSS 2.0 FEED Atom 0.3 FEED Powered by gm-rss 2.0.0