4 Replies Latest reply: Apr 2, 2014 3:19 PM by Maki RSS

    Unified Auditing Documentation Confusion

    Matthew Morris

      In the Oracle® Database Security Guide 12c Release 1, "Chapter 21 Introduction to Auditing"

       

      Under the section "Benefits of the Unified Audit Trail" is a bullet point: "The unified auditing functionality is always enabled and does not depend on the initialization parameters that were used in previous releases..."

       

      A few lines below that under the section "Checking if Your Database Has Migrated to Unified Auditing" is a query to see if Unified Auditing has been configured and the statement: "This output shows that unified auditing is enabled."

       

      If you need to run a SQL command to determine whether or not Unified Auditing has been enabled... then it is not always enabled. So... what does the first statement really mean?

        • 1. Re: Unified Auditing Documentation Confusion
          Matthew Morris

          OK -- another statement a bit later that makes no sense.  Under the section "How Database Creation Determines the Type of Auditing You Have Enabled" is the following:

           

          "Unified auditing uses the $ORACLE_BASE/audit directory as the location for the new format operating system files. For newly created databases, mixed mode auditing is enabled by default through the predefined policy ORA_SECURECONFIG.

           

          To start using mixed mode auditing, you must enable at least one unified audit policy, and to stop using it, disable all unified audit policies."

           

          I'm pretty sure the underlined section should be 'unified auditing'.

          • 2. Re: Unified Auditing Documentation Confusion
            Pat Huey-Oracle

            Hi Matthew,

             

            Apologies for these errors! Thanks for catching them. I've made the following corrections:

            • Under "Benefits of the Unified Audit Trail," I changed the first sentence to say, "After unified auditing is enabled, it does not depend on the initialization parameters that were used in previous releases."
            • Under "How Database Creation Determines the Type of Auditing You Have Enabled," I changed the second paragraph to say, "To start using unified auditing, you must enable at least one unified audit policy, and to stop using it, disable all unified audit policies."

            These changes will appear the next time the book is refreshed on OTN.

            Best,

            Pat Huey

            • 3. Re: Unified Auditing Documentation Confusion
              Zoran Pavlovic

              "To start using unified auditing, you must enable at least one unified audit policy, and to stop using it, disable all unified audit policies."

               

              This is not correct. There are two mods: Mixed mode and Unified mode. Unified mode is enabled as database option (by relinking Oracle). Mixed mode is enabled by enabling unified audit policy. In mixed mode, both old initialization parameters, and new configuration are active. In unified mode, old initialization parameters are inactive.

               

              If you upgraded to Oracle Database 12c, then you should enable one of the predefined policies, or create a new one and enable it in order for mixed mode to work.

               

              In newly created Oracle Database 12c, mixed mode is enabled by default. (ORA_SECURECONFIG is enabled by default).

               

              So it should state: "To start using mixed mode auditing, if no polices are enabled, then you must enable at least one unified audit policy, and to stop using it, disable all unified audit policies."

               

              -Zoran

              • 4. Re: Unified Auditing Documentation Confusion
                Maki

                Hi,

                 

                I agree with Zoran.

                 

                This is also stated in http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/12c/r1/security/sec_uni_audit/sec_uni_audit.html?cid=6777&ssid=0

                 

                • " When a database is upgraded from a previous release, before you decide to switch to the unified auditing mode,  you can use the mixed mode by creating a policy with CREATE AUDIT POLICY command and then enabling it with AUDIT command. If you do not wish to create a new policy, you can simply enable one of the predefined policies - ORA_SECURECONFIG or ORA_ACCOUNT_MGMT or ORA_DATABASE_PARAMETER. Either of this puts the database in mixed auditing mode. The old audit syntax continues to work and the old audit destinations continues to be written to.
                • When a database is created, mixed auditing mode is used by default through the predefined enabled policy ORA_SECURECONFIG. But unified auditing mode is not yet enabled."

                 

                Kind regards,

                Maja