Re: Unified audit pure mode pros and cons

From: Neil Chandler <neil_chandler_at_hotmail.com>
Date: Wed, 9 Aug 2023 21:39:07 +0000
Message-ID: <AM8P194MB1628A9555B6579DB23D997388512A_at_AM8P194MB1628.EURP194.PROD.OUTLOOK.COM>



My preference is to use Unified Audit if on 12.2, 18 or 19 in pure mode. From 21, you have no choice as traditional audit is deprecated. Don't use it on 12.1 unless you've patched to the 12.2 version of Unified (MOS 2063340.1).

Advantages of Pure mode:
      a) Everything is in 1 location** - SYSAUD.AUD$UNIFIED table (** plus the overspill area in $ORACLE_BASE/audit if you can't write to the table for any reason, such as on Active Data Guard or if the tablespace is full).
         That's all audit policies, Fine Grained Audit, SYS audit, Label Security, Database Vault, Real Application Security, RMAN, Data Pump - all in 1 place.
         In traditional audit on a 2 node RAC cluster, that could be quite a few locations and formats to pull together in several tables and O/S locations. That makes Unified much simpler, and harder to circumvent.

      b) Unless you've explicitly disabled it, you're already using Unified Audit to some degree.

      c) It's better as you have conditional audit clauses in the policies, giving more granular audit.

      d) Enabling several of the supplied policies almost covers most companies' basic audit requirements.

      e) Housekeeping is only via the packages - you can't directly change the tables (without hacking), and you can restrict access to the packages to a security team and remove it from the DBAs.

Disadvantages:
      a) You need to keep the overspill area tidy otherwise you can hit performance issues on disk (every 30 minutes if you use OEM).
         Frequent (at least daily) loading of the overspill into the table is a good idea (dbms_audit_mgmt.load_unified_audit_files does this quickly and easily, although you may have to copy from an active DG standby to the primary).

If you have traditional audit, check MOS 2909718.1 for a program to help convert this to audit policies.

Regards

Neil Chandler



From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> on behalf of Tahon Dirk [GTSBE] <dmarc-noreply_at_freelists.org>
Sent: 09 August 2023 16:51
To: ORACLE-L <oracle-l_at_freelists.org>
Subject: Unified audit pure mode pros and cons

Hi all,

As standard, Oracle comes with mixed mode, which allows us to use both traditional auditing and unified audit policies.

In case one only wants to use unified auditing, there are two options:

  1. Just use the default mixed mode, configure unified audit policies (and do not issue any traditional AUDIT statements).
  2. Relink the binaries to enable pure mode and configure unified audit policies.

Questions:

  1. Are there any benefits of option 2 (pure mode)? I.e., why bother going through the relinking burden if unified auditing can be used in mixed mode as well?
  2. Assuming there are benefits, are there also disadvantages in using pure mode?

Regards,

Dirk

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Aug 09 2023 - 23:39:07 CEST
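
An added illustration of points (c), (d) and (e) and of the overspill housekeeping described in the reply above, in Oracle SQL; it is not code from either poster. The HR.SALARIES table, the PAYROLL_APP and SEC_AUDIT_ADMIN accounts, and the policy and job names are hypothetical.

```sql
-- Added example; object, account, policy and job names are hypothetical.

-- TRUE = pure unified mode (binaries relinked), FALSE = mixed mode.
SELECT value FROM v$option WHERE parameter = 'Unified Auditing';

-- (c) Conditional policy: record access to a sensitive table only when the
-- session user is NOT the application account (assumed name PAYROLL_APP).
CREATE AUDIT POLICY sal_access_outside_app
  ACTIONS SELECT ON hr.salaries,
          UPDATE ON hr.salaries,
          DELETE ON hr.salaries
  WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') <> ''PAYROLL_APP'''
  EVALUATE PER SESSION;

AUDIT POLICY sal_access_outside_app;

-- (d) Two of the Oracle-supplied policies.
AUDIT POLICY ora_secureconfig;
AUDIT POLICY ora_logon_failures WHENEVER NOT SUCCESSFUL;

-- (e) Audit administration, including DBMS_AUDIT_MGMT housekeeping, is
-- given to a security account through the AUDIT_ADMIN role.
GRANT audit_admin TO sec_audit_admin;

-- Overspill: load the spill files into the table now (on a read-write
-- database), then schedule the same call daily. Create the job as the
-- audit administration account so it runs with that account's privileges.
BEGIN
  DBMS_AUDIT_MGMT.LOAD_UNIFIED_AUDIT_FILES;
END;
/

BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name        => 'LOAD_UNIFIED_AUDIT_SPILL',
    job_type        => 'PLSQL_BLOCK',
    job_action      => 'BEGIN DBMS_AUDIT_MGMT.LOAD_UNIFIED_AUDIT_FILES; END;',
    start_date      => SYSTIMESTAMP,
    repeat_interval => 'FREQ=DAILY;BYHOUR=2',
    enabled         => TRUE);
END;
/

-- Review the last day of records, with the policy that produced each one.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, unified_audit_policies
FROM   unified_audit_trail
WHERE  event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp;
```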
