RE: Unified audit pure mode pros and cons

From: Tahon Dirk [GTSBE]
Date: Thu, 10 Aug 2023 05:32:21 +0000
Message-ID: <CY4PR0701MB370072C442776F9F7D67F8A48313A_at_CY4PR0701MB3700.namprd07.prod.outlook.com>



Hi Neil,

Thanks for your feedback.
Two thoughts though:

  1. I know that traditional audit is deprecated as of 21c but it is still there and as far as I know, you still have the choice between pure and mixed mode. Also the documentation still talks about mixed-mode (heavily in 21c docs, less but still in 23c docs).
  2. About the advantages and disadvantages you mentioned: I think these apply to “unified auditing” and not specifically to pure-mode unified auditing, i.e. they also apply if you’re running in mixed-mode but use the unified audit policies. I’m not questioning unified audit; only wondering if using it in mixed-mode is as good as using it in pure-mode.

Regards,
Dirk Tahon

From: Neil Chandler <neil_chandler_at_hotmail.com>
Sent: Wednesday, 9 August 2023 23:39
To: ORACLE-L <oracle-l_at_freelists.org>; Tahon, Dirk [GTSBE] <dtahon_at_ITS.JNJ.COM>
Subject: [EXTERNAL] Re: Unified audit pure mode pros and cons

My preference is to use Unified Audit if on 12.2, 18 or 19 in pure mode. From 21, you have no choice as traditional audit is deprecated. Don't use it on 12.1 unless you've patched to the 12.2 version of Unified (MOS 2063340.1).

Advantages of Pure mode:
      a) Everything is in 1 location** - SYSAUD.AUD$UNIFIED table (** plus the overspill area in $ORACLE_BASE/audit if you can't write to the table for any reason, such as on Active Dataguard or if the tablespace is full).
         That's all audit policies, Fine Grained Audit, SYS audit, Label Security, Database Vault, Real Application Security, RMAN, Datapump - all in 1 place.
         In traditional audit on a 2 node RAC cluster, that could be quite a few locations and formats to pull together in several tables and O/S locations. That makes Unified much simpler, and harder to circumvent.

      b) Unless you've explicitly disabled it, you're already using Unified Audit to some degree.

      c) It's better as you have conditional audit clauses in the policies, giving more granular audit.

      d) Enabling several of the supplied policies almost covers most companies' basic audit requirement.

      e) Housekeeping is only via the packages - you can't directly change the tables (without hacking), and you can restrict access to the packages to a security team and remove from the DBAs.

Disadvantages:
      a) You need to keep the overspill area tidy otherwise you can hit performance issues on disk (every 30 minutes if you use OEM).
         Frequent (at least daily) loading of the overspill into the table is a good idea (dbms_audit_mgmt.load_unified_audit_files does this quickly and easily, although you may have to copy from an active DG standby to the primary).

If you have traditional audit, check MOS 2909718.1 for a program to help convert this to audit policies

regards

Neil Chandler



From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> on behalf of Tahon Dirk [GTSBE] <dmarc-noreply_at_freelists.org>
Sent: 09 August 2023 16:51
To: ORACLE-L <oracle-l_at_freelists.org>
Subject: Unified audit pure mode pros and cons

Hi all,

Oracle comes standard with mixed mode, which allows us to use both the traditional auditing as well as unified audit policies.

In case one only wants to use unified auditing, there are two options:

  1. Just use the default mixed mode, configure unified audit policies (and not issue any traditional AUDIT statements)
  2. Relink the binaries to enable pure mode and configure unified audit policies

Questions:

  1. Are there any benefits of option 2 (pure mode)? I.e., why bother going through the relinking burden if unified auditing can be used in mixed mode as well?
  2. Assuming there are benefits, are there also disadvantages in using pure mode?

Regards,

Dirk

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Aug 10 2023 - 07:32:21 CEST
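
As an added example (not part of the original thread), the Oracle SQL below checks which mode a database runs in, lists any traditional audit settings still in place under mixed mode, and exercises the conditional policy clause and the overspill load that Neil's reply mentions. The schema, table, user and policy names are hypothetical.

```sql
-- Added example; EXAMPLE_APP.PAYMENTS, EXAMPLE_DBA and the policy name
-- are hypothetical. Run as a user with the AUDIT_ADMIN role.

-- 1. Pure or mixed mode? TRUE = pure (binaries relinked), FALSE = mixed.
SELECT value AS unified_auditing_pure_mode
FROM   v$option
WHERE  parameter = 'Unified Auditing';

-- 2. Mixed mode only: rows or a non-NONE trail here are traditional audit
--    settings still in place alongside the unified policies.
SELECT value AS audit_trail FROM v$parameter WHERE name = 'audit_trail';
SELECT 'STMT' AS kind, COUNT(*) AS settings FROM dba_stmt_audit_opts
UNION ALL
SELECT 'PRIV', COUNT(*) FROM dba_priv_audit_opts;

-- 3. Unified audit policies currently enabled (supplied and custom).
SELECT policy_name, success, failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name;

-- 4. A conditional policy: audit changes to one table only when they are
--    made from sessions of a named account.
CREATE AUDIT POLICY example_dba_payments_pol
  ACTIONS UPDATE ON example_app.payments,
          DELETE ON example_app.payments
  WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''EXAMPLE_DBA'''
  EVALUATE PER SESSION;

AUDIT POLICY example_dba_payments_pol;

-- 5. Housekeeping through the package: load overspill files written under
--    $ORACLE_BASE/audit into the unified audit table.
BEGIN
  DBMS_AUDIT_MGMT.LOAD_UNIFIED_AUDIT_FILES;
END;
/

-- 6. Review what the policy captured, from the single unified trail.
SELECT event_timestamp, dbusername, action_name, object_name
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%EXAMPLE_DBA_PAYMENTS_POL%'
ORDER  BY event_timestamp DESC;
```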
