Logon Failure Is Always Audited Without Evaluating Conditions Of Unified Auditing Policies
(Doc ID 2561677.1)
Last updated on APRIL 17, 2023
Applies to:
Oracle Database - Enterprise Edition - Version 12.1.0.1 and later Information in this document applies to any platform.
Symptoms
Logon failure is always audited whatever the conditions of Unified Auditing Policies meet or not, while logon success will be audited only all the conditions meet.
SQL> CREATE AUDIT POLICY ASP_AUDPOL_13 ACTIONS LOGON WHEN '( (SYS_CONTEXT(''USERENV'',''OS_USER'')= ''root'' ) <<<<<<<<<--- With condition that only OS USER: root is audited )' EVALUATE PER SESSION; 2 3 4 5 6
Warning: You are no longer connected to ORACLE. SQL> CONN / as sysdba Connected. SQL> select dbusername,event_timestamp,OS_USERNAME,ACTION_NAME,RETURN_CODE,UNIFIED_AUDIT_POLICIES from unified_audit_trail where UNIFIED_AUDIT_POLICIES like '%ASP_AUDPOL_13%'; 2 DBUSERNAME EVENT_TIMESTAMP OS_USERNAME ACTION_NAM RETURN_CODE UNIFIED_AUDIT_POLICIES ---------- ------------------------------ ------------------------------ ---------- ----------- ------------------------- SYSTEM 03-JUL-19 08.37.44.496241 AM oracle LOGON 1017 ASP_AUDPOL_13 <<<<<<<<<<<<<<<<<<<<<-------- Audit log generated though OS_USERNAME is “oracle”
SQL> conn system/<correct password> Connected. SQL> select dbusername,event_timestamp,OS_USERNAME,ACTION_NAME,RETURN_CODE,UNIFIED_AUDIT_POLICIES from unified_audit_trail where UNIFIED_AUDIT_POLICIES like '%ASP_AUDPOL_13%'; 2 DBUSERNAME EVENT_TIMESTAMP OS_USERNAME ACTION_NAM RETURN_CODE UNIFIED_AUDIT_POLICIES ---------- ------------------------------ ------------------------------ ---------- ----------- ------------------------- SYSTEM 03-JUL-19 08.37.44.496241 AM oracle LOGON 1017 ASP_AUDPOL_13 <<<<<<<<<<<<<<<<<<<<<--------No new audit log generated.
SQL>
Changes
Cause
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
