Versions: 12.1 - 21c

Beginning with Oracle Database version 12.1, Oracle added a new file named secconf.sql to the $ORACLE_HOME/rdbms/admin directory. It is run by default when a new database is created, but not when a database is upgraded using DBUA (Database Upgrade Assistant).

Because of this, two Oracle Databases at the same version (12.1, 12.2, 18.3, 19.3, or above) can easily have different security configurations. Read the full secconf.sql file for the version you are using and, equally important, execsec.sql, as a roadmap to the differences that may exist between databases with the exact same version number.

From our standpoint, we find the new Container architecture substantially more secure than the previous legacy architecture and the new Unified Audit Policies created by this script better than legacy auditing.

Use the following information to help you understand the impact of leveraging secure configuration.
Source Code
File Header
Rem $Header: rdbms/admin/execsec.sql /main/5 2020/07/20 01:06:26 dgoddard Exp $
Rem execsec.sql
Rem Copyright (c) 2006, 2014, Oracle and/or its affiliates.
Rem All rights reserved.
Rem execsec.sql - secure configuration settings

Rem Secure configuration settings for the database include a reasonable
Rem default password profile, password complexity checks, audit settings
Rem (enabled, with admin actions audited), and as many revokes from PUBLIC
Rem as possible. In the first phase, only the default password profile is
Rem included.

Note that even though the file header references revokes from PUBLIC ... none take place.
Auditing Version
PROMPT Do you wish to configure 11g style Audit Configuration OR
PROMPT Do you wish to configure 12c Unified Audit Policies?
PROMPT Enter RDBMS_11G for former or RDBMS_UNIAUD for latter

While the script is running there will be 3 prompts for input. "11g style Audit Configuration" means legacy auditing; "12c Unified Audit Policies" indicates that the new 12c technology should be deployed.

We recommend, in the strongest terms, moving forward from Oracle's legacy architecture to the new Container Database (CDB & PDB) architecture. As part of that move, improve the manageability and maintainability of your databases by replacing legacy auditing with the new Unified Audit Policies, and upgrade using a technique that includes executing the secconf.sql script, with or without execsec.sql.
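
The following query is an added example, not part of Oracle's scripts or the original page. It snapshots the areas the script header and prompt name (the DEFAULT password profile, legacy auditing and unified audit policies) as one sorted result set that can be spooled from two databases of the same version and diffed. It assumes a user that can query the DBA_*, V$ and AUDIT_UNIFIED_* views; in a CDB, run it in each container.

```sql
-- Added example: secure-configuration snapshot for comparing two databases.
-- Spool the output on each database and diff the two files.

-- 1. Password limits on the DEFAULT profile
SELECT 'PROFILE' AS area,
       resource_name AS item,
       limit AS setting
FROM   dba_profiles
WHERE  profile = 'DEFAULT'
AND    resource_type = 'PASSWORD'
UNION ALL
-- 2. Whether the Unified Auditing option is linked into the binary
SELECT 'OPTION', parameter, value
FROM   v$option
WHERE  parameter = 'Unified Auditing'
UNION ALL
-- 3. Legacy audit trail destination (NONE means legacy auditing is off)
SELECT 'PARAMETER', name, value
FROM   v$parameter
WHERE  name = 'audit_trail'
UNION ALL
-- 4. Unified audit policies that are currently enabled
SELECT DISTINCT 'UNIFIED_POLICY',
       policy_name,
       'SUCCESS=' || success || ' FAILURE=' || failure
FROM   audit_unified_enabled_policies
UNION ALL
-- 5. Legacy (11g style) statement audit options still in effect
SELECT 'LEGACY_AUDIT',
       audit_option || NVL2(user_name, ' BY ' || user_name, ''),
       'SUCCESS=' || success || ' FAILURE=' || failure
FROM   dba_stmt_audit_opts
ORDER  BY 1, 2;
```

Rows that appear in one spool file but not the other show where a database that was upgraded differs from one that was newly created.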
