Tuesday, September 20, 2011

Poke switches off Oracle database auditing

At this year's Hacktivity conference in Budapest, security researcher László Tóth demonstrated a method that can disable the auditing functions and the authentication in all versions of the Oracle database. To do so, it uses the oradebug command, which is undocumented but present in every Oracle installation. Auditing is meant to ensure reliable logging of database actions, so that tampering can be traced back.
Among other things, oradebug offers the poke command, familiar decades ago from BASIC as a way to change memory contents. According to Tóth, this makes it possible to stop auditing for system users with SYSDBA and SYSOPER privileges as well. The only condition is that the attacker can execute oradebug; the SYSDBA privilege, which is easily obtained by a database administrator, is enough. Tóth also shows this in the presentation.
To shut down auditing, it is sufficient to read the memory address of a system variable from the internal table X$KSMFSV with an SQL statement and then set it to zero:
SQL> oradebug poke 0x60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000
Oracle security expert Alexander Kornbrust therefore considers products like Oracle Audit Vault, which are based on the auditing capabilities of the database and which, according to their own advertising, also log the actions of privileged users, to be "almost useless". A SYSDBA / SYSOPER user can briefly disable auditing, perform some operations and enable it again.
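Because the database's own audit trail is the thing being switched off, any record of the poke has to come from outside the database. The following is an added detection example, not code from the article or from Tóth's presentation: it scans a session transcript for oradebug poke commands and parses the BEFORE/AFTER output format quoted above. It assumes SQL*Plus sessions are captured by terminal logging or spool files; the function names and the sample transcript are constructed.

```python
import re

# Constructed sample of a captured SQL*Plus session (assumption: terminal
# logging or a spool file); the poke output mirrors the format quoted above.
SAMPLE = """\
SQL> select count(*) from dual;
SQL> oradebug setmypid
SQL> oradebug poke 0x60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000
SQL> oradebug poke 0x60031bb0 1 1
BEFORE: [060031BB0, 060031BB4) = 00000000
AFTER: [060031BB0, 060031BB4) = 00000001
"""

POKE = re.compile(r"oradebug\s+poke\s+(?:0x)?([0-9a-f]+)\s+(\d+)", re.I)
DUMP = re.compile(
    r"^\s*(BEFORE|AFTER):\s*\[[0-9A-F]+,\s*[0-9A-F]+\)\s*=\s*([0-9A-F]+)", re.I)

def find_pokes(transcript):
    """Return one record per 'oradebug poke' with the memory values around it."""
    events = []
    for lineno, line in enumerate(transcript.splitlines(), 1):
        m = POKE.search(line)
        if m:
            events.append({"line": lineno, "address": int(m.group(1), 16),
                           "length": int(m.group(2)),
                           "before": None, "after": None})
            continue
        d = DUMP.match(line)
        if d and events:
            key = d.group(1).lower()
            if events[-1][key] is None:   # keep only the first dump per poke
                events[-1][key] = int(d.group(2), 16)
    for e in events:
        # A set value overwritten with zero is the pattern the article shows.
        # If the output was not captured, before/after stay None and this is False.
        e["zeroed"] = (e["before"] is not None and e["before"] != 0
                       and e["after"] == 0)
    return events

def report(transcript):
    """Human-readable alert lines, one per poke found."""
    return [f"line {e['line']}: poke at 0x{e['address']:x} "
            f"{'ZEROED a set value' if e['zeroed'] else 'modified memory'}"
            for e in find_pokes(transcript)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Any poke in a production session merits review, whether or not it zeroes a value; the zeroed flag only highlights the disable-then-re-enable sequence Kornbrust describes.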
