Okay, so we configure all the encryption at rest/transport and put these fancy security measures in place (in our case, Oracle 12c on Solaris 11). I thought about "what other ways I could get information from the database and squirrel it away?(playing the role of the "insider threat")". SPOOL! Well, I then added spool to a list of things (in the public user profile) that can't be run from sqlplus and that does block it. Now, there is a legitimate case or two where we would need to run spool. I figured that spool very well might use utl_file (internally) to fopen a file within the operating system, so why not just audit execute on "util_file" then? So I traced a session that spooled to /tmp and tkprof'd that (to include sys level calls) and nothing showed up (only my query!). Hmmm. I then turned my attention to using the operating system (Dtrace) to detect "fopen" activities in the system and it does detect when Oracle (through SQLPLus) opens a file. I'd have to tweak the Dtrace "predicate" in Solaris 11(this is what I used to detect opened files) so that I don't see tons of other files opening up in the OS. I'm sure I'm not the only one to think about watching spool activities. Does anyone else have any ideas about how to observe spooling activities? I know I'm being paranoid, but I'm also sick of hearing about people just walking out the door (in general) with critical data.