Hi
I'm struggling with the default setting for unified auditing in Oracle 12c (12.1.0.2):
I didn't change anything so the following setting is active:
- AUDIT_TRAIL=DB (I know that this is useless)
- Parameter 'Unified Auditing' = FALSE in v$option
No changes to ORA_SECURECONFIG!
I did the following test:
1. create user
2. alter user (change password)
3. drop user
If I'm logged in with SYSTEM, everything is audited as expected
but if I'm logged in with SYS only the ALTER USER Is being audited.
Here's the layout:
SQL> SELECT policy_name, audit_option, audit_option_type FROM audit_unified_policies
2 WHERE policy_name IN ('ORA_SECURECONFIG')
3 AND audit_option LIKE '%USER%'
4* ORDER BY AUDIT_OPTION_type
POLICY_NAME AUDIT_OPTION AUDIT_OPTION_TYPE
-------------------- --------------- --------------------
ORA_SECURECONFIG ALTER USER STANDARD ACTION
ORA_SECURECONFIG DROP USER SYSTEM PRIVILEGE
ORA_SECURECONFIG CREATE USER SYSTEM PRIVILEGE
SQL> SELECT * FROM audit_unified_enabled_policies
USER_NAME POLICY_NAME ENABLED_ SUC FAI
-------------------- -------------------- -------- --- ---
ALL USERS ORA_SECURECONFIG BY YES YES
ALL USERS ORA_LOGON_FAILURES BY NO YES
SQL> SELECT audit_type,dbusername, action_name,sql_text
2 FROM unified_audit_trail
3 WHERE event_timestamp > sysdate - 1/24
4* ORDER BY event_timestamp desc
AUDIT_TYPE DBUSERNAME ACTION_NAME SQL_TEXT
--------------- ------------------------------ --------------- --------------------------------------------------
Standard SYS ALTER USER ALTER USER johannes IDENTIFIED BY *
Standard SYSTEM DROP USER DROP USER JOHANNES
Standard SYSTEM ALTER USER ALTER USER johannes IDENTIFIED BY *
Standard SYSTEM CREATE USER CREATE USER johannes IDENTIFIED BY *
Any idea why some commands are audited while others are not?