Steps to Set up Auditing

AUDIT_SYS_OPERATIONS Audit connections by sys and sysdba to .aud files. When you enable the parameter audit_sys_operations the database will write a trace file of the session actions to the udump directory. This parameter should be enabled on ALL production databases. Enable It alter system set audit_sys_operations=TRUE scope=spfile; -- then restart shutdown immediate; startup Verify it show parameter audit_sys_operations;

AUDIT_TRAIL Audit SESSION, DCL, DDL, DML, Select statements to table AUD$ or OS files. Setting up Oracle Audit using audit_trail parameter will cause the database to write audit records to table SYS.AUD$ or OS files. The DBA can then choose which audit options to enable to capture information about SESSION, DDL, DCL, DML, and select statements. This is the easiest and most common method of auditing an oracle database, and this parameter should be set on ALL production databases. Usually there will be a lot more DML statements than DDL and DCL, so many companies choose to only audit SESSION, DDL, and DCL. AUDIT_TRAIL settings Parameter Value Meaning DB :- Enables database auditing and directs all audit records to the database audit trail (SYS.AUD$), except for records that are always written to the operating system audit trail DB_EXTENDED :- Does all actions of AUDIT_TRAIL=DB and also populates the SQL bind and SQL text columns of the SYS.AUD$ table XML :- Enables database auditing and directs all audit records in XML format to an operating system file XML_EXTENDED Does all actions of AUDIT_TRAIL=XML, adding the SQL bind and SQL text columns OS :- (recommended) Enables database auditing and directs all audit records to an operating system file

Enable it alter system set audit_trail=DB, EXTENDED scope=spfile; shutdown immediate; startup; # Audit logon, DDL and DCL (Run this to Audit DDL and DCL ) audit create session by access; -- (this collects login details including OSUSER, HOST etc, but -----unfortunately not program.) audit audit system by access; audit grant any privilege by access; audit grant any object privilege by access; audit grant any role by access; audit create user by access; audit create any table by access; audit create public database link by access; audit create any procedure by access; audit alter user by access; audit alter any table by access; audit alter any procedure by access; audit alter database by access; audit alter system by access; audit alter profile by access; audit drop user by access; audit drop any procedure by access; audit drop any table by access; audit drop profile by access; # If you choose to audit DML on a schema then it may generate a lot of data. Enable DML audit selectively. audit select table, insert table, update table, delete table by username by access; Verify it show parameter audit_trail; select * from dba_stmt_audit_opts union select * from dba_priv_audit_opts; What does it give me ? Select from the AUD$, DBA_AUDIT_TRAIL, DBA_AUDIT_SESSION tables/views to find records relating to audited SESSION, DDL, DML, DCL, Select statements.

-- Basic audit output listing user actions select os_username,username,timestamp,action_name,returncode from dba_audit_session; -- Audit report including the transaction statement for user XYZ select os_username,username,timestamp,action_name,sql_text from dba_audit_trail where username = 'XYZ' order by timestamp; # Remember that any information that identifies client information such as module and osuser could be faked from the client, so should be separately verified.