Oracle Database Auditing Scripts - Audit Configuration & Monitoring
Oracle Database Auditing Scripts
Section titled “Oracle Database Auditing Scripts”Complete guide to Oracle database auditing with ready-to-run scripts for configuring, monitoring, and analyzing audit data.
Quick Audit Status Check
Section titled “Quick Audit Status Check”-- Check auditing mode (Traditional vs Unified)SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
-- Current audit configurationSELECT * FROM DBA_AUDIT_MGMT_CONFIG_PARAMS;
-- Audit trail statusSELECT AUDIT_TRAIL, STATUS FROM DBA_AUDIT_MGMT_CLEANUP_JOBS;Unified Auditing (12c+)
Section titled “Unified Auditing (12c+)”Enable Unified Auditing
Section titled “Enable Unified Auditing”-- Check if unified auditing is enabledSELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
-- Create audit policyCREATE AUDIT POLICY security_policyACTIONS CREATE TABLE, DROP TABLE, ALTER TABLE, CREATE USER, DROP USER, ALTER USER, GRANT, REVOKE;
-- Enable policy for all usersAUDIT POLICY security_policy;
-- Enable policy for specific usersAUDIT POLICY security_policy BY hr, scott;View Unified Audit Trail
Section titled “View Unified Audit Trail”-- Recent audit eventsSELECT EVENT_TIMESTAMP, DBUSERNAME, ACTION_NAME, OBJECT_SCHEMA, OBJECT_NAME, SQL_TEXT, RETURN_CODEFROM UNIFIED_AUDIT_TRAILWHERE EVENT_TIMESTAMP > SYSDATE - 1ORDER BY EVENT_TIMESTAMP DESCFETCH FIRST 100 ROWS ONLY;
-- Failed login attemptsSELECT EVENT_TIMESTAMP, DBUSERNAME, OS_USERNAME, USERHOST, AUTHENTICATION_TYPE, RETURN_CODEFROM UNIFIED_AUDIT_TRAILWHERE ACTION_NAME = 'LOGON' AND RETURN_CODE != 0 AND EVENT_TIMESTAMP > SYSDATE - 7ORDER BY EVENT_TIMESTAMP DESC;
-- Privilege usageSELECT EVENT_TIMESTAMP, DBUSERNAME, ACTION_NAME, SYSTEM_PRIVILEGE_USED, OBJECT_SCHEMA, OBJECT_NAMEFROM UNIFIED_AUDIT_TRAILWHERE SYSTEM_PRIVILEGE_USED IS NOT NULL AND EVENT_TIMESTAMP > SYSDATE - 1ORDER BY EVENT_TIMESTAMP DESC;Audit Policies Management
Section titled “Audit Policies Management”-- View all audit policiesSELECT POLICY_NAME, ENABLED_OPT, USER_NAME, SUCCESS, FAILUREFROM AUDIT_UNIFIED_ENABLED_POLICIES;
-- View policy detailsSELECT * FROM AUDIT_UNIFIED_POLICIESWHERE POLICY_NAME = '&policy_name';
-- Disable audit policyNOAUDIT POLICY security_policy;
-- Drop audit policyDROP AUDIT POLICY security_policy;Traditional Auditing (Pre-12c Compatible)
Section titled “Traditional Auditing (Pre-12c Compatible)”Configure Traditional Auditing
Section titled “Configure Traditional Auditing”-- Check audit_trail parameterSHOW PARAMETER audit_trail;
-- Enable auditing (requires restart)ALTER SYSTEM SET audit_trail = DB SCOPE=SPFILE;-- Options: NONE, OS, DB, DB_EXTENDED, XML, XML_EXTENDED
-- Audit specific statementsAUDIT CREATE TABLE BY ACCESS;AUDIT DROP ANY TABLE BY ACCESS;AUDIT ALTER USER BY ACCESS;AUDIT GRANT ANY PRIVILEGE BY ACCESS;
-- Audit object accessAUDIT SELECT ON hr.employees BY ACCESS;AUDIT INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;
-- Audit by userAUDIT ALL BY scott BY ACCESS;View Traditional Audit Trail
Section titled “View Traditional Audit Trail”-- DBA audit trailSELECT TIMESTAMP, USERNAME, ACTION_NAME, OBJ_NAME, SQL_TEXT, RETURNCODEFROM DBA_AUDIT_TRAILWHERE TIMESTAMP > SYSDATE - 1ORDER BY TIMESTAMP DESC;
-- Count by action typeSELECT ACTION_NAME, COUNT(*) AS event_countFROM DBA_AUDIT_TRAILWHERE TIMESTAMP > SYSDATE - 7GROUP BY ACTION_NAMEORDER BY COUNT(*) DESC;Security Monitoring Scripts
Section titled “Security Monitoring Scripts”Privileged User Activity
Section titled “Privileged User Activity”-- DBA activity monitoringSELECT EVENT_TIMESTAMP, DBUSERNAME, ACTION_NAME, OBJECT_SCHEMA, OBJECT_NAME, SQL_TEXTFROM UNIFIED_AUDIT_TRAILWHERE DBUSERNAME IN ( SELECT GRANTEE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE = 'DBA')AND EVENT_TIMESTAMP > SYSDATE - 1ORDER BY EVENT_TIMESTAMP DESC;
-- SYS user activitySELECT EVENT_TIMESTAMP, ACTION_NAME, OBJECT_NAME, SQL_TEXTFROM UNIFIED_AUDIT_TRAILWHERE DBUSERNAME = 'SYS' AND EVENT_TIMESTAMP > SYSDATE - 1ORDER BY EVENT_TIMESTAMP DESC;DDL Changes Tracking
Section titled “DDL Changes Tracking”-- All DDL operationsSELECT EVENT_TIMESTAMP, DBUSERNAME, ACTION_NAME, OBJECT_SCHEMA, OBJECT_NAME, SQL_TEXTFROM UNIFIED_AUDIT_TRAILWHERE ACTION_NAME IN ( 'CREATE TABLE', 'DROP TABLE', 'ALTER TABLE', 'CREATE INDEX', 'DROP INDEX', 'CREATE VIEW', 'DROP VIEW', 'CREATE PROCEDURE', 'DROP PROCEDURE', 'CREATE TRIGGER', 'DROP TRIGGER')AND EVENT_TIMESTAMP > SYSDATE - 7ORDER BY EVENT_TIMESTAMP DESC;Data Access Monitoring
Section titled “Data Access Monitoring”-- Access to sensitive tablesSELECT EVENT_TIMESTAMP, DBUSERNAME, ACTION_NAME, OBJECT_NAME, SQL_TEXTFROM UNIFIED_AUDIT_TRAILWHERE OBJECT_NAME IN ('EMPLOYEES', 'SALARIES', 'CREDIT_CARDS') AND EVENT_TIMESTAMP > SYSDATE - 1ORDER BY EVENT_TIMESTAMP DESC;Audit Trail Management
Section titled “Audit Trail Management”Cleanup Old Audit Records
Section titled “Cleanup Old Audit Records”-- Set cleanup intervalBEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, last_archive_time => SYSTIMESTAMP - 90 -- Keep 90 days );END;/
-- Manual cleanupBEGIN DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, use_last_arch_timestamp => TRUE );END;/
-- Create automated cleanup jobBEGIN DBMS_AUDIT_MGMT.CREATE_PURGE_JOB( audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, audit_trail_purge_interval => 24, -- Hours audit_trail_purge_name => 'AUDIT_CLEANUP_JOB', use_last_arch_timestamp => TRUE );END;/Audit Trail Space Usage
Section titled “Audit Trail Space Usage”-- Unified audit trail sizeSELECT OCCUPANT_NAME, OCCUPANT_SIZE/1024/1024 AS size_mbFROM V$SYSAUX_OCCUPANTSWHERE OCCUPANT_NAME LIKE '%AUDIT%';
-- Traditional audit trail sizeSELECT SEGMENT_NAME, BYTES/1024/1024 AS size_mbFROM DBA_SEGMENTSWHERE SEGMENT_NAME LIKE 'AUD$%'ORDER BY BYTES DESC;Common Audit Policies
Section titled “Common Audit Policies”SOX Compliance Policy
Section titled “SOX Compliance Policy”CREATE AUDIT POLICY sox_complianceACTIONS LOGON, CREATE USER, ALTER USER, DROP USER, GRANT, REVOKE, CREATE ROLE, DROP ROLE, ALTER SYSTEM;
AUDIT POLICY sox_compliance;GDPR Data Access Policy
Section titled “GDPR Data Access Policy”CREATE AUDIT POLICY gdpr_data_accessACTIONS SELECT ON hr.employees, SELECT ON hr.personal_data, UPDATE ON hr.employees, DELETE ON hr.employees;
AUDIT POLICY gdpr_data_access;Privileged Access Policy
Section titled “Privileged Access Policy”CREATE AUDIT POLICY priv_accessPRIVILEGES ALTER SYSTEM, CREATE USER, DROP USER, ALTER DATABASE, GRANT ANY PRIVILEGE;
AUDIT POLICY priv_access;