Database Reference
In-Depth Information
This CONTAINER=ALL statement is only executable from a container database. Without the CONTAINER=ALL
keywords, the policy would apply only to the local pluggable database. You'll get an error like the following if you try
to execute that clause from a pluggable database:
SQL> CREATE AUDIT POLICY dba_pol ROLES DBA CONTAINER = ALL;
CREATE AUDIT POLICY dba_pol ROLES DBA CONTAINER = ALL
*
ERROR at line 1:
ORA-65040: operation not allowed from within a pluggable database
Having created an audit policy, you can now query to verify that it exists as you intended. For example:
select * from AUDIT_UNIFIED_ENABLED_POLICIES;
USER_NAME            POLICY_NAME         ENABLED_OPT  SUCCESS  FAILURE
-------------------- ------------------- ------------ -------- ----------
ALL USERS            ORA_SECURECONFIG    BY           YES      YES
ALL USERS            DBA_POL             BY           YES      YES
Notice that ORA_SECURECONFIG is already present as an audit policy. Let's try to disable it.
SQL> noaudit policy ORA_SECURECONFIG;
Noaudit succeeded.
And the secure config is no more, as confirmed by the following query:
select * from AUDIT_UNIFIED_ENABLED_POLICIES;
USER_NAME            POLICY_NAME         ENABLED_OPT  SUCCESS  FAILURE
-------------------- ------------------- ------------ -------- ----------
ALL USERS            DBA_POL             BY           YES      YES
But the best feature of the default audit trail is that all auditing actions are themselves audited, and this can't be turned off through
the documented interfaces. This means that it should be difficult for even an administrator to hide tampering with the
audit-trail configuration. Here is a query to see who has turned off auditing with the NOAUDIT command.
select DBUSERNAME
from UNIFIED_AUDIT_TRAIL
WHERE ACTION_NAME = 'NOAUDIT';
DBUSERNAME
------------
SYS
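The query above names only the user. As an added example (not from the original text), the following widens it to every statement that changes the audit configuration and shows when, from where and with what SQL it was issued, then checks the enabled policies against a baseline. The 30-day window and the two-policy baseline are assumptions chosen for illustration.

```sql
-- Added example: review changes to the audit configuration itself.
-- All columns are from the UNIFIED_AUDIT_TRAIL view.
SELECT event_timestamp,
       dbusername,
       os_username,
       userhost,
       action_name,
       object_name,
       return_code,          -- 0 means the statement succeeded
       sql_text
FROM   unified_audit_trail
WHERE  action_name IN ('AUDIT',
                       'NOAUDIT',
                       'CREATE AUDIT POLICY',
                       'ALTER AUDIT POLICY',
                       'DROP AUDIT POLICY')
AND    event_timestamp >= SYSTIMESTAMP - INTERVAL '30' DAY   -- assumed review window
ORDER  BY event_timestamp DESC;

-- Baseline check: report policies that should be enabled but are not.
-- The expected list here (ORA_SECURECONFIG, DBA_POL) is an assumed baseline
-- built from the policies shown on this page; replace it with your own.
SELECT expected.policy_name AS missing_policy
FROM   (SELECT 'ORA_SECURECONFIG' AS policy_name FROM dual
        UNION ALL
        SELECT 'DBA_POL' FROM dual) expected
WHERE  NOT EXISTS (SELECT 1
                   FROM   audit_unified_enabled_policies e
                   WHERE  e.policy_name = expected.policy_name);
```

After the NOAUDIT shown earlier, the second query would return ORA_SECURECONFIG, and the first would show the NOAUDIT statement that removed it.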