You may have to audit a database for the following suspicious activities:
AUDIT ALTER, INDEX, RENAME ON DEFAULT
BY SESSION;
CREATE TABLE scott.emp . . . ;
CREATE VIEW scott.employee AS SELECT * FROM scott.emp;
AUDIT SESSION BY jward, swilliams;
AUDIT ALTER USER;
AUDIT LOCK TABLE
BY ACCESS
WHENEVER SUCCESSFUL;
AUDIT DELETE ON scott.emp
BY ACCESS
WHENEVER SUCCESSFUL;
The following statements are subsequently issued by the user JWARD:
ALTER USER tsmith QUOTA 0 ON users;
DROP USER djones;
The following statements are subsequently issued by the user SWILLIAMS:
LOCK TABLE scott.emp IN EXCLUSIVE MODE;
DELETE FROM scott.emp WHERE mgr = 7698;
ALTER TABLE scott.emp ALLOCATE EXTENT (SIZE 100K);
CREATE INDEX scott.ename_index ON scott.emp (ename);
CREATE PROCEDURE scott.fire_employee (empid NUMBER) AS
BEGIN
DELETE FROM scott.emp WHERE empno = empid;
END;
/
EXECUTE scott.fire_employee(7902);
The following sections show the information that can be listed using the audit trail views in the data dictionary.
SELECT * FROM sys.dba_stmt_audit_opts;
USER_NAME AUDIT_OPTION SUCCESS FAILURE
-------------------- -------------------- ---------- ----------
JWARD SESSION BY SESSION BY SESSION
SWILLIAMS SESSION BY SESSION BY SESSION
LOCK TABLE BY ACCESS NOT SET
Notice that the view reveals the statement audit options set, whether they are set for success or failure (or both), and whether they are set for BY SESSION or BY ACCESS.
SELECT * FROM sys.dba_priv_audit_opts;
USER_NAME AUDIT_OPTION SUCCESS FAILURE
-------------------- -------------------- ---------- ----------
ALTER USER BY SESSION BY SESSION
SELECT * FROM sys.dba_obj_audit_opts
WHERE owner = 'SCOTT' AND object_name LIKE 'EMP%';
OWNER OBJECT_NAME OBJECT_TY ALT AUD COM DEL GRA IND INS LOC ...
------ ----------- --------- --- --- --- --- --- --- --- --- ...
SCOTT EMP TABLE S/S -/- -/- A/- -/- S/S -/- -/- ...
SCOTT EMPLOYEE VIEW -/- -/- -/- -/- -/- -/- -/- -/- ...
Notice that the view returns information about all the audit options for the specified object. The information in the view is interpreted as follows:
SELECT * FROM all_def_audit_opts;
ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE
--- --- --- --- --- --- --- --- --- --- --- --- ---
S/S -/- -/- -/- -/- S/S -/- -/- S/S -/- -/- -/- -/-
Notice that the view returns information similar to the USER_OBJ_AUDIT_OPTS and DBA_OBJ_AUDIT_OPTS views (see previous example).
SELECT username, obj_name, action_name, ses_actions
FROM sys.dba_audit_object;
SELECT username, logoff_time, logoff_lread, logoff_pread,
logoff_lwrite, logoff_dlock
FROM sys.dba_audit_session;
USERNAME LOGOFF_TI LOGOFF_LRE LOGOFF_PRE LOGOFF_LWR LOGOFF_DLO
---------- --------- ---------- ---------- ---------- ----------
JWARD 02-AUG-91 53 2 24 0
SWILLIAMS 02-AUG-91 3337 256 630 0