The policy used for this purpose is ORA_LOGON_FAILURES, and it will audit both privileged and non-privileged users' attempts to logon to the database.
If you want to audit all privileged users that have successfully logged onto the database, you need to create a new policy.
Here is how:
CREATE AUDIT POLICY PRIVILEGED_USER_LOGONS
ACTIONS LOGON
WHEN 'SYS_CONTEXT (''USERENV'',''CURRENT_USER'') IN (''SYS'',''SYSTEM'')'
EVALUATE PER SESSION;
Start using it:
AUDIT POLICY PRIVILEGED_USER_LOGONS;The resulting audit record can be found immediately afterwards, with this query against UNIFIED_AUDIT_TRAIL:
select os_username "os user",
userhost "host",
authentication_type "authtype",
dbusername "db user",
client_program_name "client",
event_timestamp "time",
action_name "action",
system_privilege_used "sys priv",
unified_audit_policies "aud pol"
from UNIFIED_AUDIT_TRAIL
where event_Timestamp = (select max(event_Timestamp) from UNIFIED_AUDIT_TRAIL)
order by event_timestamp desc;
Result:
| os user | host | authtype | db user | client | time | action | sys priv | aud pol |
|---|---|---|---|---|---|---|---|---|
| oracle | myserver.mydomain.com | (TYPE=(OS));(CLIENT ADDRESS=((PROTOCOL=beq)(HOST=192.168.0.34))); | SYS | sqlplus@myserver.mydomain.com (TNS V1-V3) | 10.03.2022 11:38:14,972147 | LOGON | SYSDBA | PRIVILEGED_USER_LOGONS |
No comments:
Post a Comment