Oracle 12c comes with two auditing policies enabled by default: ORA_SECURECONFIG and ORA_LOGON_FAILURES.
You can find the currently enabled policies in the AUDIT_UNIFIED_ENABLED_POLICIES view.
The query below will reveal what the currently enabled policies will actually audit
select policy_name,audit_option,condition_eval_opt from audit_unified_policies where policy_name in ( select policy_name from audit_unified_enabled_policies);
The result shows that the default Unfied Auditing Setup covers many of the actions you would certainly want to audit, like DROP USER, ALTER SYSTEM etc:
POLICY_NAME | AUDIT_OPTION | CONDITION_EVAL_OPT |
---|---|---|
ORA_SECURECONFIG | LOGMINING | NONE |
ORA_SECURECONFIG | TRANSLATE ANY SQL | NONE |
ORA_SECURECONFIG | EXEMPT REDACTION POLICY | NONE |
ORA_SECURECONFIG | PURGE DBA_RECYCLEBIN | NONE |
ORA_SECURECONFIG | ADMINISTER KEY MANAGEMENT | NONE |
ORA_SECURECONFIG | DROP ANY SQL TRANSLATION PROFILE | NONE |
ORA_SECURECONFIG | ALTER ANY SQL TRANSLATION PROFILE | NONE |
ORA_SECURECONFIG | CREATE ANY SQL TRANSLATION PROFILE | NONE |
ORA_SECURECONFIG | CREATE SQL TRANSLATION PROFILE | NONE |
ORA_SECURECONFIG | CREATE EXTERNAL JOB | NONE |
ORA_SECURECONFIG | CREATE ANY JOB | NONE |
ORA_SECURECONFIG | GRANT ANY OBJECT PRIVILEGE | NONE |
ORA_SECURECONFIG | EXEMPT ACCESS POLICY | NONE |
ORA_SECURECONFIG | CREATE ANY LIBRARY | NONE |
ORA_SECURECONFIG | GRANT ANY PRIVILEGE | NONE |
ORA_SECURECONFIG | DROP ANY PROCEDURE | NONE |
ORA_SECURECONFIG | ALTER ANY PROCEDURE | NONE |
ORA_SECURECONFIG | CREATE ANY PROCEDURE | NONE |
ORA_SECURECONFIG | ALTER DATABASE | NONE |
ORA_SECURECONFIG | GRANT ANY ROLE | NONE |
ORA_SECURECONFIG | DROP PUBLIC SYNONYM | NONE |
ORA_SECURECONFIG | CREATE PUBLIC SYNONYM | NONE |
ORA_SECURECONFIG | DROP ANY TABLE | NONE |
ORA_SECURECONFIG | ALTER ANY TABLE | NONE |
ORA_SECURECONFIG | CREATE ANY TABLE | NONE |
ORA_SECURECONFIG | DROP USER | NONE |
ORA_SECURECONFIG | CREATE USER | NONE |
ORA_SECURECONFIG | AUDIT SYSTEM | NONE |
ORA_SECURECONFIG | ALTER SYSTEM | NONE |
ORA_LOGON_FAILURES | LOGON | NONE |
ORA_SECURECONFIG | CREATE DATABASE LINK | NONE |
ORA_SECURECONFIG | DROP DATABASE LINK | NONE |
ORA_SECURECONFIG | ALTER USER | NONE |
ORA_SECURECONFIG | CREATE ROLE | NONE |
ORA_SECURECONFIG | DROP ROLE | NONE |
ORA_SECURECONFIG | SET ROLE | NONE |
ORA_SECURECONFIG | CREATE PROFILE | NONE |
ORA_SECURECONFIG | DROP PROFILE | NONE |
ORA_SECURECONFIG | ALTER PROFILE | NONE |
ORA_SECURECONFIG | ALTER ROLE | NONE |
ORA_SECURECONFIG | CREATE DIRECTORY | NONE |
ORA_SECURECONFIG | DROP DIRECTORY | NONE |
ORA_SECURECONFIG | ALTER DATABASE LINK | NONE |
ORA_SECURECONFIG | CREATE PLUGGABLE DATABASE | NONE |
ORA_SECURECONFIG | ALTER PLUGGABLE DATABASE | NONE |
ORA_SECURECONFIG | DROP PLUGGABLE DATABASE | NONE |
ORA_SECURECONFIG | EXECUTE | NONE |
If the $ORACLE_HOME/rdbms/admin/secconf.sql script was created during database creation, you will have some other policies in your database, too, but they won't be enabled by default. These can be found by executing the following statement:
select policy_name,count(audit_option) "number of audits" from AUDIT_UNIFIED_POLICIES where policy_name not in (select unique policy_name from audit_unified_enabled_policies ) group by policy_name order by 2 desc;In my database, the following collection shows up as being created, but not yet enabled:
POLICY_NAME | number of audits |
---|---|
ORA_RAS_POLICY_MGMT | 33 |
ORA_CIS_RECOMMENDATIONS | 26 |
ORA_RAS_SESSION_MGMT | 14 |
ORA_ACCOUNT_MGMT | 9 |
ORA_DATABASE_PARAMETER | 3 |