For example, create a policy to audit the "create session" privilege:
create audit policy audit_cre_session
privileges create session;
Enable the policy to start auditing:
audit policy audit_cre_session;
In the next example, I am creating a policy to audit DML statements on a specific table:
create audit policy audit_dml_emp
actions delete on scott.emp,
insert on scott.emp,
update on scott.emp
;
Create a separate policy for auditing of queries against a specific table:
create audit policy audit_select_emp
actions select on scott.emp
;
Finally, start auditing both policies:
audit policy audit_dml_emp;
audit policy audit_select_emp;
The results of the auditing can be observed through the unified_audit_trail view:
select audit_type,
os_username,
userhost,
terminal,
authentication_type,
dbusername,
client_program_name,
event_timestamp,
action_name,
return_code,
object_name,
sql_text,
system_privilege_used,
unified_audit_policies
from unified_audit_trail
order by event_timestamp desc;
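The queries below are an added example, not part of the original post. They check that the three policies created above are defined and enabled, then summarise what those policies have recorded against scott.emp. The 24-hour window is an assumption chosen for illustration; the views and columns are Oracle's standard unified auditing dictionary views.

```sql
-- Added example: verify the policies from this post and summarise their audit records.
-- Policy names are stored in upper case in the data dictionary.

-- 1. What does each policy audit? One row per audited action or privilege.
select policy_name,
       audit_option,
       audit_option_type,
       object_schema,
       object_name
from   audit_unified_policies
where  policy_name in ('AUDIT_CRE_SESSION', 'AUDIT_DML_EMP', 'AUDIT_SELECT_EMP')
order  by policy_name, audit_option;

-- 2. Which of them are enabled, and for successful and/or failed attempts?
--    A policy that was created but never enabled with "audit policy ..."
--    appears in query 1 but is missing here.
select policy_name,
       success,
       failure
from   audit_unified_enabled_policies
where  policy_name in ('AUDIT_CRE_SESSION', 'AUDIT_DML_EMP', 'AUDIT_SELECT_EMP')
order  by policy_name;

-- 3. Activity on scott.emp per user and action over the last 24 hours
--    (window is an illustrative assumption). unified_audit_policies can hold
--    several comma-separated policy names, hence the LIKE filters.
select dbusername,
       action_name,
       count(*)                                           as events,
       sum(case when return_code <> 0 then 1 else 0 end)  as failed_events,
       min(event_timestamp)                               as first_seen,
       max(event_timestamp)                               as last_seen
from   unified_audit_trail
where  object_schema = 'SCOTT'
and    object_name   = 'EMP'
and    event_timestamp > systimestamp - interval '1' day
and    (   unified_audit_policies like '%AUDIT_DML_EMP%'
        or unified_audit_policies like '%AUDIT_SELECT_EMP%')
group  by dbusername, action_name
order  by last_seen desc;
```

A non-zero return_code is the Oracle error number of a failed statement, so failed_events counts attempts that were rejected.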
If you later need to modify a policy, use alter audit policy. For example, to stop auditing deletes on the table:
alter audit policy audit_dml_emp drop actions delete on scott.emp;
To reverse the change and return the policy to its original state:
alter audit policy audit_dml_emp add actions delete on scott.emp;
Further reading: the Oracle 12.2 documentation and the 19c documentation.