This feature was just backported from Oracle 23ai. The new

ORA$MANDATORY<\/code> audit policy was added with the Oracle 19.26 RU. This policy is not visible at UNIFIED_AUDIT_POLICIES<\/code> or AUDIT_UNIFIED_ENABLED_POLICIES<\/code>. <\/p>\n\n\n\n

After patching the database to 19.26, then you see entries on UNIFIED_AUDIT_TRAIL<\/code>:<\/p>\n\n\n

\nSYS@CDB2.CDB$ROOT> select EVENT_TIMESTMAP, SYSTEM_PRIVILEGE_USED, ACTION_NAME \nfrom UNIFIED_AUDIT_TRAIL \nwhere UNIFIED_AUDIT_POLICIES='ORA$MANDATORY' \norder by EVENT_TIMESTMAP;\n\n                  EVENT_TIMESTAMP     SYSTEM_PRIVILEGE_USED       ACTION_NAME\n_________________________________ _________________________ _________________\n02-FEB-2025 21:54:56.192982000    SYSDBA                    LOGON\n02-FEB-2025 21:54:56.216549000    SYSDBA                    SELECT\n02-FEB-2025 21:55:00.381577000    SYSDBA, ALTER DATABASE    ALTER DATABASE\n02-FEB-2025 21:55:00.393882000    SYSDBA                    LOGOFF\n...\n<\/pre><\/div>\n\n\nThe actions that are audited by ORA$MANDATORY<\/code> policy are described on Oracle 23ai documentation<\/a>. <\/p>\n\n\n\n
What I find interesting, is that the “ALTER DATABASE MOUNT” during startup is audited, so we can have a good history of database startups.<\/p>\n\n\n\n\n\n\n\n
A bit of annoying is that few seconds before the “mount”, there is the internal query to show the amount of SGA at startup which is also audited:<\/p>\n\n\n
\nSELECT DECODE(null,'','Total System Global Area','') NAME_COL_PLUS_SHOW_SGA,   SUM(VALUE), DECODE (null,'', 'bytes','') units_col_plus_show_sga FROM V$SGA    \nUNION ALL    \nSELECT NAME NAME_COL_PLUS_SHOW_SGA , VALUE,    DECODE (null,'', 'bytes','') units_col_plus_show_sga FROM V$SGA\n<\/pre><\/div>\n\n\nThese are below summarized:<\/p>\n\n\n\n
\nActivities of administrative users such as SYSDBA<\/code>, SYSBACKUP<\/code>, and SYSKM<\/code> when the database is down is always audited.<\/li>\n\n\n\n
Any DDL or DML attempts on UNIFIED_AUDIT_TRAIL<\/code> or the underlying dictionary tables in AUDSYS<\/code> schema is always audited. <\/li>\n<\/ul>\n\n\n\nA bit more fine-grained it means:<\/p>\n\n\n\n
\nSQL Firewall administrative actions<\/li>\n\n\n\n
ORADEBUG<\/code> utility<\/li>\n\n\n\n
Audit-Related Activities\n\nCREATE AUDIT POLICY<\/code><\/li>\n\n\n\n
ALTER AUDIT POLICY<\/code><\/li>\n\n\n\n
DROP AUDIT POLICY<\/code><\/li>\n\n\n\n
AUDIT<\/code><\/li>\n\n\n\n
NOAUDIT<\/code><\/li>\n\n\n\n
EXECUTE<\/code> of the DBMS_FGA<\/code> PL\/SQL package<\/li>\n\n\n\n
EXECUTE<\/code> of the DBMS_AUDIT_MGMT<\/code> PL\/SQL package<\/li>\n\n\n\n
ALTER TABLE<\/code> attempts on the AUDSYS<\/code> audit trail table<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Top level statements by the administrative users SYS<\/code>, SYSDBA<\/code>, SYSOPER<\/code>, SYSASM<\/code>, SYSBACKUP<\/code>, SYSDG<\/code>, and SYSKM<\/code>, until the database opens.<\/li>\n\n\n\n
All user-issued DML statements on the SYS.AUD$<\/code> and SYS.FGA_LOG$<\/code> dictionary tables<\/li>\n\n\n\n
Any attempts to modify the data or metadata of the unified audit internal table. <\/li>\n\n\n\n
All configuration changes that are made to Oracle Database Vault<\/li>\n\n\n\n
Operations on Blockchain and Immutable Tables\n\nCREATE TABLE<\/code><\/li>\n\n\n\n
DROP TABLE<\/code><\/li>\n\n\n\n
Failed ALTER TABLE<\/code> operations<\/li>\n\n\n\n
Failed DELETE<\/code> operations<\/li>\n\n\n\n
Failed FLASHBACK TABLE<\/code> operations<\/li>\n\n\n\n
Failed RENAME<\/code> operations<\/li>\n\n\n\n
Failed TRUNCATE TABLE<\/code> operations<\/li>\n\n\n\n
Failed UPDATE<\/code> operations<\/li>\n<\/ul>\n<\/li>\n\n\n\n
Access to Sensitive Columns in the Oracle Optimizer Dictionary Tables\n\nSYS.HIST_HEAD$<\/code> – minimum<\/code>, maximum<\/code>, lowval<\/code>, hival<\/code>
SYS.HISTGRM$<\/code> – endpoint<\/code>, epvalue_raw<\/code>
SYS.WRI$_OPSTAT_HISTGRM_HISTORY<\/code> – endpoint<\/code>, epvalue_raw<\/code>
SYS.WRI$_OPTSTAT_HISTHEAD_HISTORY<\/code> – minimum<\/code>, maximum<\/code>, lowval<\/code>, hival<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
This feature was just backported from Oracle 23ai. The new ORA$MANDATORY audit policy was added with the Oracle 19.26 RU. This policy is not visible at UNIFIED_AUDIT_POLICIES or AUDIT_UNIFIED_ENABLED_POLICIES. After patching the database to 19.26, then you see entries on UNIFIED_AUDIT_TRAIL: The actions that are audited by ORA$MANDATORY policy are described on Oracle 23ai documentation. What […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32,6,39,81],"tags":[],"class_list":["post-971","post","type-post","status-publish","format-standard","category-audit","category-oracle","category-oracle-19c","category-oracle-23ai","czr-hentry"],"_links":{"self":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/971","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/comments?post=971"}],"version-history":[{"count":2,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/971\/revisions"}],"predecessor-version":[{"id":974,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/971\/revisions\/974"}],"wp:attachment":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/media?parent=971"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/categories?post=971"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/tags?post=971"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}