Oracle Cloud Infrastructure Documentation

Admin Activity Auditing Policy

The Admin Activity Auditing policy lets you audit all activities by privileged administrators. These administrators can make significant changes to the wider system. A database administrator (DBA) can have access to sensitive data that is not protected by realms, and can exfiltrate it. The Admin Activity Auditing policy audits all activities for any user who has one of the following privileges or roles:

  • Admin privileges: SYSOPER, SYSDG, SYSKM, SYSRAC, and SYSBACKUP
  • Roles: DBA, DATAPUMP_EXP_FULL_DATABASE, DATAPUMP_IMP_FULL_DATABASE, EXP_FULL_DATABASE, IMP_FULL_DATABASE

The following audit policy gets provisioned on the cloud database target:

CREATE AUDIT POLICY ORA_ADS$_ADMIN_USER_ACTIVITY ACTIONS ALL
WHEN 'SYS_CONTEXT(''USERENV'', ''CURRENT_USER'') NOT IN (''DIP'',''WMSYS'',''XDB'',
''ORDDATA'',''OLAPSYS'',''MDSYS'',''ORDPLUGINS'',''GSMADMIN_INTERNAL'',
''SI_INFORMTN_SCHEMA'',''ANONYMOUS'',''GGSYS'',''DBSFWUSER'',''APPQOSSYS'',''DBSNMP'',
''GSMUSER'',''SYSDG'',''SYS$UMF'',''ORACLE_OCM'',''OUTLN'',''SYSKM'',''SYS'',''SYSTEM'',
''XS$NULL'',''GSMCATUSER'',''MDDATA'',''SYSBACKUP'',''REMOTE_SCHEDULER_AGENT'',''SYSRAC'',
''CTXSYS'',''DVF'',''OJVMSYS'',''DVSYS'',''AUDSYS'',''ORDSYS'',''LBACSYS'')' 
EVALUATE PER STATEMENT;

AUDIT POLICY ORA_ADS$_ADMIN_USER_ACTIVITY BY USERS WITH GRANTED ROLES DBA,
DATAPUMP_EXP_FULL_DATABASE, DATAPUMP_IMP_FULL_DATABASE, EXP_FULL_DATABASE, 
IMP_FULL_DATABASE;

AUDIT POLICY ORA_ADS$_ADMIN_USER_ACTIVITY BY PUBLIC, SYSDG, SYSKM, SYSRAC, SYSBACKUP;

If the version of the cloud database target is 19c, the following audit policy also gets provisioned:

CREATE AUDIT POLICY ORA_ADS$_SYS_TOP_ACTIVITY ACTIONS ALL ONLY TOPLEVEL;
AUDIT POLICY ORA_ADS$_SYS_TOP_ACTIVITY BY SYS;
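
To confirm on the target database that these policies exist, are enabled for the expected users and roles, and are producing records, you can query the unified audit data dictionary views. The following queries are an added example and are not part of the provisioned policy; they assume a session with read access to the audit views (for example, through the AUDIT_VIEWER role), and the one-day window is an arbitrary choice.

```sql
-- 1. Policy definitions: audited actions, condition, and evaluation option.
SELECT policy_name,
       audit_option,
       audit_option_type,
       condition_eval_opt,
       audit_condition
  FROM audit_unified_policies
 WHERE policy_name IN ('ORA_ADS$_ADMIN_USER_ACTIVITY',
                       'ORA_ADS$_SYS_TOP_ACTIVITY')
 ORDER BY policy_name, audit_option;

-- 2. Enablement: one row per user or granted role the policy is enabled for.
--    Expect BY GRANTED ROLE rows for the roles named in the AUDIT POLICY
--    statement and BY USER rows for the named users.
SELECT policy_name,
       enabled_option,
       entity_name,
       entity_type,
       success,
       failure
  FROM audit_unified_enabled_policies
 WHERE policy_name IN ('ORA_ADS$_ADMIN_USER_ACTIVITY',
                       'ORA_ADS$_SYS_TOP_ACTIVITY')
 ORDER BY policy_name, entity_type, entity_name;

-- 3. Activity captured by the admin policy in the last day, summarized per
--    user and action. RETURN_CODE is 0 for a successful action, so a high
--    failure count for one administrator is worth a closer look.
SELECT dbusername,
       action_name,
       COUNT(*)                                         AS events,
       SUM(CASE WHEN return_code <> 0 THEN 1 ELSE 0 END) AS failures,
       MAX(event_timestamp)                             AS last_seen
  FROM unified_audit_trail
 WHERE INSTR(unified_audit_policies, 'ORA_ADS$_ADMIN_USER_ACTIVITY') > 0
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 GROUP BY dbusername, action_name
 ORDER BY events DESC
 FETCH FIRST 50 ROWS ONLY;
```

An empty result from the second query means the policy was created but not enabled, in which case no administrator activity is being recorded under it.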