CREATE AUDIT POLICY AUDIT_DB_SCHEMA_CHANGES
PRIVILEGES
CREATE EXTERNAL JOB, CREATE JOB, CREATE ANY JOB
ACTIONS
CREATE PACKAGE, ALTER PACKAGE, DROP PACKAGE,
CREATE PACKAGE BODY, ALTER PACKAGE BODY, DROP PACKAGE BODY,
CREATE PROCEDURE, DROP PROCEDURE, ALTER PROCEDURE,
CREATE FUNCTION, DROP FUNCTION, ALTER FUNCTION,
CREATE TRIGGER, ALTER TRIGGER, DROP TRIGGER,
CREATE LIBRARY, ALTER LIBRARY, DROP LIBRARY,
CREATE SYNONYM, DROP SYNONYM, ALTER SYNONYM,
CREATE TABLE, ALTER TABLE, DROP TABLE, TRUNCATE TABLE,
CREATE DATABASE LINK, ALTER DATABASE LINK, DROP DATABASE LINK,
CREATE INDEX, ALTER INDEX, DROP INDEX,
CREATE INDEXTYPE, ALTER INDEXTYPE, DROP INDEXTYPE,
CREATE OUTLINE, ALTER OUTLINE, DROP OUTLINE,
CREATE CONTEXT, DROP CONTEXT,
CREATE ATTRIBUTE DIMENSION, ALTER ATTRIBUTE DIMENSION, DROP ATTRIBUTE DIMENSION,
CREATE DIMENSION, ALTER DIMENSION, DROP DIMENSION,
CREATE MINING MODEL, ALTER MINING MODEL, DROP MINING MODEL,
CREATE OPERATOR, ALTER OPERATOR, DROP OPERATOR,
CREATE JAVA, ALTER JAVA, DROP JAVA,
CREATE TYPE BODY, ALTER TYPE BODY, DROP TYPE BODY,
CREATE TYPE, ALTER TYPE, DROP TYPE,
CREATE VIEW, ALTER VIEW, DROP VIEW,
CREATE MATERIALIZED VIEW, ALTER MATERIALIZED VIEW, DROP MATERIALIZED VIEW,
CREATE MATERIALIZED VIEW LOG, ALTER MATERIALIZED VIEW LOG, DROP MATERIALIZED VIEW LOG,
CREATE MATERIALIZED ZONEMAP, ALTER MATERIALIZED ZONEMAP, DROP MATERIALIZED ZONEMAP,
CREATE ANALYTIC VIEW, ALTER ANALYTIC VIEW, DROP ANALYTIC VIEW,
CREATE SEQUENCE, ALTER SEQUENCE, DROP SEQUENCE,
CREATE CLUSTER, ALTER CLUSTER, DROP CLUSTER, TRUNCATE CLUSTER;
AUDIT POLICY AUDIT_DB_SCHEMA_CHANGES;
Audit activities with system privileges
When someone is granted database privileges that exceed the requirements of their job function, these privileges can
be abused. Sometimes, administrators grant excessive system privileges just to avoid the risk of failures due to lack of
access privileges, or users may simply accumulate such privileges over time. System privileges are very powerful as
they allow access to objects across multiple schemas or allow you to make changes that impact the entire database.
Such privileges should be granted only when necessary, preferably to roles and trusted users of the database. Use of
system privileges should be monitored very closely.
The first step is to identify the system privileges granted to the database users that are currently in use. Then
configure audit policies to track the activities that make use of the privileges.
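The two steps above as an added example (not from the original paper): Privilege Analysis, the feature introduced in the next paragraph, reports which system privileges are in use, and a unified audit policy then tracks them. The capture name, the policy name and the privilege list in step 3 are assumptions chosen for illustration.

```sql
-- Added example; SYSPRIV_USAGE_CAPTURE and AUDIT_SYSPRIV_USE are hypothetical names.
-- Run as a user with the CAPTURE_ADMIN role (steps 1-2) and AUDIT_ADMIN role (steps 3-4).

-- 1. Capture privilege use across the whole database.
--    A G_DATABASE capture does not record privileges used by SYS.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'SYSPRIV_USAGE_CAPTURE',
    description => 'System privileges actually exercised',
    type        => DBMS_PRIVILEGE_CAPTURE.G_DATABASE);
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('SYSPRIV_USAGE_CAPTURE');
END;
/

-- Let a representative workload run, then stop the capture and
-- populate the result views.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('SYSPRIV_USAGE_CAPTURE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('SYSPRIV_USAGE_CAPTURE');
END;
/

-- 2. Which system privileges were used, by whom, and through which role.
SELECT DISTINCT username, used_role, sys_priv
FROM   dba_used_sysprivs
WHERE  capture = 'SYSPRIV_USAGE_CAPTURE'
ORDER  BY username, sys_priv;

-- 3. Audit the privileges the report shows in use.
--    The list below is a constructed sample; substitute the SYS_PRIV
--    values returned by step 2.
CREATE AUDIT POLICY AUDIT_SYSPRIV_USE
  PRIVILEGES SELECT ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE,
             CREATE ANY PROCEDURE;

AUDIT POLICY AUDIT_SYSPRIV_USE;

-- 4. Review what the policy recorded. A row appears only when the
--    statement actually relied on the system privilege.
SELECT event_timestamp, dbusername, action_name,
       system_privilege_used, object_schema, object_name
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%AUDIT_SYSPRIV_USE%'
ORDER  BY event_timestamp DESC;
```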
Identify system privileges and their grantee information using Privilege Analysis (PA), a feature of Oracle Database
Enterprise Edition. PA dynamically analyzes privilege and role usage for database users and application service
accounts. PA generates reports on which roles/privileges were used as well as those granted roles/privileges that