Topics
This appendix maps audit event names used in the Oracle Database to their equivalent values in the Command Class and Target Type fields in the Oracle Audit Vault and Database Firewall audit record. The audit events are organized in useful categories, for example, Account Management events. You can use the audit events mapped here to create custom audit reports using other Oracle Database reporting products or third-party tools.
See Also:
Oracle Audit Vault and Database Firewall Database Schemas for Oracle Audit Vault and Database Firewall data warehouse details that may be useful in designing your own reports.
Account management events track SQL statements that affect user accounts, such as creating users or altering their profiles.
Table D-1 lists the Oracle Database account management audit events and the equivalent Oracle AVDF events.
Table D-1 Oracle Database Account Management Audit Events
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Alter Profile |
|
|
|
Alter User |
|
|
|
Create Profile |
|
|
|
Create User |
|
|
|
Drop Profile |
|
|
|
Drop User |
|
|
Application management events track actions that were performed on the underlying PL/SQL procedures or functions of system services and applications, such as ALTER FUNCTION
statements.
Table D-2 lists the Oracle Database application management audit events and the equivalent Oracle AVDF events.
Table D-2 Oracle Database Application Management Audit Events
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Alter Assembly (Release 11.2) |
|
|
|
Alter Function |
|
|
|
Alter Java |
|
|
|
Alter Package |
|
|
|
Alter Package Body |
|
|
|
Alter Procedure |
|
|
|
Alter Resource Cost |
|
|
|
Alter Rewrite Equivalence |
|
|
|
Alter Trigger |
|
|
|
Alter Type |
|
|
|
Alter Type Body |
|
|
|
Analyze Index |
|
|
|
Analyze Table |
|
|
|
Associate Statistics |
|
|
|
Create Assembly (Release 11.2) |
|
|
|
Create Context |
|
|
|
Create Function |
|
|
|
Create IndexType |
|
|
|
Create Java |
|
|
|
Create Library |
|
|
|
Create Operator |
|
|
|
Create Package |
|
|
|
Create Package Body |
|
|
|
Create Procedure |
|
|
|
Create Trigger |
|
|
|
Create Type |
|
|
|
Create Type Body |
|
|
|
Declare Rewrite Equivalence |
|
|
|
Disable Trigger |
|
|
|
Disassociate Statistics |
|
|
|
Drop Assembly (Release 11.2) |
|
|
|
Drop Context |
|
|
|
Drop Function |
|
|
|
Drop Indextype |
|
|
|
Drop Java |
|
|
|
Drop Library |
|
|
|
Drop Operator |
|
|
|
Drop Package |
|
|
|
Drop Package Body |
|
|
|
Drop Procedure |
|
|
|
Drop Rewrite Equivalence |
|
|
|
Drop Trigger |
|
|
|
Drop Type |
|
|
|
Drop Type Body |
|
|
|
Enable Trigger |
|
|
|
Execute Type |
|
|
|
Explain |
|
|
Audit command events track the use of AUDIT
SQL statements on other SQL statements and on database objects.
Table D-3 lists the Oracle Database audit command audit events and the equivalent Oracle AVDF events.
Table D-3 Oracle Database Audit Command Audit Events
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Audit Default |
|
|
|
Audit Object |
|
|
|
NoAudit default |
|
|
|
NoAudit Subject |
|
|
|
System Audit |
|
|
|
System No Audit |
|
|
Data access events track audited data manipulation language (DML) activities, for example, all SELECT
, INSERT
, UPDATE
, or DROP
SQL statements. The Data Access Report uses these events.
Table D-4 lists the Oracle Database data access audit events and the equivalent Oracle Audit Vault and Database Firewall events.
Table D-4 Oracle Database Data Access Audit Events
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Delete |
|
|
|
Insert |
|
|
|
Select |
|
|
|
Select Mining Model (Release 11.2) |
|
|
|
Truncate Table |
|
|
|
Update |
|
|
See Also:
Table D-5 lists Database Vault events for Oracle Database 11g databases that have Database Vault enabled.
Table D-5 Database Vault Audit Events in Oracle Database 11g
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Factor Evaluation |
|
|
|
Factor Assignment |
|
|
|
Factor Expression |
|
|
|
Realm Violation |
|
|
|
Realm Authorization |
|
|
|
Command Authorization |
|
|
|
Secure Role |
|
|
|
Access Control Session Initialization |
|
|
|
Access Control Command Authorization |
|
|
|
Label Security Session Initialization |
|
|
|
Label Security Attempt to Upgrade |
|
|
Table D-6 lists Database Vault events for Oracle Database 12c databases that have Database Vault enabled.
Table D-6 Database Vault Audit Events in Oracle Database 12c
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Factor Evaluation Audit |
|
|
|
Factor Assignment Audit |
|
|
|
Factor Expression Audit |
|
|
|
Realm Violation Audit |
|
|
|
Realm Authorization Audit |
|
|
|
Command Authorization Audit |
|
|
|
Secure Role Audit |
|
|
|
Session Initialization Audit |
|
|
|
OLS Session Initialization Audit |
|
|
|
OLS Attempt To Upgrade Label Audit |
|
|
|
Enable DV Enforcement Audit |
|
|
|
Disable DV Enforcement Audit |
|
|
|
Realm Creation Audit |
|
|
|
REALM UPDATE AUDIT |
|
|
|
Realm Rename Audit |
|
|
|
Realm Deletion Audit |
|
|
|
Add Realm Auth Audit |
|
|
|
Delete Realm Auth Audit |
|
|
|
Update Realm Auth Audit |
|
|
|
Add Realm Object Audit |
|
|
|
Update Realm Object Audit |
|
|
|
Delete Realm Object Audit |
|
|
|
Enable Event Audit |
|
|
|
Disable Event Audit |
|
|
|
Rule Set Creation Audit |
|
|
|
Rule Set Update Audit |
|
|
|
Rule Set Rename Audit |
|
|
|
Rule Set Deletion Audit |
|
|
|
Add Rule to Rule Set Audit |
|
|
|
Delete Rule from Rule Set Audit |
|
|
|
Rule Creation Audit |
|
|
|
Rule Update Audit |
|
|
|
Rule Rename Audit |
|
|
|
Rule Deletion Audit |
|
|
|
Command Rule Creation Audit |
|
|
|
Command Rule Update Audit |
|
|
|
Command Rule Deletion Audit |
|
|
|
Authorize Datapump User Audit |
|
|
|
Unauthorize Datapump User Audit |
|
|
|
Authorize Job User Audit |
|
|
|
Unauthorize Job User Audit |
|
|
|
Factor Type Creation Audit |
|
|
|
Factor Type Deletion Audit |
|
|
|
Factor Type Update Audit |
|
|
|
Factor Type Rename Audit |
|
|
|
Factor Creation Audit |
|
|
|
Factor Deletion Audit |
|
|
|
Factor Update Audit |
|
|
|
Factor Rename Audit |
|
|
|
Add Factor Link Audit |
|
|
|
Delete Factor Link Audit |
|
|
|
Add Policy Factor Audit |
|
|
|
Delete Policy Factor Audit |
|
|
|
Create Identity Audit |
|
|
|
Delete Identity Audit |
|
|
|
Update Identity Audit |
|
|
|
Change Identity Factor Audit |
|
|
|
Change Identity Value Audit |
|
|
|
Create Identity Map Audit |
|
|
|
Delete Identity Map Audit |
|
|
|
Create Policy Label Audit |
|
|
|
Delete Policy Label Audit |
|
|
|
Create Mac Policy Audit |
|
|
|
Update MAC Policy Audit |
|
|
|
Delete MAC Policy Audit |
|
|
|
Create Role Audit |
|
|
|
Delete Role Audit |
|
|
|
Update Role Audit |
|
|
|
Rename Role Audit |
|
|
|
Create Domain Identity Audit |
|
|
|
Drop Domain Identity Audit |
|
|
|
Enable ORADEBUG Audit |
|
|
|
Disable ORADEBUG Audit |
|
|
|
Command Failure Audit |
|
|
|
Authorize Proxy User Audit |
|
|
|
Unauthorize Proxy User Audit |
|
|
|
Enable DV Dictionary Accounts Audit |
|
|
|
Disable DV Dictionary Accounts Audit |
|
|
|
Authorize DDL Audit |
|
|
|
Unauthorize DDL Audit |
|
|
|
Authorize Transportable Tablespace Audit |
|
|
|
Unauthorize Transportable Tablespace Audit |
|
|
Exception events track audited error and exception activity, such as network errors. Table D-7 lists the Oracle Database exception audit events and the equivalent Oracle Audit Vault and Database Firewall event.
Table D-7 Oracle Database Exception Audit Event
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Network Error |
|
|
Invalid record events track audited activity that Oracle AVDF cannot recognize, possibly due to a corrupted audit record.
Table D-8 lists the Oracle Database invalid record audit events and the equivalent Oracle AVDF event.
Table D-8 Oracle Database Invalid Record Audit Event
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Invalid Record |
|
|
Object management events track audited actions performed on database objects, such as CREATE TABLE
statements.
Table D-9 lists the Oracle Database object management audit events and the equivalent Oracle AVDF events.
Table D-9 Oracle Database Object Management Audit Events
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Alter Dimension |
|
|
|
Alter Edition (Release 11.2) |
|
|
|
Alter Index |
|
|
|
Alter Materialized View |
|
|
|
Alter Materialized View Log |
|
|
|
Alter Mining Model (Release 11.2) |
|
|
|
Alter Operator |
|
|
|
Alter Outline |
|
|
|
Alter Public Synonym (Release 11.2) |
|
|
|
Alter Sequence |
|
|
|
Alter Synonym (Release 11.2) |
|
|
|
Alter Table |
|
|
|
Apply Table or Schema PolicyFoot 1 |
|
|
|
Create Mining Model (Release 11.2) |
|
|
|
Create Dimension |
|
|
|
Create Directory |
|
|
|
Create Edition (Release 11.2 |
|
|
|
Create Index |
|
|
|
Create Materialized View |
|
|
|
Create Materialized View Log |
|
|
|
Create Outline |
|
|
|
Create Public Database Link |
|
|
|
Create Public Synonym |
|
|
|
Create Schema |
|
|
|
Create Sequence |
|
|
|
Create Synonym |
|
|
|
Create Table |
|
|
|
Create View |
|
|
|
Drop Dimension |
|
|
|
Drop Directory |
|
|
|
Drop Edition (Release 11.2) |
|
|
|
Drop Index |
|
|
|
Drop Materialized View |
|
|
|
Drop Materialized View Log |
|
|
|
Drop Outline |
|
|
|
Drop Public Database Link |
|
|
|
Drop Public Synonym |
|
|
|
Drop Sequence |
|
|
|
Drop Synonym |
|
|
|
Drop Table |
|
|
|
Drop View |
|
|
|
Flashback Table |
|
|
|
Lock |
|
|
|
Purge Index |
|
|
|
Purge Table |
|
|
|
Remove Table or SchemaFoot 2 |
|
|
|
Rename |
|
|
|
Undrop Object |
|
|
|
Update Indexes |
|
|
|
Validate Index |
|
|
Footnote 1
APPLY TABLE OR SCHEMA POLICY
is an Oracle Label Security audit event.
Footnote 2
REMOVE TABLE OR SCHEMA
is an Oracle Label Security audit event.
Peer association events track database link statements. Table D-10 lists the Oracle Database peer association audit events and the equivalent Oracle AVDF events.
Table D-10 Oracle Database Peer Association Audit Events
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Create Database Link |
|
|
|
Drop Database Link |
|
|
Role and privilege management events track audited role and privilege management activity, such as granting object permissions to a user.
Table D-11 lists the Oracle Database role and privilege management audit events and the equivalent Oracle AVDF events.
Table D-11 Oracle Database Role and Privilege Management Audit Events
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Alter Role |
|
|
|
Create Role |
|
|
|
Drop Role |
|
|
|
Grant Object |
|
|
|
Grant Role |
|
|
|
Object Exists ErrorsFoot 3 |
|
|
|
Revoke Object |
|
|
|
Revoke Role |
|
|
|
Set User or Program Unit Label1 |
|
|
|
Privileged Operation |
|
|
|
Privileged Action1 |
|
|
Footnote 3
OBJECT EXISTS ERRORS
, SET USER OR PROGRAM UNIT LABEL
, and PRIVILEGED ACTION
are Oracle Label Security events.
Service and application utilization events track audited application access activity, such as the execution of PL/SQL procedures or functions.
Table D-12 lists the Oracle Database service and application utilization audit events and the equivalent Oracle Audit Vault and Database Firewall events.
Table D-12 Oracle Database Service and Application Utilization Audit Events
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Call Method |
|
|
|
Execute Procedure |
|
|
|
PL/SQL Execute |
|
|
System management events track audited system management activity, such as STARTUP
and SHUTDOWN
operations. Table D-13 lists the Oracle Database system management audit events and the equivalent Oracle Audit Vault and Database Firewall events.
Table D-13 Oracle Database System Management Audit Events
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Alter Cluster |
|
|
|
Alter Database |
|
|
|
Alter Flashback Archive (Release 11.2) |
|
|
|
Alter Rollback Seg |
|
|
|
Alter System |
|
|
|
Alter Tablespace |
|
|
|
Analyze Cluster |
|
|
|
Create Cluster |
|
|
|
Create Control File |
|
|
|
Create Database |
|
|
|
Create Flashback Archive (Release 11.2) |
|
|
|
Create Rollback Seg |
|
|
|
Create Tablespace |
|
|
|
Disable All Triggers |
|
|
|
Drop Cluster |
|
|
|
Drop Flashback Archive (Release 11.2) |
|
|
|
Drop Rollback Seg |
|
|
|
Drop Tablespace |
|
|
|
Enable All Triggers |
|
|
|
Flashback |
|
|
|
Flashback Database |
|
|
|
Purge DBA Recycle Bin |
|
|
|
Purge Tablespace |
|
|
|
Shutdown |
|
DATABASE |
|
Startup |
|
|
|
Super User Transaction Control (Release 11.2) |
|
|
|
Super User DDL |
|
|
|
Super User DML |
|
|
|
System Grant |
|
|
|
System Revoke |
|
|
|
Truncate Cluster |
|
|
Unknown or uncategorized events track audited activity that cannot be categorized, such as ALTER SUMMARY
statements.
Table D-14 lists the Oracle Database unknown or uncategorized audit events and the equivalent Oracle Audit Vault and Database Firewall events.
Table D-14 Oracle Database Unknown or Uncategorized Audit Events
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Alter Summary |
|
|
|
Comment |
|
|
|
Create Summary |
|
|
|
Drop Summary |
|
|
|
No-Op |
|
|
|
Super User Unknown |
|
|
|
Unknown |
|
|
|
User Comment |
|
|
User session events track audited authentication events for users who log in to the database.
Table D-15 lists the Oracle Database user session audit events and the equivalent Oracle Audit Vault and Database Firewall events.
Table D-15 Oracle Database User Session Audit Events
Source Event | Event Description | Command Class | Target Type |
---|---|---|---|
|
Alter Session |
|
|
|
Commit |
|
|
|
Create Restore Point |
|
|
|
Create Session |
|
|
|
Drop Restore Point |
|
|
|
Logoff |
|
|
|
Logoff by Cleanup |
|
|
|
Logon |
|
|
|
Proxy Authentication Only |
|
|
|
Purge User Recycle Bin |
|
|
|
Rollback |
|
|
|
Savepoint |
|
|
|
Session Record |
|
|
|
Set Role |
|
|
|
Set Transaction |
|
|
|
Super User Logon |
|
|