Yes u cannot audit DROP TABLE.This is because when you create a table you are the owner of the table and so you have all the priveleges.If you want to audit CREATE,DROP and other DDL commands write a database trigger on it.The database trigger works fine on Oracle 8.1.5 and higher versions.
In case of any help please be free to ask me at firstname.lastname@example.org
well I want to audit statement (statement auditing) drop, alter, truncate & alter table,
according to 8.1.7 SQL Ref table 8-3 when you do
it audits DROP, TRUNCATE & ALTER
From 8.1.7 Concept guide, Chapter 28
Statement auditing is the selective auditing of related groups of statements that fall into two categories:
DDL statements, regarding a particular type of database structure or schema object, but not a specifically named structure or schema object (for example, AUDIT TABLE audits all CREATE and DROP TABLE statements)"
Pando, I think you are mixing two auditing concepts: one is "SQL statement auditing" and other is "priviledge usage auditing". In your last post you are quoting statement auditing, while in your first post you are complaining about priviledge auditing not working.
audit drop any table by user1
This is example of priviledge usage auditing. An audit trail record will be recorded only if the user1 will use drop any table system priviledge when droping the table. That means that if he drops one of his own tables the audit trail will not be created, because he doesn't need "drop any table" priviledge for that. So did you test this by droping a table from some other user's schema? It should write an audit trail.
audit drop any table
Same as the abowe but this time valid for any user. Again audit trail is created only when table from someone elses schema is droped.
audit create table by user1
This is another type of auditing - statement auditing. This time audit trail will be created whenever user1 uses "drop table" statement, no matter if the table is in his own's schema or not.
I think you performed those DROPs and CREATEs on user's own schema, that is why it seemed that the first two are not working while the last one is.
There is one odd thing with DROP TABLE and TRUNCATE TABLE statement auditing. You can't specify any of those two actions to be audited explicitely (ORA-956), like you can with CRATE TABLE. So you can't use "AUDIT DROP TABLE;" command. You can only set auditing for DROP and TRUNCATE by isuing "AUDIT TABLE;", which incorporates CREATE, TRUNCATE and DROP. So by setting "AUDIT TABLE;" audit trial will be created whenever someone isues CREATE TABLE, DROP TABLE or TRUNCATE TABLE statement.
BTW, I just noticed one strange thing on my test DB (188.8.131.52.2). AUDIT_TRIAL is set to TRUE. When I started auditing logins/logoffs by isuing "AUDIT SESSION", every new session has been audited immediately. But if I use any other auditing command (like "AUDIT TABLE;"), the table statements ussage was not audited until I restarted the database. After that everything went normal and audit trail has started to reflect the changes. I found this to be true for every auditing statement, except for AUDIT SESSION. I haven't found anything regarding this unusual behaviour in the documentation, so I think this is a bug. Can anyone else reproduce this?
Jurij Modic ASCII a stupid question, get a stupid ANSI
24 hours in a day .... 24 beer in a case .... coincidence?