查看审计的对象select user_name,audit_option,success,failure from dba_stmt_audit_optsunionselect USER_NAME,privilege,success,failure from dba_priv_audit_opts;ALTER ANY PROCEDUREBY ACCESSBY ACCESSALTER ANY TABLEBY ACCESSBY ACCESSALTER DATABASEBY ACCESSBY ACCESSALTER PROFILEBY ACCESSBY ACCESSALTER SYSTEMBY ACCESSBY ACCESSALTER TABLEBY ACCESSBY ACCESSALTER USERBY ACCESSBY ACCESSAUDIT SYSTEMBY ACCESSBY ACCESSCREATE ANY JOBBY ACCESSBY ACCESSCREATE ANY LIBRARYBY ACCESSBY ACCESSCREATE ANY PROCEDUREBY ACCESSBY ACCESSCREATE ANY TABLEBY ACCESSBY ACCESSCREATE EXTERNAL JOBBY ACCESSBY ACCESSCREATE PUBLIC DATABASE LINKBY ACCESSBY ACCESSCREATE SESSIONBY ACCESSBY ACCESSCREATE USERBY ACCESSBY ACCESSDATABASE LINKBY ACCESSBY ACCESSDROP ANY PROCEDUREBY ACCESSBY ACCESSDROP ANY TABLEBY ACCESSBY ACCESSDROP PROFILEBY ACCESSBY ACCESSDROP USERBY ACCESSBY ACCESSEXEMPT ACCESS POLICYBY ACCESSBY ACCESSGRANT ANY OBJECT PRIVILEGEBY ACCESSBY ACCESSGRANT ANY PRIVILEGEBY ACCESSBY ACCESSGRANT ANY ROLEBY ACCESSBY ACCESSINDEXBY ACCESSBY ACCESSMATERIALIZED VIEWBY ACCESSBY ACCESSPROCEDUREBY ACCESSBY ACCESSPROFILEBY ACCESSBY ACCESSPUBLIC SYNONYMBY ACCESSBY ACCESSROLEBY ACCESSBY ACCESSSYNONYMBY ACCESSBY ACCESSSYSTEM AUDITBY ACCESSBY ACCESSSYSTEM GRANTBY ACCESSBY ACCESSTABLEBY ACCESSBY ACCESSTRIGGERBY ACCESSBY ACCESSTYPEBY ACCESSBY ACCESSVIEWBY ACCESSBY ACCESS根据结果,数据库开启了如上审计记录.使用 sqlplus / as sysdba 进行登陆SQL> create user test identified by test;User created.SQL> drop user test;User dropped.之后进行查询SQL> select * from DBA_AUDIT_TRAIL s WHERE s.action_name = 'CREATE USER' and s.username = 'SYS'2 ;no rows selected却没有找到这一条 create 记录.之后使用system 进行用户的创建SQL> create user test identified by test;User created.SQL> drop user test;User dropped.SQL> select count(*) from DBA_AUDIT_TRAIL s WHERE s.action_name = 'CREATE USER' and s.username = 'SYSTEM';COUNT(*)----------1发现得到了审计记录因为就算审计记录被写到了aud$或者dba_audit_trail中,sysdba用户依然可以对其进行delete.因此推断aud$或者dba_audit_trail不记录sysdba,sysoper用户的操作.