As we mentioned earlier in this chapter, some actions will be stored to operating system files whether auditing is enabled or not. These actions are:
Connection to the database from a privileged account
Structural changes made to the database, like adding a tablespace datafile, etc.
When the database is started up, a record is written automatically to an operating system file. If the database was started with either sys or internal, the user information will not be recorded. The information recorded is the operating system username of the process starting the database, the terminal identifier, the timestamp (date and time) when the database was started, and whether or not auditing was enabled. The purpose of writing this information is to create a record of anyone attempting to start the database and disable auditing in order to hide their actions. At the time of database startup, the database audit trail is not yet available, so the startup information is always written to an operating system audit file.
In all of the auditing situations listed above, the information is recorded to an operating system log. If the operating system does not enable Oracle to access its audit facility, Oracle will record the information in a log in the same directory in which the background processes record their activities.
The first type of default auditing occurs during database startup. An example of operating ...