Monday, December 21, 2020

"audit_option_type" difference in CIS audit policy and Oracle shipped CIS policy

CREATE AUDIT POLICY TEST_POLICY_1 PRIVILEGES CREATE USER, ALTER SYSTEM ACTIONS CREATE USER, ALTER SYSTEM;

select /*json-formatted*/ * from audit_unified_policies where policy_name='TEST_POLICY_1';
{
      "items" : [
        {
          "policy_name" : "TEST_POLICY_1",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE USER",
          "audit_option_type" : "SYSTEM PRIVILEGE",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "TEST_POLICY_1",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER SYSTEM",
          "audit_option_type" : "SYSTEM PRIVILEGE",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "TEST_POLICY_1",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER SYSTEM",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "TEST_POLICY_1",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE USER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        }
      ]
    }
  ]
}

CIS hardening guide Audit policy for Oracle database

 List down currently enabled audit policy

select /*json-formatted*/ * from audit_unified_enabled_policies;
{
  "results" : [
    {
      "columns" : [
        {
          "name" : "POLICY_NAME",
          "type" : "VARCHAR2"
        },
        {
          "name" : "ENABLED_OPTION",
          "type" : "VARCHAR2"
        },
        {
          "name" : "ENTITY_NAME",
          "type" : "VARCHAR2"
        },
        {
          "name" : "ENTITY_TYPE",
          "type" : "VARCHAR2"
        },
        {
          "name" : "SUCCESS",
          "type" : "VARCHAR2"
        },
        {
          "name" : "FAILURE",
          "type" : "VARCHAR2"
        }
      ],
      "items" : [
        {
          "policy_name" : "ORA_SECURECONFIG",
          "enabled_option" : "BY USER",
          "entity_name" : "ALL USERS",
          "entity_type" : "USER",
          "success" : "YES",
          "failure" : "YES"
        },
        {
          "policy_name" : "ORA_LOGON_FAILURES",
          "enabled_option" : "BY USER",
          "entity_name" : "ALL USERS",
          "entity_type" : "USER",
          "success" : "NO",
          "failure" : "YES"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "enabled_option" : "BY USER",
          "entity_name" : "ALL USERS",
          "entity_type" : "USER",
          "success" : "YES",
          "failure" : "YES"
        }
      ]
    }
  ]
}

List down existing audit policies

select distinct policy_name from audit_unified_policies;

POLICY_NAME                                                                                                                     
------------------------------------------------------------
ORA_DV_AUDPOL2
ORA_CIS_RECOMMENDATIONS
ORA_ACCOUNT_MGMT
ORA_DATABASE_PARAMETER
ORA_LOGON_FAILURES
ORA_DV_AUDPOL
ORA_SECURECONFIG
ORA_RAS_SESSION_MGMT
CIS_UNIFIED_AUDIT_POLICY
ORA_RAS_POLICY_MGMT

Get audit policy details (which created per CIS hardening guide for Oracle 18c)

select  /*json-formatted*/ * from audit_unified_policies where policy_name='CIS_UNIFIED_AUDIT_POLICY';
{
  "results" : [
    {
      "columns" : [
        {
          "name" : "POLICY_NAME",
          "type" : "VARCHAR2"
        },
        {
          "name" : "AUDIT_CONDITION",
          "type" : "VARCHAR2"
        },
        {
          "name" : "CONDITION_EVAL_OPT",
          "type" : "VARCHAR2"
        },
        {
          "name" : "AUDIT_OPTION",
          "type" : "VARCHAR2"
        },
        {
          "name" : "AUDIT_OPTION_TYPE",
          "type" : "VARCHAR2"
        },
        {
          "name" : "OBJECT_SCHEMA",
          "type" : "VARCHAR2"
        },
        {
          "name" : "OBJECT_NAME",
          "type" : "VARCHAR2"
        },
        {
          "name" : "OBJECT_TYPE",
          "type" : "VARCHAR2"
        },
        {
          "name" : "COMMON",
          "type" : "VARCHAR2"
        },
        {
          "name" : "INHERITED",
          "type" : "VARCHAR2"
        },
        {
          "name" : "AUDIT_ONLY_TOPLEVEL",
          "type" : "VARCHAR2"
        }
      ],
      "items" : [
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "SELECT ANY DICTIONARY",
          "audit_option_type" : "SYSTEM PRIVILEGE",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE USER",
          "audit_option_type" : "SYSTEM PRIVILEGE",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE SYNONYM",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP SYNONYM",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE PROCEDURE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER PROCEDURE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE DATABASE LINK",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP DATABASE LINK",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER USER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER SYSTEM",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE ROLE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP USER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP ROLE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE TRIGGER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER TRIGGER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP TRIGGER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE PROFILE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP PROFILE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER PROFILE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP PROCEDURE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER ROLE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE FUNCTION",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER FUNCTION",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP FUNCTION",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE PACKAGE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER PACKAGE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP PACKAGE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE PACKAGE BODY",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER PACKAGE BODY",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP PACKAGE BODY",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER SYNONYM",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER DATABASE LINK",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "GRANT",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "REVOKE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "LOGON",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "LOGOFF",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "CIS_UNIFIED_AUDIT_POLICY",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALL",
          "audit_option_type" : "OBJECT ACTION",
          "object_schema" : "AUDSYS",
          "object_name" : "AUD$UNIFIED",
          "object_type" : "TABLE",
          "common" : "YES",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        }
      ]
    }
  ]
}
37 rows selected. 

Get audit policy details (which is shipped by Oracle DB by default for 19c)

-- ORA_CIS_RECOMMENDATIONS is default policy shipped by Oracle
select  /*json-formatted*/ * from audit_unified_policies where policy_name='ORA_CIS_RECOMMENDATIONS';
{
  "results" : [
    {
      "columns" : [
        {
          "name" : "POLICY_NAME",
          "type" : "VARCHAR2"
        },
        {
          "name" : "AUDIT_CONDITION",
          "type" : "VARCHAR2"
        },
        {
          "name" : "CONDITION_EVAL_OPT",
          "type" : "VARCHAR2"
        },
        {
          "name" : "AUDIT_OPTION",
          "type" : "VARCHAR2"
        },
        {
          "name" : "AUDIT_OPTION_TYPE",
          "type" : "VARCHAR2"
        },
        {
          "name" : "OBJECT_SCHEMA",
          "type" : "VARCHAR2"
        },
        {
          "name" : "OBJECT_NAME",
          "type" : "VARCHAR2"
        },
        {
          "name" : "OBJECT_TYPE",
          "type" : "VARCHAR2"
        },
        {
          "name" : "COMMON",
          "type" : "VARCHAR2"
        },
        {
          "name" : "INHERITED",
          "type" : "VARCHAR2"
        },
        {
          "name" : "AUDIT_ONLY_TOPLEVEL",
          "type" : "VARCHAR2"
        }
      ],
      "items" : [
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "SELECT ANY DICTIONARY",
          "audit_option_type" : "SYSTEM PRIVILEGE",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER SYSTEM",
          "audit_option_type" : "SYSTEM PRIVILEGE",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE SYNONYM",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP SYNONYM",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE PROCEDURE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER PROCEDURE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE DATABASE LINK",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP DATABASE LINK",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER USER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER SYSTEM",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE USER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE ROLE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP USER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP ROLE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE TRIGGER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER TRIGGER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP TRIGGER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE PROFILE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP PROFILE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER PROFILE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP PROCEDURE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER ROLE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE FUNCTION",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER FUNCTION",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP FUNCTION",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE PACKAGE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER PACKAGE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP PACKAGE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE PACKAGE BODY",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER PACKAGE BODY",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "DROP PACKAGE BODY",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER SYNONYM",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER DATABASE LINK",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "GRANT",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "policy_name" : "ORA_CIS_RECOMMENDATIONS",
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "REVOKE",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "common" : "NO",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        }
      ]
    }
  ]
}
35 rows selected. 

What is in CIS but NOT in Oracle shipped CIS policy?

select /*json-formatted*/ audit_condition ,
condition_eval_opt ,
audit_option ,
audit_option_type ,
object_schema ,
object_name ,
object_type ,
inherited ,
audit_only_toplevel
from audit_unified_policies
where policy_name='CIS_UNIFIED_AUDIT_POLICY'
minus
select audit_condition ,
condition_eval_opt ,
audit_option ,
audit_option_type ,
object_schema ,
object_name ,
object_type ,
inherited ,
audit_only_toplevel
from audit_unified_policies
where policy_name='ORA_CIS_RECOMMENDATIONS';

{
      "items" : [
        {
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALL",
          "audit_option_type" : "OBJECT ACTION",
          "object_schema" : "AUDSYS",
          "object_name" : "AUD$UNIFIED",
          "object_type" : "TABLE",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE USER",
          "audit_option_type" : "SYSTEM PRIVILEGE",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "LOGOFF",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "LOGON",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        }
      ]
    }
  ]
}

What is in Oracle shipped CIS but NOT in CIS policy?

select /*json-formatted*/ audit_condition ,
condition_eval_opt ,
audit_option ,
audit_option_type ,
object_schema ,
object_name ,
object_type ,
inherited ,
audit_only_toplevel
from audit_unified_policies
where policy_name='ORA_CIS_RECOMMENDATIONS'
minus
select audit_condition ,
condition_eval_opt ,
audit_option ,
audit_option_type ,
object_schema ,
object_name ,
object_type ,
inherited ,
audit_only_toplevel
from audit_unified_policies
where policy_name='CIS_UNIFIED_AUDIT_POLICY';

{
      "items" : [
        {
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "ALTER SYSTEM",
          "audit_option_type" : "SYSTEM PRIVILEGE",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        },
        {
          "audit_condition" : "NONE",
          "condition_eval_opt" : "NONE",
          "audit_option" : "CREATE USER",
          "audit_option_type" : "STANDARD ACTION",
          "object_schema" : "NONE",
          "object_name" : "NONE",
          "object_type" : "NONE",
          "inherited" : "NO",
          "audit_only_toplevel" : "NO"
        }
      ]
    }
  ]
}