Thanks for quick response and as always a new direction to explore.
I'll study making audit policy like this(was not aware of it).
Now as an alternate i was searching I built a simple trigger on LOGON with if condition as below.
create TRIGGER user_auditing
AFTER LOGON ON DATABASE
IF (upper(SYS_CONTEXT('USERENV','OS_USER')) NOT IN ( 'abc','xyx','ABC','XYZ'))
execute immediate 'AUDIT ALL STATEMENTS IN SESSION CURRENT BY ACCESS WHENEVER SUCCESSFUL';
WHEN OTHERS THEN
it was working fine for 90% case but user is logging through SQL developer tool so when executing "
select sysdate from dual
" it is generating 400 rows in auditing.
so question :: Can I exclude select from this audit (and how as i didn't get any syntax)
and seen in your code "action all" will audit all system actions and select also as in above case but as per table entry it says do not use 184 185 186 .
select * from AUDITABLE_SYSTEM_ACTIONS where action in ('184','185','186') and component='Standard';
so question 2 :: Should we use "ALL" option.
Question 3 :: is there any big difference in above 2 method.