本文共 7182 字,大约阅读时间需要 23 分钟。
2. SYSDBA/SYSOPER操作的审计 SQL>show parameter audit; NAME TYPE VALUE ------------------------------------ ----------- --------------- audit_file_dest string /oracle/PQ1/102_64/rdbms/audit audit_sys_operations boolean TRUE audit_syslog_level string audit_trail string OS 设置步骤 SQL> alter system set audit_trail=os scope=spfile; System altered. SQL> alter system set audit_sys_operations=true scope=spfile; System altered. SQL> alter system set audit_file_dest='C:\APP\tom\ADMIN\ORCL\ADUMP' scope=spfile; System altered. 重新启动数据库: SQL> shutdown immediate; Database closed. Database dismounted. ORACLE instance shut down. SQL> startup ORACLE instance started. Total System Global Area 523108352 bytes Fixed Size 1375704 bytes Variable Size 465568296 bytes Database Buffers 50331648 bytes Redo Buffers 5832704 bytes Database mounted. Database opened. 检查当前的审计参数: SQL> show parameter audit; NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ audit_file_dest string C:\APP\tom\ADMIN\ORCL\ADUMP audit_sys_operations boolean TRUE audit_trail string OS 请根据实际需要将C:\APP\tom\ADMIN\ORCL\ADUMP 修改为/oracle/PQ1/102_64/rdbms/audit 或其他审计目录 3. 语句级别的审计命令 脚本: audit create session by tom by access; audit SELECT TABLE by tom by access; audit INSERT TABLE by tom by access; audit UPDATE TABLE by tom by access; audit DELETE TABLE by tom by access; 请按照实际需要将tom修改为需要审计的数据库用户 示范: SQL> select * from dba_stmt_audit_opts; no rows selected SQL> audit create session by tom by access; Audit succeeded. SQL> audit SELECT TABLE by tom by access; Audit succeeded. SQL> audit INSERT TABLE by tom by access; Audit succeeded. SQL> audit UPDATE TABLE by tom by access; Audit succeeded. SQL> audit DELETE TABLE by tom by access; Audit succeeded. SQL> select * from dba_stmt_audit_opts; USER_NAME PROX AUDIT_OPTION SUCCESS FAILURE -------------------- ---- ------------------------------ ---------- ---------- tom CREATE SESSION BY ACCESS BY ACCESS tom DROP ANY TABLE BY ACCESS BY ACCESS tom SELECT ANY TABLE BY ACCESS BY ACCESS tom SELECT TABLE BY ACCESS BY ACCESS tom INSERT TABLE BY ACCESS BY ACCESS tom UPDATE TABLE BY ACCESS BY ACCESS tom DELETE TABLE BY ACCESS BY ACCESS 关闭语句审计 noaudit create session by tom; noaudit select table by tom; noaudit insert table by tom; noaudit update table by tom; noaudit delete table by tom; 4. 权限级别的审计 脚本: audit drop any table by tom by access; audit select any table by tom by access; audit create session by tom by access; 请按照实际需要将tom修改为需要审计的数据库用户 示范 SQL> audit drop any table by tom by access; Audit succeeded. SQL> audit select any table by tom by access; Audit succeeded. SQL> audit create session by tom by access; Audit succeeded. SQL> select * from dba_priv_audit_opts; USER_NAME PROX PRIVILEGE SUCCESS FAILURE -------------------- ---- ------------------------------ ---------- ---------- tom SELECT ANY TABLE BY ACCESS BY ACCESS tom DROP ANY TABLE BY ACCESS BY ACCESS tom CREATE SESSION BY ACCESS BY ACCESS 关闭权限审计 noaudit drop any table by tom; noaudit select any table by tom; noaudit create session by tom; 5. 默认对象的审计 脚本: audit alter on default by session; audit audit on default by session; audit delete on default by session; audit grant on default by access; audit lock on default by session; 示范: SQL> select * from all_def_audit_opts; ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE FBK REA --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- SQL> audit alter on default by session; Audit succeeded. SQL> audit audit on default by session; Audit succeeded. SQL> audit delete on default by session; Audit succeeded. SQL> audit grant on default by access; Audit succeeded. SQL> audit lock on default by session; Audit succeeded. SQL> select * from all_def_audit_opts; ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE FBK REA --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- S/S S/S -/- S/S A/A -/- -/- S/S -/- -/- -/- -/- -/- -/- -/- 关闭默认对象审计: noaudit alter on default ; noaudit audit on default ; noaudit delete on default ; noaudit grant on default; noaudit lock on default; 6. 其他注意事项 1. 审计命令选项 by session对每个session中发生的重复操作只记录一次,by access对每个session中发生的每次操作都记录,而不管是否重复 Whenever [not] successful/whenever successful 操作成功(dba_audit_trail中returncode字段为0) 才审计. whenever not successful 操作失败才设计. 省略该子句(Whenever [not] successful/whenever successful )的话,不管操作成功与否都会审计。 2. 审计数据库初始化参数文件中AUDIT_TRAIL=OS时,审计记录存在操作系统的文件中,即参数AUDIT_FILE_DEST 指定的值,如果是windows,审计记录存放在事件管理器的应用程序日志中。数据库初始化参数文件中AUDIT_TRAIL=DB时,审计记录存在数据库中 3. 审计信息相关的数据字典视图 DBA_AUDIT_TRAIL 所有审计记录 DBA_AUDIT_EXISTS NOT EXISTS 审计产生的记录 DBA_AUDIT_OBJECT 关于对象的审计记录 DBA_AUDIT_SESSION 连接和断开的记录 DBA_AUDIT_STATEMENT 语句级别的审计记录 SYS.AUD$ 是唯一保留审计结果的表。其它的都是视图 AUDIT_ACTIONS 包含对审计跟踪动作类型代码的说明 ALL_DEF_AUDIT_OPTS 包含默认对象审计选项。当创建对象时将应用这些选项 DBA_STMT_AUDIT_OPTS 由用户设置的跨系统的当前系统审计选项 DBA_PRIV_AUDIT_OPTS 由用户正在审计的跨系统的当前系统权限 DBA_OBJ_AUDIT_OPTS 在所有对象上的审计选项 USER_OBJ_AUDIT_OPTS USER 视图描述当前用户拥有的所有对象上的审计选项 4. 有时候“语句审计”和“权限审计”是相互重复的。并不需要明确的区分这2种类型。例如下面红色粗体部分: SQL> audit create table; Audit succeeded. SQL> SELECT * FROM DBA_STMT_AUDIT_OPTS; USER_NAME PROX AUDIT_OPTION SUCCESS FAILURE -------------------- ---- ------------------------------ ---------- ---------- tom CREATE SESSION BY ACCESS BY ACCESS CREATE TABLE BY ACCESS BY ACCESS CREATE ANY TABLE BY ACCESS BY ACCESS tom DROP ANY TABLE BY ACCESS BY ACCESS tom SELECT ANY TABLE BY ACCESS BY ACCESS tom SELECT TABLE BY ACCESS BY ACCESS tom INSERT TABLE BY ACCESS BY ACCESS tom UPDATE TABLE BY ACCESS BY ACCESS tom DELETE TABLE BY ACCESS BY ACCESS 9 rows selected. SQL> SELECT * FROM DBA_PRIV_AUDIT_OPTS; USER_NAME PROX PRIVILEGE SUCCESS FAILURE -------------------- ---- ------------------------------ ---------- ---------- tom SELECT ANY TABLE BY ACCESS BY ACCESS tom DROP ANY TABLE BY ACCESS BY ACCESS CREATE ANY TABLE BY ACCESS BY ACCESS CREATE TABLE BY ACCESS BY ACCESS tom CREATE SESSION BY ACCESS BY ACCESS 5. ALL_DEF_AUDIT_OPTS 数据字典视图说明 -/-: no default auditing S/-: auditing whenever successful -/S: auditing whenever not successful Column Datatype NULL Description ALT VARCHAR2(3) Auditing ALTER WHENEVER SUCCESSFUL / UNSUCCESSFUL AUD VARCHAR2(3) Auditing AUDIT WHENEVER SUCCESSFUL / UNSUCCESSFUL COM VARCHAR2(3) Auditing COMMENT WHENEVER SUCCESSFUL / UNSUCCESSFUL DEL VARCHAR2(3) Auditing DELETE WHENEVER SUCCESSFUL / UNSUCCESSFUL GRA VARCHAR2(3) Auditing GRANT WHENEVER SUCCESSFUL / UNSUCCESSFUL IND VARCHAR2(3) Auditing INDEX WHENEVER SUCCESSFUL / UNSUCCESSFUL INS VARCHAR2(3) Auditing INSERT WHENEVER SUCCESSFUL / UNSUCCESSFUL LOC VARCHAR2(3) Auditing LOCK WHENEVER SUCCESSFUL / UNSUCCESSFUL REN VARCHAR2(3) Auditing RENAME WHENEVER SUCCESSFUL / UNSUCCESSFUL SEL VARCHAR2(3) Auditing SELECT WHENEVER SUCCESSFUL / UNSUCCESSFUL UPD VARCHAR2(3) Auditing UPDATE WHENEVER SUCCESSFUL / UNSUCCESSFUL REF CHAR(3) This column is obsolete and maintained for backward compatibility. The value of this column is always -/- EXE VARCHAR2(3) Auditing EXECUTE WHENEVER SUCCESSFUL / UNSUCCESSFUL FBK VARCHAR2(3) Auditing FLASHBACK WHENEVER SUCCESSFUL / UNSUCCESSFUL REA VARCHAR2(3) Auditing READ WHENEVER SUCCESSFUL / UNSUCCESSFUL 转载于:https://my.oschina.net/sansom/blog/196180
