【FGA】將FGA細粒度審計功能的審計結果記錄在資料庫中

secooler發表於2011-06-02
資料庫
  Oracle引以為傲的FGA細粒度審計功能為監控系統中的異常操作提供了非常便捷的手段。本文給出使用FGA功能將審計資訊記錄到資料庫中的方法。

1.初始化環境
1)清理環境
sys@ora10g> conn / as sysdba
Connected.
sys@ora10g> exec DBMS_FGA.DROP_POLICY ( object_schema => 'SEC', object_name => 'T', policy_name => 'audit_t');

PL/SQL procedure successfully completed.

sys@ora10g> conn sec/sec
Connected.
sec@ora10g> drop table t purge;

Table dropped.

2)建立待審計表T
sys@ora10g> create table t (x number(10), y varchar2(10));

Table created.

2.建立FGA審計策略
1)audit_trail引數設定說明
①audit_trail引數設定為“DBMS_FGA.DB”:審計資訊記錄到資料庫的SYS.FGA_LOG$中,但不包含SQL語句和SQL的繫結變數資訊;
②audit_trail引數設定為“DBMS_FGA.DB + DBMS_FGA.EXTENDED”(預設值):審計資訊記錄到資料庫的SYS.FGA_LOG$中,同時包含SQL語句和SQL的繫結變數資訊;
③audit_trail引數設定為“DBMS_FGA.XML”:審計資訊記錄到AUDIT_FILE_DEST引數對應的作業系統目錄下,為XML格式,但不包含SQL語句和SQL的繫結變數資訊;
④audit_trail引數設定為“DBMS_FGA.XML + DBMS_FGA.EXTENDED”:審計資訊記錄到AUDIT_FILE_DEST引數對應的作業系統目錄下,為XML格式,同時包含SQL語句和SQL的繫結變數資訊;

這裡重點介紹審計記錄到資料庫中的方法。

2)審計結果記錄到資料庫的建立方法
sec@ora10g> conn / as sysdba
Connected.
sys@ora10g> begin
  2  DBMS_FGA.ADD_POLICY (
  3  object_schema => 'SEC',
  4  object_name => 'T',
  5  policy_name => 'audit_t',
  6  audit_condition => 'X < 100',
  7  audit_column => 'X',
  8  enable => TRUE,
  9  statement_types => 'SELECT, INSERT, UPDATE, DELETE',
 10  audit_trail => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
 11  audit_column_opts => DBMS_FGA.ANY_COLUMNS
 12  );
 13  end;
 14  /

PL/SQL procedure successfully completed.

以上建立審計規則中audit_trail和audit_column_opts採用的是預設值,因此上面的審計策略也可以用以下命令實現。
begin
DBMS_FGA.ADD_POLICY (
object_schema => 'SEC',
object_name => 'T',
policy_name => 'audit_t',
audit_condition => 'X < 100',
audit_column => 'X',
enable => TRUE,
statement_types => 'SELECT, INSERT, UPDATE, DELETE'
);
end;
/

3.查詢確認FGA審計策略
透過DBA_AUDIT_POLICIES檢視可以檢視資料庫中的審計規則。
sys@ora10g> col OBJECT_SCHEMA for a3
sys@ora10g> col OBJECT_NAME for a2
sys@ora10g> col POLICY_NAME for a7
sys@ora10g> col POLICY_TEXT for a10
sys@ora10g> col POLICY_COLUMN for a2
sys@ora10g> col PF_SCHEMA for a2
sys@ora10g> col PF_PACKAGE for a2
sys@ora10g> col PF_FUNCTION for a2
sys@ora10g> select * from dba_audit_policies;

OBJ OB POLICY_ POLICY_TEX PO PF PF PF ENA SEL INS UPD DEL AUDIT_TRAIL  POLICY_COLU
--- -- ------- ---------- -- -- -- -- --- --- --- --- --- ------------ -----------
SEC T  AUDIT_T X < 100    X           YES YES YES YES YES DB+EXTENDED  ANY_COLUMNS

我們建立的審計規則盡收眼底。

4.觸發審計規則並檢視審計結果
1)觸發審計規則
向表T中插入一條x列值小於100的記錄。
sys@ora10g> conn sec/sec
Connected.
sec@ora10g> insert into t values (1,'secooler');

1 row created.

sec@ora10g> commit;

Commit complete.

2)檢視審計結果
審計資訊記錄此時已經記錄到了資料庫中,我們可以透過檢索SYS.FGA_LOG$檢視獲得審計資訊。
sec@ora10g> conn / as sysdba
Connected.
sys@ora10g> select count(*) from SYS.FGA_LOG$;

  COUNT(*)
----------
         1

sys@ora10g> set FEEDBACK 1
sys@ora10g> select LSQLTEXT,LSQLBIND from SYS.FGA_LOG$;

LSQLTEXT
------------------------------------------------------
LSQLBIND
------------------------------------------------------
insert into t values (:"SYS_B_0",:"SYS_B_1")
 #1(1):1 #2(8):secooler

1 row selected.

以上選取了LSQLTEXT和LSQLBIND欄位,這兩個欄位記錄了被審計表對應的SQL語句以及繫結變數具體值,這便是audit_trail引數的DBMS_FGA.EXTENDED內容在起作用。

5.測試審計規則不帶DBMS_FGA.EXTENDED引數內容的審計效果
若審計規則中不帶DBMS_FGA.EXTENDED引數,則觸發審計規則後,SQL語句和繫結變數值將不被記錄。
1)刪除審計策略
sys@ora10g> exec DBMS_FGA.DROP_POLICY ( object_schema => 'SEC', object_name => 'T', policy_name => 'audit_t');

PL/SQL procedure successfully completed.

2)建立不帶DBMS_FGA.EXTENDED引數僅含有DBMS_FGA.DB引數的審計規則
sys@ora10g> begin
  2  DBMS_FGA.ADD_POLICY (
  3  object_schema => 'SEC',
  4  object_name => 'T',
  5  policy_name => 'audit_t',
  6  audit_condition => 'X < 100',
  7  audit_column => 'X',
  8  enable => TRUE,
  9  statement_types => 'SELECT, INSERT, UPDATE, DELETE',
 10  audit_trail => DBMS_FGA.DB,
 11  audit_column_opts => DBMS_FGA.ANY_COLUMNS
 12  );
 13  end;
 14  /

PL/SQL procedure successfully completed.

3)確認審計規則
sys@ora10g> col OBJECT_SCHEMA for a3
sys@ora10g> col OBJECT_NAME for a2
sys@ora10g> col POLICY_NAME for a7
sys@ora10g> col POLICY_TEXT for a10
sys@ora10g> col POLICY_COLUMN for a2
sys@ora10g> col PF_SCHEMA for a2
sys@ora10g> col PF_PACKAGE for a2
sys@ora10g> col PF_FUNCTION for a2
sys@ora10g> select * from dba_audit_policies;

OBJ OB POLICY_ POLICY_TEX PO PF PF PF ENA SEL INS UPD DEL AUDIT_TRAIL  POLICY_COLU
--- -- ------- ---------- -- -- -- -- --- --- --- --- --- ------------ -----------
SEC T  AUDIT_T X < 100    X           YES YES YES YES YES DB           ANY_COLUMNS

注意此時AUDIT_TRAIL欄位顯示的內容僅為“DB”。

4)觸發審計規則
sys@ora10g> conn sec/sec
Connected.
sec@ora10g> insert into t values (2, 'Andy');

1 row created.

sec@ora10g> commit;

Commit complete.

5)檢視審計結果
sec@ora10g> conn / as sysdba
Connected.
sys@ora10g> set FEEDBACK 1
sys@ora10g> select LSQLTEXT,LSQLBIND from SYS.FGA_LOG$;

LSQLTEXT
-------------------------------------------------------
LSQLBIND
-------------------------------------------------------
insert into t values (:"SYS_B_0",:"SYS_B_1")
 #1(1):1 #2(8):secooler





2 rows selected.

sys@ora10g> select count(*) from SYS.FGA_LOG$;

  COUNT(*)
----------
         2

1 row selected.

可見此時第二次觸發的審計資訊沒有記錄SQL和繫結變數的資訊。以下是獲取到的全部審計資訊。
sys@ora10g> set head off
sys@ora10g> select * from SYS.FGA_LOG$;

     27595                   SEC
oracle
secdb

oracle
SEC
T
AUDIT_T                                 0

insert into t values (:"SYS_B_0",:"SYS_B_1")



         2 28-MAY-11 08.11.33.914507 AM
         0 5100             0700280096060000                                                                           9     1

 #1(1):1 #2(8):secooler

     27596                   SEC
oracle
secdb

oracle
SEC
T
AUDIT_T                                 0





         2 28-MAY-11 08.12.34.629837 AM
         0 5106             07000B0097060000                                                                           9     1




2 rows selected.

這裡清晰的記錄兩次審計觸發的內容。

6.小結
  本文給出了使用FGA細粒度審計功能實現將審計資訊記錄在資料庫中的方法,這也是Oracle預設採用的方法。
  與此對應的便是將審計資訊以XML格式記錄到檔案中。下回分解。

Good luck.

secooler
11.06.02

-- The End --

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/519536/viewspace-697205/,如需轉載,請註明出處,否則將追究法律責任。

相關文章