[FGA] Recording the results of FGA fine-grained auditing in an XML file

Posted by secooler on 2011-06-05
  Oracle's fine-grained auditing (FGA), a feature it is justly proud of, provides a very convenient means of monitoring abnormal operations in a system. This article shows how to use FGA to write audit information to XML files. For writing audit information to the database, see the article "[FGA] Recording the results of FGA fine-grained auditing in the database" (http://space.itpub.net/519536/viewspace-697205).

1. Initialize the environment
1) Clean up the environment
sys@ora10g> conn / as sysdba
Connected.
sys@ora10g> exec DBMS_FGA.DROP_POLICY ( object_schema => 'SEC', object_name => 'T', policy_name => 'audit_t');

PL/SQL procedure successfully completed.

sys@ora10g> conn sec/sec
Connected.
sec@ora10g> drop table t purge;

Table dropped.

2) Create the table T to be audited
sys@ora10g> create table t (x number(10), y varchar2(10));

Table created.

2. Create the FGA audit policy
1) Notes on the audit_trail parameter settings
① audit_trail set to DBMS_FGA.DB: audit records are written to SYS.FGA_LOG$ in the database, without the SQL text or the SQL bind variable values;
② audit_trail set to DBMS_FGA.DB + DBMS_FGA.EXTENDED (the default): audit records are written to SYS.FGA_LOG$ in the database, including the SQL text and the SQL bind variable values;
③ audit_trail set to DBMS_FGA.XML: audit records are written in XML format to the operating-system directory given by the AUDIT_FILE_DEST parameter, without the SQL text or the SQL bind variable values;
④ audit_trail set to DBMS_FGA.XML + DBMS_FGA.EXTENDED: audit records are written in XML format to the operating-system directory given by the AUDIT_FILE_DEST parameter, including the SQL text and the SQL bind variable values.

Here we concentrate on recording the audit results to XML files.

2) Creating a policy that records audit results to an XML file
sec@ora10g> conn / as sysdba
Connected.
sys@ora10g> begin
  2  DBMS_FGA.ADD_POLICY (
  3  object_schema => 'SEC',
  4  object_name => 'T',
  5  policy_name => 'audit_t',
  6  audit_condition => 'X < 100',
  7  audit_column => 'X',
  8  enable => TRUE,
  9  statement_types => 'SELECT, INSERT, UPDATE, DELETE',
 10  audit_trail => DBMS_FGA.XML + DBMS_FGA.EXTENDED,
 11  audit_column_opts => DBMS_FGA.ANY_COLUMNS
 12  );
 13  end;
 14  /

PL/SQL procedure successfully completed.

3. Query and confirm the FGA audit policy
The audit policies defined in the database can be inspected through the DBA_AUDIT_POLICIES view.
sys@ora10g> col OBJECT_SCHEMA for a3
sys@ora10g> col OBJECT_NAME for a2
sys@ora10g> col POLICY_NAME for a7
sys@ora10g> col POLICY_TEXT for a10
sys@ora10g> col POLICY_COLUMN for a2
sys@ora10g> col PF_SCHEMA for a2
sys@ora10g> col PF_PACKAGE for a2
sys@ora10g> col PF_FUNCTION for a2
sys@ora10g> select * from dba_audit_policies;

OBJ OB POLICY_ POLICY_TEX PO PF PF PF ENA SEL INS UPD DEL AUDIT_TRAIL  POLICY_COLU
--- -- ------- ---------- -- -- -- -- --- --- --- --- --- ------------ -----------
SEC T  AUDIT_T X < 100    X           YES YES YES YES YES XML+EXTENDED ANY_COLUMNS


The audit policy we created is shown in full.

4. Trigger the audit policy and view the audit results
1) Trigger the audit policy
Connect as the sec user and insert into table T a row whose x column value is less than 100.
sys@ora10g> conn sec/sec
Connected.
sec@ora10g> insert into t values (1,'secooler');

1 row created.

sec@ora10g> commit;

Commit complete.

Note that here we reconnect as the sec user before inserting a second row.
sec@ora10g> conn sec/sec
Connected.
sec@ora10g> insert into t values (2,'Andy');

1 row created.

sec@ora10g> commit;

Commit complete.

2) View the audit information recorded in V$XML_AUDIT_TRAIL
sec@ora10g> conn / as sysdba
Connected.
sys@ora10g> set feedback 1
sys@ora10g> select SQL_TEXT,SQL_BIND from V$XML_AUDIT_TRAIL;

SQL_TEXT
----------------------------------------------------------
SQL_BIND
----------------------------------------------------------
insert into t values (:"SYS_B_0",:"SYS_B_1")
 #1(1):1 #2(8):secooler

insert into t values (:"SYS_B_0",:"SYS_B_1")
 #1(1):2 #2(4):Andy


2 rows selected.

3) View the contents of the XML audit files
(1) Find the audit file directory and change into it
ora10g@secdb /home/oracle$ sqlplus / as sysdba

SQL*Plus: Release 10.2.0.1.0 - Production on Sun Jun 5 21:00:24 2011

Copyright (c) 1982, 2005, Oracle.  All rights reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options

sys@ora10g> show parameter user_dump_dest

sys@ora10g> show parameter audit_file_dest

NAME              TYPE    VALUE
----------------- ------- -------------------------------------
audit_file_dest   string  /oracle/ora10gR2/admin/ora10g/adump

sys@ora10g> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
ora10g@secdb /home/oracle$ cd /oracle/ora10gR2/admin/ora10g/adump
ora10g@secdb /oracle/ora10gR2/admin/ora10g/adump$

(2) The kinds of audit files generated
ora10g@secdb /oracle/ora10gR2/admin/ora10g/adump$ ls -tlr
total 20K
-rw-r----- 1 oracle oinstall 634 Jun  5 21:05 ora_5367.aud
-rw-r--r-- 1 oracle oinstall 970 Jun  5 21:06 ora_3217384196.xml
-rw-r--r-- 1 oracle oinstall 110 Jun  5 21:07 adx_ora10g.txt
-rw-r----- 1 oracle oinstall 634 Jun  5 21:11 ora_5400.aud
-rw-r--r-- 1 oracle oinstall 966 Jun  5 21:11 ora_3217745444.xml

The two files ending in .aud record login information and are unrelated to the audited content;
the adx_ora10g.txt file lists the audit files generated across the several logins;
the files ending in .xml record the audited information in detail.

(3) View the contents of adx_ora10g.txt
ora10g@secdb /oracle/ora10gR2/admin/ora10g/adump$ cat adx_ora10g.txt
/oracle/ora10gR2/admin/ora10g/adump
ora_3217384196.xml
/oracle/ora10gR2/admin/ora10g/adump
ora_3217745444.xml
This shows that two audit triggerings were recorded.

(4) The audit information in XML format
ora10g@secdb /oracle/ora10gR2/admin/ora10g/adump$ cat ora_3217384196.xml

 
   xmlns:xsi=""
   xsi:schemaLocation="">
   10.2
227598912011-06-05T21:06:55.028121SECoracleoraclesecdb53780SECTAUDIT_T201002D008E060000
0
#1(1):1 #2(8):secooler

insert into t values (:"SYS_B_0",:"SYS_B_1")



ora10g@secdb /oracle/ora10gR2/admin/ora10g/adump$ cat ora_3217745444.xml

 
   xmlns:xsi=""
   xsi:schemaLocation="">
   10.2
227599912011-06-05T21:07:01.368908SECoracleoraclesecdb53790SECTAUDIT_T20600160080060000
0
#1(1):2 #2(4):Andy

insert into t values (:"SYS_B_0",:"SYS_B_1")




The XML files above record the two audited operations in XML format.

5. Test the auditing effect of a policy without DBMS_FGA.EXTENDED
If the audit policy does not include DBMS_FGA.EXTENDED, the SQL text and the bind variable values are not recorded when the policy fires.
1) Drop the audit policy
sys@ora10g> exec DBMS_FGA.DROP_POLICY ( object_schema => 'SEC', object_name => 'T', policy_name => 'audit_t');

PL/SQL procedure successfully completed.


2) Create an audit policy with only DBMS_FGA.XML and without DBMS_FGA.EXTENDED
sys@ora10g> begin
  2   DBMS_FGA.ADD_POLICY (
  3   object_schema => 'SEC',
  4   object_name => 'T',
  5   policy_name => 'audit_t',
  6   audit_condition => 'X < 100',
  7   audit_column => 'X',
  8   enable => TRUE,
  9   statement_types => 'SELECT, INSERT, UPDATE, DELETE',
 10   audit_trail => DBMS_FGA.XML,
 11   audit_column_opts => DBMS_FGA.ANY_COLUMNS
 12   );
 13   end;
 14   /

PL/SQL procedure successfully completed.

3) Confirm the audit policy
sys@ora10g> col OBJECT_SCHEMA for a3
sys@ora10g> col OBJECT_NAME for a2
sys@ora10g> col POLICY_NAME for a7
sys@ora10g> col POLICY_TEXT for a10
sys@ora10g> col POLICY_COLUMN for a2
sys@ora10g> col PF_SCHEMA for a2
sys@ora10g> col PF_PACKAGE for a2
sys@ora10g> col PF_FUNCTION for a2
sys@ora10g> select * from dba_audit_policies;

OBJ OB POLICY_ POLICY_TEX PO PF PF PF ENA SEL INS UPD DEL AUDIT_TRAIL  POLICY_COLU
--- -- ------- ---------- -- -- -- -- --- --- --- --- --- ------------ -----------
SEC T  AUDIT_T X < 100    X           YES YES YES YES YES XML          ANY_COLUMNS


4) Trigger the audit policy
sys@ora10g> conn sec/sec
Connected.
sec@ora10g> insert into t values (3, 'HOU');

1 row created.

sec@ora10g> commit;

Commit complete.

5) View the audit results recorded in the V$XML_AUDIT_TRAIL view
sec@ora10g> conn / as sysdba
Connected.
sys@ora10g> set feedback 1
sys@ora10g> select SQL_TEXT,SQL_BIND from V$XML_AUDIT_TRAIL;

SQL_TEXT
----------------------------------------------------------------
SQL_BIND
----------------------------------------------------------------
insert into t values (:"SYS_B_0",:"SYS_B_1")
 #1(1):1 #2(8):secooler

insert into t values (:"SYS_B_0",:"SYS_B_1")
 #1(1):2 #2(4):Andy





3 rows selected.

Three rows are returned here; the empty last row shows that the audit record captured neither the SQL text nor the SQL bind variable values.
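As an added example (not code from the original post), a small Python parser for the SQL_BIND format shown in the V$XML_AUDIT_TRAIL output above, `#position(length):value`, together with a check that flags rows carrying no SQL_TEXT, the symptom of a policy created with DBMS_FGA.XML but without DBMS_FGA.EXTENDED. The sample rows are constructed from the output in this article.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample rows modelled on the V$XML_AUDIT_TRAIL output above:
# (SQL_TEXT, SQL_BIND). The third row imitates a record produced by a policy
# created with audit_trail => DBMS_FGA.XML alone: the policy fired, but the
# statement and its binds were not captured, so both columns are NULL.
SAMPLE_ROWS = [
    ('insert into t values (:"SYS_B_0",:"SYS_B_1")', ' #1(1):1 #2(8):secooler'),
    ('insert into t values (:"SYS_B_0",:"SYS_B_1")', ' #1(1):2 #2(4):Andy'),
    (None, None),
]

# One bind entry starts with "#<position>(<length>):", followed by <length>
# characters of value. Entries are separated by a single space.
_BIND_HEADER = re.compile(r'#(\d+)\((\d+)\):')


def parse_sql_bind(sql_bind: Optional[str]) -> List[Tuple[int, str]]:
    """Split an FGA SQL_BIND string into (position, value) pairs.

    The declared length, not whitespace, decides where a value ends, so a bind
    value that itself contains spaces or '#' is recovered intact.
    """
    binds: List[Tuple[int, str]] = []
    if not sql_bind:
        return binds
    cursor = 0
    while (m := _BIND_HEADER.search(sql_bind, cursor)) is not None:
        position, length = int(m.group(1)), int(m.group(2))
        start = m.end()
        binds.append((position, sql_bind[start:start + length]))
        cursor = start + length  # skip past the value before looking for the next header
    return binds


def rows_without_statement(rows) -> List[int]:
    """Return the indexes of audit rows whose SQL_TEXT is NULL.

    Such rows are the signature of a policy whose audit_trail lacks
    DBMS_FGA.EXTENDED: the access is still audited, but the statement that
    caused it cannot be reconstructed from the trail.
    """
    return [i for i, (sql_text, _) in enumerate(rows) if not sql_text]


if __name__ == '__main__':
    for i, (sql_text, sql_bind) in enumerate(SAMPLE_ROWS):
        print(i, sql_text, parse_sql_bind(sql_bind))
    print('rows missing SQL_TEXT:', rows_without_statement(SAMPLE_ROWS))
```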

6) View the audit results recorded in the XML file
(1) List of generated audit files
ora10g@secdb /oracle/ora10gR2/admin/ora10g/adump$ ls -ltr
total 32K
-rw-r----- 1 oracle oinstall 634 Jun  5 21:05 ora_5367.aud
-rw-r--r-- 1 oracle oinstall 970 Jun  5 21:06 ora_3217384196.xml
-rw-r----- 1 oracle oinstall 634 Jun  5 21:11 ora_5400.aud
-rw-r--r-- 1 oracle oinstall 966 Jun  5 21:11 ora_3217745444.xml
-rw-r----- 1 oracle oinstall 634 Jun  5 22:08 ora_5638.aud
-rw-r--r-- 1 oracle oinstall 165 Jun  5 22:09 adx_ora10g.txt
-rw-r----- 1 oracle oinstall 634 Jun  5 22:09 ora_5644.aud
-rw-r--r-- 1 oracle oinstall 857 Jun  5 22:09 ora_3218245620.xml

(2) View the list of XML files in adx_ora10g.txt
ora10g@secdb /oracle/ora10gR2/admin/ora10g/adump$ cat adx_ora10g.txt
/oracle/ora10gR2/admin/ora10g/adump
ora_3217384196.xml
/oracle/ora10gR2/admin/ora10g/adump
ora_3217745444.xml
/oracle/ora10gR2/admin/ora10g/adump
ora_3218245620.xml

(3) Only the last XML file needs to be examined here
This file records the audit information from the most recent triggering.
ora10g@secdb /oracle/ora10gR2/admin/ora10g/adump$ cat ora_3218245620.xml

 
   xmlns:xsi=""
   xsi:schemaLocation="">
   10.2
227600912011-06-05T22:09:23.529200SECoracleoraclesecdb56410SECTAUDIT_T204001400AA060000
0



The XML file likewise contains no SQL text or SQL bind variable information. The effect is confirmed.

6. Summary
  This article has shown how to record FGA fine-grained audit results in XML files; with this, all four ways of recording FGA audit results have been covered.

Good luck.

secooler
11.06.05

-- The End --

From "ITPUB Blog", link: http://blog.itpub.net/519536/viewspace-697209/. If reposting, please cite the source; otherwise legal liability may be pursued.
