審計DBA使用者操作
審計對於普通dba使用者而言,沒有什麼特別之處,如果是dba使用者觸發了審計條件,一樣會被記錄到審計日誌中。
但是SYS使用者是不同的,因為普通審計對於SYS使用者無效。
看一個簡單的例子:
SQL> show parameter audit_trail
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_trail string DB
SQL> audit create table;
Audit succeeded.
SQL> conn test/test
Connected.
SQL> select * from session_roles;
ROLE
------------------------------
CONNECT
RESOURCE
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
GATHER_SYSTEM_STATISTICS
SCHEDULER_ADMIN
WM_ADMIN_ROLE
JAVA_ADMIN
JAVA_DEPLOY
XDBADMIN
XDBWEBSERVICES
OLAP_DBA
17 rows selected.
SQL> create table t_audit (id number);
Table created.
SQL> select owner, obj_name, action_name, to_char(timestamp, 'yyyy-mm-dd hh24:mi:ss')
2 from dba_audit_trail
3 where obj_name = 'T_AUDIT';
OWNER OBJ_NAME ACTION_NAME TO_CHAR(TIMESTAMP,'
--------------- -------------------- ---------------------------- -------------------
TEST T_AUDIT CREATE TABLE 2010-11-15 21:59:23
如果是SYS執行CREATE TABLE,則不會留下audit記錄:
SQL> conn / as sysdba
Connected.
SQL> show user
USER is "SYS"
SQL> create table t_sys_audit (id number);
Table created.
SQL> select owner, obj_name, action_name, to_char(timestamp, 'yyyy-mm-dd hh24:mi:ss')
2 from dba_audit_trail
3 where obj_name = 'T_SYS_AUDIT';
no rows selected
Oracle為了解決SYS使用者的審計問題,引入了初始化引數AUDIT_SYS_OPERATIONS,如果這個引數設定為TRUE,所有SYS操作都會寫入到作業系統的AUDIT記錄中:
SQL> show parameter audit_sys_operations
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_sys_operations boolean FALSE
SQL> alter system set audit_sys_operations = true scope = spfile;
System altered.
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 2835349504 bytes
Fixed Size 2075432 bytes
Variable Size 671089880 bytes
Database Buffers 2147483648 bytes
Redo Buffers 14700544 bytes
Database mounted.
Database opened.
SQL> drop table t_sys_audit;
Table dropped.
SQL> select * from dual;
D
-
X
SQL> show parameter audit_file_dest
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /opt/ora10g/admin/test08/adump
SQL> select spid from v$process
2 where addr in (select paddr from v$session
3 where sid in (select sid from v$mystat where rownum = 1));
SPID
------------
3021
下面檢查對應的audit記錄:
SQL> host more /opt/ora10g/admin/test08/adump/ora_3021.aud
Audit file /opt/ora10g/admin/test08/adump/ora_3021.aud
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
ORACLE_HOME = /opt/ora10g/product/10.2.0/db_1
System name: Linux
Node name: yans1
Release: 2.6.9-42.0.0.0.1.ELsmp
Version: #1 SMP Sun Oct 15 15:13:57 PDT 2006
Machine: x86_64
Instance name: test08
Redo thread mounted by this instance: 1
Oracle process number: 15
Unix process pid: 3021, image: oracle@yans1 (TNS V1-V3)
Mon Nov 15 22:38:41 2010
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/1
STATUS: 0
Mon Nov 15 22:38:44 2010
ACTION : 'ALTER DATABASE OPEN'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/1
STATUS: 0
Mon Nov 15 22:43:38 2010
ACTION : 'drop table t_sys_audit'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/1
STATUS: 0
Mon Nov 15 22:43:42 2010
ACTION : 'select * from dual'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/1
STATUS: 0
Mon Nov 15 22:43:50 2010
ACTION : 'SELECT NAME NAME_COL_PLUS_SHOW_PARAM,DECODE(TYPE,1,'boolean',2,'string',3,'integer',4,'file',5,'number', 6,'big int
eger', 'unknown') TYPE,DISPLAY_VALUE VALUE_COL_PLUS_SHOW_PARAM FROM V$PARAMETER WHERE UPPER(NAME) LIKE UPPER('%audit_file_dest%') OR
DER BY NAME_COL_PLUS_SHOW_PARAM,ROWNUM'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/1
STATUS: 0
Mon Nov 15 22:44:48 2010
ACTION : 'select spid from v$process
where addr in (select paddr from v$session
where sid in (select sid from v$mystat where rownum = 1))'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/1
STATUS: 0
可以看到,從以SYS身份登陸開始,到開啟資料庫,執行drop table語句,執行select語句都記錄到audit記錄中,甚至連show parameter引發的sqlplus內部執行的sql語句都記錄了下來。
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/4227/viewspace-678187/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- SQL Server 審計操作概念SQLServer
- Oracle 審計的初步操作Oracle
- Oracle 審計和測試操作Oracle
- 資料庫DDL操作審計資料庫
- Java審計之檔案操作漏洞Java
- linux下使用者操作記錄審計環境的部署記錄Linux
- DBA必讀:Oracle資料庫審計七宗罪Oracle資料庫
- 程式碼審計是什麼?程式碼審計操作流程分為幾步?
- oracle10g audit--審計sys使用者(as sysdba或者sysoper)特權操作行為Oracle
- 【實驗】【審計】【FGA】使用Oracle的審計功能監控資料庫中的可疑操作Oracle資料庫
- DBA ORACLE連線操作Oracle
- Oracle中審計刪除(DELETE)操作的觸發器Oracledelete觸發器
- DBA使用者查詢
- DM7審計之物件審計物件
- 【審計】標準資料庫審計資料庫
- [20141202]11g審計sys.dba_audit_sessionSession
- Oracle審計Oracle
- audit審計
- 審計--audit
- oracle 審計Oracle
- 難以忘懷DBA誤操作
- Linux版對sys使用者進行審計的示例Linux
- Oracle10G審計失敗的使用者登陸Oracle
- oracle資料庫sys使用者的審計(網文摘錄)Oracle資料庫
- 再談審計專案審計質量(轉)
- Oracle Database標準審計和細粒度審計功能OracleDatabase
- Oracle 11g開啟只讀使用者和管理員使用者SQL審計OracleSQL
- 網路安全程式碼審計是什麼?操作流程有哪些?
- openGauss 5.0.0支援使用者級全量審計解密解密
- 【AUDIT】審計並記錄使用者連線資料庫資訊資料庫
- Oracle審計(轉)Oracle
- MySQL審計auditMySql
- Oracle:審計清理Oracle
- AUDIT審計(2)
- Oracle審計列表Oracle
- 審計簡介
- Oracle 審計 auditOracle
- Oracle審計例子Oracle