[Security] Oracle Standard Auditing

Published by renjixinchina on 2013-03-14

Oracle Standard Auditing

1 Enabling and Disabling Standard Auditing

Set the AUDIT_TRAIL parameter. The available values are:

  DB            Enables auditing and stores the audit records in the database table SYS.AUD$.
  XML           Enables auditing and stores the audit records in XML files on the operating system.
  DB,EXTENDED   Same as DB (or its older synonym TRUE), and additionally populates the SQLBIND and SQLTEXT columns of AUD$.
  XML,EXTENDED  Same as XML (or TRUE), and additionally records the SQLBIND and SQLTEXT values.
  OS            Enables auditing and writes the audit records to the operating system audit trail.
  NONE          Disables auditing.

  The default in Oracle 10g is NONE.
  The default in Oracle 11g is OS.

Set the AUDIT_FILE_DEST parameter

AUDIT_FILE_DEST is required when AUDIT_TRAIL is set to OS, XML or XML,EXTENDED; it names the directory that receives the audit files.

Set the AUDIT_SYSLOG_LEVEL parameter

See maclean's article on this parameter for reference.
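The following SQL*Plus session, added here as an example and not part of the original post, inspects the three parameters above and switches AUDIT_TRAIL to DB,EXTENDED; the adump path is a placeholder and the session runs as SYSDBA.

```sql
-- Added example (not from the original post): inspect and change the standard
-- audit parameters. Run as SYSDBA; the directory below is a placeholder.

-- 1. Current values and whether each is still at its default.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_file_dest', 'audit_syslog_level');

-- 2. AUDIT_TRAIL is a static parameter: it can only be written to the SPFILE
--    and takes effect after the instance restarts. DB,EXTENDED keeps the
--    records in SYS.AUD$ together with the SQL text and bind values.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 3. Only needed for OS, XML and XML,EXTENDED. The directory must already
--    exist and be writable by the oracle OS user (placeholder path).
ALTER SYSTEM SET audit_file_dest = '/u01/app/oracle/admin/ORCL/adump' SCOPE = SPFILE;

-- 4. Restart the instance, then confirm the running value.
SHUTDOWN IMMEDIATE
STARTUP
SHOW PARAMETER audit_trail

-- 5. Confirm that records are now being written to the database trail
--    (NTIMESTAMP# is the UTC time of the audited action).
SELECT COUNT(*) AS audit_rows, MAX(ntimestamp#) AS newest_utc
  FROM sys.aud$;
```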

2 Audit Categories

  Level      Effect

  Statement
    Audits specific SQL statements or groups of statements that affect a particular type of database object. For example, AUDIT TABLE audits the CREATE TABLE, TRUNCATE TABLE, COMMENT ON TABLE and DELETE [FROM] TABLE statements.

  Privilege
    Audits SQL statements that are authorized by the specified system privilege. For example, AUDIT CREATE ANY TRIGGER audits statements issued using the CREATE ANY TRIGGER system privilege.

  Object
    Audits specific statements on specific objects, such as ALTER TABLE on the emp table.

  Network
    Audits unexpected errors in the network protocol or internal errors in the network layer.

  Audit options

    BY SESSION / BY ACCESS
         BY SESSION  one audit record per session
         BY ACCESS   one audit record per access
    BY USER          restrict the audit to the named users
    WHENEVER SUCCESSFUL / WHENEVER NOT SUCCESSFUL
         audit only successful / only failed statements

 (1) Statement auditing

  -- session
  AUDIT SESSION;
  AUDIT SESSION BY jeff, lori;
  -- DDL
  AUDIT CREATE TABLE;
  -- DML
  AUDIT SELECT TABLE;

  Turning auditing off
  NOAUDIT SESSION;
  NOAUDIT SESSION BY jeff, lori;
  -- DDL
  NOAUDIT CREATE TABLE;
  -- DML
  NOAUDIT SELECT TABLE;

  AUDIT ALL;    -- enable auditing of all statements
  NOAUDIT ALL;  -- disable auditing of all statements

  View of the current settings: DBA_STMT_AUDIT_OPTS
  Views of the audit records: DBA_AUDIT_TRAIL, DBA_AUDIT_SESSION, DBA_AUDIT_STATEMENT

  (2) Privilege auditing

  Audit statements
  AUDIT DELETE ANY TABLE
    BY ACCESS
    WHENEVER NOT SUCCESSFUL;
  AUDIT DELETE ANY TABLE;
  AUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE
      BY ACCESS
      WHENEVER NOT SUCCESSFUL;

  Turning auditing off
  NOAUDIT DELETE ANY TABLE
    BY ACCESS
    WHENEVER NOT SUCCESSFUL;
  NOAUDIT DELETE ANY TABLE;
  NOAUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE
      BY ACCESS
      WHENEVER NOT SUCCESSFUL;

  AUDIT ALL PRIVILEGES;    -- enable auditing of all system privileges
  NOAUDIT ALL PRIVILEGES;  -- disable auditing of all system privileges

  View of the current settings: DBA_PRIV_AUDIT_OPTS
  View of the audit records: DBA_AUDIT_TRAIL

  Note: this audit fires when the system privilege is actually exercised, not simply because the user holds it; where it overlaps with a statement audit, the statement audit takes precedence.

  (3) Object auditing

  Audit statements:
  AUDIT DELETE ON jeff.emp;
  AUDIT SELECT, INSERT, DELETE
     ON jward.dept
     BY ACCESS
     WHENEVER SUCCESSFUL;
  AUDIT SELECT
     ON DEFAULT
     WHENEVER NOT SUCCESSFUL;

  Turning auditing off:
  NOAUDIT DELETE ON jeff.emp;
  NOAUDIT SELECT, INSERT, DELETE
     ON jward.dept
     BY ACCESS
     WHENEVER SUCCESSFUL;
  NOAUDIT SELECT
     ON DEFAULT
     WHENEVER NOT SUCCESSFUL;

  AUDIT ALL
     ON emp;
  NOAUDIT ALL
     ON emp;

  View of the current settings: DBA_OBJ_AUDIT_OPTS
  Views of the audit records: DBA_AUDIT_TRAIL, DBA_AUDIT_OBJECT
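An end-to-end object audit on a constructed table, added here as an example that is not part of the original post: the table hr.salaries is a hypothetical name, and the third query relies on AUDIT_TRAIL=DB,EXTENDED from section 1.

```sql
-- Added example (not from the original post): audit every DML on the
-- hypothetical table hr.salaries, verify the option, then review the records.

-- Record each successful and each failed statement individually.
AUDIT SELECT, INSERT, UPDATE, DELETE
   ON hr.salaries
   BY ACCESS;

-- Verify the options. Each column reads "<successful>/<not successful>":
-- A = by access, S = by session, - = not audited. Expect 'A/A' in all four.
SELECT owner, object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'HR' AND object_name = 'SALARIES';

-- Failed attempts first: RETURNCODE is the ORA- error number, so an
-- ORA-01031 "insufficient privileges" rejection appears as 1031.
SELECT timestamp, username, os_username, userhost, action_name, returncode
  FROM dba_audit_object
 WHERE owner = 'HR' AND obj_name = 'SALARIES'
   AND returncode <> 0
 ORDER BY timestamp DESC;

-- Successful changes with the statement text that DB,EXTENDED stores
-- in DBA_AUDIT_TRAIL.SQL_TEXT (NULL under plain AUDIT_TRAIL=DB).
SELECT timestamp, username, action_name, sql_text
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'SALARIES'
   AND action_name IN ('INSERT', 'UPDATE', 'DELETE')
   AND returncode = 0
 ORDER BY timestamp DESC;
```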

  (4) Network auditing

   

3 Deleting audit records

DELETE FROM SYS.AUD$;

DELETE FROM SYS.AUD$
     WHERE obj$name='EMP';
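Deleting from SYS.AUD$ as shown above discards the evidence; the PL/SQL block below, added here as an example and not part of the original post, copies rows older than 90 days into an archive table before purging them and refuses to purge if the two row counts differ. The schema secadmin and the table audit_archive are hypothetical names.

```sql
-- Added example (not from the original post): archive-then-purge of SYS.AUD$.
-- secadmin.audit_archive is a hypothetical table with the same shape as AUD$.

-- One-time setup: an empty copy of AUD$ owned by a dedicated DBA schema.
CREATE TABLE secadmin.audit_archive AS
SELECT * FROM sys.aud$ WHERE 1 = 0;

DECLARE
  -- NTIMESTAMP# is stored in UTC, so derive the cutoff in UTC as well;
  -- comparing it with SYSTIMESTAMP directly would be off by the session
  -- time zone offset.
  v_cutoff TIMESTAMP := SYS_EXTRACT_UTC(SYSTIMESTAMP) - INTERVAL '90' DAY;
  v_copied PLS_INTEGER;
BEGIN
  INSERT INTO secadmin.audit_archive
  SELECT * FROM sys.aud$
   WHERE ntimestamp# < v_cutoff;
  v_copied := SQL%ROWCOUNT;

  DELETE FROM sys.aud$
   WHERE ntimestamp# < v_cutoff;

  -- Both statements use the same fixed cutoff, so the counts must match;
  -- anything else means rows would be lost and the whole step is undone.
  IF SQL%ROWCOUNT <> v_copied THEN
    ROLLBACK;
    RAISE_APPLICATION_ERROR(-20001,
      'archive/purge row counts differ; nothing was purged');
  END IF;
  COMMIT;
END;
/

-- What is left, so the growth of the audit trail can be tracked over time.
SELECT COUNT(*) AS remaining_rows, MIN(ntimestamp#) AS oldest_utc
  FROM sys.aud$;
```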

4 Related views:

  View                         Description

  STMT_AUDIT_OPTION_MAP
    Contains information about auditing option type codes. Created by the SQL.BSQ script at CREATE DATABASE time.

  AUDIT_ACTIONS
    Contains descriptions for audit trail action type codes.

  ALL_DEF_AUDIT_OPTS
    Contains default object-auditing options that will be applied when objects are created.

  DBA_STMT_AUDIT_OPTS
    Describes current system auditing options across the system and by user.

  DBA_PRIV_AUDIT_OPTS
    Describes current system privileges being audited across the system and by user.

  DBA_OBJ_AUDIT_OPTS
  USER_OBJ_AUDIT_OPTS
    Describes auditing options on all objects. The USER view describes auditing options on all objects owned by the current user.

  DBA_AUDIT_TRAIL
  USER_AUDIT_TRAIL
    Lists all audit trail entries. The USER view shows audit trail entries relating to the current user.

  DBA_AUDIT_OBJECT
  USER_AUDIT_OBJECT
    Contains audit trail records for all objects in the system. The USER view lists audit trail records for statements concerning objects that are accessible to the current user.

  DBA_AUDIT_SESSION
  USER_AUDIT_SESSION
    Lists all audit trail records concerning CONNECT and DISCONNECT. The USER view lists all audit trail records concerning connections and disconnections for the current user.

  DBA_AUDIT_STATEMENT
  USER_AUDIT_STATEMENT
    Lists audit trail records concerning GRANT, REVOKE, AUDIT, NOAUDIT and ALTER SYSTEM statements throughout the database, or, for the USER view, issued by the user.

  DBA_AUDIT_EXISTS
    Lists audit trail entries produced by AUDIT NOT EXISTS.

  DBA_AUDIT_POLICIES
    Shows all the auditing policies on the system.

  DBA_FGA_AUDIT_TRAIL
    Lists audit trail records for value-based auditing.

  DBA_COMMON_AUDIT_TRAIL
    Combines standard and fine-grained audit log records, and includes SYS and mandatory audit records written in XML format.
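Review queries over the views listed above, added here as an example and not part of the original post; they assume AUDIT SESSION (section 2) is enabled and that at least one system privilege is audited, and the thresholds are arbitrary choices.

```sql
-- Added example (not from the original post): three review queries over the
-- standard audit views. Thresholds (24 hours, 5 failures) are arbitrary.

-- Repeated failed logons in the last 24 hours. RETURNCODE holds the ORA-
-- error number: 1017 = ORA-01017 invalid username/password,
-- 28000 = ORA-28000 the account is locked.
SELECT username, os_username, userhost, returncode,
       COUNT(*)       AS failures,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp > SYSDATE - 1
 GROUP BY username, os_username, userhost, returncode
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;

-- Statements that were authorized by an audited system privilege. PRIV_USED
-- names that privilege; it is NULL when an object privilege authorized the
-- statement instead, which is the precedence rule from section 2.
SELECT timestamp, username, action_name, priv_used, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE priv_used IS NOT NULL
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;

-- Everything currently being audited at statement and privilege level, in
-- one list; SUCCESS / FAILURE show BY SESSION, BY ACCESS or NOT SET.
SELECT 'STMT' AS kind, user_name, audit_option AS what, success, failure
  FROM dba_stmt_audit_opts
UNION ALL
SELECT 'PRIV', user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 ORDER BY 1, 2, 3;
```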


From "ITPUB Blog", link: http://blog.itpub.net/15747463/viewspace-756164/. Please cite the source when reproducing; otherwise legal liability will be pursued.
