Oracle 審計和測試操作

eymit發表於2013-05-02
Oracle

1.1  相關引數

1.1.1  AUDIT_SYS_OPERATIONS引數

預設為false,當設定為true時,所有以sysdba,sysoper身份登入的使用者的操作都會被記錄至作業系統中,sysdba相關操作和普通使用者不同,它是記錄在作業系統中不會放在aud$表中,注意這個引數修改後需要重啟才生效

1.1.2  AUDIT_TRAIL 引數

AUDIT_TRAIL  用於開啟和禁用審計,預設值為DB,當值為db的情況不會記錄相關操作的具體SQL,只有為DB,EXTENDED時才會記錄具體執行什麼SQL(aud$表中sql_text才不為空),注意這個引數需要重啟後才生效,這個引數有以下值可以設定,分別含義如下

Parameter Value

Meaning

DB

Enables database auditing and directs all audit records to the database audit trail (SYS.AUD$), except for records that are always written to the operating system audit trail

XML

All elements of the AuditRecord node except Sql_Text and Sql_Bind will be printed to the operating system XML audit file.

DB,EXTENDED

Performs all actions of AUDIT_TRAIL=DB, and also populates the SQL bind and SQL text CLOB-type columns of the SYS.AUD$ table, when available. These two columns are populated only when this parameter is specified.

DB,EXTENDED captures the SQL triggered by an audit. You can capture both the SQL statement that caused the audit, and any associated bind variables. However, be aware that you only can capture data from the following column datatypes: CHARNCHARVARCHARVARCHAR2NVARCHAR2NUMBERFLOATBINARY_FLOAT,BINARY_DOUBLEDATELONGROWID, and TIMESTAMP.

XML,EXTENDED

Does all actions of AUDIT_TRAIL=XML and also populates the SQL bind and SQL text CLOB-type columns of theSYS.AUD$ table, wherever possible. (These columns are populated only when this parameter is specified.)

OS

Enables database auditing and directs all audit records to an operating system file

NONE

Disables standard auditing (This value is the default.)

1.2  審計型別

分為審計按SQL語句審計,按許可權審計,按物件審計和按網路進行審計

審計型別

作用

Statement

記錄所有指定型別的審計語句,如 CREATE TABLETRUNCATE TABLECOMMENT ON TABLE DELETE TABLE等相關的語句.

Privilege

審計所有相關的系統許可權,AUDIT CREATE ANY TRIGGER, CREATE ANY TRIGGER等系統許可權.

Object

根據指定的物件進行審計,如只審計emp表的delete操作.

Network

審計網路錯誤.

 

1.3  審計的觸發條件

1.3.1  根據語句執行是否成功進行審計

不管是語句,許可權和物件都可以根據語句執行是否成功在審計語句後面加判斷詞,語法如下:

在審計語句後面加WHENEVER SUCCESSFUL or WHENEVER NOT SUCCESSFUL

:

AUDIT CREATE TABLE WHENEVER NOT SUCCESSFUL;
AUDIT TRUNCATE TABLE WHENEVER NOT SUCCESSFUL;

1.3.2  根據指定使用者進行審計

在做語句和許可權進行審計的時候可以在審計語句後面加by再加指定使用者名稱,多個使用者用逗號隔開例如下面語句為開啟對scott,blake兩個使用者的所有select tableupdate table許可權

AUDIT SELECT TABLE, UPDATE TABLE  BY scott, blake;

 

1.4  審計相關的檢視

可以通過dba_views檢視所有相關的檢視

select * from dba_views where view_name like '%AUDIT%'

最常用的檢視如下:

---審計系統檢視

select  *  from  STMT_AUDIT_OPTION_MAP    -- 審計選項型別程式碼

select  *  from  AUDIT_ACTIONS    -- action程式碼

select  *  from  ALL_DEF_AUDIT_OPTS    -- 物件建立時預設的物件審計選項

---三種審計已啟用審計選項

select  *  from  DBA_STMT_AUDIT_OPTS    -- 當前資料庫系統審計選項

select  *  from  DBA_PRIV_AUDIT_OPTS    -- 當前許可權審計選項

select  *  from  DBA_OBJ_AUDIT_OPTS     ---檢視當前審計了哪些物件

---審計結果,也可以直接查詢sys.aud$

select  *  from  DBA_AUDIT_TRAIL  ---檢視審計記錄,呼叫的sys.aud$

select  *  from  DBA_AUDIT_OBJECT   ---檢視物件審計記錄

select  *  from  DBA_AUDIT_SESSION  -- session審計記錄

select  *  from  DBA_AUDIT_STATEMENT   -- 檢視語句審計記錄 

select  *  from  DBA_AUDIT_EXISTS    -- 使用BY AUDIT NOT EXISTS選項的審計

select  *  from  DBA_AUDIT_POLICIES    -- 審計POLICIES

select  *  from  DBA_COMMON_AUDIT_TRAIL  -- 標準審計+精細審計記錄


1.5  設定預設表空間不為system


alter table aud$ move tablespace audit_tbs;
alter table aud$ move  LOB ("SQLBIND") store as ( tablespace audit_tbs);
alter table aud$ move  LOB ("SQLTEXT") store as ( tablespace audit_tbs);

 

 

1.6  測試過程

1.6.1  修改audit_trail引數並重啟資料庫

SQL> alter system set audit_trail=DB,EXTENDED  scope=spfile;

System altered.

SQL> shutdown immediate;

Database closed.

Database dismounted.

ORACLE instance shut down.

SQL>

SQL> startup

ORACLE instance started.

Total System Global Area 1640484864 bytes

Fixed Size                  1345296 bytes

Variable Size             973080816 bytes

Database Buffers          654311424 bytes

Redo Buffers               11747328 bytes

Database mounted.

Database opened.

SQL>

1.6.2  測試按語句審計

1)在sys使用者下面開啟語句審計

SQL> AUDIT delete any TABLE, UPDATE any TABLE,insert any table, ALTER any table BY eymit;

Audit succeeded.

SQL>

SQL> AUDIT table BY eymit;

Audit succeeded

 

2)在eymit使用者下建立相關的表和執行部分操作

create table eymit.T_EYMIT

(

  ID   NUMBER,

  NAME VARCHAR2(20)

);

SQL> insert into t_eymit values(1,'aaaa');

1 row inserted

SQL> insert into t_eymit values(2,'bbbbbb');

1 row inserted

SQL> insert into t_eymit values(3,'cccccc');

1 row inserted

SQL> commit;

Commit complete

SQL> update t_eymit set name='bbbbb2' where id=2;

1 row updated

SQL> commit;

Commit complete

SQL>

SQL> alter table T_EYMIT

  2    add constraint pk_eymit primary key (ID);

Table altered

3)檢視新增的審計

SQL> select * from DBA_STMT_AUDIT_OPTS where USER_NAME='EYMIT';

 

USER_NAME             PROXY_NAME             AUDIT_OPTION         SUCCESS    FAILURE

--------------------- -------------- ------------------------- ---------- ----------

EYMIT                                   DELETE ANY TABLE        BY ACCESS   BY ACCESS

EYMIT                                   UPDATE ANY TABLE        BY ACCESS   BY ACCESS

EYMIT                                   INSERT ANY TABLE        BY ACCESS   BY ACCESS

EYMIT                                   ALTER ANY TABLE         BY ACCESS   BY ACCESS

 

SQL> select * from DBA_PRIV_AUDIT_OPTS  where USER_NAME='EYMIT';

 

USER_NAME           PROXY_NAME          PRIVILEGE               SUCCESS    FAILURE

----------------- ----------------- ----------------------- ---------- ----------

EYMIT                                 DELETE ANY TABLE          BY ACCESS   BY ACCESS

EYMIT                                 UPDATE ANY TABLE          BY ACCESS   BY ACCESS

EYMIT                                 INSERT ANY TABLE          BY ACCESS   BY ACCESS

EYMIT                                 ALTER ANY TABLE           BY ACCESS   BY ACCESS

 

 

SQL> select owner,object_name,object_type from DBA_OBJ_AUDIT_OPTS  where wner='EYMIT';

 

OWNER                          OBJECT_NAME                    OBJECT_TYPE

--------------------------- --------------------------------------------------


SQL>

(4)檢視有沒有記錄具體的SQL

測試下來發現,上面語句並沒有記錄相關的操作包括DDLDML都不會記錄具體執行什麼SQL,但是會記錄操作型別

SQL> SELECT T.USERID,T.SQLBIND,T.SQLTEXT FROM AUD$ T WHERE userid='EYMIT';

 

USERID         SQLBIND           SQLTEXT

------- ------------------- ----------------------

EYMIT                                                                                                          

EYMIT                                                                                                           

EYMIT                                                                                                          

EYMIT                                                                                                           

(5)再次測試,發現還是沒有記錄具體的SQL

SQL> create table t_eymit2 as select * from t_eymit;

Table created

SQL>  alter table T_EYMIT2  add constraint pk_eymit2 primary key (ID);

Table altered

SQL> alter table T_EYMIT2 add name2 varchar2(20);

Table altered

sys下面檢視是否生成審計記錄

SQL> select sql_text from DBA_AUDIT_TRAIL where username='EYMIT' ;

 

SQL_TEXT

----------------------------

 

SQL>

(6)重設audit_sys_operations,並進行測試

按文件說明audit_trail=DB,EXTENDED應該會記錄具體的SQL,檢視測試過程都沒有什麼問題,為什麼不生成相關的詳細SQL呢,會不會是許可權問題呢,設定一下audit_sys_operations=true,並重啟了資料庫,發現sql_text記錄了具體的SQL,為了驗證是不是audit_sys_operations的問題,重新設定audit_sys_operations=false再重啟資料庫,sql_text還是會記錄操作的SQL,說明不是audit_sys_operations的問題

 

SQL>  alter system set  audit_sys_operations=true  scope=spfile;

 

System altered.

SQL> startup force

ORACLE instance started.

Total System Global Area 1640484864 bytes

Fixed Size                  1345296 bytes

Variable Size             973080816 bytes

Database Buffers          654311424 bytes

Redo Buffers               11747328 bytes

Database mounted.

Database opened.

SQL>

eymit使用者下面執行建立表的操作

SQL> create table t_eymit3 as select * from t_eymit;

Table created

再使用sys使用者檢視審計資訊,發現已經有記錄了

SQL>  select sql_text from DBA_AUDIT_TRAIL where username='EYMIT' ;

SQL_TEXT

------------------

create table t_eymit3 as select * from t_eymit

SQL>

1.6.3  測試指定物件

使用sys使用者執行下面操作

SQL> audit delete,insert,update on eymit.t_eymit by session;

Audit succeeded

SQL> delete FROM AUD$;

16 rows delete

SQL> commit;

eymit使用者下面作部分操作

SQL> update t_eymit set name='ffffff1' where id=5;

1 row updated

SQL> update t_eymit set name='ffffff2' where id=5;

1 row updated

SQL> commit;

sys下面檢視是否記錄了相關的SQL

SQL> select sql_text from DBA_AUDIT_TRAIL where username='EYMIT' ;

 

SQL_TEXT

----------------

update t_eymit set name='ffffff1' where id=5

update t_eymit set name='ffffff2' where id=5

SQL>

下面操作只記錄新建物件的DDL操作,對新表的操作審計並沒有記錄,注意Oracle沒有提供對schema中所有物件的審計功能,只能一個一個物件審計,對於後面建立的物件,Oracle則提供on default子句來實現自動審計,比如執行audit drop on default by access後,對於隨後建立的物件的drop操作都會審計。但這個default會對之後建立的所有資料庫物件有效,似乎沒辦法指定只對某個使用者建立的物件有效

sys下面清除的審計

SQL> delete FROM AUD$;

SQL> commit;

eymit使用者下新表上執行DML操作

SQL> create table eymit2 as select * from t_eymit;

Table created

SQL> delete eymit2 where id=5;

1 row deleted

SQL> commit;

Commit complete

SQL> insert into eymit2 values(5,'cccccc5');

1 row inserted

SQL> commit;

Commit complete

 

使用sys檢視審計

SQL> select sql_text from DBA_AUDIT_TRAIL where username='EYMIT' ;

 

SQL_TEXT

--------------------------------------------------------------------------

create table eymit2 as select * from t_eymit

 

SQL>

 

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/21605631/viewspace-759640/,如需轉載,請註明出處,否則將追究法律責任。

相關文章