audit審計
一、審計簡介
審計(Audit)用於監視使用者所執行的資料庫操作,審計記錄可存在資料字典表(稱為審計記錄:儲存在system表空間中的 SYS.AUD$表中,可通過檢視dba_audit_trail檢視)或作業系統審計記錄中(預設位置為$ORACLE_BASE/admin/$ORACLE_SID/adump/).。預設情況下審計是沒有開啟的。
當資料庫的審計是使能的,在語句執行階段產生審計記錄。審計記錄包含有審計的操作、使用者執行的操作、操作的日期和時間等資訊。
不管你是否開啟資料庫的審計功能,以下這些作業系統會強制記錄:用管理員許可權連線Instance;啟動資料庫;關閉資料庫。
預設為false,當設定為true時,所有sys使用者(包括以sysdba, sysoper身份登入的使用者)的操作都會被記錄,audit trail不會寫在aud$表中,這個很好理解,如果資料庫還未啟動aud$不可用,那麼像conn /as sysdba這樣的連線資訊,只能記錄在其它地方。如果是windows平臺,audti trail會記錄在windows的事件管理中,如果是linux/unix平臺則會記錄在audit_file_dest引數指定的檔案中。
None:是預設值,不做審計;
DB:將audit trail 記錄在資料庫的審計相關表中,如aud$,審計的結果只有連線資訊;
DB,Extended:這樣審計結果裡面除了連線資訊還包含了當時執行的具體sql語句;
OS:將audit trail 記錄在作業系統檔案中,檔名由audit_file_dest引數指定;
XML:10g裡新增的。
注:這兩個引數是static引數,需要重新啟動資料庫才能生效。
--設定開啟審計功能(DB模式)
SQL> alter system set audit_trail=DB;
alter system set audit_trail=DB
*
ERROR at line 1:
ORA-02095: specified initialization parameter cannot be modified
因為audit_trail是靜態引數,需要修改初始化引數檔案才行。
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
--修改初始化引數檔案
[oracle@gc1 audit]$ cd $ORACLE_HOME/dbs
[oracle@gc1 dbs]$ vi initPROD.ora
SQL> startup
ORACLE instance started.
Total System Global Area 419430400 bytes
Fixed Size 1219760 bytes
Variable Size 113247056 bytes
Database Buffers 301989888 bytes
Redo Buffers 2973696 bytes
Database mounted.
Database opened.
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/product/10.2.0
/db_1/rdbms/audit
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB
三、審計分類
審計分類:
1)session:在同一個session,相同的語句只產生一個審計結果(預設)
2)access:在同一個session,每一個語句產生一個審計結果。
by 使用者名稱,只審計某個特定使用者的,whenever not succesful審計失敗的,whenever successful審計成功的,不加就是對所有不論成功失敗都審計。
3.1 基於語句
審計關鍵字 table
SQL> audit table ;
Audit succeeded.
--scott使用者建立刪除一個表
SQL> conn scott/tiger
Connected.
SQL> create table emp1 as select * from emp;
Table created.
SQL> drop table emp1 purge;
Table dropped.
--檢視審計資訊
SQL> col USERNAME for a10;
SQL> col ACTION_NAME for a20
SQL> col OBJ_NAME for a10
SQL> select USERNAME,ACTION_NAME,OBJ_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_audit_trail;
USERNAME ACTION_NAME OBJ_NAME TO_CHAR(TIMESTAMP,'
---------- -------------------- ---------- -------------------
SCOTT CREATE TABLE EMP1 2014-04-21 22:53:33
SCOTT DROP TABLE EMP1 2014-04-21 22:53:40
由此可見,剛才scott使用者的create table與drop table操作都被審計記下來
--刪除審計資訊(先檢視dba_audit_trail對應的基表,然後刪除基表資訊即可)
SQL> delete from dba_audit_trail;
delete from dba_audit_trail
*
ERROR at line 1:
ORA-01752: cannot delete from view without exactly one key-preserved table
SQL> set autotrace traceonly;
SQL> select USERNAME,ACTION_NAME,OBJ_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_audit_trail;
Execution Plan
----------------------------------------------------------
Plan hash value: 3419024717
-------------------------------------------------------------------------------------------------
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
-------------------------------------------------------------------------------------------------
| 0 | SELECT STATEMENT | | 1 | 167 | 6 (0)| 00:00:01 |
| 1 | NESTED LOOPS OUTER | | 1 | 167 | 6 (0)| 00:00:01 |
| 2 | NESTED LOOPS OUTER | | 1 | 163 | 5 (0)| 00:00:01 |
| 3 | NESTED LOOPS OUTER | | 1 | 158 | 4 (0)| 00:00:01 |
| 4 | NESTED LOOPS OUTER| | 1 | 153 | 3 (0)| 00:00:01 |
| 5 | TABLE ACCESS FULL| AUD$ | 1 | 135 | 2 (0)| 00:00:01 |
|* 6 | INDEX RANGE SCAN | I_AUDIT_ACTIONS | 1 | 18 | 1 (0)| 00:00:01 |
|* 7 | INDEX RANGE SCAN | I_SYSTEM_PRIVILEGE_MAP | 1 | 5 | 1 (0)| 00:00:01 |
|* 8 | INDEX RANGE SCAN | I_SYSTEM_PRIVILEGE_MAP | 1 | 5 | 1 (0)| 00:00:01 |
|* 9 | INDEX RANGE SCAN | I_STMT_AUDIT_OPTION_MAP | 1 | 4 | 1 (0)| 00:00:01 |
-------------------------------------------------------------------------------------------------
Predicate Information (identified by operation id):
---------------------------------------------------
6 - access("AUD"."ACTION#"="ACT"."ACTION"(+))
7 - access("SPM"."PRIVILEGE"(+)=(-"AUD"."LOGOFF$DEAD"))
8 - access("SPX"."PRIVILEGE"(+)=(-"AUD"."PRIV$USED"))
9 - access("AUD"."LOGOFF$DEAD"="AOM"."OPTION#"(+))
Statistics
----------------------------------------------------------
0 recursive calls
0 db block gets
9 consistent gets
0 physical reads
0 redo size
729 bytes sent via SQL*Net to client
385 bytes received via SQL*Net from client
2 SQL*Net roundtrips to/from client
0 sorts (memory)
0 sorts (disk)
2 rows processed
SQL> set autotrace off;
SQL> delete from AUD$;
2 rows deleted.
SQL> commit;
Commit complete.
SQL> select USERNAME,ACTION_NAME,OBJ_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_audit_trail;
no rows selected
--關閉審計
SQL> noaudit table;
Noaudit succeeded.
--審計特定使用者的某些操作
SQL> audit table by scott whenever not successful;
Audit succeeded.
SQL> conn scott/tiger
Connected.
SQL> create table emp as select * from emp;
create table emp as select * from emp
*
ERROR at line 1:
ORA-00955: name is already used by an existing object
SQL> select USERNAME,ACTION_NAME,OBJ_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_audit_trail;
USERNAME ACTION_NAME OBJ_NAME TO_CHAR(TIMESTAMP,'
---------- -------------------- ---------- -------------------
SCOTT CREATE TABLE EMP 2014-04-21 23:23:10
3.2 基於許可權
SQL> audit select any table;
Audit succeeded.
SQL> grant select any table to tom;
Grant succeeded.
--tom使用者查詢自身表
SQL> conn tom/tom
Connected.
SQL> select * from tab;
no rows selected
--查詢審計資訊(不觸發審計,因為沒有用到select any table許可權)
SQL> select USERNAME,ACTION_NAME,OBJ_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_audit_trail;
no rows selected
--tom使用者查詢scott表資訊
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
7369 SMITH CLERK 7902 17-DEC-80 800 20
7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30
7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30
7566 JONES MANAGER 7839 02-APR-81 2975 20
7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30
7698 BLAKE MANAGER 7839 01-MAY-81 2850 30
7782 CLARK MANAGER 7839 09-JUN-81 2450 10
7788 SCOTT ANALYST 7566 19-APR-87 3000 20
7839 KING PRESIDENT 17-NOV-81 5000 10
7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30
7876 ADAMS CLERK 7788 23-MAY-87 1100 20
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
7900 JAMES CLERK 7698 03-DEC-81 950 30
7902 FORD ANALYST 7566 03-DEC-81 3000 20
7934 MILLER CLERK 7782 23-JAN-82 1300 10
14 rows selected.
--再次查詢審計資訊(有記錄,因為使用了select any table的許可權)
SQL> select USERNAME,ACTION_NAME,OBJ_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_audit_trail;
USERNAME ACTION_NAME OBJ_NAME TO_CHAR(TIMESTAMP,'
---------- -------------------- ---------- -------------------
TOM SESSION REC EMP 2014-04-21 23:30:56
--tom檢視系統使用者表
SQL> select * from dba_users;
select * from dba_users
*
ERROR at line 1:
ORA-00942: table or view does not exist
注意:為什麼有select any table許可權,卻不能訪問dba使用者表,因為o7引數設定為false,如下:
SQL> show parameter o7;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
O7_DICTIONARY_ACCESSIBILITY boolean FALSE
若O7_DICTIONARY_ACCESSIBILITY為true,只要有select any table許可權就可訪問所有使用者表,反之則不能訪問系統使用者外所有表。
--檢視剛剛tom使用者檢視系統使用者表是否觸發了審計功能
SQL> select USERNAME,ACTION_NAME,OBJ_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_audit_trail;
no rows selected
由此可見,只有當對dba系統表查詢失敗後,不觸發審計。
--關掉審計
SQL> noaudit select any table;
Noaudit succeeded.
SQL> delete from aud$;
0 rows deleted.
SQL> commit;
Commit complete.
--再次用tom使用者使用select any table許可權
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
7369 SMITH CLERK 7902 17-DEC-80 800 20
7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30
7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30
7566 JONES MANAGER 7839 02-APR-81 2975 20
7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30
7698 BLAKE MANAGER 7839 01-MAY-81 2850 30
7782 CLARK MANAGER 7839 09-JUN-81 2450 10
7788 SCOTT ANALYST 7566 19-APR-87 3000 20
7839 KING PRESIDENT 17-NOV-81 5000 10
7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30
7876 ADAMS CLERK 7788 23-MAY-87 1100 20
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
7900 JAMES CLERK 7698 03-DEC-81 950 30
7902 FORD ANALYST 7566 03-DEC-81 3000 20
7934 MILLER CLERK 7782 23-JAN-82 1300 10
14 rows selected.
--檢視審計資訊(按理關掉了,應該無相關記錄)
SQL> select USERNAME,ACTION_NAME,OBJ_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_audit_trail;
USERNAME ACTION_NAME OBJ_NAME TO_CHAR(TIMESTAMP,'
---------- -------------------- ---------- -------------------
TOM SESSION REC EMP 2014-04-21 23:41:20
注意:雖然關掉了審計,但再次操作時,還是會記審計資訊,網上查了下原因,有人解釋“audit對當前的session沒有作用,只對新建session有效 ,按照這個推理,noaudit對當前的session也沒有作用,等所有的session都退出重連應該就不會新增審計資訊了”。
3.3 基於物件
--建立審計scott.emp物件的審計
SQL> audit all on scott.emp;
Audit succeeded.
SQL> show user
USER is "TOM"
SQL> delete from scott.emp;
delete from scott.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges
--檢視審計資訊(新增ses_actions列資訊)
SQL> select USERNAME,ACTION_NAME,OBJ_NAME,SES_ACTIONS,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_audit_trail;
USERNAME ACTION_NAME OBJ_NAME SES_ACTIONS TO_CHAR(TIMESTAMP,'
---------- -------------------- ---------- ------------------- -------------------
TOM SESSION REC EMP ---F------------ 2014-04-21 23:52:19
注意:ses_actions列包括16個短槓,分別代表含義如下:
1 更改,2審計,3註釋,4刪除,5授權,6索引,7插入,8鎖定,9重新命名,10選擇,11更新,12引用,13執行,14未使用,15未使用,16未使用。
值S表示成功,F表示失敗,B代表都有。
由此可見,上面查詢結果第四個短槓F表示,刪除失敗,對應之前的操作。
注意,前三種審計稱為一般審計,預設都看不到具體的sql語句資訊(sql_text列資訊為空),除非設定audit_trail引數為DB,Extended,下面講精細審計,精細審計可看到詳細的操作語句。
四、精細審計
審計的時候,加上條件過濾,使用包來做。
--查官方精細審計文件,找到Oracle Database PL/SQL Packages and Types Reference中dbms_FGA包內容,複製範例內容如下:
做相應修改後,執行即可,如:
SQL> begin
2 DBMS_FGA.ADD_POLICY (
3 object_schema => 'scott',
4 object_name => 'emp',
5 policy_name => 'mypolicy1',
6 audit_condition => 'sal > 1000',
7 audit_column => 'sal',
8 handler_schema => NULL,
9 handler_module => NULL,
10 enable => TRUE,
11 statement_types => 'INSERT, UPDATE,select',
12 audit_trail => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
13 audit_column_opts => DBMS_FGA.ANY_COLUMNS);
14 end;
15 /
PL/SQL procedure successfully completed.
--檢視精細審計資訊
select DB_USER,SQL_TEXT,OBJECT_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_fga_audit_trail;
--scott使用者執行相關操作(不觸發精細審計)
SQL> conn scott/tiger
Connected.
SQL> select * from emp where sal<=1000;
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
7369 SMITH CLERK 7902 17-DEC-80 800 20
7900 JAMES CLERK 7698 03-DEC-81 950 30
--檢視審計資訊(應該是無相關記錄,因為查詢條件得到的結果不在審計範圍內)
SQL> select DB_USER,SQL_TEXT,OBJECT_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_fga_audit_trail;
no rows selected
--scott使用者再次執行相關操作(觸發精細審計)
SQL> select * from emp where comm is not null;
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30
7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30
7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30
7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30
--檢視精細審計資訊
SQL> col DB_USER for a10;
SQL> col SQL_TEXT for a50;
SQL> col OBJECT_NAME for a10;
SQL> select DB_USER,SQL_TEXT,OBJECT_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_fga_audit_trail;
DB_USER SQL_TEXT OBJECT_NAM TO_CHAR(TIMESTAMP,'
---------- -------------------------------------------------- ---------- -------------------
SCOTT select * from emp where comm is not null EMP 2014-04-22 00:21:44
注意:這回有精細審計內容了,雖然查詢條件中不是設定的精細審計條件,但是查詢結果中有sal>1000的值的記錄,因此精細審計條件不是針對查詢條件設定的,而是針對查詢結果內容的篩選。
--刪除精細審計資訊(同理,也是先查詢基表,然後刪除基表資訊即可)
SQL> set autotrace traceonly;
SQL> select DB_USER,SQL_TEXT,OBJECT_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_fga_audit_trail;
Execution Plan
----------------------------------------------------------
Plan hash value: 1613626607
------------------------------------------------------------------------------
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
------------------------------------------------------------------------------
| 0 | SELECT STATEMENT | | 1 | 2098 | 2 (0)| 00:00:01 |
| 1 | TABLE ACCESS FULL| FGA_LOG$ | 1 | 2098 | 2 (0)| 00:00:01 |
------------------------------------------------------------------------------
Statistics
----------------------------------------------------------
0 recursive calls
12 db block gets
4 consistent gets
0 physical reads
0 redo size
728 bytes sent via SQL*Net to client
385 bytes received via SQL*Net from client
2 SQL*Net roundtrips to/from client
0 sorts (memory)
0 sorts (disk)
1 rows processed
SQL> set autotrace off;
SQL> delete from FGA_LOG$;
1 row deleted.
SQL> commit;
Commit complete.
--刪除精細審計
修改官方案例
修改後如下:
直接執行會報錯,可採用
begin
DBMS_FGA.DROP_POLICY (
object_schema => 'scott',
object_name => 'emp',
policy_name => 'mypolicy1');
end;
/
或者換行後面加上-符號,如下:
exec DBMS_FGA.DROP_POLICY (-
object_schema => 'scott',-
object_name => 'emp',-
policy_name => 'mypolicy1');
--執行刪除精細審計操作
SQL> exec DBMS_FGA.DROP_POLICY (-
> object_schema => 'scott',-
> object_name => 'emp',-
> policy_name => 'mypolicy1');
PL/SQL procedure successfully completed.
--再次執行剛剛產生精細審計的語句
SQL> select * from emp where comm is not null;
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30
7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30
7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30
7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30
--檢視精細審計資訊
SQL> select DB_USER,SQL_TEXT,OBJECT_NAME,to_char(TIMESTAMP,'yyyy-mm-dd hh24:mi:ss') from dba_fga_audit_trail;
no rows selected
由此可見,精細審計drop後,當前session不再產生審計資訊,不同於一般審計,雖然刪除了,但當前session還是會產生審計資訊
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/21251711/viewspace-1148940/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- 審計--audit
- MySQL審計auditMySql
- AUDIT審計(2)
- Oracle 審計 auditOracle
- oracle 審計(Audit)Oracle
- SQL Server 審計(Audit)SQLServer
- ORACLE AUDIT審計(1)Oracle
- oracle開啟audit(審計)Oracle
- Oracle Audit 審計 說明Oracle
- RHEL審計內容/etc/audit/audit.rules
- Oracle audit 審計功能說明Oracle
- 【AUDIT]Oracle審計配置及常用sqlOracleSQL
- AUDIT審計的一些使用
- MySQL審計外掛-MariaDB Audit PluginMySqlPlugin
- FGA審計及audit_trail引數AI
- SSH服務審計工具ssh-audit
- mysql 5.7新增server_audit 安全審計功能MySqlServer
- Oracle Audit 審計功能的認識與使用Oracle
- RHEL審計配置/etc/audit/auditd.conf
- MySQL5.6 audit審計外掛安裝初探MySql
- AUDIT_TRAIL設定及審計日誌清理AI
- Audit裡審計SQL語句與審計系統許可權的區別SQL
- Oracle中審計引數audit_trail的討論(轉)OracleAI
- Oracle 標準審計,設定AUDIT_SYSLOG _LEVEL引數Oracle
- 管理AUDIT_TRAIL初始化引數配置標準審計AI
- 語句審計相關的表是stmt_audit_option_map
- 【AUDIT】審計並記錄使用者連線資料庫資訊資料庫
- [20141202]11g審計sys.dba_audit_sessionSession
- oracle10g audit--審計sys使用者(as sysdba或者sysoper)特權操作行為Oracle
- DM7審計之物件審計物件
- 【審計】標準資料庫審計資料庫
- Database Audit and Audit trail purgingDatabaseAI
- Oracle審計Oracle
- oracle 審計Oracle
- FN_AUDIT - Name of security audit file
- 再談審計專案審計質量(轉)
- Oracle Database標準審計和細粒度審計功能OracleDatabase
- ORACLE AUDITOracle