Oracle標準資料庫稽核

llnnmc發表於2017-09-21

Oracle標準資料庫稽核可以對一般使用者(不包括SYS)的各種許可權操作進行稽核和跟蹤。


一、標準資料庫稽核的基本方法


1、開啟標準資料庫稽核


初始化引數audit_trail是一個靜態引數,該引數確定如何啟用稽核,不同的值表示是否開啟稽核以及如何記錄稽核。

該引數可以設定為如下的值:

noneflase10g為預設):不稽核;

dbtrue11g為預設):稽核結果記錄到資料庫表sys.aud$,可以透過檢視dba_audit_trail來檢視結果;

os:稽核結果記錄到作業系統檔案中,Unixaudit_file_dest引數中指定,Windows則在應用程式日誌中(事件檢視器eventvwr);

db_extended:與db大致相同,但稽核結果包含了具有繫結變數的SQL語句;

xml:與os大致相同,但使用xml來標記;

xml_extended:與xml大致相同,但稽核結果包含了具有繫結變數的SQL語句。


2、指定稽核選項


使用audit命令可以配置資料庫稽核,標準資料庫稽核包含以下幾類:


1)系統許可權稽核


稽核系統許可權的操作,如

audit create any table;

audit create any trigger;

稽核某使用者的系統許可權操作,如

audit select any table by scott;

訪問自己的表時不會做稽核。

稽核使用者的建立和刪除

audit create user, drop user;

查開啟的系統許可權稽核,透過資料字典dba_priv_audit_opts11g預設會開啟以下稽核

col user_name for a20

col proxy_name for a20

col privilege for a30

col success for a20

col failure for a20

select * from dba_priv_audit_opts;


USER_NAME       PROXY_NAME      PRIVILEGE                                SUCCESS    FAILURE

--------------- --------------- ---------------------------------------- ---------- ----------

                                CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS

                                CREATE ANY JOB                           BY ACCESS  BY ACCESS

                                GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS

                                EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS

                                CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS

                                GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS

                                DROP PROFILE                             BY ACCESS  BY ACCESS

                                ALTER PROFILE                            BY ACCESS  BY ACCESS

                                DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS

                                ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS

                                CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS

                                ALTER DATABASE                           BY ACCESS  BY ACCESS

                                GRANT ANY ROLE                           BY ACCESS  BY ACCESS

                                CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS

                                DROP ANY TABLE                           BY ACCESS  BY ACCESS

                                ALTER ANY TABLE                          BY ACCESS  BY ACCESS

                                CREATE ANY TABLE                         BY ACCESS  BY ACCESS

                                DROP USER                                BY ACCESS  BY ACCESS

                                ALTER USER                               BY ACCESS  BY ACCESS

                                CREATE USER                              BY ACCESS  BY ACCESS

                                CREATE SESSION                           BY ACCESS  BY ACCESS

                                AUDIT SYSTEM                             BY ACCESS  BY ACCESS

                                ALTER SYSTEM                             BY ACCESS  BY ACCESS


2)物件許可權稽核


對所有使用者(不包括syssys是不稽核的),如

aduit alter, delete, drop, insert on scott.emp;

對某個使用者,如

audit select on hr.employees by scott;

對所有操作,如

audit all on hr.employees;

查開啟的物件稽核,透過資料字典dba_obj_audit_opts,預設是都沒有開啟

select * from dba_obj_audit_opts;


OWNER      OBJECT_NAME     OBJECT_TYPE     ALT   AUD   COM   DEL   GRA   IND   INS   LOC   REN   SEL   UPD   REF EXE   CRE   REA   WRI   FBK

---------- --------------- --------------- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- --- ----- ----- ----- ----- -----


3)語句稽核


如稽核表的所有DDL操作

audit table;

查開啟的語句稽核,透過資料字典dba_stmt_audit_opts11g預設會開啟以下稽核,其中也包含了上述屬於系統許可權的稽核

col user_name for a20

col proxy_name for a20

col audit_option for a30

col success for a20

col failure for a20

select * from dba_stmt_audit_opts;


USER_NAME       PROXY_NAME      AUDIT_OPTION                             SUCCESS    FAILURE

--------------- --------------- ---------------------------------------- ---------- ----------

                                ALTER SYSTEM                             BY ACCESS  BY ACCESS

                                SYSTEM AUDIT                             BY ACCESS  BY ACCESS

                                CREATE SESSION                           BY ACCESS  BY ACCESS

                                CREATE USER                              BY ACCESS  BY ACCESS

                                ALTER USER                               BY ACCESS  BY ACCESS

                                DROP USER                                BY ACCESS  BY ACCESS

                                PUBLIC SYNONYM                           BY ACCESS  BY ACCESS

                                DATABASE LINK                            BY ACCESS  BY ACCESS

                                ROLE                                     BY ACCESS  BY ACCESS

                                PROFILE                                  BY ACCESS  BY ACCESS

                                CREATE ANY TABLE                         BY ACCESS  BY ACCESS

                                ALTER ANY TABLE                          BY ACCESS  BY ACCESS

                                DROP ANY TABLE                           BY ACCESS  BY ACCESS

                                CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS

                                GRANT ANY ROLE                           BY ACCESS  BY ACCESS

                                SYSTEM GRANT                             BY ACCESS  BY ACCESS

                                ALTER DATABASE                           BY ACCESS  BY ACCESS

                                CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS

                                ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS

                                DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS

                                ALTER PROFILE                            BY ACCESS  BY ACCESS

                                DROP PROFILE                             BY ACCESS  BY ACCESS

                                GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS

                                CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS

                                EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS

                                GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS

                                CREATE ANY JOB                           BY ACCESS  BY ACCESS

                                CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS


4)其它稽核配置


稽核會話登入

audit session;

這與稽核create session許可權的使用效果相同。

取消稽核,透過noaudit命令指定

noaudit session;

noaudit all on scott.emp;

稽核成功的操作,透過whenever successful選項指定,如稽核表的成功插入

audit insert on scott.emp whenever successful;

稽核不成功的操作,透過whenever not successful選項指定,如稽核失敗的會話登入

audit session whenever not successful;

預設情況下是稽核所有的操作,不論成功與否。

會話級別上的稽核,透過by session選項指定

audit update on scott.emp by session;

操作級別上的稽核,透過by access選項指定

audit update on scott.emp by access;

物件許可權稽核預設是by session

系統許可權稽核預設是by access


3、檢視稽核記錄


如果稽核針對資料庫(audit_trail=dbdb_extended),則稽核記錄寫入資料字典表sys.aud$中,雖然可以直接檢視,但透過建立在其上的檢視來檢視將更加方便。

常用的檢視是dba_audit_trail,其常用列的解釋如下:

os_username:執行操作的使用者的作業系統使用者名稱

username:執行操作的使用者的Oracle使用者名稱

userhost:執行使用者程式的計算機名稱

timestamp:稽核事件的發生時間

ownerobj_name:受影響物件的模式和名稱

actionaction_name:稽核的操作,操作程式碼action的對照含義可查資料字典表audit_actions

priv_used:使用的系統許可權

sql_text:執行的語句

如果沒有表aud$及檢視dba_audit_trail,則需要執行稽核相關的資料字典表的安裝指令碼,安裝後要重啟資料庫,安裝指令碼位於

%ORACLE_HOME%\rdbms\admin\cataudit.sql

其它稽核檢視顯示了dba_audit_trail檢視的一個子集:

dba_audit_object

dba_audit_statement

dba_audit_session


二、標準資料庫稽核實驗


1、建立實驗用表

create table scott.emp1 as select * from scott.emp;

grant all on scott.emp1 to hr;


2、啟用稽核

audit all on scott.emp1 by access;

audit table;

alter system set audit_sys_operations=true scope=spfile;

alter system set audit_trail='db_extended' scope=spfile;

重啟資料庫例項

shutdown immediate

startup

實驗前可先清除稽核結果表的所有記錄

truncate table sys.aud$;


3、進行sysdba的活動,並檢視稽核結果

以sysdba身份登入並操作

select * from dba_users;

select * from scott.emp1;

create user audr1 identified by audr1;

drop user audr1;

create table scott.emp2 as select * from scott.emp1;

select * from scott.emp2;

drop table scott.emp2 purge;

檢視sysdba的稽核結果,由於開啟了sysdba稽核,所以可以在作業系統檔案和日誌中看到所有操作記錄。Unix檢視audit_file_dest指定的目標檔案,Windows透過事件檢視器eventvwr檢視應用程式日誌。另外可以看到SYS管理員的操作不會記入aud$中,檢視dba_audit_trail沒有相關記錄。


4、用system使用者登入操作,並檢視稽核結果

select * from scott.emp;

select * from scott.emp1;

create user audr1 identified by audr1;

grant connect to audr1;

create table audr1.t1(n number);

select * from audr1.t1;

drop table audr1.t1 purge;

drop user audr1;

退出system的登入

檢視稽核結果

col os_username for a20

col username for a20

col userhost for a20

col owner for a10

col obj_name for a20

col action_name for a20

col priv_used for a20

col sql_text for a50

select os_username, username, userhost, timestamp, owner, obj_name, action, action_name, priv_used, sql_text from dba_audit_trail order by timestamp desc;


OS_USERNAME          USERNAME             USERHOST             TIMESTAMP           OWNER      OBJ_NAME                 ACTION ACTION_NAME          PRIV_USED            SQL_TEXT

-------------------- -------------------- -------------------- ------------------- ---------- -------------------- ---------- -------------------- -------------------- --------------------------------------------------

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:36:05                                101 LOGOFF

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:35:59            AUDR1                53 DROP USER            DROP USER            drop user audr1

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:35:49 AUDR1      T1                   12 DROP TABLE           DROP ANY TABLE       drop table audr1.t1 purge

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:35:32 AUDR1      T1                    1 CREATE TABLE         CREATE ANY TABLE     create table audr1.t1(n number)

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:35:24            CONNECT                     114 GRANT ROLE           GRANT ANY ROLE       grant connect to audr1

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:35:14            AUDR1                51 CREATE USER          CREATE USER          create user audr1 identified by *****

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:35:04 SCOTT      EMP1                  3 SELECT               SELECT ANY TABLE     select * from scott.emp1

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:34:33                                100 LOGON                CREATE SESSION


由於沒有對錶scott.emp加入稽核,因此對它的查詢未計入表中,而會話的登入登出、建表、刪表、授權是預設開啟的系統許可權稽核,因此這些操作被記入表中,同樣對錶audr1.t1的查詢也不會加入稽核。


5、清空aud$記錄,在sys下建立使用者audr1,並分別用audr1和hr使用者登入操作,檢視稽核結果

sys的操作

create user audr1 identified by audr1;

grant connect to audr1;

audr1使用者登入操作

select * from scott.emp1;

由於沒有給audr1訪問scott.emp1的許可權,因此以上查詢將失敗

audr1使用者退出登入

hr使用者登入操作

select * from scott.emp1;

update scott.emp1 set sal=2000 where empno=7369;

commit;

update scott.emp1 set sal=2500 where empno=7369;

rollback;

hr使用者退出登入

檢視稽核記錄

col os_username for a20

col username for a20

col userhost for a20

col owner for a10

col obj_name for a20

col action_name for a20

col priv_used for a20

col sql_text for a50

select os_username, username, userhost, timestamp, owner, obj_name, action, action_name, priv_used, sql_text from dba_audit_trail order by timestamp desc;


OS_USERNAME          USERNAME             USERHOST             TIMESTAMP           OWNER      OBJ_NAME                 ACTION ACTION_NAME          PRIV_USED            SQL_TEXT

-------------------- -------------------- -------------------- ------------------- ---------- -------------------- ---------- -------------------- -------------------- --------------------------------------------------

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:42:29                                101 LOGOFF

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:45:33 SCOTT      EMP1                  6 UPDATE                                    update scott.emp1 set sal=2500 where empno=7369

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:42:17 SCOTT      EMP1                  6 UPDATE                                    update scott.emp1 set sal=2000 where empno=7369

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:42:09 SCOTT      EMP1                  3 SELECT                                    select * from scott.emp1

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:41:49                                100 LOGON                CREATE SESSION

Administrator        AUDR1                WORKGROUP\MYPC       2017-09-20 10:41:41                                101 LOGOFF

Administrator        AUDR1                WORKGROUP\MYPC       2017-09-20 10:41:29 SCOTT      EMP1                  3 SELECT                                    select * from scott.emp1

Administrator        AUDR1                WORKGROUP\MYPC       2017-09-20 10:41:01                                100 LOGON                CREATE SESSION


由於預設是操作不論成功與否都會納入稽核,因此audr1使用者失敗的查詢也被記錄,commit和rollback語句並沒有記錄,不管執行的語句最後是被提交還是回滾,更新操作總是被稽核的。


6、取消物件稽核

noaudit all on scott.emp1;

hr使用者再次登入操作

select * from scott.emp1;

hr使用者退出登入

檢視稽核記錄,確認稽核只有使用者的登入登出,其它已取消。如果要將會話的登入登出記錄也取消,則執行noaudit session,但這樣一來,預設的系統許可權稽核將不再包括該項,除非執行audit session重新加入。


7、清空aud$記錄,改為會話級別的稽核,並檢視結果

audit all on scott.emp1 by session;

再次以hr使用者登入並操作

select * from scott.emp1;

update scott.emp1 set sal=800 where empno=7369;

commit;

hr使用者退出登入

檢視稽核記錄

col os_username for a20

col username for a20

col userhost for a20

col owner for a10

col obj_name for a20

col action_name for a20

col priv_used for a20

col sql_text for a50

select os_username, username, userhost, timestamp, owner, obj_name, action, action_name, priv_used, sql_text from dba_audit_trail order by timestamp desc;


OS_USERNAME          USERNAME             USERHOST             TIMESTAMP           OWNER      OBJ_NAME                 ACTION ACTION_NAME          PRIV_USED            SQL_TEXT

-------------------- -------------------- -------------------- ------------------- ---------- -------------------- ---------- -------------------- -------------------- --------------------------------------------------

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:54:55                                101 LOGOFF

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:54:44 SCOTT      EMP1                103 SESSION REC                               update scott.emp1 set sal=800 where empno=7369

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:54:36 SCOTT      EMP1                103 SESSION REC                               select * from scott.emp1

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:54:29                                100 LOGON                CREATE SESSION


比較可知,操作級別的稽核明確記錄了action_name為select、update等,而會話級別的稽核action_name只標明為session rec,但sql_text仍記錄了會話中每一步操作的SQL語句。


8、取消稽核,清理恢復

noaudit all on scott.emp1;

drop user audr1;

drop table scott.emp1 purge;

alter system set audit_trail=false scope=spfile;

alter system set audit_sys_operations=false scope=spfile;

重啟資料庫例項

清空aud$記錄


來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/28974745/viewspace-2145264/,如需轉載,請註明出處,否則將追究法律責任。

相關文章