`

Oracle Database Audit 10g(原创)

 
阅读更多

Server Setup
Auditing is a default feature of the Oracle server. The initialization parameters that influence its behaviour can be displayed using the SHOW PARAMETER SQL*Plus command.
SQL> SHOW PARAMETER AUDIT
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      C:\ORACLE\PRODUCT\10.2.0\ADMIN
                                                 \DB10G\ADUMP
audit_sys_operations                 boolean     FALSE
audit_trail                          string      NONE
Auditing is disabled by default, but can enabled by setting the AUDIT_TRAIL static parameter, which has the following allowed values.
AUDIT_TRAIL = { none | os | db | db,extended | xml | xml,extended }
The following list provides a description of each setting:

  • none or false - Auditing is disabled.
  • db or true - Auditing is enabled, with all audit records stored in the database audit trial (SYS.AUD$).
  • db,extended - As db, but the SQL_BIND and SQL_TEXT columns are also populated.
  • xml- Auditing is enabled, with all audit records stored as XML format OS files.
  • xml,extended - As xml, but the SQL_BIND and SQL_TEXT columns are also populated.
  • os- Auditing is enabled, with all audit records directed to the operating system's audit trail.

Note. In Oracle 10g Release 1, db_extended was used in place of db,extended. The XML options are new to Oracle 10g Release 2.

The AUDIT_SYS_OPERATIONS static parameter enables or disables the auditing of operations issued by users connecting with SYSDBA or SYSOPER privileges, including the SYS user. All audit records are written to the OS audit trail. After enable sys operation audit, you'll find below context in OS audit file.

Sat Apr 26 15:50:41 2014 +08:00
LENGTH : '218'
ACTION :[64] 'select count(*) from dba_tables
where table_name='AQ$_SCHEDULES''
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/4'
STATUS:[1] '0'
DBID:[10] '1348048916'
The AUDIT_FILE_DEST parameter specifies the OS directory used for the audit trail when the os, xml and xml,extended options are used. It is also the location for all mandatory auditing specified by the AUDIT_SYS_OPERATIONS parameter.
To enable auditing and direct audit records to the database audit trail, we would do the following.
SQL> ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE;
System altered.
SQL> SHUTDOWN
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> STARTUP
ORACLE instance started.
Total System Global Area  289406976 bytes
Fixed Size                  1248600 bytes
Variable Size              71303848 bytes
Database Buffers          213909504 bytes
Redo Buffers                2945024 bytes
Database mounted.
Database opened.

审计级别
当开启审计功能后,可在三个级别对数据库进行审计:Statement(语句)、Privilege(权限)、object(对象)。
语句审计,对某种类型的SQL语句审计,不指定结构或对象。比如audit table 会审计数据库中所有的create table,drop table,truncate table语句,alter session by cmy会审计cmy用户所有的数据库连接。
权限审计,当用户使用了该权限则被审计,如执行grant selectany table to a,当执行了audit select any table语句后,当用户a 访问了用户b的表时(如select * from b.t)会用到select any table权限,故会被审计。注意用户是自己表的所有者,所以用户访问自己的表不会被审计。
对象审计,对一特殊模式对象上的指定语句的审计. 如审计on关键字指定对象的相关操作,如aduit alter,delete,drop,insert on cmy.t by scott; 这里会对cmy用户的t表进行审计,但同时使用了by子句,所以只会对scott用户发起的操作进行审计。
注意:Oracle没有提供对schema中所有对象的审计功能,只能一个一个对象审计,对于后面创建的对象,Oracle则提供on default子句来实现自动审计,比如执行

audit create on default by access;

后,对于随后创建的对象的create操作都会审计。但这个default会对之后创建的所有数据库对象有效,似乎没办法指定只对某个用户创建的对象有效,可以使用 trigger可以对schema的DDL进行“审计”,这个功能稍显不足。
审计的一些其他选项
by access / by session
by access  每一个被审计的操作都会生成一条audit trail。
by session 一个会话里面同类型的操作只会生成一条audit trail,默认为by session。
whenever [not] successful
whenever successful 操作成功(dba_audit_trail中returncode字段为0) 才审计,
whenever not successful 反之。省略该子句的话,不管操作成功与否都会审计。

审计相关的视图
dba_audit_trail:保存所有的audit trail,实际上它只是一个基于aud$的视图。其它的视图dba_audit_session,dba_audit_object,dba_audit_statement都只是dba_audit_trail的一个子集。
dba_stmt_audit_opts:可以用来查看statement审计级别的audit options,即数据库设置过哪些statement级别的审计。dba_obj_audit_opts,dba_priv_audit_opts视图功能与之类似
all_def_audit_opts:用来查看数据库用on default子句设置了哪些默认对象审计。
取消审计
将对应审计语句的audit改为noaudit即可,
audit session whenever successful;
对应的取消审计语句为

noaudit session whenever successful;
Audit Options
One look at the AUDIT command syntax should give you an idea of how flexible Oracle auditing is. There is no point repeating all this information, so instead we will look at a simple example.
First we create a new user called AUDIT_TEST.
CONNECT sys/password AS SYSDBA
CREATE USER audit_test IDENTIFIED BY password
      DEFAULT TABLESPACE users
      TEMPORARY TABLESPACE temp
      QUOTA UNLIMITED ON users;
GRANT connect TO audit_test;
GRANT create table, create procedure TO audit_test;
Next we audit all operations by the AUDIT_TEST user.
CONNECT sys/password AS SYSDBA
AUDIT ALL BY audit_test BY ACCESS;
AUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY audit_test BY ACCESS;
AUDIT EXECUTE PROCEDURE BY audit_test BY ACCESS;
These options audit all DDL and DML, along with some system events.

  • DDL (CREATE, ALTER & DROP of objects)
  • DML (INSERT UPDATE, DELETE, SELECT, EXECUTE).
  • SYSTEM EVENTS (LOGON, LOGOFF etc.)

Next, we perform some operations that will be audited.
    CONN audit_test/password
    CREATE TABLE test_tab (
      id  NUMBER
    );
    INSERT INTO test_tab (id) VALUES (1);
    UPDATE test_tab SET id = id;
    SELECT * FROM test_tab;
    DELETE FROM test_tab;
    DROP TABLE test_tab;
View Audit Trail
The audit trail is stored in the SYS.AUD$ table. Its contents can be viewed directly or via the following views.
The three main audit related views are shown below.
    DBA_AUDIT_TRAIL - Standard auditing only (from AUD$).
    DBA_FGA_AUDIT_TRAIL - Fine-grained auditing only (from FGA_LOG$).
    DBA_COMMON_AUDIT_TRAIL - Both standard and fine-grained auditing.
The most basic view of the database audit trail is provided by the DBA_AUDIT_TRAIL view, which contains a wide variety of information. The following query displays the some of the information from the database audit trail.
    COLUMN username FORMAT A10
    COLUMN owner    FORMAT A10
    COLUMN obj_name FORMAT A10
    COLUMN extended_timestamp FORMAT A35
    SELECT username,
           extended_timestamp,
           owner,
           obj_name,
           action_name
    FROM   dba_audit_trail
    WHERE  owner = 'AUDIT_TEST'
    ORDER BY timestamp;
    USERNAME   EXTENDED_TIMESTAMP                  OWNER      OBJ_NAME   ACTION_NAME
    ---------- ----------------------------------- ---------- ---------- ----------------------------
    AUDIT_TEST 16-FEB-2006 14:16:55.435000 +00:00  AUDIT_TEST TEST_TAB   CREATE TABLE
    AUDIT_TEST 16-FEB-2006 14:16:55.514000 +00:00  AUDIT_TEST TEST_TAB   INSERT
    AUDIT_TEST 16-FEB-2006 14:16:55.545000 +00:00  AUDIT_TEST TEST_TAB   UPDATE
    AUDIT_TEST 16-FEB-2006 14:16:55.592000 +00:00  AUDIT_TEST TEST_TAB   SELECT
    AUDIT_TEST 16-FEB-2006 14:16:55.670000 +00:00  AUDIT_TEST TEST_TAB   DELETE
    AUDIT_TEST 16-FEB-2006 14:17:00.045000 +00:00  AUDIT_TEST TEST_TAB   DROP TABLE
    6 rows selected.
When the audit trail is directed to an XML format OS file, it can be read using a text editor or via the V$XML_AUDIT_TRAIL view, which contains similar information to the DBA_AUDIT_TRAIL view.
    COLUMN db_user       FORMAT A10
    COLUMN object_schema FORMAT A10
    COLUMN object_name   FORMAT A10
    COLUMN extended_timestamp FORMAT A35
    SELECT db_user,
           extended_timestamp,
           object_schema,
           object_name,
           action
    FROM   v$xml_audit_trail
    WHERE  object_schema = 'AUDIT_TEST'
    ORDER BY extended_timestamp;
    DB_USER    EXTENDED_TIMESTAMP                  OBJECT_SCH OBJECT_NAM     ACTION
    ---------- ----------------------------------- ---------- ---------- ----------
    AUDIT_TEST 16-FEB-2006 14:14:33.417000 +00:00  AUDIT_TEST TEST_TAB            1
    AUDIT_TEST 16-FEB-2006 14:14:33.464000 +00:00  AUDIT_TEST TEST_TAB            2
    AUDIT_TEST 16-FEB-2006 14:14:33.511000 +00:00  AUDIT_TEST TEST_TAB            6
    AUDIT_TEST 16-FEB-2006 14:14:33.542000 +00:00  AUDIT_TEST TEST_TAB            3
    AUDIT_TEST 16-FEB-2006 14:14:33.605000 +00:00  AUDIT_TEST TEST_TAB            7
    AUDIT_TEST 16-FEB-2006 14:14:34.917000 +00:00  AUDIT_TEST TEST_TAB           12
    6 rows selected.
Several fields were added to both the standard and fine-grained audit trails in Oracle 10g, including the following.
EXTENDED_TIMESTAMP - A more precise value than the exising TIMESTAMP column.
PROXY_SESSIONID - Proxy session serial number when an enterprise user is logging in via the proxy method.
    GLOBAL_UID - Global Universal Identifier for an enterprise user.
    INSTANCE_NUMBER - The INSTANCE_NUMBER value from the actioning instance.
    OS_PROCESS - Operating system process id for the oracle process.
    TRANSACTIONID - Transaction identifier for the audited transaction. This column can be used to join to the XID column on the FLASHBACK_TRANSACTION_QUERY view.
    SCN - System change number of the query. This column can be used in flashback queries.
    SQL_BIND - The values of any bind variables if any.
    SQL_TEXT - The SQL statement that initiated the audit action.
The SQL_BIND and SQL_TEXT columns are only populated when the AUDIT_TRAIL parameter is set to db,extended or xml,extended.
Maintenance and Security
Auditing should be planned carefully to control the quantity of audit information. Only audit specific operations or objects of interest. Over time you can refine the level of auditing to match your requirements.
The database audit trail must be deleted, or archived, on a regular basis to prevent the SYS.AUD$ table growing to an unnacceptable size.Only DBAs should have maintenance access to the audit trail. Auditing modifications of the data in the audit trail itself can be achieved using the following statement.
    AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;
The OS and XML audit trails are managed through the OS. These files should be secured at the OS level by assigning the correct file permissions.
Fine-grained auditing(FGA) 细粒度审计
前面所提到的审计都是针对操作进行审计,如果需要对表的特定数据进行审计则应使用FGA来实现。Fine-grained auditing在Oracle 9i 中引入,10g 之后版本可以audit 所有DML。FGA的实现基于DBMS_FGA包,它属于SYS用户。
增加 FGA 策略
-- 审计表
SQL>grant resource,connect to bank identified by bank;
create table bank.accounts
(
  acct_no number primary key,
  cust_id number not null ,
  balance number(15,2) null
);
insert into bank.accounts values(1,1,10000);
insert into bank.accounts values(2,2,20000);
commit;
Begin
dbms_fga.drop_policy (
  object_schema=>'BANK',
  object_name=>'ACCOUNTS',
  policy_name=>'ACCOUNTS_ACCESS');
dbms_fga.add_policy (
  object_schema=>'BANK',
  object_name=>'ACCOUNTS',
  policy_name=>'ACCOUNTS_ACCESS');
end;
/
select * from bank.accounts;
select timestamp, db_user,os_user,object_schema,object_name,sql_text  from dba_fga_audit_trail;
-- 审计列和审计条件, 在add_policy中加入
--   audit_column => 'BALANCE'
--   audit_condition => 'BALANCE >=11000'
Begin
dbms_fga.drop_policy (
  object_schema=>'BANK',
  object_name=>'ACCOUNTS',
  policy_name=>'ACCOUNTS_ACCESS');
dbms_fga.add_policy (
  object_schema=>'BANK',
  object_name=>'ACCOUNTS',
  audit_column => 'BALANCE',
  audit_condition => 'BALANCE >=11000',
  policy_name=>'ACCOUNTS_ACCESS');
end;
/
select BALANCE from bank.accounts;
select timestamp, db_user,os_user,object_schema,object_name,sql_text  from dba_fga_audit_trail;
管理 FGA 策略
--要删除策略,您可以使用以下语句:
begin
dbms_fga.drop_policy (
object_schema => 'BANK',
object_name => 'ACCOUNTS',
policy_name => 'ACCOUNTS_ACCESS'
   );
end;
/
-- 对于更改策略而言,没有随取随用的解决方案。要更改策略中的任何参数,必须删除策略,再使用更改后的参数添加策略。
-- 需要临时禁用审计收集
例如,如果您希望将线索表移动到不同的表空间或者要删除线索表。您可以按如下方法禁用 FGA 策略:
begin
dbms_fga.enable_policy (
object_schema => 'BANK',
object_name => 'ACCOUNTS',
policy_name => 'ACCOUNTS_ACCESS',
enable => FALSE );
end;
/
-- 重新启用很简单 enable =>TRUE;
FGA 数据字典视图
FGA 策略的定义位于数据字典视图 DBA_AUDIT_POLICIES 中。
审计线索收集在SYS 拥有的表 FGA_LOG$ 中。对于 SYS 拥有的任何原始表,此表上的某些视图以对用户友好的方式显示信息。DBA_FGA_AUDIT_TRAIL是该表上的一个视图。
一个重要的列是SQL_BIND,它指定查询中使用的绑定变量的值,这是显著增强该工具功能的一项信息。
另一个重要的列是 SCN,当发生特定的查询时,它记录系统更改号。此信息用于识别用户在特定时间看到了什么,而不是现在的值,它使用了闪回查询,这种查询能够显示在指定的 SCN 值时的数据。
审计表的管理
SQLPLUS> connect / AS SYSDBA
SQLPLUS> select * from sys.aud$;     --没有记录返回
SQLPLUS> select * from dba_audit_trail;   - 没有记录返回
如果做上述查询的时候发现表不存在,说明审计相关的表还没有安装,需要安装。
SQLPLUS> connect / as sysdba
SQLPLUS> @$ORACLE_HOME/rdbms/admin/cataudit.sql
审计表安装在SYSTEM表空间。所以要确保SYSTEM表空间又足够的空间存放审计信息。
安装后要重启数据库
将审计相关的表移动到其他表空间
由于AUD$表等审计相关的表存放在SYSTEM表空间,因此为了不影响系统的性能,保护SYSTEM表空间,最好把AUD$移动到其他的表空间上。可以使用下面的语句来进行移动:
sql>connect / as sysdba;
sql>alter table aud$ move tablespace<new tablespace>;
sql>alter index I_aud1 rebuild onlinetablespace <new tablespace>;
SQL> alter table audit$ move tablespace<new tablespace>;
SQL> alter index i_audit rebuild onlinetablespace <new tablespace>;
SQL> alter table audit_actions movetablespace <new tablespace>;
SQL> alter index i_audit_actions rebuildonline tablespace <new tablespace>;

 

参考至:http://blog.csdn.net/tianlesoftware/article/details/4712932

             http://www.oracle-base.com/articles/10g/auditing-10gr2.php

             http://docs.oracle.com/cd/E11882_01/server.112/e41084/statements_4007.htm#SQLRF53734

本文原创,转载请注明出处、作者

如有错误,欢迎指正

邮箱:czmcj@163.com

0
0
分享到:
评论

相关推荐

    Oracle Database 10g: The Top 20 Features for DBAs

    ### Oracle Database 10g: The Top 20 Features for DBAs #### 1. Flashback Versions Query **Description:** This feature allows database administrators (DBAs) to query the history of data changes within ...

    Oracle database 11g 说明

    在审计方面,Oracle提供了增强的审计功能,包括Enterprise Database Audit Settings和Oracle Audit Vault Reporting,这些工具可以收集、分析并报告数据库活动,以满足合规性要求。审计仓库和数据挖掘预定义角色...

    Oracle Database 10g:Administration Workshop II

    ### Oracle Database 10g:Administration Workshop II #### 核心知识点概述 Oracle Database 10g Administration Workshop II 是一个高级的数据库管理课程,旨在帮助IT专业人士深入理解Oracle Database 10g的各项...

    Oracle Database12c 各功能选件介绍

    Oracle Database 12c还提供了一系列的相关产品,例如Airline Data Model、Communications Data Model、Oracle Audit Vault and Database Firewall、Oracle 大数据机、Oracle Big Data Connectors、Oracle 云文件系统...

    Oracle数据库11g各版本介绍及功能比较

    Oracle 数据库 11g 企业版提供了多种安全性功能,包括 Oracle Database Vault、Oracle Audit Vault、Oracle 标签安全性、细粒度审计、代理验证和数据加密工具包等。 可扩展性 Oracle 数据库 11g 企业版提供了可...

    A.Brief.Look.at.Oracle.Database.11g

    Oracle Database 11g是Oracle公司推出的一个重要版本,它在数据库管理、安全、性能优化以及信息生命周期管理等方面都有显著的提升。以下是针对这个版本的一些关键知识点的详细说明: 1. **新特性与产品发布**: - ...

    Oracle 10g数据库基础教程数据库脚本

    Oracle 10g数据库是Oracle公司推出的一款关系型数据库管理系统,尤其适合大型企业级应用。在本基础教程中,我们主要关注的是通过脚本进行数据库操作,这将帮助初学者快速掌握Oracle 10g的基本功能和管理技巧。 1. *...

    oracle 11g新特性

    10. Oracle Audit Vault Reporting:Oracle 11g 引入了 Oracle 审计 Vault 报告功能,能够对数据库中的操作进行实时监控和报告,提高数据库的安全性和合规性。 Oracle 11g 是一个功能强大且安全的数据库管理系统,...

    官方资料:用Oracle Audit Vault发现威胁.pdf

    官方资料:用Oracle Audit Vault...访问控制(Oracle Database Vault、Oracle Label Security) 数据保护(Oracle Advanced Security、Oracle Secure Backup) 安全监控(Oracle Audit Vault、EM Configuration Pack)

    Oracle-10g与11g的区别.docx

    Oracle 10g 支持许多新 EE 选件,加强数据库内部管理的“Database Vault”,数据库活动的审计的(Audit Vault),数据仓库构建高级功能(Warehouse Builder Enterprise ETL, Warehouse Builder DataQuality)。...

    zabbix监控oracle模版

    - Oracle11g:Oracle数据库的第11个主要版本,提供了一套全面的数据管理和云计算解决方案,包括高性能、高可用性、安全性等特性。 2. **Zabbix监控Oracle11g模板配置** - 模板下载:首先,你需要找到适用于Zabbix...

    oracle10g concepts

    根据提供的文件信息,我们可以深入探讨Oracle 10g的一些核心概念和关键知识点。尽管原始描述指出这是一本英文版的经典Oracle图书,但我们将基于这些信息用中文进行详细解读。 ### Oracle 10g 核心概念 #### 一、...

    Oracle 11g rman 异机还原再升级到 12c PDB

    Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production PL/SQL Release 11.2.0.4.0 - Production CORE 11.2.0.4.0 Production TNS for Linux: Version 11.2.0.4.0 - Production NLSRTL ...

    官方资料:Oracle Database 12c最新的数据库安全创新.pdf

    官方资料:Oracle Database 12c最新的数据库安全创新 可预防(加密与屏蔽、特权用户控制、多因素授权)、可检测(活动监视、数据库防火墙、审计和报告)、可管理(数据库生命周期管理、数据发现和分类、漏洞扫描)...

    Oracle10gDBA两日速成经典教程完整版

    Oracle 10g DBA(数据库管理员)是Oracle数据库系统管理的重要角色,它涉及数据库的安装、配置、性能优化、安全管理和故障排查等多方面工作。本教程“Oracle10g DBA两日速成经典教程完整版”显然是为了帮助初学者在...

    Oracle 9i 10g 11g 区别.pdf

    这里我们将深入探讨Oracle 9i、10g和11g的主要区别。 Oracle 10g相对于9i的显著提升: 1. **网格计算**:10g引入了网格计算的概念,允许多台服务器通过高速网络构成一个虚拟的高性能系统,实现负载均衡和容错能力...

    oracle数据库11g简介PPT

    Oracle Database Vault是11g中的一个重要安全特性,它通过多因素认证和角色分离,实现了对敏感数据的访问控制。这个功能使得不同的DBA只能查看他们被授权的数据,如财务DBA无法访问人力资源数据,反之亦然。在3点的...

    手动创建Oracle11g数据库

    "手动创建Oracle11g数据库" Oracle数据库是当前市场上最流行的关系型数据库管理系统之一。手动创建Oracle数据库可以让用户更好地理解Oracle数据库的工作机制,从而更好地管理和维护数据库。下面是手动创建Oracle11g...

Global site tag (gtag.js) - Google Analytics