Using Oracle's auditing features to monitor suspicious operations in the database
Let's see what Oracle's auditing features, including FGA (fine-grained auditing), can actually do for us. This short article walks through them on a 10gR2 database, from switching the audit trail on to capturing the exact SQL statements run against a table. Follow me.
1. Auditing has to be enabled before it can be used
1) Check the default settings of the audit-related parameters
sys@ora10g> conn / as sysdba
Connected.
sys@ora10g> show parameter audit
NAME TYPE VALUE
--------------------- --------- --------------------------------------
audit_file_dest string /oracle/app/oracle/admin/ora10g/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string NONE
2) What these parameters mean
(1) AUDIT_FILE_DEST = path
The directory in which operating-system audit files are written; here it is "/oracle/app/oracle/admin/ora10g/adump".
Whether auditing is enabled or not, this directory always records every connection made AS SYSDBA or AS SYSOPER, together with instance startup and shutdown (Oracle calls this mandatory auditing; it cannot be switched off). Have a look at the files in this directory.
For example:
$ cat ora_9915.aud
Audit file /oracle/app/oracle/admin/ora10g/adump/ora_9915.aud
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP and Data Mining Scoring Engine options
ORACLE_HOME = /oracle/app/oracle/product/10.2.0/db_1
System name: Linux
Node name: testdb183
Release: 2.6.18-128.el5
Version: #1 SMP Wed Dec 17 11:41:38 EST 2008
Machine: x86_64
Instance name: ora10g
Redo thread mounted by this instance: 1
Oracle process number: 13
Unix process pid: 9915, image:
Wed Aug 26 19:24:11 2009
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/1
STATUS: 0
(2) AUDIT_SYS_OPERATIONS
Defaults to FALSE. When TRUE, every top-level SQL statement issued by SYS or by a session connected AS SYSDBA / AS SYSOPER is written to the OS audit files in AUDIT_FILE_DEST (or to syslog, see below), never to the database. It is independent of AUDIT_TRAIL: standard and fine-grained auditing work without it, but without it the actions of the most privileged accounts go unrecorded, which is exactly what an attacker holding SYSDBA access would want.
(3) AUDIT_SYSLOG_LEVEL
Empty by default. Set to facility.priority (for example LOCAL1.WARNING) it sends the OS audit records, that is the SYS operations captured by AUDIT_SYS_OPERATIONS and, when AUDIT_TRAIL=OS, the standard audit records too, to the UNIX syslog daemon instead of to plain files in AUDIT_FILE_DEST. The files in AUDIT_FILE_DEST are owned by the oracle OS user, so anyone with that shell account can edit or delete them; forwarding them through syslog to a remote log host is the usual way to keep the SYSDBA trail out of the DBA's own reach.
Standard auditing itself can be switched on at three levels, which can be combined:
Statement: audit a statement or a group of statements of a given type, e.g. the table statements CREATE TABLE, TRUNCATE TABLE, COMMENT ON TABLE and DELETE [FROM] TABLE
Privilege: audit the use of a system privilege, e.g. AUDIT CREATE ANY TRIGGER
Object: audit statements on a specific object, e.g. ALTER TABLE on the emp table
(4) AUDIT_TRAIL = NONE | OS | DB | DB_EXTENDED | XML | XML_EXTENDED
NONE -- auditing disabled (the default)
OS -- audit records are written to operating-system files (or to syslog if AUDIT_SYSLOG_LEVEL is set)
DB -- audit records are written into the database, into the SYS.AUD$ table (queried through DBA_AUDIT_TRAIL)
DB_EXTENDED -- as DB, but additionally stores the SQL text and bind values of every audited statement (SQL_TEXT and SQL_BIND in DBA_AUDIT_TRAIL); written DB,EXTENDED from 11g on
XML / XML_EXTENDED -- XML files in AUDIT_FILE_DEST, without or with SQL text and binds (10gR2 and later)
This article uses DB. Keep in mind that with DB the standard audit trail records who did what to which object and when, but not the statement text; if you need the SQL itself from standard auditing, use DB_EXTENDED.
3) Set audit_sys_operations to TRUE so that the activity of SYSDBA/SYSOPER sessions is recorded
sys@ora10g> alter system set audit_sys_operations=true scope=spfile;
System altered.
4) Set audit_trail to DB so that standard audit records are written into the database
sys@ora10g> alter system set audit_trail=db scope=spfile;
System altered.
5) Note that both parameters are static, so the database has to be restarted for them to take effect
sys@ora10g> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ora10g> startup
ORACLE instance started.
Total System Global Area 1073741824 bytes
Fixed Size 2078264 bytes
Variable Size 293603784 bytes
Database Buffers 771751936 bytes
Redo Buffers 6307840 bytes
Database mounted.
Database opened.
6) Verify the parameters after the change; both new values are now in effect
sys@ora10g> show parameter audit;
NAME TYPE VALUE
--------------------- -------- --------------------------------------
audit_file_dest string /oracle/app/oracle/admin/ora10g/adump
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string DB
2. With auditing switched on there is an interesting side effect: because audit_sys_operations is TRUE, every statement executed with the SYSDBA privilege is now written to the audit directory /oracle/app/oracle/admin/ora10g/adump (one .aud file per server process). This is also why enabling auditing carries some overhead and risk: the directory grows with every SYSDBA session, and the files have to be rotated and protected.
1) Suppose we run the following three commands in a session connected AS SYSDBA
sys@ora10g> alter session set nls_date_format='yyyy-mm-dd hh24:mi:ss';
Session altered.
sys@ora10g> select * From dual;
D
-
X
sys@ora10g> show parameter spfile
NAME TYPE VALUE
------ ------ ------------------------------------------------------------
spfile string /oracle/app/oracle/product/10.2.0/db_1/dbs/spfileora10g.ora
2) Running tail on that session's .aud file in adump shows the detailed records below. An interesting find: the audit file reveals the SQL that SQL*Plus really executes behind "show parameter spfile", as well as the DBMS_OUTPUT.GET_LINES call it issues after each statement because serveroutput is on. STATUS: 0 means the statement succeeded; a non-zero STATUS is the ORA- error number the statement failed with.
Wed Aug 26 20:04:03 2009
ACTION : 'alter session set nls_date_format='yyyy-mm-dd hh24:mi:ss''
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
Wed Aug 26 20:04:03 2009
ACTION : 'BEGIN DBMS_OUTPUT.GET_LINES(:LINES, :NUMLINES); END;'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
Wed Aug 26 20:04:16 2009
ACTION : 'select * From dual'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
Wed Aug 26 20:04:16 2009
ACTION : 'BEGIN DBMS_OUTPUT.GET_LINES(:LINES, :NUMLINES); END;'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
Wed Aug 26 20:07:21 2009
ACTION : 'SELECT NAME NAME_COL_PLUS_SHOW_PARAM,DECODE(TYPE,1,'boolean',2,'string',3,'integer',4,'file',5,'number', 6,'big integer', 'unknown') TYPE,DISPLAY_VALUE VALUE_COL_PLUS_SHOW_PARAM FROM V$PARAMETER WHERE UPPER(NAME) LIKE UPPER('%spfile%') ORDER BY NAME_COL_PLUS_SHOW_PARAM,ROWNUM'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
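The .aud files above live in AUDIT_FILE_DEST and are owned by the oracle OS user, so a DBA (or an attacker who has become oracle) can simply delete them. The following is an added example, not part of the original article, of forwarding the SYSDBA trail to a remote syslog host instead. The facility LOCAL1, the collector name loghost and the /etc/syslog.conf path are assumptions for a RHEL 5 host like the one shown.

```sql
-- Added example, not from the original article. Keeps the SYSDBA trail
-- out of reach of the oracle OS account by sending it to a remote syslog.
-- Assumed: LOCAL1 as the syslog facility, "loghost" as the collector and
-- /etc/syslog.conf as the daemon's config (RHEL 5 like the host shown).

-- 1. Weak setting: the defaults shown at the start of the article. SYSDBA
--    statements are not recorded at all, and what is recorded lands in
--    files that "oracle" owns.
--      audit_sys_operations = FALSE
--      audit_syslog_level   = <empty>

-- 2. Corrected setting. Both parameters are static: restart afterwards.
alter system set audit_sys_operations = true scope = spfile;
alter system set audit_syslog_level = 'LOCAL1.WARNING' scope = spfile;
-- Leave audit_trail = db so standard audit records stay queryable in
-- DBA_AUDIT_TRAIL; only the SYS/SYSDBA records go to syslog. With
-- audit_trail = os the standard records would go to syslog as well.

-- 3. On the database host, as root (not as oracle), add to /etc/syslog.conf
--    and restart syslogd:
--      local1.warning    @loghost
--    The entries arrive on loghost with the same ACTION, DATABASE USER,
--    PRIVILEGE and STATUS fields shown in the .aud file above, but a
--    SYSDBA can no longer delete them from the database host.

-- 4. After the restart, confirm the parameters that are actually in effect.
select name, value
from   v$parameter
where  name in ('audit_sys_operations', 'audit_syslog_level',
                'audit_trail', 'audit_file_dest')
order  by name;
```

Whoever can log in as oracle on the database host can still stop syslogd or edit its configuration, so the log host must not trust the database host's root, and a gap in the LOCAL1 stream is itself something to alert on.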
3. Demonstrating standard object auditing: the DELETE operation on the t_audit table owned by the user sec
1) The table t_audit currently holds the following rows
sec@ora10g> select * from t_audit order by 1;
X
----------
1
2
3
4
5
6
6 rows selected.
2) Here we enable auditing only for DELETE on t_audit (in 10g the default is BY SESSION: one record per session and object, not one per statement)
sec@ora10g> audit delete on t_audit;
Audit succeeded.
3) The current audit options can be checked by querying the DBA_OBJ_AUDIT_OPTS view. Each column shows "success/failure": S/S under DEL means DELETE is audited BY SESSION for both successful and failed statements, A/A would mean BY ACCESS, and -/- means not audited
sec@ora10g> select OWNER,OBJECT_NAME,OBJECT_TYPE,DEL,INS,SEL,UPD from dba_obj_audit_opts;
OWNER OBJECT_NAME OBJECT_TYPE DEL INS SEL UPD
------ ------------ ------------ --------- --------- --------- ---------
SEC T_AUDIT TABLE S/S -/- -/- -/-
4) Try an insert
sec@ora10g> insert into t_audit values (7);
1 row created.
5) Because INSERT is not audited, no audit record is produced
sec@ora10g> select count(*) from dba_audit_trail;
COUNT(*)
----------
0
6) Now try a delete
sec@ora10g> delete from t_audit where x=1;
1 row deleted.
7) As expected, the DELETE is caught by the database
The details can be read from the DBA_AUDIT_TRAIL view or directly from the SYS.AUD$ table. Compared with the fine-grained auditing introduced later, this method yields fairly coarse information: the time, the database and OS user, the terminal, the object and the action, but (with AUDIT_TRAIL=DB) not the statement text
sec@ora10g> select count(*) from dba_audit_trail;
COUNT(*)
----------
1
select * from dba_audit_trail;
select * from sys.aud$;
4. To remove all auditing from the table t_audit, it has to be done manually with NOAUDIT (this removes the audit options, not the records already collected)
sec@ora10g> noaudit all on t_audit;
Noaudit succeeded.
Querying DBA_OBJ_AUDIT_OPTS confirms that the auditing has indeed been removed
sec@ora10g> select * from dba_obj_audit_opts;
no rows selected
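The standard audit trail is only useful if the right events are audited, the trail itself is protected, and someone actually queries it. The script below is an added example (it is not from the original article) that does these three things on top of the AUDIT_TRAIL=DB setup from section 1. It uses the article's sec.t_audit table; the 24-hour window, the failed-logon threshold and the business hours are assumptions to adapt.

```sql
-- Added example, not from the original article. Run as a DBA on the
-- AUDIT_TRAIL=DB database set up above. sec.t_audit is the article's table;
-- the thresholds and time windows are assumptions.

-- 1. Audit options. BY ACCESS writes one record per statement, which is what
--    an investigation needs; "audit delete on t_audit" in the article used
--    the 10g default BY SESSION (one record per session and object).
audit session;                                -- every logon/logoff, including failures
audit system audit by access;                 -- AUDIT / NOAUDIT statements
audit alter system by access;                 -- parameter changes, e.g. audit_trail=none
audit delete, update on sys.aud$ by access;   -- tampering with the trail itself
audit delete, update, insert on sec.t_audit by access;

-- 2. Failed logons in the last 24 hours, grouped by who tried from where.
--    RETURNCODE holds the ORA- number: 1017 bad password, 28000 account locked.
select os_username, userhost, username, returncode, count(*) as attempts,
       min(timestamp) as first_seen, max(timestamp) as last_seen
from   dba_audit_trail
where  action_name = 'LOGON'
and    returncode <> 0
and    timestamp > sysdate - 1
group  by os_username, userhost, username, returncode
having count(*) >= 5                          -- threshold is an assumption
order  by attempts desc;

-- 3. Anyone touching the audit configuration or the audit table. A DBA who
--    runs NOAUDIT or deletes from AUD$ before doing something leaves this row.
select timestamp, username, os_username, userhost, action_name,
       owner, obj_name, returncode
from   dba_audit_trail
where  (owner = 'SYS' and obj_name = 'AUD$')
or     action_name like '%AUDIT%'
or     action_name = 'ALTER SYSTEM'
order  by timestamp;

-- 4. DML on the audited table outside business hours (08:00-18:00 assumed).
select timestamp, username, os_username, userhost, action_name, returncode
from   dba_audit_trail
where  owner = 'SEC' and obj_name = 'T_AUDIT'
and    to_number(to_char(timestamp, 'HH24')) not between 8 and 17
order  by timestamp;
```

Queries 2 to 4 are the kind of thing to schedule and ship to whatever watches the logs; an audit trail nobody reads only helps after the fact. Because SYS.AUD$ can be deleted by any DBA, the row that query 3 looks for is the last line of defence, and the .aud files or a syslog copy are what to fall back on when it is missing.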
5. [FGA] [Fine-grained auditing] The audit information obtained above is coarse; let's go one step further and demonstrate fine-grained auditing (FGA), which records the audited operations at the level of the SQL statement itself, bind values included
1) Fine-grained auditing of all INSERT, UPDATE, DELETE and SELECT operations on the t_audit table
sec@ora10g> conn / as sysdba
Connected.
sys@ora10g> exec dbms_fga.add_policy(object_schema=>'SEC', object_name=> 't_audit', policy_name=> 'check_t_audit',statement_types => 'INSERT, UPDATE, DELETE, SELECT');
PL/SQL procedure successfully completed.
2) Run a round of select, delete, update and insert against t_audit
sys@ora10g> conn sec/sec
Connected.
sec@ora10g> select * from t_audit;
X
----------
2
3
4
5
6
7
6 rows selected.
sec@ora10g> delete from t_audit where x=5;
1 row deleted.
sec@ora10g> update t_audit set x=8 where x=7;
1 row updated.
sec@ora10g> insert into t_audit values (1);
1 row created.
sec@ora10g> commit;
Commit complete.
3) OK, querying DBA_FGA_AUDIT_TRAIL (a view over SYS.FGA_LOG$) returns 4 audit records, one per statement. FGA writes each record in an autonomous transaction as the statement runs, so the records exist before the COMMIT and would remain even if the transaction were rolled back
sec@ora10g> select count(*) from dba_fga_audit_trail;
COUNT(*)
----------
4
4) A closer look at the corresponding SQL statements: FGA really is powerful
sec@ora10g> col DB_USER for a10
sec@ora10g> col SQL_TEXT for a50
sec@ora10g> select db_user,sql_text from dba_fga_audit_trail;
DB_USER SQL_TEXT
---------- --------------------------------------------------
SEC select * from t_audit
SEC delete from t_audit where x=5
SEC update t_audit set x=8 where x=7
SEC insert into t_audit values (1)
5) Finally, look at the structure of the DBA_FGA_AUDIT_TRAIL view. It records very detailed audit columns: besides the statement text (SQL_TEXT) and its bind values (SQL_BIND) there are the OS user and client host, the SCN, the transaction ID and the policy that fired
sec@ora10g> desc dba_fga_audit_trail
Name Null? Type
------------------- -------- ----------------------------
SESSION_ID NOT NULL NUMBER
TIMESTAMP DATE
DB_USER VARCHAR2(30)
OS_USER VARCHAR2(255)
USERHOST VARCHAR2(128)
CLIENT_ID VARCHAR2(64)
ECONTEXT_ID VARCHAR2(64)
EXT_NAME VARCHAR2(4000)
OBJECT_SCHEMA VARCHAR2(30)
OBJECT_NAME VARCHAR2(128)
POLICY_NAME VARCHAR2(30)
SCN NUMBER
SQL_TEXT NVARCHAR2(2000)
SQL_BIND NVARCHAR2(2000)
COMMENT$TEXT VARCHAR2(4000)
STATEMENT_TYPE VARCHAR2(7)
EXTENDED_TIMESTAMP TIMESTAMP(6) WITH TIME ZONE
PROXY_SESSIONID NUMBER
GLOBAL_UID VARCHAR2(32)
INSTANCE_NUMBER NUMBER
OS_PROCESS VARCHAR2(16)
TRANSACTIONID RAW(8)
STATEMENTID NUMBER
ENTRYID NUMBER
6) Adjusting the audit policy added above: the disable_policy, enable_policy and drop_policy methods
To disable the policy (it stays defined but stops auditing):
sec@ora10g> exec dbms_fga.disable_policy(object_schema=>'SEC', object_name=> 't_audit', policy_name=> 'check_t_audit');
To enable the policy again:
sec@ora10g> exec dbms_fga.enable_policy(object_schema=>'SEC', object_name=> 't_audit', policy_name=> 'check_t_audit');
To drop the policy completely (the records it has already written stay in the trail):
sec@ora10g> exec dbms_fga.drop_policy(object_schema=>'SEC', object_name=> 't_audit', policy_name=> 'check_t_audit');
PL/SQL procedure successfully completed.
Finally, here are the procedures that the dbms_fga package provides
sec@ora10g> desc dbms_fga
PROCEDURE ADD_POLICY
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
OBJECT_SCHEMA VARCHAR2 IN DEFAULT
OBJECT_NAME VARCHAR2 IN
POLICY_NAME VARCHAR2 IN
AUDIT_CONDITION VARCHAR2 IN DEFAULT
AUDIT_COLUMN VARCHAR2 IN DEFAULT
HANDLER_SCHEMA VARCHAR2 IN DEFAULT
HANDLER_MODULE VARCHAR2 IN DEFAULT
ENABLE BOOLEAN IN DEFAULT
STATEMENT_TYPES VARCHAR2 IN DEFAULT
AUDIT_TRAIL BINARY_INTEGER IN DEFAULT
AUDIT_COLUMN_OPTS BINARY_INTEGER IN DEFAULT
PROCEDURE DISABLE_POLICY
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
OBJECT_SCHEMA VARCHAR2 IN DEFAULT
OBJECT_NAME VARCHAR2 IN
POLICY_NAME VARCHAR2 IN
PROCEDURE DROP_POLICY
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
OBJECT_SCHEMA VARCHAR2 IN DEFAULT
OBJECT_NAME VARCHAR2 IN
POLICY_NAME VARCHAR2 IN
PROCEDURE ENABLE_POLICY
Argument Name Type In/Out Default?
------------------------------ ----------------------- ------ --------
OBJECT_SCHEMA VARCHAR2 IN DEFAULT
OBJECT_NAME VARCHAR2 IN
POLICY_NAME VARCHAR2 IN
ENABLE BOOLEAN IN DEFAULT
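The parameters AUDIT_CONDITION, AUDIT_COLUMN, HANDLER_MODULE and AUDIT_TRAIL in the listing above are what make FGA more than a statement logger. The following added example (not from the original article and not Oracle's own code) builds a policy that fires only when someone other than a payroll application reads or changes a salary column, and calls a handler that raises an alert as it happens. The table sec.employees, the account PAYROLL_APP, the alert table sec.fga_alerts and the handler sec.fga_alert are all hypothetical.

```sql
-- Added example, not from the original article. Uses the AUDIT_CONDITION,
-- AUDIT_COLUMN, HANDLER_MODULE and AUDIT_TRAIL parameters of
-- DBMS_FGA.ADD_POLICY. sec.employees, PAYROLL_APP, sec.fga_alerts and
-- sec.fga_alert are hypothetical. Run as SEC (it has EXECUTE on DBMS_FGA).

-- 1. Sample data (constructed).
create table sec.employees (emp_id number primary key, name varchar2(40), salary number);
insert into sec.employees values (1, 'Alice', 5200);
insert into sec.employees values (2, 'Bob',   4100);
commit;

-- 2. Where the handler writes alerts. The FGA record itself still goes to
--    DBA_FGA_AUDIT_TRAIL; the handler is for reacting immediately (here a
--    table, in practice a queue, mail or a ticket).
create table sec.fga_alerts (
  alert_time  timestamp default systimestamp,
  policy_name varchar2(30),
  db_user     varchar2(30),
  os_user     varchar2(255),
  ip_address  varchar2(45),      -- null for local bequeath connections
  module      varchar2(64)
);

-- 3. The handler. Its signature is fixed by DBMS_FGA: (object_schema,
--    object_name, policy_name). Declared autonomous so the alert survives a
--    rollback of the audited transaction and its COMMIT cannot commit that
--    transaction either.
create or replace procedure sec.fga_alert (
  object_schema varchar2, object_name varchar2, policy_name varchar2)
is
  pragma autonomous_transaction;
begin
  insert into sec.fga_alerts (policy_name, db_user, os_user, ip_address, module)
  values (policy_name,
          sys_context('userenv', 'session_user'),
          sys_context('userenv', 'os_user'),
          sys_context('userenv', 'ip_address'),
          sys_context('userenv', 'module'));
  commit;
end;
/

-- 4. The policy: a SELECT or UPDATE that references SALARY is audited only
--    when the session user is not the payroll application. One record per
--    statement, with SQL text and binds (DB_EXTENDED).
begin
  dbms_fga.add_policy(
    object_schema     => 'SEC',
    object_name       => 'EMPLOYEES',
    policy_name       => 'SALARY_ACCESS',
    audit_condition   => q'[sys_context('userenv','session_user') <> 'PAYROLL_APP']',
    audit_column      => 'SALARY',
    audit_column_opts => dbms_fga.any_columns,
    handler_schema    => 'SEC',
    handler_module    => 'FGA_ALERT',
    statement_types   => 'SELECT, UPDATE',
    audit_trail       => dbms_fga.db_extended);
end;
/

-- 5. Exercise it as SEC (not PAYROLL_APP). The first SELECT does not touch
--    SALARY and is not audited; the second and the UPDATE are, bind included.
variable id number
exec :id := 2
select name from sec.employees where emp_id = :id;
select salary from sec.employees where emp_id = :id;
update sec.employees set salary = salary * 2 where emp_id = :id;
rollback;                          -- audit records and alert rows stay

-- 6. What was captured: statement text, its bind, who ran it and from where.
select f.extended_timestamp, f.db_user, f.os_user, f.userhost,
       f.sql_text, f.sql_bind
from   dba_fga_audit_trail f
where  f.policy_name = 'SALARY_ACCESS'
order  by f.extended_timestamp;

select * from sec.fga_alerts order by alert_time;
```

The condition is evaluated against the rows the statement actually touches, so a statement that references SALARY but reads no row for which the condition holds produces no record; keep the condition about the session (user, IP, module) rather than about the data if the goal is to catch the person rather than the value. SESSION_USER in the condition can be spoofed only by logging in as PAYROLL_APP, which is why the application account's password and host restrictions matter as much as the policy.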
6. Summary
The experiments above show Oracle's auditing features, including the fine-grained auditing (FGA) that Oracle is rightly proud of.
Warning: this kind of auditing has a price: disk space, performance overhead (every audited statement adds a row to SYS.AUD$ or FGA_LOG$, or a write to a file), and the static parameters need an instance restart that your system may not tolerate. Remember too that an audit trail is only worth having if it is protected and actually reviewed: SYS.AUD$ lives in the SYSTEM tablespace and can be purged by any DBA, and the .aud files can be deleted by the oracle OS account. Evaluate all of this from several angles before using it in production.