Using Oracle's audit feature to record database operations
阿新 • Published: 2019-01-26
8.1. Enabling auditing
sqlplus / as sysdba
SQL> show parameter audit
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/ORCL/adump
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string
audit_trail                          string      NONE

SQL> alter system set audit_sys_operations=TRUE scope=spfile; -- audit administrative users (sessions connected as SYSDBA/SYSOPER)
SQL> alter system set audit_trail=db_extended scope=spfile;
SQL> startup force;
SQL> show parameter audit

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/ORCL/adump
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string
audit_trail                          string      DB_EXTENDED
8.2. Starting auditing
sqlplus / as sysdba
-- record all operations on one table
SQL> insert into u_test.t_test (c2,c5) values ('test1','2');
SQL> commit;
SQL> delete from u_test.t_test;
SQL> commit;
SQL> conn /as sysdba
SQL> select OS_USERNAME,username,USERHOST,TERMINAL,TIMESTAMP,OWNER,obj_name,ACTION_NAME,sessionid,os_process,sql_bind,sql_text
     from dba_audit_trail;
SQL> audit select table by u_test by access;
If you append BY user to the command, only that user's operations are audited; if the BY user clause is omitted, all users in the system are audited (SYS excluded). Examples:
AUDIT DELETE ANY TABLE;                            -- audit delete operations on tables
AUDIT DELETE ANY TABLE WHENEVER NOT SUCCESSFUL;    -- audit only failed deletes
AUDIT DELETE ANY TABLE WHENEVER SUCCESSFUL;        -- audit only successful deletes
AUDIT DELETE,UPDATE,INSERT ON user.table by test;  -- audit user test's delete, update and insert operations on table user.table
8.3. Revoking auditing
SQL> noaudit all on t_test;
9. Audit statements
Auditing in a multi-tier environment (appserve = application server, jackson = client):
AUDIT SELECT TABLE BY appserve ON BEHALF OF jackson;
Auditing connections and disconnections:
AUDIT SESSION;
AUDIT SESSION BY jeff, lori;  -- specific users
Auditing privileges (operations that can only be performed with that privilege):
AUDIT DELETE ANY TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;
AUDIT DELETE ANY TABLE;
AUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE BY ACCESS WHENEVER NOT SUCCESSFUL;
Object auditing:
AUDIT DELETE ON jeff.emp;
AUDIT SELECT, INSERT, DELETE ON jward.dept BY ACCESS WHENEVER SUCCESSFUL;
Cancelling auditing:
NOAUDIT session;
NOAUDIT session BY jeff, lori;
NOAUDIT DELETE ANY TABLE;
NOAUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE;
NOAUDIT ALL;             -- cancel all statement auditing
NOAUDIT ALL PRIVILEGES;  -- cancel all privilege auditing
NOAUDIT ALL ON DEFAULT;  -- cancel all object auditing
10. Clearing audit records
DELETE FROM SYS.AUD$;
DELETE FROM SYS.AUD$ WHERE obj$name='EMP';
11. Audit views
STMT_AUDIT_OPTION_MAP                    -- audit option type codes
AUDIT_ACTIONS                            -- action codes
ALL_DEF_AUDIT_OPTS                       -- default object audit options applied when an object is created
DBA_STMT_AUDIT_OPTS                      -- current system-wide statement audit options
DBA_PRIV_AUDIT_OPTS                      -- privilege audit options
DBA_OBJ_AUDIT_OPTS, USER_OBJ_AUDIT_OPTS  -- object audit options
DBA_AUDIT_TRAIL, USER_AUDIT_TRAIL        -- audit records
DBA_AUDIT_OBJECT, USER_AUDIT_OBJECT      -- audit records for objects
DBA_AUDIT_SESSION, USER_AUDIT_SESSION    -- session auditing
DBA_AUDIT_STATEMENT, USER_AUDIT_STATEMENT -- statement auditing
DBA_AUDIT_EXISTS                         -- audit records from the BY AUDIT NOT EXISTS option
DBA_AUDIT_POLICIES                       -- audit policies
DBA_COMMON_AUDIT_TRAIL                   -- standard auditing + fine-grained auditing
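As an added example that is not part of the original post, the following review script ties sections 8.2/9 (what was audited) to section 11 (where to read it). It assumes auditing is configured as on this page (audit_trail=DB_EXTENDED, object auditing on u_test.t_test BY ACCESS, AUDIT SESSION enabled) and is run as SYSDBA; the 24-hour window and the threshold of 5 attempts are assumptions chosen for illustration, while the ORA-01017/ORA-01031 return codes are standard Oracle error numbers.

```sql
-- 1. Confirm which audit options are actually in effect before trusting the trail.
SELECT 'STMT' AS kind, user_name, audit_option AS what, success, failure
  FROM dba_stmt_audit_opts
UNION ALL
SELECT 'PRIV', user_name, privilege, success, failure
  FROM dba_priv_audit_opts;

-- Object options for the page's table: 'A/A' = BY ACCESS on success/failure, '-/-' = off.
SELECT owner, object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'U_TEST' AND object_name = 'T_TEST';

-- 2. DML against u_test.t_test in the last 24 hours (assumed window), including the
--    statement text and bind values, which are only captured because audit_trail=DB_EXTENDED.
SELECT timestamp, os_username, username, userhost, sessionid,
       action_name, returncode, sql_text, sql_bind
  FROM dba_audit_trail
 WHERE owner = 'U_TEST' AND obj_name = 'T_TEST'
   AND action_name IN ('INSERT', 'UPDATE', 'DELETE')
   AND timestamp >= SYSDATE - 1
 ORDER BY timestamp;

-- 3. Failed actions grouped by OS user and host. Clusters of returncode 1031
--    (ORA-01031 insufficient privileges) are the signal WHENEVER NOT SUCCESSFUL is meant to surface.
--    The threshold of 5 is an assumed tuning value.
SELECT os_username, userhost, username, returncode, action_name, COUNT(*) AS attempts
  FROM dba_audit_trail
 WHERE returncode <> 0
   AND timestamp >= SYSDATE - 1
 GROUP BY os_username, userhost, username, returncode, action_name
HAVING COUNT(*) >= 5
 ORDER BY attempts DESC;

-- 4. Failed logons (requires AUDIT SESSION); returncode 1017 = ORA-01017 invalid username/password.
SELECT os_username, userhost, username, COUNT(*) AS failures,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_audit_trail
 WHERE action_name = 'LOGON' AND returncode = 1017
   AND timestamp >= SYSDATE - 1
 GROUP BY os_username, userhost, username
 ORDER BY failures DESC;
```

Run these before executing the DELETE FROM SYS.AUD$ of section 10, since purging removes the evidence these queries depend on.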
12. Moving the audit trail table out of the SYSTEM tablespace into another tablespace
The sys.aud$ table actually contains two LOB columns, so a simple MOVE TABLE is not enough. The full procedure is:
alter table sys.aud$ move tablespace users;
alter table sys.aud$ move lob(sqlbind) store as (tablespace USERS);
alter table sys.aud$ move lob(SQLTEXT) store as (tablespace USERS);
alter index sys.I_AUD1 rebuild tablespace u