http://blog.itpub.net/9399028/viewspace-712457/
審計(Audit) 用於監視用戶所執行的數據庫操作,審計記錄可存在數據字典表(稱為審計記錄:存儲在system表空間中的 SYS.AUD$ 表中,可通過視圖dba_audit_trail查看)或操作系統審計記錄中(默認位置為$ORACLE_BASE/admin/$ORACLE_SID/adump/).。默認情況下審計是沒有開啟的。 不管你是否打開數據庫的審計功能,以下這些操作系統會強制記錄:用管理員權限連接Instance;啟動數據庫;關閉數據庫。 和審計相關的兩個主要參數 1、audit_sys_operations AUDIT_SYS_OPERATIONS enables or disables the auditing of top-level operations, which are SQL statements directly issued by users when connecting with SYSDBA or SYSOPER privileges.(SQL statements run from within PL/SQL procedures or functions are not considered top-level.) The audit records are written to the operating system'saudit trail. The audit records will be written in XML format if the AUDIT_TRAIL initialization parameter is set to xml or xml, extended. On UNIX platforms, if the AUDIT_SYSLOG_LEVEL parameter has also been set, then it overrides the AUDIT_TRAIL parameter and SYS audit records are written to the system audit log using the SYSLOG utility. 默認為false,當設置為true時,所有sys用戶(包括以sysdba, sysoper身份登錄的用戶)的操作都會被記錄,audit trail不會寫在aud$表中,這個很好理解,如果數據庫還未啟動aud$不可用,那么像conn /as sysdba這樣的連接信息,只能記錄在其它地方。如果是windows平台,audti trail會記錄在windows的事件管理中,如果是linux/unix平台則會記錄在audit_file_dest參數指定的文件中。 2、audit_trail AUDIT_TRAIL = { none | os | db | db,extended | xml | xml,extended } none or false - Auditing is disabled. 是默認值,不做審計; db or true - Auditing is enabled, with all audit records stored in the database audit trial (SYS.AUD$). 將audit trail 記錄在數據庫的審計相關表中,如aud$,審計的結果只有連接信息; db,extended - As db, but the SQL_BIND and SQL_TEXT columns are also populated. 審計結果里面除了連接信息還包含了當時執行的具體語句; xml- Auditing is enabled, with all audit records stored as XML format OS files. 10g里新增的。 xml,extended - As xml, but the SQL_BIND and SQL_TEXT columns are also populated. 10g里新增的。 os- Auditing is enabled, with all audit records directed to the operating system's audit trail. 將audit trail 記錄在操作系統文件中,文件名由audit_file_dest參數指定; 注:這兩個參數是static參數,需要重新啟動數據庫才能生效。 當開啟審計功能后,可在三個級別對數據庫進行審計:Statement(語句)、Privilege(權限)、object(對象)。 1、 Statement(語句審計) 對某種類型的SQL語句審計,不指定結構或對象。比如audit table 會審計數據庫中所有的create table、drop table、truncate table語句,alter session by cmy會審計cmy用戶所有的數據庫連接。 2、 Privilege(權限審計) 當用戶使用了該權限則被審計,如執行grant select any table to a,當執行了audit select any table語句后,當用戶a 訪問了用戶b的表時(如select * from b.t)會用到select any table權限,故會被審計。 注意:用戶是自己表的所有者,所以用戶訪問自己的表不會被審計。 3 、 Object(對象審計) 對一特殊模式對象上的指定語句的審計。 如審計on關鍵字指定對象的相關操作,如aduit alter, delete, drop, insert on cmy.t by scott; 這里會對cmy用戶的t表進行審計,但同時使用了by子句,所以只會對scott用戶發起的操作進行審計。 注意:Oracle沒有提供對schema中所有對象的審計功能,只能一個一個對象審計,對於后面創建的對象,Oracle則提供on default子句來實現自動審計,比如執行audit drop on default by access;后,對於隨后創建的對象的drop操作都會審計。但這個default會對之后創建的所有數據庫對象有效,似乎沒辦法指定只對某個用戶創建的對象有效,相比 trigger 可以對schema的DDL進行“審計”,這個功能稍顯不足。 審計的一些其他選項: 1、by access / by session by access 每一個被審計的操作都會生成一條audit trail。 by session 一個會話里面同類型的操作只會生成一條audit trail,默認為by session。 2、whenever [not] successful whenever successful 操作成功(dba_audit_trail中returncode字段為0) 才審計, whenever not successful 反之。省略該子句的話,不管操作成功與否都會審計。 和審計相關的視圖 1、dba_audit_trail 保存所有的audit trail,實際上它只是一個基於aud$的視圖。其它的視圖dba_audit_session,dba_audit_object,dba_audit_statement都只是dba_audit_trail的一個子集。 2、dba_stmt_audit_opts 可以用來查看statement審計級別的audit options,即數據庫設置過哪些statement級別的審計。dba_obj_audit_opts,dba_priv_audit_opts視圖功能與之類似。 3、all_def_audit_opts 用來查看數據庫用on default子句設置了哪些默認對象審計。 取消審計 將對應審計語句的 audit 改為noaudit即可。如audit session whenever successful;取消審計noaudit session whenever successful; 試驗如下: 首先,檢查審計功能是否開啟。 SQL> SHOW PARAMETER AUDIT NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ audit_file_dest string C:\ORACLE\PRODUCT\10.2.0\ADMIN \DB10G\ADUMP audit_sys_operations boolean FALSE audit_trail string NONE SQL> 審計相關的表安裝 SQL> connect / AS SYSDBA SQL> select * from sys.aud$; --沒有記錄返回 SQL> select * from dba_audit_trail; - 沒有記錄返回 如果做上述查詢的時候發現表不存在,說明審計相關的表還沒有安裝,需要安裝。 SQL> connect / as sysdba SQL> @$ORACLE_HOME/rdbms/admin/cataudit.sql 審計表安裝在SYSTEM表空間。所以要確保SYSTEM表空間又足夠的空間存放審計信息。 安裝后要重啟數據庫 基於Oracle的穩定性及性能考慮,可以將審計相關的表移動到其他表空間。 connect / as sysdba; alter table aud$ move tablespace ; alter index I_aud1 rebuild online tablespace ; alter table audit$ move tablespace; alter index i_audit rebuild online tablespace ; alter table audit_actions move tablespace ; alter index i_audit_actions rebuild online tablespace ; 開啟審計功能。 SQL> alter system set audit_sys_operations=TRUE scope=spfile; --審計管理用戶(以sysdba/sysoper角色登陸) SQL> alter system set audit_trail=db,extended scope=spfile; SQL> startup force; SQL> show parameter audit NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ audit_file_dest string C:\ORACLE\PRODUCT\10.2.0\ADMIN \DB10G\ADUMP audit_sys_operations boolean TRUE audit_trail string DB, EXTENDED SQL> 1、對創建表的審計 會話1中(已sysdba登錄) SQL> audit create table by user1; 審計已成功。 會話2中(已user1用戶登錄) SQL> create table test (id number); Table created SQL> create table test (id number); create table test (id number) ORA-00955: 名稱已由現有對象使用 SQL> select username,returncode,action_name from dba_audit_trail; USERNAME RETURNCODE ACTION_NAME ------------------------------ ---------- ---------------------------- USER1 0 CREATE TABLE USER1 955 CREATE TABLE SQL> 2、對修改、刪除表的審計 由於沒有對drop table進行單獨審計的操作,需要添加audit table by user(此命令將對create table ,drop table, truncate table 進行審計) 會話1中: SQL> audit table by user1; 審計已成功。 會話2中: SQL> create table test(id number); Table created SQL> alter table test add name varchar2(100); Table altered SQL> drop table test; Table dropped SQL> select username,returncode,action_name from dba_audit_trail; USERNAME RETURNCODE ACTION_NAME ------------------------------ ---------- ---------------------------- USER1 0 CREATE TABLE USER1 0 ALTER TABLE USER1 0 DROP TABLE 3、對視圖的審計 對創建視圖(create view)進行審計 會話1中: SQL> audit create view by USER1; 審計已成功。 會話2中: SQL> create view test0 as select * from test; SQL> create view test0 as select * from test; 名稱已由現有對象使用 SQL>select username,returncode,action_name from dba_audit_trail; USERNAME RETURNCODE ACTION_NAME ------------------------------ ---------- ---------------------------- USER1 0 CREATE VIEW USER1 955 CREATE VIEW 會話1中: SQL> audit view by USER1; 審計已成功。 會話2中: SQL> drop view test0; View dropped SQL> drop view test0; drop view test0 ORA-00942: 表或視圖不存在 SQL> select username,returncode,action_name from dba_audit_trail; USERNAME RETURNCODE ACTION_NAME ------------------------------ ---------- ---------------------------- USER1 0 DROP VIEW USER1 942 DROP VIEW 4、對程序包的審計 會話1中: SQL> audit procedure by user1; 審計已成功。 SQL> truncate table aud$; 表被截斷。 會話2中: SQL> create procedure test1 as 2 begin 3 null; 4 end; 5 / Procedure created SQL> drop procedure test1; Procedure dropped SQL> drop procedure test1; drop procedure test1 ORA-04043: 對象 TEST1 不存在 SQL> select username,returncode,action_name from dba_audit_trail; USERNAME RETURNCODE ACTION_NAME ------------------------------ ---------- ---------------------------- USER1 0 CREATE PROCEDURE USER1 0 DROP PROCEDURE USER1 4043 DROP PROCEDURE 5、對用戶的審計 audit user by user 綜上所述: 1. 對表的審計:可以單獨對表的create,alter進行審計,如果要對drop操作進行審計需要對表加audit table(該命令包含有create table,drop table,truncate table). 2. 對視圖的審計:可以單獨對視圖的create進行審計,如果要對drop操作進行審計需要對視圖加audit view(該命令包含有create view,drop view). 3. 對程序包的審計:可以對包(函數,存儲過程等)的create進行審計,如果需要對drop操作進行審計需要加audit procedure(該命令對CREATE FUNCTION, CREATE LIBRARY , CREATE PACKAGE, CREATE PACKAGE BODY, CREATE PROCEDURE, DROP FUNCTION, DROP LIBRARY, DROP PACKAGE, DROP PROCEDURE進行審計) 4. 對用戶的審計:可以通過audit user(該命令包含 create user,alter user,drop user)進行審計 以下是對上面內容的一個補充。 Maintenance and Security Auditing should be planned carefully to control the quantity of audit information. Only audit specific operations or objects of interest. Over time you can refine the level of auditing to match your requirements. The database audit trail must be deleted, or archived, on a regular basis to prevent the SYS.AUD$ table growing to an unnacceptable size.Only DBAs should have maintenance access to the audit trail. Auditing modifications of the data in the audit trail itself can be achieved using the following statement: AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS; The OS and XML audit trails are managed through the OS. These files should be secured at the OS level by assigning the correct file permissions. Fine Grained Auditing (FGA) Fine grained auditing extends Oracle standard auditing capabilities by allowing the user to audit actions based on user-defined predicates. It is independant of the AUDIT_TRAIL parameter setting and all audit records are stored in the FGA_LOG$ table, rather than the AUD$ table. The following example illustrates how fine grained auditing is used. First, create a test table. CONN audit_test/password CREATE TABLE emp ( empno NUMBER(4) NOT NULL, ename VARCHAR2(10), job VARCHAR2(9), mgr NUMBER(4), hiredate DATE, sal NUMBER(7,2), comm NUMBER(7,2), deptno NUMBER(2) ); INSERT INTO emp (empno, ename, sal) VALUES (9999, 'Tim', 1); INSERT INTO emp (empno, ename, sal) VALUES (9999, 'Larry', 50001); COMMIT; The following policy audits any queries of salaries greater than £50,000. CONN sys/password AS sysdba BEGIN DBMS_FGA.add_policy( object_schema => 'AUDIT_TEST', object_name => 'EMP', policy_name => 'SALARY_CHK_AUDIT', audit_condition => 'SAL > 50000', audit_column => 'SAL'); END; / Querying both employees proves the auditing policy works as expected. CONN audit_test/password SELECT sal FROM emp WHERE ename = 'Tim'; SELECT sal FROM emp WHERE ename = 'Larry'; CONN sys/password AS SYSDBA SELECT sql_text FROM dba_fga_audit_trail; SQL_TEXT ------------------------------------------ SELECT sal FROM emp WHERE ename = 'Larry' 1 row selected. SQL> Extra processing can be associated with an FGA event by defining a database procedure and associating this to the audit event. The following example assumes the FIRE_CLERK procedure has been defined: BEGIN DBMS_FGA.add_policy( object_schema => 'AUDIT_TEST', object_name => 'EMP', policy_name => 'SALARY_CHK_AUDIT', audit_condition => 'SAL > 50000', audit_column => 'SAL', handler_schema => 'AUDIT_TEST', handler_module => 'FIRE_CLERK', enable => TRUE); END; / The DBMS_FGA package contains the following procedures: ADD_POLICY DROP_POLICY ENABLE_POLICY DISABLE_POLICY In Oracle9i fine grained auditing was limited queries, but in Oracle 10g it has been extended to include DML statements, as shown by the following example. -- Clear down the audit trail. CONN sys/password AS SYSDBA TRUNCATE TABLE fga_log$; SELECT sql_text FROM dba_fga_audit_trail; no rows selected. -- Apply the policy to the SAL column of the EMP table. BEGIN DBMS_FGA.add_policy( object_schema => 'AUDIT_TEST', object_name => 'EMP', policy_name => 'SAL_AUDIT', audit_condition => NULL, -- Equivalent to TRUE audit_column => 'SAL', statement_types => 'SELECT,INSERT,UPDATE,DELETE'); END; / -- Test the auditing. CONN audit_test/password SELECT * FROM emp WHERE empno = 9998; INSERT INTO emp (empno, ename, sal) VALUES (9998, 'Bill', 1); UPDATE emp SET sal = 10 WHERE empno = 9998; DELETE emp WHERE empno = 9998; ROLLBACK; -- Check the audit trail. CONN sys/password AS SYSDBA SELECT sql_text FROM dba_fga_audit_trail; SQL_TEXT -------------------------------------- SELECT * FROM emp WHERE empno = 9998 INSERT INTO emp (empno, ename, sal) VALUES (9998, 'Bill', 1) UPDATE emp SET sal = 10 WHERE empno = 9998 DELETE emp WHERE empno = 9998 4 rows selected. -- Drop the policy. CONN sys/password AS SYSDBA BEGIN DBMS_FGA.drop_policy( object_schema => 'AUDIT_TEST', object_name => 'EMP', policy_name => 'SAL_AUDIT'); END; /
