最近,在我们开发库要对一套实例做一个DDL审计触发器,触发器代码如下所示:
---- 存储DDL语句的表
create table audit_ddl
(
opertime timestamp PRIMARY KEY,
ip varchar2(20),
hostname varchar2(30),
operation varchar2(30),
object_type varchar2(30),
object_name varchar2(30),
sql_stmt clob,
db_schema varchar2(30)
);
---- 捕获DDL语句的触发器
create or replace trigger trg_audit_ddl
after create or drop or truncate ON DATABASE
DECLARE
PRAGMA AUTONOMOUS_TRANSACTION;
n NUMBER;
stmt clob := NULL;
sql_text ora_name_list_t;
BEGIN
n := ora_sql_txt(sql_text);
FOR i IN 1 .. n LOOP
stmt := stmt || sql_text(i);
END LOOP;
INSERT INTO audit_ddl
(opertime, ip, hostname, operation, object_type, object_name, sql_stmt,db_schema)
VALUES
(systimestamp,
sys_context('userenv', 'ip_address'),
sys_context('userenv', 'terminal'),
ora_sysevent,
ora_dict_obj_type,
ora_dict_obj_name,
stmt,
user
);
COMMIT;
END;
/
创建审计DDL的触发器成功,并且是生效的,如图:
但是,我用测试用户创建表、删除表、truncate表,都无法审计到,过程如下:
--具有或非DBA权限用户,执行建表
create table trg_ddl_test as select * from dba_data_files;
--然后用sys或创建ddl审计的用户,查询DDL审计表,无记录返回
[oracle@oradbs ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Thu May 19 19:31:16 2016
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from audit_ddl;
no rows selected
SQL>
但是,相同的触发器在相同服务器,相同版本的其他数据库实例上执行,都能捕获到DDL,如图所示:
后来,对DDL审计触发器做了修改,就是创建测试表,触发触发器,让触发器向DDL审计触发器插入一个1,没有成功;由此,怀疑,DDL审计触发器不起作用的数据库实例参数配置肯定有问题,通过对比发现:隐藏参数_system_trig_enabled在DDL审计触发器不起作用的服务器上被设置为了false:
SQL> show parameter _system_trig_enabled
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
_system_trig_enabled boolean FALSE
该参数是动态参数,执行alter system set " _system_trig_enabled"=true; 将参数设置为true
SQL> alter system set "_system_trig_enabled"=true;
System altered.
SQL> show parameter _system_trig_enabled
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
_system_trig_enabled boolean TRUE
设置完隐藏参数为true后,数据库实例可以正常审计数据库级别的DDL:
--test用户truncate表,drop表
SQL> select * from tab;
TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
CDBA_DATA_FILES TABLE
TRG_DDL_TEST TABLE
SQL> truncate table TRG_DDL_TEST;
Table truncated.
SQL> drop table TRG_DDL_TEST;
Table dropped.
--DDL审计用户查询审计记录:
需要注意的这里只审计了create、drop和truncate,如果需要审计所有DDL,只需要修改:after create or drop or truncate on database为after ddl on database即可。
---- 存储DDL语句的表
create table audit_ddl
(
opertime timestamp PRIMARY KEY,
ip varchar2(20),
hostname varchar2(30),
operation varchar2(30),
object_type varchar2(30),
object_name varchar2(30),
sql_stmt clob,
db_schema varchar2(30)
);
---- 捕获DDL语句的触发器
create or replace trigger trg_audit_ddl
after create or drop or truncate ON DATABASE
DECLARE
PRAGMA AUTONOMOUS_TRANSACTION;
n NUMBER;
stmt clob := NULL;
sql_text ora_name_list_t;
BEGIN
n := ora_sql_txt(sql_text);
FOR i IN 1 .. n LOOP
stmt := stmt || sql_text(i);
END LOOP;
INSERT INTO audit_ddl
(opertime, ip, hostname, operation, object_type, object_name, sql_stmt,db_schema)
VALUES
(systimestamp,
sys_context('userenv', 'ip_address'),
sys_context('userenv', 'terminal'),
ora_sysevent,
ora_dict_obj_type,
ora_dict_obj_name,
stmt,
user
);
COMMIT;
END;
/
创建审计DDL的触发器成功,并且是生效的,如图:
但是,我用测试用户创建表、删除表、truncate表,都无法审计到,过程如下:
--具有或非DBA权限用户,执行建表
create table trg_ddl_test as select * from dba_data_files;
--然后用sys或创建ddl审计的用户,查询DDL审计表,无记录返回
[oracle@oradbs ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Thu May 19 19:31:16 2016
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from audit_ddl;
no rows selected
SQL>
但是,相同的触发器在相同服务器,相同版本的其他数据库实例上执行,都能捕获到DDL,如图所示:
后来,对DDL审计触发器做了修改,就是创建测试表,触发触发器,让触发器向DDL审计触发器插入一个1,没有成功;由此,怀疑,DDL审计触发器不起作用的数据库实例参数配置肯定有问题,通过对比发现:隐藏参数_system_trig_enabled在DDL审计触发器不起作用的服务器上被设置为了false:
SQL> show parameter _system_trig_enabled
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
_system_trig_enabled boolean FALSE
该参数是动态参数,执行alter system set " _system_trig_enabled"=true; 将参数设置为true
SQL> alter system set "_system_trig_enabled"=true;
System altered.
SQL> show parameter _system_trig_enabled
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
_system_trig_enabled boolean TRUE
设置完隐藏参数为true后,数据库实例可以正常审计数据库级别的DDL:
--test用户truncate表,drop表
SQL> select * from tab;
TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
CDBA_DATA_FILES TABLE
TRG_DDL_TEST TABLE
SQL> truncate table TRG_DDL_TEST;
Table truncated.
SQL> drop table TRG_DDL_TEST;
Table dropped.
--DDL审计用户查询审计记录:
需要注意的这里只审计了create、drop和truncate,如果需要审计所有DDL,只需要修改:after create or drop or truncate on database为after ddl on database即可。
