Oracle使用audit_trail参数控制审计是否启用
audit_trail的参数有下面几种:
NONE:不开启审计
OS:说明审计信息放在系统汇总,如果是Linux那么由audit_file_dest决定,如果是Windows 那么由事件查看器决定
DB 或 TRUE :表示审计信息存放在数据库里,也就是sys 用户的aud$ 表。
audit_sys_operations参数的含义:
false:不审计sys用户,默认不审计
true:审计sys用户
审计范围分为session 和 access两种
session:表示用户登录之后执行的相同SQL只记录一次,其他相同SQL不再记录;
access:表示每次执行的SQL都进行审计记录。
详细参考官方文档
http://docs.oracle.com/cd/B19306_01/network.102/b14266/cfgaudit.htm#CIHDICID
1、开启审计参数
|
1
2
3
4
5
6
7
8
9
10
|
SQL> show parameter audit
NAME
TYPE VALUE
----------------------------------------------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/mydb/adump
audit_sys_operations boolean
FALSE
audit_syslog_level string
audit_trail string NONE
SQL>
alter
system setaudit_trail=db,extended scope=spfile;
|
2、重启数据库
静态参数,为了使参数生效,需要重启数据库
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
SQL> shutdown immediate;
Database
closed.
Database
dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System
Global
Area 599785472 bytes
Fixed
Size
2085776 bytes
Variable
Size
192941168 bytes
Database
Buffers 398458880 bytes
Redo Buffers 6299648 bytes
Database
mounted.
Database
opened.
SQL> show parameter audit
NAME
TYPE VALUE
----------------------------------------------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/mydb/adump
audit_sys_operations boolean
FALSE
audit_syslog_level string
audit_trail string DB, EXTENDED
|
3、设置对表进行审计
这样每次有用户对表进行操作,那么都会有相应的记录被添加到aud$中,而Oracle为了方便读取数据,创建了视图。
虽然会记录每个用户对表的操作,但是不会记录sys用户的操作,其他所有用户都会做记录。
|
1
2
3
4
5
6
7
8
9
10
11
12
|
SQL> conn /
as
sysdba
Connected.
SQL> audit
all
on
zx.num_t
by
accesswhenever successful;
Audit succeeded.
SQL>
set
linesize 200
SQL>
select
*
from
dba_obj_audit_opts;
OWNER OBJECT_NAME OBJECT_TYPE ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE CRE REA WRI FBK
------------------------------------------------------------ ----------------- ----- ----- ----- ----- ---------- ----- ----- ----- ----- ----- --- ----- ----- ----- ----- -----
ZX NUM_T
TABLE
A/- A/- A/- A/- A/- A/- A/- A/- A/- A/- A/- -/- -/- -/- -/- -/- A/-
|
前面列中
A表示access,每次被审计的操作都会记录,比如开启了scott.emp的select审计,那么任何人select这张表都会触发一次审计,并且记录在aud$中。
S表示session,每个会话被审计的操作都记录一次。
使用不同用户对zx.num_t表做不同访问:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
SQL> conn zx/zx
Connected.
SQL>
select
count
(*)
from
zx.num_t;
COUNT
(*)
----------
0
SQL>
insert
into
zx.num_t (id1)
values
(1);
1 row created.
SQL>
commit
;
Commit
complete.
SQL> conn scott/tiger
Connected.
SQL>
select
count
(*)
from
zx.num_t;
COUNT
(*)
----------
1
SQL>
delete
from
zx.num_t;
1 row deleted.
SQL>
commit
;
Commit
complete.
SQL>
insert
into
zx.num_t (id2)
values
(2);
1 row created.
SQL>
rollback
;
Rollback
complete.
|
4、查询审计记录
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
SQL>
alter
session setnls_date_format=
'yyyymmdd hh24:mi:ss'
;
Session altered.
SQL>
set
lines 200
col OS_USERNAME
for
a10
col USERNAME
for
a11
col USERHOST
for
a10
col TERMINAL
for
a10
col
TIMESTAMP
for
a20
col obj_name
for
a10
col OWNER
for
a10
col ACTION_NAME
for
a11
col TRANSACTIONID
for
a16
col sql_text
for
a50
SELECT
USERNAME,
USERHOST,
TIMESTAMP
,
OWNER,
OBJ_NAME,
ACTION_NAME,
SQL_TEXT
FROM
DBA_AUDIT_TRAIL
WHERE
OBJ_NAME=
'NUM_T'
ORDER
BY
TIMESTAMP
;
USERNAME USERHOST
TIMESTAMP
OWNER OBJ_NAME ACTION_NAME SQL_TEXT
----------- ---------- ------------------------------ ---------- -------------------------------------------------------------
ZX rhel5 20161107 11:57:55 ZX NUM_T NOAUDIT OBJ noaudit
all
on
num_t
ECT
ZX rhel5 20161107 12:00:07 ZX NUM_T
SELECT
select
count
(*)
from
zx.num_t
ZX rhel5 20161107 12:00:21 ZX NUM_T
INSERT
insert
into
zx.num_t (id1)
values
(1)
SCOTT rhel5 20161107 12:00:37 ZX NUM_T
SELECT
select
count
(*)
from
zx.num_t
SCOTT rhel5 20161107 12:00:45 ZX NUM_T
DELETE
delete
from
zx.num_t
SCOTT rhel5 20161107 12:01:27 ZX NUM_T
INSERT
insert
into
zx.num_t (id2)
values
(2)
6
rows
selected.
|
5、取消审计
|
1
2
|
SQL> noaudit
all
on
num_t;
Noaudit succeeded.
|
6、清空aud$
这张系统表是可以使用TRUNCATE命令截断的。把它删掉之后那么视图中的记录也就相应消失了。
|
1
2
3
4
|
SQL>
truncate
table
aud$;
SQL>
SELECT
*
FROM
DBA_FGA_AUDIT_TRAIL;
no
rows
selected
|
更多详细信息参考官方文档
http://docs.oracle.com/cd/B19306_01/network.102/b14266/cfgaudit.htm#BABCFIHB
本文转自hbxztc 51CTO博客,原文链接:http://blog.51cto.com/hbxztc/1870181,如需转载请自行联系原作者
