Server Setup
Auditing is a default feature of the Oracle server. The initialization parameters that influence its behaviour can be displayed using the SHOW PARAMETER SQL*Plus command.
SQL> SHOW PARAMETER AUDIT
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string C:\ORACLE\PRODUCT\10.2.0\ADMIN
\DB10G\ADUMP
audit_sys_operations boolean FALSE
audit_trail string NONE
Auditing is disabled by default, but can enabled by setting the AUDIT_TRAIL static parameter, which has the following allowed values.
AUDIT_TRAIL = { none | os | db | db,extended | xml | xml,extended }
The following list provides a description of each setting:
- none or false - Auditing is disabled.
- db or true - Auditing is enabled, with all audit records stored in the database audit trial (SYS.AUD$).
- db,extended - As db, but the SQL_BIND and SQL_TEXT columns are also populated.
- xml- Auditing is enabled, with all audit records stored as XML format OS files.
- xml,extended - As xml, but the SQL_BIND and SQL_TEXT columns are also populated.
- os- Auditing is enabled, with all audit records directed to the operating system's audit trail.
Note. In Oracle 10g Release 1, db_extended was used in place of db,extended. The XML options are new to Oracle 10g Release 2.
The AUDIT_SYS_OPERATIONS static parameter enables or disables the auditing of operations issued by users connecting with SYSDBA or SYSOPER privileges, including the SYS user. All audit records are written to the OS audit trail. After enable sys operation audit, you'll find below context in OS audit file.
Sat Apr 26 15:50:41 2014 +08:00
LENGTH : '218'
ACTION :[64] 'select count(*) from dba_tables
where table_name='AQ$_SCHEDULES''
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/4'
STATUS:[1] '0'
DBID:[10] '1348048916'
The AUDIT_FILE_DEST parameter specifies the OS directory used for the audit trail when the os, xml and xml,extended options are used. It is also the location for all mandatory auditing specified by the AUDIT_SYS_OPERATIONS parameter.
To enable auditing and direct audit records to the database audit trail, we would do the following.
SQL> ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE;
System altered.
SQL> SHUTDOWN
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> STARTUP
ORACLE instance started.
Total System Global Area 289406976 bytes
Fixed Size 1248600 bytes
Variable Size 71303848 bytes
Database Buffers 213909504 bytes
Redo Buffers 2945024 bytes
Database mounted.
Database opened.
审计级别
当开启审计功能后,可在三个级别对数据库进行审计:Statement(语句)、Privilege(权限)、object(对象)。
语句审计,对某种类型的SQL语句审计,不指定结构或对象。比如audit table 会审计数据库中所有的create table,drop table,truncate table语句,alter session by cmy会审计cmy用户所有的数据库连接。
权限审计,当用户使用了该权限则被审计,如执行grant selectany table to a,当执行了audit select any table语句后,当用户a 访问了用户b的表时(如select * from b.t)会用到select any table权限,故会被审计。注意用户是自己表的所有者,所以用户访问自己的表不会被审计。
对象审计,对一特殊模式对象上的指定语句的审计. 如审计on关键字指定对象的相关操作,如aduit alter,delete,drop,insert on cmy.t by scott; 这里会对cmy用户的t表进行审计,但同时使用了by子句,所以只会对scott用户发起的操作进行审计。
注意:Oracle没有提供对schema中所有对象的审计功能,只能一个一个对象审计,对于后面创建的对象,Oracle则提供on default子句来实现自动审计,比如执行
audit create on default by access;
后,对于随后创建的对象的create操作都会审计。但这个default会对之后创建的所有数据库对象有效,似乎没办法指定只对某个用户创建的对象有效,可以使用 trigger可以对schema的DDL进行“审计”,这个功能稍显不足。
审计的一些其他选项
by access / by session
by access 每一个被审计的操作都会生成一条audit trail。
by session 一个会话里面同类型的操作只会生成一条audit trail,默认为by session。
whenever [not] successful
whenever successful 操作成功(dba_audit_trail中returncode字段为0) 才审计,
whenever not successful 反之。省略该子句的话,不管操作成功与否都会审计。
审计相关的视图
dba_audit_trail:保存所有的audit trail,实际上它只是一个基于aud$的视图。其它的视图dba_audit_session,dba_audit_object,dba_audit_statement都只是dba_audit_trail的一个子集。
dba_stmt_audit_opts:可以用来查看statement审计级别的audit options,即数据库设置过哪些statement级别的审计。dba_obj_audit_opts,dba_priv_audit_opts视图功能与之类似
all_def_audit_opts:用来查看数据库用on default子句设置了哪些默认对象审计。
取消审计
将对应审计语句的audit改为noaudit即可,
如audit session whenever successful;
对应的取消审计语句为
noaudit session whenever successful;
Audit Options
One look at the AUDIT command syntax should give you an idea of how flexible Oracle auditing is. There is no point repeating all this information, so instead we will look at a simple example.
First we create a new user called AUDIT_TEST.
CONNECT sys/password AS SYSDBA
CREATE USER audit_test IDENTIFIED BY password
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE temp
QUOTA UNLIMITED ON users;
GRANT connect TO audit_test;
GRANT create table, create procedure TO audit_test;
Next we audit all operations by the AUDIT_TEST user.
CONNECT sys/password AS SYSDBA
AUDIT ALL BY audit_test BY ACCESS;
AUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY audit_test BY ACCESS;
AUDIT EXECUTE PROCEDURE BY audit_test BY ACCESS;
These options audit all DDL and DML, along with some system events.
- DDL (CREATE, ALTER & DROP of objects)
- DML (INSERT UPDATE, DELETE, SELECT, EXECUTE).
- SYSTEM EVENTS (LOGON, LOGOFF etc.)
Next, we perform some operations that will be audited.
CONN audit_test/password
CREATE TABLE test_tab (
id NUMBER
);
INSERT INTO test_tab (id) VALUES (1);
UPDATE test_tab SET id = id;
SELECT * FROM test_tab;
DELETE FROM test_tab;
DROP TABLE test_tab;
View Audit Trail
The audit trail is stored in the SYS.AUD$ table. Its contents can be viewed directly or via the following views.
The three main audit related views are shown below.
DBA_AUDIT_TRAIL - Standard auditing only (from AUD$).
DBA_FGA_AUDIT_TRAIL - Fine-grained auditing only (from FGA_LOG$).
DBA_COMMON_AUDIT_TRAIL - Both standard and fine-grained auditing.
The most basic view of the database audit trail is provided by the DBA_AUDIT_TRAIL view, which contains a wide variety of information. The following query displays the some of the information from the database audit trail.
COLUMN username FORMAT A10
COLUMN owner FORMAT A10
COLUMN obj_name FORMAT A10
COLUMN extended_timestamp FORMAT A35
SELECT username,
extended_timestamp,
owner,
obj_name,
action_name
FROM dba_audit_trail
WHERE owner = 'AUDIT_TEST'
ORDER BY timestamp;
USERNAME EXTENDED_TIMESTAMP OWNER OBJ_NAME ACTION_NAME
---------- ----------------------------------- ---------- ---------- ----------------------------
AUDIT_TEST 16-FEB-2006 14:16:55.435000 +00:00 AUDIT_TEST TEST_TAB CREATE TABLE
AUDIT_TEST 16-FEB-2006 14:16:55.514000 +00:00 AUDIT_TEST TEST_TAB INSERT
AUDIT_TEST 16-FEB-2006 14:16:55.545000 +00:00 AUDIT_TEST TEST_TAB UPDATE
AUDIT_TEST 16-FEB-2006 14:16:55.592000 +00:00 AUDIT_TEST TEST_TAB SELECT
AUDIT_TEST 16-FEB-2006 14:16:55.670000 +00:00 AUDIT_TEST TEST_TAB DELETE
AUDIT_TEST 16-FEB-2006 14:17:00.045000 +00:00 AUDIT_TEST TEST_TAB DROP TABLE
6 rows selected.
When the audit trail is directed to an XML format OS file, it can be read using a text editor or via the V$XML_AUDIT_TRAIL view, which contains similar information to the DBA_AUDIT_TRAIL view.
COLUMN db_user FORMAT A10
COLUMN object_schema FORMAT A10
COLUMN object_name FORMAT A10
COLUMN extended_timestamp FORMAT A35
SELECT db_user,
extended_timestamp,
object_schema,
object_name,
action
FROM v$xml_audit_trail
WHERE object_schema = 'AUDIT_TEST'
ORDER BY extended_timestamp;
DB_USER EXTENDED_TIMESTAMP OBJECT_SCH OBJECT_NAM ACTION
---------- ----------------------------------- ---------- ---------- ----------
AUDIT_TEST 16-FEB-2006 14:14:33.417000 +00:00 AUDIT_TEST TEST_TAB 1
AUDIT_TEST 16-FEB-2006 14:14:33.464000 +00:00 AUDIT_TEST TEST_TAB 2
AUDIT_TEST 16-FEB-2006 14:14:33.511000 +00:00 AUDIT_TEST TEST_TAB 6
AUDIT_TEST 16-FEB-2006 14:14:33.542000 +00:00 AUDIT_TEST TEST_TAB 3
AUDIT_TEST 16-FEB-2006 14:14:33.605000 +00:00 AUDIT_TEST TEST_TAB 7
AUDIT_TEST 16-FEB-2006 14:14:34.917000 +00:00 AUDIT_TEST TEST_TAB 12
6 rows selected.
Several fields were added to both the standard and fine-grained audit trails in Oracle 10g, including the following.
EXTENDED_TIMESTAMP - A more precise value than the exising TIMESTAMP column.
PROXY_SESSIONID - Proxy session serial number when an enterprise user is logging in via the proxy method.
GLOBAL_UID - Global Universal Identifier for an enterprise user.
INSTANCE_NUMBER - The INSTANCE_NUMBER value from the actioning instance.
OS_PROCESS - Operating system process id for the oracle process.
TRANSACTIONID - Transaction identifier for the audited transaction. This column can be used to join to the XID column on the FLASHBACK_TRANSACTION_QUERY view.
SCN - System change number of the query. This column can be used in flashback queries.
SQL_BIND - The values of any bind variables if any.
SQL_TEXT - The SQL statement that initiated the audit action.
The SQL_BIND and SQL_TEXT columns are only populated when the AUDIT_TRAIL parameter is set to db,extended or xml,extended.
Maintenance and Security
Auditing should be planned carefully to control the quantity of audit information. Only audit specific operations or objects of interest. Over time you can refine the level of auditing to match your requirements.
The database audit trail must be deleted, or archived, on a regular basis to prevent the SYS.AUD$ table growing to an unnacceptable size.Only DBAs should have maintenance access to the audit trail. Auditing modifications of the data in the audit trail itself can be achieved using the following statement.
AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;
The OS and XML audit trails are managed through the OS. These files should be secured at the OS level by assigning the correct file permissions.
Fine-grained auditing(FGA) 细粒度审计
前面所提到的审计都是针对操作进行审计,如果需要对表的特定数据进行审计则应使用FGA来实现。Fine-grained auditing在Oracle 9i 中引入,10g 之后版本可以audit 所有DML。FGA的实现基于DBMS_FGA包,它属于SYS用户。
增加 FGA 策略
-- 审计表
SQL>grant resource,connect to bank identified by bank;
create table bank.accounts
(
acct_no number primary key,
cust_id number not null ,
balance number(15,2) null
);
insert into bank.accounts values(1,1,10000);
insert into bank.accounts values(2,2,20000);
commit;
Begin
dbms_fga.drop_policy (
object_schema=>'BANK',
object_name=>'ACCOUNTS',
policy_name=>'ACCOUNTS_ACCESS');
dbms_fga.add_policy (
object_schema=>'BANK',
object_name=>'ACCOUNTS',
policy_name=>'ACCOUNTS_ACCESS');
end;
/
select * from bank.accounts;
select timestamp, db_user,os_user,object_schema,object_name,sql_text from dba_fga_audit_trail;
-- 审计列和审计条件, 在add_policy中加入
-- audit_column => 'BALANCE'
-- audit_condition => 'BALANCE >=11000'
Begin
dbms_fga.drop_policy (
object_schema=>'BANK',
object_name=>'ACCOUNTS',
policy_name=>'ACCOUNTS_ACCESS');
dbms_fga.add_policy (
object_schema=>'BANK',
object_name=>'ACCOUNTS',
audit_column => 'BALANCE',
audit_condition => 'BALANCE >=11000',
policy_name=>'ACCOUNTS_ACCESS');
end;
/
select BALANCE from bank.accounts;
select timestamp, db_user,os_user,object_schema,object_name,sql_text from dba_fga_audit_trail;
管理 FGA 策略
--要删除策略,您可以使用以下语句:
begin
dbms_fga.drop_policy (
object_schema => 'BANK',
object_name => 'ACCOUNTS',
policy_name => 'ACCOUNTS_ACCESS'
);
end;
/
-- 对于更改策略而言,没有随取随用的解决方案。要更改策略中的任何参数,必须删除策略,再使用更改后的参数添加策略。
-- 需要临时禁用审计收集
例如,如果您希望将线索表移动到不同的表空间或者要删除线索表。您可以按如下方法禁用 FGA 策略:
begin
dbms_fga.enable_policy (
object_schema => 'BANK',
object_name => 'ACCOUNTS',
policy_name => 'ACCOUNTS_ACCESS',
enable => FALSE );
end;
/
-- 重新启用很简单 enable =>TRUE;
FGA 数据字典视图
FGA 策略的定义位于数据字典视图 DBA_AUDIT_POLICIES 中。
审计线索收集在SYS 拥有的表 FGA_LOG$ 中。对于 SYS 拥有的任何原始表,此表上的某些视图以对用户友好的方式显示信息。DBA_FGA_AUDIT_TRAIL是该表上的一个视图。
一个重要的列是SQL_BIND,它指定查询中使用的绑定变量的值,这是显著增强该工具功能的一项信息。
另一个重要的列是 SCN,当发生特定的查询时,它记录系统更改号。此信息用于识别用户在特定时间看到了什么,而不是现在的值,它使用了闪回查询,这种查询能够显示在指定的 SCN 值时的数据。
审计表的管理
SQLPLUS> connect / AS SYSDBA
SQLPLUS> select * from sys.aud$; --没有记录返回
SQLPLUS> select * from dba_audit_trail; - 没有记录返回
如果做上述查询的时候发现表不存在,说明审计相关的表还没有安装,需要安装。
SQLPLUS> connect / as sysdba
SQLPLUS> @$ORACLE_HOME/rdbms/admin/cataudit.sql
审计表安装在SYSTEM表空间。所以要确保SYSTEM表空间又足够的空间存放审计信息。
安装后要重启数据库
将审计相关的表移动到其他表空间
由于AUD$表等审计相关的表存放在SYSTEM表空间,因此为了不影响系统的性能,保护SYSTEM表空间,最好把AUD$移动到其他的表空间上。可以使用下面的语句来进行移动:
sql>connect / as sysdba;
sql>alter table aud$ move tablespace<new tablespace>;
sql>alter index I_aud1 rebuild onlinetablespace <new tablespace>;
SQL> alter table audit$ move tablespace<new tablespace>;
SQL> alter index i_audit rebuild onlinetablespace <new tablespace>;
SQL> alter table audit_actions movetablespace <new tablespace>;
SQL> alter index i_audit_actions rebuildonline tablespace <new tablespace>;
参考至:http://blog.csdn.net/tianlesoftware/article/details/4712932
http://www.oracle-base.com/articles/10g/auditing-10gr2.php
http://docs.oracle.com/cd/E11882_01/server.112/e41084/statements_4007.htm#SQLRF53734
本文原创,转载请注明出处、作者
如有错误,欢迎指正