Oracle Database 12c Security - 12. Audit for Accountability

Oracle Unified Audit Trail (OUA) is a new feature in 12c.

THE SECURITY CYCLE

Auditing makes security more complete. It is an after-the-fact activity; it cannot prevent anything.

Access control cannot guarantee there is no unauthorized access: people always make mistakes, through design, implementation or negligence.

Auditing for Accountability

accountability: being answerable for one's actions

Auditing Provides the Feedback Loop

Worse than having data stolen is not knowing who the thief was, because then you do not know what to improve.

Two things matter: auditing the right things, and interpreting the audit records.

Auditing is a feedback mechanism; without it you cannot know whether your security controls are sound.

Auditing Is Not Overhead

Auditing does not add unnecessary overhead.

There is no need to audit all data; audit only the right data, processes and users.

Audit records are reviewed only when needed, and audit data is purged or archived on a regular schedule.

AUDIT METHODS

These audit methods complement one another.

Infrastructure and Application Server Logs

Fundamental and necessary, but incomplete; they must be combined with other information, such as database audit records.

Application Auditing

Advantages: it is extensible, because the code can be changed, and it is transparent to users.

It is controllable, e.g. the level of detail recorded, and whether records go to the database or the file system.

The records can be comprehensive: not only database access but any access can be recorded, e.g. across several databases or to other resources.

If the application does not pass the information on, database auditing is useless.

Disadvantages: the application is code, and code can have bugs. The application can also be bypassed, e.g. by accessing the database or the disk directly.

Trigger Auditing

This means triggers. Advantages: transparent to the application, selective (can target specific columns), extensible (because it is code).

Disadvantage: no guarantee of coverage; for example, TRUNCATE and direct-path loads do not fire triggers.

Parameters cannot be passed in, and the user information obtainable is limited, e.g. IP address and user name.

A trigger has to be created for every object.

Database Auditing

There are four methods:

  • mandatory SYS auditing (MSA)
  • traditional auditing (TA)
  • fine-grained auditing (FGA)
  • Oracle unified auditing (OUA)

See Oracle Database Auditing.

MSA audits database startup and shutdown and the activity of users connecting with administrative privileges (SYSDBA, SYSOPER, etc.). Records are stored in the operating system.

TA audits session logon/logoff, object access, system privilege use, and PL/SQL execution.

TA was the only choice in 11gR2 and earlier.

FGA is policy-based, or conditional, auditing.

OUA is new in 12c. It covers all the functionality of the methods above, and the audit records are kept in one place (unified_audit_trail).

The biggest advantage of OUA is that you can define the conditions under which an audit record is generated, so performance is better than with the earlier methods.

Another advantage is that it cannot be bypassed and supports all operations.

The disadvantage is that it is incomplete on its own; it must be combined with auditing at other layers, e.g. it cannot obtain the client's IP address.

ENABLING AUDITING IN THE DATABASE

For 11gR2 and earlier, TA plus MSA is recommended; for 12c and later, OUA plus MSA.

Audit Destination for Standard Auditing and FGA

If you do not intend to use OUA, the first thing to decide is where audit records are stored.

FGA records are stored in the table SYS.FGA_LOG$; TA records in SYS.AUD$ or SYSTEM.AUD$.

MSA records are stored in the $ORACLE_BASE/admin//adump directory, controlled by the AUDIT_FILE_DEST parameter.

Below are some audit-related settings from a 19c instance:

SQL> SHOW PARAMETER audit

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /opt/oracle/admin/ORCLCDB/adum
                                                 p
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string
audit_trail                          string      NONE
unified_audit_common_systemlog       string
unified_audit_sga_queue_size         integer     1048576
unified_audit_systemlog              string

SQL> 
SELECT audit_trail
, parameter_name
, parameter_value
FROM dba_audit_mgmt_config_params
ORDER by audit_trail, parameter_name;

AUDIT_TRAIL                  PARAMETER_NAME                 PARAMETER_VALUE
---------------------------- ------------------------------ ------------------------------
FGA AUDIT TRAIL              DB AUDIT CLEAN BATCH SIZE      10000
FGA AUDIT TRAIL              DB AUDIT TABLESPACE            SYSAUX
OS AUDIT TRAIL               AUDIT FILE MAX AGE             5
OS AUDIT TRAIL               AUDIT FILE MAX SIZE            10000
OS AUDIT TRAIL               OS FILE CLEAN BATCH SIZE       1000
STANDARD AUDIT TRAIL         DB AUDIT CLEAN BATCH SIZE      10000
STANDARD AUDIT TRAIL         DB AUDIT TABLESPACE            SYSAUX
UNIFIED AUDIT TRAIL          AUDIT FILE MAX AGE             5
UNIFIED AUDIT TRAIL          AUDIT FILE MAX SIZE            10000
UNIFIED AUDIT TRAIL          AUDIT WRITE MODE               QUEUED WRITE MODE
UNIFIED AUDIT TRAIL          DB AUDIT TABLESPACE            SYSAUX
XML AUDIT TRAIL              AUDIT FILE MAX AGE             5
XML AUDIT TRAIL              AUDIT FILE MAX SIZE            10000
XML AUDIT TRAIL              OS FILE CLEAN BATCH SIZE       1000

14 rows selected.

We can see that audit_sys_operations is already TRUE while audit_trail is NONE, meaning TA is not enabled. An example setting follows; the database must be restarted for it to take effect:

alter system set AUDIT_TRAIL=xml, extended scope=spfile;

In 12c, audit-related parameters must be set in the CDB, because the PDBs share them.

Enable Oracle Unified Auditing in Oracle Database 12c

In 12c, OUA can coexist with the other methods (mixed mode), but for performance and capacity reasons this is not recommended.

OUA performs well because it uses a queued (cached) write mode: audit records are first written to a buffer in the SGA and later flushed to disk. Queued mode is the default; it can be switched to immediate write mode:

BEGIN
 DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE, 
  DBMS_AUDIT_MGMT.AUDIT_TRAIL_IMMEDIATE_WRITE);
END;
/

Pure OUA mode requires AUDIT_TRAIL to be set to NONE:

alter system set AUDIT_TRAIL=none scope=spfile;

At the moment OUA is not enabled:

select parameter, value from v$option where parameter like '%Uni%';

PARAMETER
----------------------------------------------------------------
VALUE
----------------------------------------------------------------
Unified Auditing
FALSE

shutdown immediate

cd $ORACLE_HOME/rdbms/lib

make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME

sqlplus / as sysdba

startup

select parameter, value from v$option where parameter like '%Uni%';

PARAMETER
----------------------------------------------------------------
VALUE
----------------------------------------------------------------
Unified Auditing
TRUE

WHO CONDUCTS THE AUDIT POLICY AND AUDIT REPORTING?

Following the separation of duties (SoD) principle, defining audit policies and reporting on audit records should be separate roles.
The Security Administrator (SA) can be responsible for defining policies and is granted the AUDIT_ADMIN role; whoever reviews audit reports is granted the AUDIT_VIEWER role.

Both roles exist only from 12c onwards.

Audit Administrator Role

The AUDIT_ADMIN role includes the AUDIT ANY and AUDIT SYSTEM privileges (the former for ordinary objects, the latter for system objects) and the ability to define audit policies.

AUDIT_ADMIN can also execute the DBMS_AUDIT_MGMT and DBMS_FGA packages and read the audit-related views.

Audit Reporting Role

This role has read access to the audit-related views.
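An added example (not from the original notes) of putting the separation of duties into practice and then checking it. The account names sec_admin and sec_auditor are assumptions, and the passwords are placeholders:

```sql
-- Run inside the PDB (the demo later uses orclpdb1); in the CDB root, local users would need the C## prefix.
-- Account names are assumptions; passwords are placeholders.
CREATE USER sec_admin   IDENTIFIED BY "<strong-password>";
CREATE USER sec_auditor IDENTIFIED BY "<strong-password>";

-- Policy definition goes to the security administrator, reporting to the auditor.
GRANT CREATE SESSION, AUDIT_ADMIN  TO sec_admin;
GRANT CREATE SESSION, AUDIT_VIEWER TO sec_auditor;

-- What each role actually carries: system privileges ...
SELECT role, privilege
FROM   role_sys_privs
WHERE  role IN ('AUDIT_ADMIN', 'AUDIT_VIEWER')
ORDER  BY role, privilege;

-- ... and object privileges (the audit views and the DBMS_AUDIT_MGMT / DBMS_FGA packages).
SELECT role, owner, table_name, privilege
FROM   role_tab_privs
WHERE  role IN ('AUDIT_ADMIN', 'AUDIT_VIEWER')
ORDER  BY role, owner, table_name, privilege;

-- SoD check 1: nobody should hold both roles. Any row returned is a finding.
SELECT grantee,
       LISTAGG(granted_role, ',') WITHIN GROUP (ORDER BY granted_role) AS audit_roles
FROM   dba_role_privs
WHERE  granted_role IN ('AUDIT_ADMIN', 'AUDIT_VIEWER')
GROUP  BY grantee
HAVING COUNT(DISTINCT granted_role) > 1;

-- SoD check 2: AUDIT_ADMIN is held only by the designated account (plus SYS).
-- Any grantee listed here needs an explanation.
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'AUDIT_ADMIN'
AND    grantee NOT IN ('SYS', 'SEC_ADMIN');
```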

WHAT SHOULD BE AUDITED? CREATING THE AUDIT POLICY

Auditing can only be implemented successfully once you have determined why to audit and what to audit. Otherwise you inevitably audit unnecessary objects, creating performance and administrative burdens. The clearer the goal, the more effective the audit.

When users hold super-user privileges, auditing is the only means of ensuring those privileges are not abused or misused.

Best Practices for Audit Policies

In 12c, many policies are predefined and can be used directly.

  • Audit all actions of privileged users
  • Audit session start and end
    Include the necessary user information: the database user alone says little, e.g. with a connection pool. The application can set it with DBMS_SESSION.SET_IDENTIFIER. Also purge audit records on a schedule, as compliance requires.
  • Audit account, privilege and audit-related administrative commands
  • Audit failed commands
    They may be signs of an intrusion attempt
  • Audit data access and modification commands
    On the most frequently accessed tables and tables holding sensitive data
  • Audit object management commands
    Such as CREATE and ALTER; auditing all DDL is recommended
  • Audit system management commands
    ALTER SYSTEM, ALTER DATABASE
  • Audit security policy management commands and configuration tables
    Execution of audit-related packages, and access to configuration tables
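An added example, not from the original notes, of the scheduled purge mentioned in the session bullet above, using DBMS_AUDIT_MGMT: records older than a recorded archive timestamp are deleted by a job, so nothing that has not been archived is ever purged. The 90-day retention and the job name are assumptions:

```sql
-- Retention policy (assumption): 90 days online; older records are exported elsewhere
-- (e.g. to a SIEM, outside this snippet) and only then purged.

-- Step 1: record the archive point. The archiving process should advance this on every run;
-- the purge below never deletes records newer than it.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);
END;
/

-- Step 2: a scheduled purge that honours the archive timestamp, run every 24 hours.
-- The job name is an assumption.
BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_purge_interval => 24,
    audit_trail_purge_name     => 'UNIFIED_AUDIT_PURGE_90D',
    use_last_arch_timestamp    => TRUE);
END;
/

-- One-off variant of the same purge, e.g. once an incident review is closed.
BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    use_last_arch_timestamp => TRUE);
END;
/

-- Verify that the archive point and the purge job are in place.
SELECT audit_trail, last_archive_ts
FROM   dba_audit_mgmt_last_arch_ts;

SELECT job_name, job_status, audit_trail, job_frequency
FROM   dba_audit_mgmt_cleanup_jobs;
```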

OUA Audit Policy Configuration

Default policies:

SELECT DISTINCT policy_name
FROM audit_unified_policies
ORDER BY policy_name;

POLICY_NAME
-------------------------
ORA_ACCOUNT_MGMT
ORA_CIS_RECOMMENDATIONS
ORA_DATABASE_PARAMETER
ORA_DV_AUDPOL
ORA_DV_AUDPOL2
ORA_LOGON_FAILURES
ORA_RAS_POLICY_MGMT
ORA_RAS_SESSION_MGMT
ORA_SECURECONFIG

9 rows selected.

SELECT *
FROM audit_unified_enabled_policies
ORDER BY policy_name;

POLICY_NAME               ENABLED_OPTION  ENTITY_NAM ENTITY_ SUCCESS    FAILURE
------------------------- --------------- ---------- ------- ---------- ----------
ORA_LOGON_FAILURES        BY USER         ALL USERS  USER    NO         YES
ORA_SECURECONFIG          BY USER         ALL USERS  USER    YES        YES

The details can be viewed as follows:

SELECT policy_name, audit_option_type
, audit_option
FROM audit_unified_policies where policy_name in ( 'ORA_SECURECONFIG', 'ORA_LOGON_FAILURES')
ORDER BY policy_name, audit_option_type, audit_option
;

POLICY_NAME               AUDIT_OPTION_TYPE  AUDIT_OPTION
------------------------- ------------------ --------------------------------------
ORA_LOGON_FAILURES        STANDARD ACTION    LOGON
ORA_SECURECONFIG          OBJECT ACTION      EXECUTE
ORA_SECURECONFIG          OBJECT ACTION      EXECUTE
ORA_SECURECONFIG          STANDARD ACTION    ALTER DATABASE DICTIONARY
ORA_SECURECONFIG          STANDARD ACTION    ALTER DATABASE LINK
ORA_SECURECONFIG          STANDARD ACTION    ALTER PLUGGABLE DATABASE
ORA_SECURECONFIG          STANDARD ACTION    ALTER PROFILE
ORA_SECURECONFIG          STANDARD ACTION    ALTER ROLE
ORA_SECURECONFIG          STANDARD ACTION    ALTER USER
ORA_SECURECONFIG          STANDARD ACTION    CREATE DATABASE LINK
ORA_SECURECONFIG          STANDARD ACTION    CREATE DIRECTORY
ORA_SECURECONFIG          STANDARD ACTION    CREATE PLUGGABLE DATABASE
ORA_SECURECONFIG          STANDARD ACTION    CREATE PROFILE
ORA_SECURECONFIG          STANDARD ACTION    CREATE ROLE
ORA_SECURECONFIG          STANDARD ACTION    DROP DATABASE LINK
ORA_SECURECONFIG          STANDARD ACTION    DROP DIRECTORY
ORA_SECURECONFIG          STANDARD ACTION    DROP PLUGGABLE DATABASE
ORA_SECURECONFIG          STANDARD ACTION    DROP PROFILE
ORA_SECURECONFIG          STANDARD ACTION    DROP ROLE
ORA_SECURECONFIG          STANDARD ACTION    SET ROLE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   ADMINISTER KEY MANAGEMENT
ORA_SECURECONFIG          SYSTEM PRIVILEGE   ALTER ANY PROCEDURE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   ALTER ANY SQL TRANSLATION PROFILE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   ALTER ANY TABLE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   ALTER DATABASE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   ALTER SYSTEM
ORA_SECURECONFIG          SYSTEM PRIVILEGE   AUDIT SYSTEM
ORA_SECURECONFIG          SYSTEM PRIVILEGE   BECOME USER
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE ANY JOB
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE ANY LIBRARY
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE ANY PROCEDURE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE ANY SQL TRANSLATION PROFILE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE ANY TABLE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE EXTERNAL JOB
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE PUBLIC SYNONYM
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE SQL TRANSLATION PROFILE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE USER
ORA_SECURECONFIG          SYSTEM PRIVILEGE   DROP ANY PROCEDURE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   DROP ANY SQL TRANSLATION PROFILE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   DROP ANY TABLE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   DROP PUBLIC SYNONYM
ORA_SECURECONFIG          SYSTEM PRIVILEGE   DROP USER
ORA_SECURECONFIG          SYSTEM PRIVILEGE   EXEMPT ACCESS POLICY
ORA_SECURECONFIG          SYSTEM PRIVILEGE   EXEMPT REDACTION POLICY
ORA_SECURECONFIG          SYSTEM PRIVILEGE   GRANT ANY OBJECT PRIVILEGE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   GRANT ANY PRIVILEGE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   GRANT ANY ROLE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   LOGMINING
ORA_SECURECONFIG          SYSTEM PRIVILEGE   PURGE DBA_RECYCLEBIN
ORA_SECURECONFIG          SYSTEM PRIVILEGE   TRANSLATE ANY SQL

50 rows selected.

Besides the two above, enabling ORA_ACCOUNT_MGMT and ORA_DATABASE_PARAMETER is also recommended.

AUDIT POLICY ora_account_mgmt;
AUDIT POLICY ora_database_parameter;

SELECT *
FROM audit_unified_enabled_policies
ORDER BY policy_name;

POLICY_NAME               ENABLED_OPTION  ENTITY_NAM ENTITY_ SUCCESS    FAILURE
------------------------- --------------- ---------- ------- ---------- ----------
ORA_ACCOUNT_MGMT          BY USER         ALL USERS  USER    YES        YES
ORA_DATABASE_PARAMETER    BY USER         ALL USERS  USER    YES        YES
ORA_LOGON_FAILURES        BY USER         ALL USERS  USER    NO         YES
ORA_SECURECONFIG          BY USER         ALL USERS  USER    YES        YES

You can choose to audit only on success or only on failure, or audit a specific user.

AUDIT POLICY ora_account_mgmt BY sys
WHENEVER NOT SUCCESSFUL;

SELECT *
FROM audit_unified_enabled_policies
ORDER BY policy_name;

POLICY_NAME               ENABLED_OPTION  ENTITY_NAM ENTITY_ SUCCESS    FAILURE
------------------------- --------------- ---------- ------- ---------- ----------
ORA_ACCOUNT_MGMT          BY USER         SYS        USER    NO         YES
ORA_ACCOUNT_MGMT          BY USER         ALL USERS  USER    YES        YES
ORA_DATABASE_PARAMETER    BY USER         ALL USERS  USER    YES        YES
ORA_LOGON_FAILURES        BY USER         ALL USERS  USER    NO         YES
ORA_SECURECONFIG          BY USER         ALL USERS  USER    YES        YES

We see that ORA_ACCOUNT_MGMT now has two rows; removing it completely takes two NOAUDIT commands, one per row (the two AUDIT commands that follow re-enable it):

NOAUDIT POLICY ORA_ACCOUNT_MGMT;
NOAUDIT POLICY ORA_ACCOUNT_MGMT BY SYS;
AUDIT POLICY ORA_ACCOUNT_MGMT;
AUDIT POLICY ora_account_mgmt BY sys
WHENEVER NOT SUCCESSFUL;

Auditing the session context: you can restrict it to particular users, and you can use user-defined contexts as well:

AUDIT CONTEXT
NAMESPACE userenv
ATTRIBUTES authenticated_identity
,authentication_method
,client_identifier
,client_info
,ip_address
;

SELECT * FROM audit_unified_contexts
ORDER BY namespace, attribute, user_name;

NAMESPACE       ATTRIBUTE                                USER_NAME
--------------- ---------------------------------------- ---------------
USERENV         AUTHENTICATED_IDENTITY                   ALL USERS
USERENV         AUTHENTICATION_METHOD                    ALL USERS
USERENV         CLIENT_IDENTIFIER                        ALL USERS
USERENV         CLIENT_INFO                              ALL USERS
USERENV         IP_ADDRESS                               ALL USERS

5 rows selected.

As the MOS note LOGON/LOGOFF ACTIONS DON'T AUDIT WHEN UNIFIED AUDIT ENABLED (Doc ID 2435456.1) explains, ORA_SECURECONFIG does not include LOGON and LOGOFF, so you need to create your own policy:

CREATE AUDIT POLICY LOG_ON_OFF ACTIONS LOGON,LOGOFF;
AUDIT POLICY LOG_ON_OFF;

POLICY_NAME              ENABLED_OPTION  ENTITY_NAME          ENTITY_ SUC FAI
------------------------ --------------- -------------------- ------- --- ---
LOG_ON_OFF               BY USER         ALL USERS            USER    YES YES
ORA_ACCOUNT_MGMT         BY USER         ALL USERS            USER    YES YES
ORA_ACCOUNT_MGMT         BY USER         SYS                  USER    NO  YES
ORA_DATABASE_PARAMETER   BY USER         ALL USERS            USER    YES YES
ORA_LOGON_FAILURES       BY USER         ALL USERS            USER    NO  YES
ORA_SECURECONFIG         BY USER         ALL USERS            USER    YES YES

6 rows selected.

Then log on and off a few times, and audit records appear:

exec DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

SELECT audit_type,
unified_audit_policies,
event_timestamp,
dbusername,
application_contexts
FROM unified_audit_trail
WHERE action_name = 'LOGON'
AND application_contexts IS NOT NULL
ORDER BY event_timestamp DESC;

Standard	LOG_ON_OFF	28-8月 -20 11.51.12.553694000 上午	HR	(USERENV,AUTHENTICATED_IDENTITY=HR); (USERENV,AUTHENTICATION_METHOD=PASSWORD); (USERENV,CLIENT_IDENTIFIER=); (USERENV,CLIENT_INFO=); (USERENV,IP_ADDRESS=127.0.0.1)
Standard	LOG_ON_OFF	28-8月 -20 11.49.44.110506000 上午	SYS	(USERENV,AUTHENTICATED_IDENTITY=oracle); (USERENV,AUTHENTICATION_METHOD=OS); (USERENV,CLIENT_IDENTIFIER=); (USERENV,CLIENT_INFO=); (USERENV,IP_ADDRESS=)
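In the output above CLIENT_IDENTIFIER is empty: the HR session was never tagged, which is exactly the connection-pool problem from the best practices. An added example (not from the original notes) of how the application sets the tag with DBMS_SESSION.SET_IDENTIFIER and how a reviewer then attributes the shared account's activity to end users; the value alice@example.com and the shared account HR are constructed:

```sql
-- Application tier: after taking a pooled connection (shared DB account HR), tag it with the end user.
-- 'alice@example.com' is a constructed value; it comes from the application's own authentication.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('alice@example.com');
END;
/

-- ... the application's statements run here, audited under HR with CLIENT_IDENTIFIER set ...

-- Before the connection goes back to the pool, clear the tag so the next user is not mislabelled.
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- Review side (AUDIT_VIEWER): flush the queued records, then attribute HR's activity to end users.
-- LOGON/LOGOFF rows are excluded because the tag is only set after logon.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

SELECT client_identifier,
       action_name,
       object_schema || '.' || object_name AS object_name,
       COUNT(*)             AS events,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   unified_audit_trail
WHERE  dbusername = 'HR'
AND    action_name NOT IN ('LOGON', 'LOGOFF')
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
GROUP  BY client_identifier, action_name, object_schema || '.' || object_name
ORDER  BY last_seen DESC;

-- Rows with an empty CLIENT_IDENTIFIER are HR activity that bypassed the application
-- (or a pool that forgot to tag); those are the ones to chase.
-- The tag is set by the caller, so it attributes actions; it does not authenticate anyone.
```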

Custom policies follow:

connect / as sysdba
alter session set container=orclpdb1;
select count(*) from sh.sales;

  COUNT(*)
----------
    918843

create table sh.sales_history as select * from sh.sales;

CREATE AUDIT POLICY sales_history_modification
ACTIONS
  ALTER     ON sh.sales_history,
  AUDIT     ON sh.sales_history,
  COMMENT   ON sh.sales_history,
  DELETE    ON sh.sales_history,
  FLASHBACK ON sh.sales_history,
  GRANT     ON sh.sales_history,
  INDEX     ON sh.sales_history,
  INSERT    ON sh.sales_history,
  RENAME    ON sh.sales_history,
  UPDATE    ON sh.sales_history;

AUDIT POLICY sales_history_modification;

CREATE AUDIT POLICY sales_history_read
ACTIONS
  SELECT    ON sh.sales_history;

AUDIT POLICY sales_history_read WHENEVER NOT SUCCESSFUL;

CREATE AUDIT POLICY system_any_priv_fail
PRIVILEGES SELECT ANY TABLE,
  INSERT ANY TABLE,
  UPDATE ANY TABLE,
  DELETE ANY TABLE,
  EXECUTE ANY PROCEDURE;

AUDIT POLICY system_any_priv_fail
WHENEVER NOT SUCCESSFUL;

CREATE AUDIT POLICY recommended_actions
ACTIONS ALTER DISK GROUP,
  ALTER FLASHBACK ARCHIVE,
  CREATE DISK GROUP,
  CREATE FLASHBACK ARCHIVE,
  CREATE RESTORE POINT,
  FLASHBACK TABLE,
  DROP RESTORE POINT,
  DROP FLASHBACK ARCHIVE,
  PURGE INDEX,
  PURGE TABLE,
  PURGE TABLESPACE,
  TRUNCATE CLUSTER,
  TRUNCATE TABLE,
  CHANGE PASSWORD;

AUDIT POLICY recommended_actions ;

CREATE AUDIT POLICY component_common_all
ACTIONS COMPONENT = DATAPUMP EXPORT, IMPORT
ACTIONS COMPONENT = DIRECT_LOAD LOAD;

ALTER AUDIT POLICY component_common_all
ADD ACTIONS COMPONENT = OLS ALL;

AUDIT POLICY component_common_all;

-- oracle-19c-vagrant is the host seen when logging in from the Linux host; from SQL Developer on Windows it is YYXIAO-CN
CREATE AUDIT POLICY conditional_session
PRIVILEGES CREATE SESSION
ACTIONS LOGON
ROLES connect
WHEN
  'NOT (SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''DBSNMP'' AND SYS_CONTEXT(''USERENV'', ''HOST'') = ''oracle-19c-vagrant'')'
EVALUATE PER STATEMENT;

AUDIT POLICY conditional_session;

-- Other examples
-- EXECUTE ON owner.plsql_package
-- actions read, write on directory dir

The components and actions that can be audited are listed in:

select component, name from auditable_system_actions order by component;

SQL> select name from auditable_system_actions where component = 'Standard' order by name;

NAME
----------------------------------------------------------------
ADMINISTER KEY MANAGEMENT
ALL
ALTER ANALYTIC VIEW
ALTER ASSEMBLY
ALTER ATTRIBUTE DIMENSION
ALTER AUDIT POLICY
ALTER CLUSTER
ALTER DATABASE
ALTER DATABASE DICTIONARY
ALTER DATABASE LINK
ALTER DIMENSION
ALTER DISK GROUP
ALTER FLASHBACK ARCHIVE
ALTER FUNCTION
ALTER HIERARCHY
ALTER INDEX
ALTER INDEXTYPE
ALTER INMEMORY JOIN GROUP
ALTER JAVA
ALTER LIBRARY
ALTER LOCKDOWN PROFILE
ALTER MATERIALIZED VIEW
ALTER MATERIALIZED VIEW LOG
ALTER MATERIALIZED ZONEMAP
ALTER MINING MODEL
ALTER OPERATOR
ALTER OUTLINE
ALTER PACKAGE
ALTER PACKAGE BODY
ALTER PLUGGABLE DATABASE
ALTER PROCEDURE
ALTER PROFILE
ALTER RESOURCE COST
ALTER ROLE
ALTER ROLLBACK SEGMENT
ALTER SEQUENCE
ALTER SESSION
ALTER SYNONYM
ALTER SYSTEM
ALTER TABLE
ALTER TABLESPACE
ALTER TRACING
ALTER TRIGGER
ALTER TYPE
ALTER TYPE BODY
ALTER USER
ALTER VIEW
ANALYZE CLUSTER
ANALYZE INDEX
ANALYZE TABLE
ASSOCIATE STATISTICS
AUDIT
CALL
CHANGE PASSWORD
COMMENT
COMMIT
CREATE ANALYTIC VIEW
CREATE ASSEMBLY
CREATE ATTRIBUTE DIMENSION
CREATE AUDIT POLICY
CREATE CLUSTER
CREATE CONTEXT
CREATE DATABASE LINK
CREATE DIMENSION
CREATE DIRECTORY
CREATE DISK GROUP
CREATE EDITION
CREATE FLASHBACK ARCHIVE
CREATE FUNCTION
CREATE HIERARCHY
CREATE INDEX
CREATE INDEXTYPE
CREATE INMEMORY JOIN GROUP
CREATE JAVA
CREATE LIBRARY
CREATE LOCKDOWN PROFILE
CREATE MATERIALIZED VIEW
CREATE MATERIALIZED VIEW LOG
CREATE MATERIALIZED ZONEMAP
CREATE MINING MODEL
CREATE OPERATOR
CREATE OUTLINE
CREATE PACKAGE
CREATE PACKAGE BODY
CREATE PFILE
CREATE PLUGGABLE DATABASE
CREATE PROCEDURE
CREATE PROFILE
CREATE RESTORE POINT
CREATE ROLE
CREATE ROLLBACK SEGMENT
CREATE SCHEMA
CREATE SCHEMA SYNONYM
CREATE SEQUENCE
CREATE SPFILE
CREATE SYNONYM
CREATE TABLE
CREATE TABLESPACE
CREATE TRIGGER
CREATE TYPE
CREATE TYPE BODY
CREATE USER
CREATE VIEW
DELETE
DISASSOCIATE STATISTICS
DROP ANALYTIC VIEW
DROP ASSEMBLY
DROP ATTRIBUTE DIMENSION
DROP AUDIT POLICY
DROP CLUSTER
DROP CONTEXT
DROP DATABASE LINK
DROP DIMENSION
DROP DIRECTORY
DROP DISK GROUP
DROP EDITION
DROP FLASHBACK ARCHIVE
DROP FUNCTION
DROP HIERARCHY
DROP INDEX
DROP INDEXTYPE
DROP INMEMORY JOIN GROUP
DROP JAVA
DROP LIBRARY
DROP LOCKDOWN PROFILE
DROP MATERIALIZED VIEW
DROP MATERIALIZED VIEW  LOG
DROP MATERIALIZED ZONEMAP
DROP MINING MODEL
DROP OPERATOR
DROP OUTLINE
DROP PACKAGE
DROP PACKAGE BODY
DROP PLUGGABLE DATABASE
DROP PROCEDURE
DROP PROFILE
DROP RESTORE POINT
DROP ROLE
DROP ROLLBACK SEGMENT
DROP SCHEMA SYNONYM
DROP SEQUENCE
DROP SYNONYM
DROP TABLE
DROP TABLESPACE
DROP TRIGGER
DROP TYPE
DROP TYPE BODY
DROP USER
DROP VIEW
EXECUTE
EXPLAIN PLAN
FLASHBACK TABLE
GRANT
INSERT
LOCK TABLE
LOGOFF
LOGON
NOAUDIT
PURGE DBA_RECYCLEBIN
PURGE INDEX
PURGE RECYCLEBIN
PURGE TABLE
PURGE TABLESPACE
RENAME
REVOKE
ROLLBACK
SELECT
SET ROLE
SET TRANSACTION
TRUNCATE CLUSTER
TRUNCATE TABLE
UPDATE

172 rows selected.

Use DROP AUDIT POLICY to delete a policy.
Use NOAUDIT POLICY to disable a policy.

The script oua.demo.sql generates a series of operations. The audit records can then be reviewed:

SELECT audit_type,
unified_audit_policies,
event_timestamp,
action_name,sql_text
FROM unified_audit_trail
ORDER BY event_timestamp DESC;

AUDIT_TYPE UNIFIED_AUDIT_POLICIES                   EVENT_TIMESTAMP                ACTION_NAME                    SQL_TEXT
---------- ---------------------------------------- ------------------------------ ------------------------------ ------------------------------------------------------------
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.20.43.663602 PM   LOGON                          alter session set container=orclpdb1
Standard   LOG_ON_OFF                               28-AUG-20 01.18.04.072435 PM   LOGOFF
Standard   ORA_DATABASE_PARAMETER, ORA_SECURECONFIG 28-AUG-20 01.17.54.904151 PM   ALTER SYSTEM                   ALTER SYSTEM FLUSH SHARED_POOL
Standard   ORA_DATABASE_PARAMETER, ORA_SECURECONFIG 28-AUG-20 01.17.51.742300 PM   ALTER SYSTEM                   ALTER SYSTEM FLUSH SHARED_POOL
Standard   ORA_ACCOUNT_MGMT                         28-AUG-20 01.17.44.465629 PM   GRANT                          GRANT READ,WRITE ON DIRECTORY TMPDIR TO testaudit2
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.17.40.908735 PM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 01.17.40.635598 PM   LOGOFF
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.16.30.239839 PM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 01.16.30.187463 PM   LOGOFF
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.16.24.041023 PM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 01.16.23.854305 PM   LOGOFF
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.16.14.927063 PM   LOGON                          alter session set container=orclpdb1
Standard   ORA_LOGON_FAILURES, LOG_ON_OFF, CONDITIO 28-AUG-20 01.16.00.265627 PM   LOGON
           NAL_SESSION

Standard   LOG_ON_OFF                               28-AUG-20 01.16.00.200436 PM   LOGOFF
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.14.59.564148 PM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 01.14.59.413794 PM   LOGOFF
Standard   ORA_DATABASE_PARAMETER, ORA_SECURECONFIG 28-AUG-20 01.14.34.508806 PM   ALTER SYSTEM                   ALTER SYSTEM FLUSH SHARED_POOL
Standard   ORA_ACCOUNT_MGMT                         28-AUG-20 01.14.30.309230 PM   GRANT                          GRANT READ,WRITE ON DIRECTORY TMPDIR TO testaudit2
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.14.08.411675 PM   DROP ROLE                      DROP ROLE audit_test_role
Standard                                            28-AUG-20 01.14.08.073966 PM   GRANT                          GRANT DBA TO audit_test_role
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.14.08.069762 PM   GRANT                          GRANT DBA TO audit_test_role
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.14.08.029903 PM   CREATE ROLE                    CREATE ROLE audit_test_role
Standard                                            28-AUG-20 01.14.02.699974 PM   REVOKE                         REVOKE DBA FROM testaudit1
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.14.02.697303 PM   REVOKE                         REVOKE DBA FROM testaudit1
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.13.52.219908 PM   ALTER USER                     ALTER USER testaudit1 QUOTA UNLIMITED ON users
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.13.47.814282 PM   ALTER USER                     ALTER USER testaudit2 QUOTA UNLIMITED ON users
Standard                                            28-AUG-20 01.13.36.694324 PM   GRANT                          GRANT CONNECT,CREATE TABLE TO testaudit2
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.13.36.692898 PM   GRANT                          GRANT CONNECT,CREATE TABLE TO testaudit2
Standard                                            28-AUG-20 01.13.35.654653 PM   GRANT                          GRANT CREATE SESSION, DBA TO testaudit1
Standard                                            28-AUG-20 01.13.35.651883 PM   GRANT                          GRANT CREATE SESSION, DBA TO testaudit1
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.13.35.648545 PM   GRANT                          GRANT CREATE SESSION, DBA TO testaudit1
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.13.32.074394 PM   CREATE USER                    CREATE USER testaudit2 IDENTIFIED BY *
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.13.32.048000 PM   CREATE USER                    CREATE USER testaudit1 IDENTIFIED BY *
Standard   ORA_SECURECONFIG                         28-AUG-20 01.13.31.956671 PM   CREATE DIRECTORY               CREATE DIRECTORY TMPDIR AS '/tmp'
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.13.27.491994 PM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 01.13.27.322443 PM   LOGOFF
Standard   RECOMMENDED_ACTIONS                      28-AUG-20 01.00.35.152626 PM   TRUNCATE TABLE                 truncate table stats_advisor_filter_obj$
Standard   RECOMMENDED_ACTIONS                      28-AUG-20 01.00.35.138994 PM   TRUNCATE TABLE                 truncate table stats_advisor_filter_opr$
Standard   RECOMMENDED_ACTIONS                      28-AUG-20 01.00.35.126085 PM   TRUNCATE TABLE                 truncate table stats_advisor_filter_rule$
Standard   RECOMMENDED_ACTIONS                      28-AUG-20 01.00.07.568729 PM   TRUNCATE TABLE                 truncate table wri$_heatmap_topn_dep2
Standard   RECOMMENDED_ACTIONS                      28-AUG-20 01.00.07.022011 PM   TRUNCATE TABLE                 truncate table sys.wri$_heatmap_topn_dep1
Standard   RECOMMENDED_ACTIONS                      28-AUG-20 01.00.06.839838 PM   TRUNCATE TABLE                 truncate table sys.wri$_heatmap_top_tablespaces
Standard   ORA_SECURECONFIG                         28-AUG-20 12.01.39.243072 PM   AUDIT                          AUDIT POLICY conditional_session
Standard   ORA_SECURECONFIG                         28-AUG-20 12.01.34.237821 PM   CREATE AUDIT POLICY            CREATE AUDIT POLICY conditional_session
                                                                                                                  PRIVILEGES CREATE SESSION
                                                                                                                  ACTIONS LOGON

Standard   ORA_SECURECONFIG                         28-AUG-20 11.59.37.990976 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY component_dv_example
                                                                                                                  ACTIONS COMPONENT=DV REALM VIOLATION ON

Standard   ORA_SECURECONFIG                         28-AUG-20 11.59.24.072757 AM   AUDIT                          AUDIT POLICY component_common_all
Standard   ORA_SECURECONFIG                         28-AUG-20 11.59.16.197608 AM   ALTER AUDIT POLICY             ALTER AUDIT POLICY component_common_all
                                                                                                                  ADD ACTIONS COMPONENT = OLS ALL

Standard   ORA_SECURECONFIG                         28-AUG-20 11.58.58.554923 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY component_common_all
                                                                                                                  ACTIONS COMPONENT = DATAPUMP EXPORT, IM

Standard   ORA_SECURECONFIG                         28-AUG-20 11.58.12.270863 AM   AUDIT                          AUDIT POLICY recommended_actions
Standard   ORA_SECURECONFIG                         28-AUG-20 11.58.03.249164 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY recommended_actions
                                                                                                                  ACTIONS ALTER DISK GROUP,
                                                                                                                    ALTER FLASHB

Standard   ORA_SECURECONFIG                         28-AUG-20 11.57.50.263862 AM   AUDIT                          AUDIT POLICY system_any_priv_fail
                                                                                                                  WHENEVER NOT SUCCESSFUL

Standard   ORA_SECURECONFIG                         28-AUG-20 11.57.37.860801 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY system_any_priv_fail
                                                                                                                  PRIVILEGES SELECT ANY TABLE,
                                                                                                                    INSERT A

Standard   ORA_SECURECONFIG                         28-AUG-20 11.57.16.960857 AM   AUDIT                          AUDIT POLICY sales_history_read
                                                                                                                  WHENEVER NOT SUCCESSFUL

Standard   ORA_SECURECONFIG                         28-AUG-20 11.56.59.354973 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY sales_history_read
                                                                                                                  ACTIONS
                                                                                                                    SELECT    ON sh.sales_history

Standard   ORA_SECURECONFIG                         28-AUG-20 11.56.41.134694 AM   AUDIT                          AUDIT POLICY sales_history_modification
Standard   ORA_SECURECONFIG                         28-AUG-20 11.56.31.183470 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY sales_history_modification
                                                                                                                  ACTIONS
                                                                                                                    ALTER     ON sh.sales_h

Standard                                            28-AUG-20 11.55.53.199133 AM   SELECT                         create table sh.sales_history as select * from sh.sales
Standard   ORA_SECURECONFIG                         28-AUG-20 11.55.53.198407 AM   CREATE TABLE                   create table sh.sales_history as select * from sh.sales
Standard   LOG_ON_OFF                               28-AUG-20 11.54.41.508125 AM   LOGON                          alter session set container=orclpdb1
Standard   LOG_ON_OFF                               28-AUG-20 11.54.34.914927 AM   LOGOFF
Standard   LOG_ON_OFF                               28-AUG-20 11.54.18.879839 AM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 11.51.12.553694 AM   LOGOFF
Standard   LOG_ON_OFF                               28-AUG-20 11.51.10.495337 AM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 11.49.44.110506 AM   LOGOFF
Standard   LOG_ON_OFF                               28-AUG-20 11.49.39.051850 AM   LOGON                          alter session set container=orclpdb1
Standard   ORA_SECURECONFIG                         28-AUG-20 11.47.37.456796 AM   AUDIT                          AUDIT POLICY LOG_ON_OFF
Standard   ORA_SECURECONFIG                         28-AUG-20 11.47.36.768654 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY LOG_ON_OFF ACTIONS LOGON,LOGOFF
Standard                                            28-AUG-20 11.44.06.888105 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard                                            28-AUG-20 11.42.36.213136 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard   ORA_SECURECONFIG                         28-AUG-20 11.42.11.483007 AM   AUDIT                          audit create session by hr
Standard                                            28-AUG-20 11.40.53.914740 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard                                            28-AUG-20 11.31.30.736585 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;


Standard                                            28-AUG-20 11.30.48.751162 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;


Standard                                            28-AUG-20 11.28.48.402668 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;


Standard                                            28-AUG-20 11.27.48.992515 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;


Standard                                            28-AUG-20 11.24.05.159645 AM   AUDIT                          AUDIT CONTEXT
                                                                                                                  NAMESPACE userenv
                                                                                                                  ATTRIBUTES authenticated_identity
                                                                                                                  ,authenticatio

Standard                                            28-AUG-20 11.24.05.158946 AM   AUDIT                          AUDIT CONTEXT
                                                                                                                  NAMESPACE userenv
                                                                                                                  ATTRIBUTES authenticated_identity
                                                                                                                  ,authenticatio

Standard                                            28-AUG-20 11.24.05.158337 AM   AUDIT                          AUDIT CONTEXT
                                                                                                                  NAMESPACE userenv
                                                                                                                  ATTRIBUTES authenticated_identity
                                                                                                                  ,authenticatio

Standard                                            28-AUG-20 11.24.05.155678 AM   AUDIT                          AUDIT CONTEXT
                                                                                                                  NAMESPACE userenv
                                                                                                                  ATTRIBUTES authenticated_identity
                                                                                                                  ,authenticatio

Standard   ORA_SECURECONFIG                         28-AUG-20 11.24.05.154315 AM   AUDIT                          AUDIT CONTEXT
                                                                                                                  NAMESPACE userenv
                                                                                                                  ATTRIBUTES authenticated_identity
                                                                                                                  ,authenticatio

Standard   ORA_SECURECONFIG                         28-AUG-20 11.12.44.877176 AM   AUDIT                          AUDIT POLICY ora_account_mgmt BY sys
                                                                                                                  WHENEVER NOT SUCCESSFUL

Standard   ORA_SECURECONFIG                         28-AUG-20 11.12.28.577498 AM   AUDIT                          AUDIT POLICY ORA_ACCOUNT_MGMT
Standard   ORA_SECURECONFIG                         28-AUG-20 11.11.24.795566 AM   NOAUDIT                        noAUDIT POLICY ORA_ACCOUNT_MGMT BY SYS
Standard   ORA_SECURECONFIG                         28-AUG-20 11.10.09.291292 AM   NOAUDIT                        noAUDIT POLICY ORA_ACCOUNT_MGMT
Standard   ORA_SECURECONFIG                         28-AUG-20 11.09.49.885547 AM   AUDIT                          AUDIT POLICY ORA_ACCOUNT_MGMT
Standard   ORA_SECURECONFIG                         28-AUG-20 11.08.43.999801 AM   NOAUDIT                        noAUDIT POLICY ORA_ACCOUNT_MGMT
Standard   ORA_SECURECONFIG                         28-AUG-20 11.08.18.341272 AM   AUDIT                          AUDIT POLICY ora_database_parameter
Standard   ORA_SECURECONFIG                         28-AUG-20 11.07.50.320499 AM   NOAUDIT                        NOAUDIT POLICY ORA_DATABASE_PARAMETER
Standard   ORA_SECURECONFIG                         28-AUG-20 11.07.24.013187 AM   NOAUDIT                        NOAUDIT POLICY ora_account_mgmt  EXCEPT sys WHENEVER NOT SUC
                                                                                                                  CESSFUL

Standard   ORA_SECURECONFIG                         28-AUG-20 11.06.52.949319 AM   NOAUDIT                        NOAUDIT POLICY ora_account_mgmt  EXCEPT sys
Standard   ORA_SECURECONFIG                         28-AUG-20 11.04.52.634360 AM   AUDIT                          AUDIT POLICY ora_account_mgmt EXCEPT sys
                                                                                                                  WHENEVER SUCCESSFUL

Standard   ORA_SECURECONFIG                         28-AUG-20 11.04.43.956505 AM   ALTER PLUGGABLE DATABASE       ALTER PLUGGABLE DATABASE  OPEN
Standard                                            28-AUG-20 11.04.42.050496 AM   SELECT                         SELECT SYS_CONTEXT('USERENV','CDB_NAME'),    SYS_CONTEXT('US
                                                                                                                  ERENV','CON_NAME'),

Standard                                            28-AUG-20 11.04.39.961723 AM   ALTER PLUGGABLE DATABASE       ALTER PLUGGABLE DATABASE CLOSE IMMEDIATE
Standard   ORA_SECURECONFIG                         28-AUG-20 11.04.09.310056 AM   AUDIT                          AUDIT POLICY ora_account_mgmt EXCEPT sys
                                                                                                                  WHENEVER SUCCESSFUL

Standard   ORA_SECURECONFIG                         28-AUG-20 11.04.02.162235 AM   NOAUDIT                        NOAUDIT POLICY ora_account_mgmt
Standard   ORA_SECURECONFIG                         28-AUG-20 11.03.30.827808 AM   AUDIT                          AUDIT POLICY ora_account_mgmt EXCEPT sys
                                                                                                                  WHENEVER SUCCESSFUL

Standard   ORA_SECURECONFIG                         28-AUG-20 11.02.18.327682 AM   AUDIT                          AUDIT POLICY ora_account_mgmt BY sys
                                                                                                                  WHENEVER NOT SUCCESSFUL

Standard   ORA_SECURECONFIG                         28-AUG-20 11.01.03.789528 AM   AUDIT                          AUDIT POLICY ora_database_parameter
Standard   ORA_SECURECONFIG                         28-AUG-20 11.01.03.660697 AM   AUDIT                          AUDIT POLICY ora_account_mgmt

100 rows selected.

Traditional Audit Policy Configuration

Before 12c, TA was the only option.

AUDIT CREATE SESSION;

AUDIT CONNECT;

AUDIT TABLE;

AUDIT DELETE ANY TABLE WHENEVER NOT SUCCESSFUL;

NOAUDIT TABLE;

AUDIT INSERT, UPDATE, DELETE ON sh.sales_history;

AUDIT SELECT ON sh.sales_history
WHENEVER NOT SUCCESSFUL;

Audit succeeded.

SELECT sel "select option"
FROM dba_obj_audit_opts
WHERE owner = 'SH'
  AND object_name = 'SALES_HISTORY';

select op
---------
-/A

AUDIT SELECT ON sh.sales_history BY SESSION
WHENEVER SUCCESSFUL;

SELECT sel "select option"
FROM dba_obj_audit_opts
WHERE owner = 'SH'
AND object_name = 'SALES_HISTORY';

select op
---------
S/A

-- In the output above the SEL column reads success/failure: A means BY ACCESS, S means BY SESSION, and - means not audited. So -/A audits only failed SELECTs, and S/A audits successful SELECTs by session and failed ones on every access.

SELECT audit_option, success, failure
FROM dba_stmt_audit_opts
WHERE audit_option = 'CREATE SESSION';

AUDIT_OPTION                             SUCCESS    FAILURE
---------------------------------------- ---------- ----------
CREATE SESSION                           BY ACCESS  BY ACCESS
CREATE SESSION                           BY ACCESS  BY ACCESS

SELECT privilege, success, failure
FROM dba_priv_audit_opts
WHERE privilege = 'DELETE ANY TABLE';

PRIVILEGE                                SUCCESS    FAILURE
---------------------------------------- ---------- ----------
DELETE ANY TABLE                         NOT SET    BY ACCESS

TA audit records are stored in SYS.AUD$.
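The AUDIT statements above configure TA but show nothing about what actually lands in the trail. The following is an added example, not code from the book or the original post: it first checks which auditing mode the binary runs in, then reads the traditional trail for the two cases a security team cares about most, failed logons (from AUDIT CREATE SESSION) and access to SH.SALES_HISTORY (from the object audit options). The 24-hour window and the failure threshold of 5 are arbitrary choices for the example; RETURNCODE is the ORA- error number the server returned (1017 is ORA-01017 invalid username/password, 28000 is ORA-28000 account locked).

```sql
-- Added example: verify that the traditional-audit configuration above is live.
-- In a mixed-mode binary (the default) traditional AUDIT settings write to
-- SYS.AUD$; if this returns TRUE the instance runs pure unified auditing and
-- the AUDIT/NOAUDIT statements above generate no records at all.
SELECT value AS pure_unified_auditing
FROM   v$option
WHERE  parameter = 'Unified Auditing';

-- Failed logons in the last 24 hours (AUDIT CREATE SESSION WHENEVER NOT SUCCESSFUL),
-- grouped by account and origin: a burst from one host against many accounts is
-- password spraying, many attempts against one account is brute force.
SELECT username,
       os_username,
       userhost,
       returncode,
       COUNT(*)       AS failures,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode <> 0
AND    timestamp > SYSDATE - 1
GROUP  BY username, os_username, userhost, returncode
HAVING COUNT(*) >= 5                 -- threshold chosen for this example
ORDER  BY failures DESC;

-- Who touched SH.SALES_HISTORY: the object audit from AUDIT INSERT, UPDATE, DELETE ON
-- sh.sales_history (one row per statement) plus the SELECTs captured by the
-- options set above. SQL_TEXT is populated only when the AUDIT_TRAIL initialization
-- parameter is DB,EXTENDED.
SELECT timestamp,
       username,
       userhost,
       action_name,
       returncode,
       ses_actions,     -- for BY SESSION records: one flag character per operation type
       sql_text
FROM   dba_audit_trail
WHERE  owner    = 'SH'
AND    obj_name = 'SALES_HISTORY'
AND    timestamp > SYSDATE - 1
ORDER  BY timestamp DESC;
```

Run this as a user who can read DBA_AUDIT_TRAIL (SELECT_CATALOG_ROLE). If the first query returns TRUE, the TA configuration above is ignored and the records have to be read from UNIFIED_AUDIT_TRAIL as in the listing earlier on this page.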

FINE-GRAINED AUDITING

FGA's advantage over TA is that auditing can be conditional (the condition is a SQL predicate), which also eliminates unnecessary audit records.

FGA can even audit whether a particular row or column was accessed.

Enabling FGA

Use the DBMS_FGA package.

BEGIN
  DBMS_FGA.ADD_POLICY(
      object_schema => 'SH'
    , object_name => 'SALES_HISTORY'
    , policy_name => 'FGA_LARGE_ORDER'
    , audit_condition => 'AMOUNT_SOLD > 1000'
    , audit_column => NULL
    , handler_schema => NULL
    , handler_module => NULL
    , enable => TRUE
    , statement_types => 'INSERT,UPDATE,DELETE,SELECT'
  );
END;
/

Test:

connect sh/orclpdb1

SQL> select PROD_ID, CUST_ID, AMOUNT_SOLD from SALES_HISTORY where AMOUNT_SOLD > 1000 and rownum < 10;

   PROD_ID    CUST_ID AMOUNT_SOLD
---------- ---------- -----------
        13        987     1232.16
        13       1660     1232.16
        13       1762     1232.16
        13       1843     1232.16
        13       1948     1232.16
        13       2273     1232.16
        13       2380     1232.16
        13       2683     1232.16
        13       2865     1232.16

9 rows selected.

Acting on the Audit

FGA supports an event handler, similar to a trigger on SELECT, through the handler_schema and handler_module parameters. You can use it for additional processing, for example reading the executing statement from CURRENT_SQL in the USERENV context and sending a message to an external system with UTL_TCP, UTL_HTTP or UTL_SMTP.
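To show both the test above and the handler mechanism end to end, here is an added example that is not code from the book or the original post. It creates an alert table and a handler procedure in an assumed SEC_ADMIN schema, re-registers FGA_LARGE_ORDER to call it, runs one matching and one non-matching query, and then reads back what the handler and the audit trail captured. The three-parameter handler signature is the one DBMS_FGA requires; the table, procedure and column names are choices for this example.

```sql
-- Added example (assumed schema SEC_ADMIN, table SEC_FGA_ALERT): an FGA event
-- handler that records the triggering statement and its session context, then
-- a re-registration of FGA_LARGE_ORDER that calls it.

CREATE TABLE sec_admin.sec_fga_alert (
    alert_time     TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
    policy_name    VARCHAR2(128),
    object_owner   VARCHAR2(128),
    object_name    VARCHAR2(128),
    db_user        VARCHAR2(128),
    os_user        VARCHAR2(256),
    client_ip      VARCHAR2(64),
    client_module  VARCHAR2(256),
    current_sql    VARCHAR2(4000)
);

-- The three positional parameters are what DBMS_FGA passes to every handler.
CREATE OR REPLACE PROCEDURE sec_admin.fga_handler (
    p_object_schema IN VARCHAR2,
    p_object_name   IN VARCHAR2,
    p_policy_name   IN VARCHAR2)
AS
    PRAGMA AUTONOMOUS_TRANSACTION;  -- commit the alert even if the audited statement rolls back
BEGIN
    INSERT INTO sec_admin.sec_fga_alert
        (policy_name, object_owner, object_name, db_user, os_user,
         client_ip, client_module, current_sql)
    VALUES
        (p_policy_name, p_object_schema, p_object_name,
         SYS_CONTEXT('USERENV', 'SESSION_USER'),
         SYS_CONTEXT('USERENV', 'OS_USER'),
         SYS_CONTEXT('USERENV', 'IP_ADDRESS'),     -- NULL for local bequeath sessions
         SYS_CONTEXT('USERENV', 'MODULE'),
         SYS_CONTEXT('USERENV', 'CURRENT_SQL'));   -- first 4000 bytes; CURRENT_SQL1..7 hold the rest
    COMMIT;
    -- A UTL_SMTP or UTL_HTTP notification would go here; it runs inline with the
    -- user's statement, so keep it short or hand off to a queue.
EXCEPTION
    WHEN OTHERS THEN
        ROLLBACK;   -- alerting must never make the audited statement fail or hide the FGA record
END;
/

-- Re-create the policy with the handler attached. audit_column limits the trigger to
-- statements that reference the listed columns; ANY_COLUMNS (the default) fires when
-- any of them is referenced, ALL_COLUMNS only when all of them are.
BEGIN
    DBMS_FGA.DROP_POLICY('SH', 'SALES_HISTORY', 'FGA_LARGE_ORDER');
    DBMS_FGA.ADD_POLICY(
        object_schema     => 'SH',
        object_name       => 'SALES_HISTORY',
        policy_name       => 'FGA_LARGE_ORDER',
        audit_condition   => 'AMOUNT_SOLD > 1000',
        audit_column      => 'AMOUNT_SOLD,CUST_ID',
        audit_column_opts => DBMS_FGA.ANY_COLUMNS,
        handler_schema    => 'SEC_ADMIN',
        handler_module    => 'FGA_HANDLER',
        enable            => TRUE,
        statement_types   => 'INSERT,UPDATE,DELETE,SELECT',
        audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED);  -- keep SQL text and binds
END;
/

-- As SH: the first statement returns rows with AMOUNT_SOLD > 1000 and is audited once
-- (FGA fires per statement, not per row); the second cannot satisfy the condition and
-- produces neither an alert nor an audit record.
SELECT cust_id, amount_sold FROM sh.sales_history WHERE amount_sold > 1000 AND ROWNUM <= 5;
SELECT cust_id, amount_sold FROM sh.sales_history WHERE amount_sold < 10   AND ROWNUM <= 5;

-- What the handler captured ...
SELECT alert_time, db_user, os_user, client_ip, current_sql
FROM   sec_admin.sec_fga_alert
ORDER  BY alert_time DESC;

-- ... and the FGA record itself. Under unified auditing it is in UNIFIED_AUDIT_TRAIL
-- with AUDIT_TYPE 'FineGrainedAudit'; in mixed or traditional mode it is in
-- DBA_FGA_AUDIT_TRAIL (SYS.FGA_LOG$).
SELECT event_timestamp, dbusername, fga_policy_name, sql_text
FROM   unified_audit_trail
WHERE  audit_type = 'FineGrainedAudit'
AND    fga_policy_name = 'FGA_LARGE_ORDER'
ORDER  BY event_timestamp DESC;

SELECT timestamp, db_user, policy_name, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'FGA_LARGE_ORDER'
ORDER  BY timestamp DESC;
```

The handler runs inline with the audited statement and with the privileges of its owner, so keep it fast, never let it raise, and grant SEC_ADMIN only what it needs (CREATE TABLE, CREATE PROCEDURE and, if it sends mail, EXECUTE on UTL_SMTP plus a network ACL). On 12.1 unified audit records are queued in the SGA and appear only after DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL, which is why the trail listing earlier on this page shows repeated flushes; from 12.2 they are written immediately.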

AUDIT STORAGE, AUDIT RETENTION, AND REPORTING

Retention periods are usually dictated by compliance requirements.

Oracle Audit Vault

AV can serve both audit reporting and retention, so audit records can be removed from the source system as early as possible.

AV also supports third-party databases and operating systems.

AV reduces administrative complexity and resource consumption on the source systems and frees up their space.

Because the data is consolidated in one place, audit reports can be produced across all systems.

AV resembles a data warehouse and is well suited to reporting.

Audit Trail Retention Under OUA

OUA audit data lives in the AUDSYS schema and can only be queried through the UNIFIED_AUDIT_TRAIL view.

MSA audit data lives under $ORACLE_BASE/audit/$ORACLE_SID.

Before purging, the records can be backed up to another table or exported to a file with Data Pump.

Purging uses a dedicated procedure: first set the last-archive timestamp, then clean everything older than it:

BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
      audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED
    , last_archive_time => TRUNC(SYSTIMESTAMP - 2)
    , container         => DBMS_AUDIT_MGMT.CONTAINER_CURRENT
  );
END;
/
SELECT COUNT(*) FROM unified_audit_trail;
BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
     audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED
   , use_last_arch_timestamp => TRUE
   , container               => DBMS_AUDIT_MGMT.CONTAINER_CURRENT
   );
END;
/

Audit Trail Retention Under Traditional Auditing

Audit data under TA:

  • .xml and .aud files under $ORACLE_BASE/admin//adump
  • SYS.AUD$ or SYSTEM.AUD$ for TA and OLS (Oracle Label Security)
  • SYS.FGA_LOG$ for FGA (SYS.FGA$ holds only the policy definitions)
  • DVSYS.AUDIT_TRAIL$ for DBV (Database Vault)

Cleanup works the same way as for OUA, with the matching audit_trail_type constant of DBMS_AUDIT_MGMT; for the database-resident trails, DBMS_AUDIT_MGMT.INIT_CLEANUP must be run once before CLEAN_AUDIT_TRAIL.
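The unified and traditional retention procedures above share the same DBMS_AUDIT_MGMT calls. The following added example, which is not the book's or the original post's code, verifies that the archive timestamp was recorded, counts what the next clean would delete, schedules the clean as a job instead of running it by hand, and shows the same sequence for the traditional AUD$ trail including the one-time INIT_CLEANUP. The job name, intervals and 30-day window are choices for this example; all of it requires the AUDIT_ADMIN role.

```sql
-- Added example: verify and automate the DBMS_AUDIT_MGMT retention steps above.
-- Job name, intervals and the 30-day window are choices for this example.

-- 1. Confirm the archive timestamp was recorded (one row per trail type).
SELECT audit_trail, rac_instance, last_archive_ts
FROM   dba_audit_mgmt_last_arch_ts;

-- 2. What the next CLEAN_AUDIT_TRAIL with use_last_arch_timestamp => TRUE will
--    delete, and what it will keep. Archive the first set (CTAS into your own
--    table, or Data Pump) before running the clean.
SELECT SUM(CASE WHEN t.event_timestamp <  a.last_archive_ts THEN 1 ELSE 0 END) AS to_purge,
       SUM(CASE WHEN t.event_timestamp >= a.last_archive_ts THEN 1 ELSE 0 END) AS retained
FROM   unified_audit_trail t
CROSS JOIN (SELECT last_archive_ts
            FROM   dba_audit_mgmt_last_arch_ts
            WHERE  audit_trail = 'UNIFIED AUDIT TRAIL') a;   -- value as listed by step 1

-- 3. Run the clean as a scheduled job instead of by hand. use_last_arch_timestamp
--    => FALSE would delete the whole trail on every run, which is exactly the
--    anti-forensics an intruder wants, so it is set to TRUE explicitly and the
--    timestamp from step 1 is what actually governs retention.
BEGIN
    DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
        audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
        audit_trail_purge_interval => 24,                -- hours between runs
        audit_trail_purge_name     => 'UNIFIED_AUDIT_PURGE',
        use_last_arch_timestamp    => TRUE,
        container                  => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/

-- 4. The traditional trails take the same two steps with their own
--    audit_trail_type (AUDIT_TRAIL_AUD_STD, AUDIT_TRAIL_FGA_STD, AUDIT_TRAIL_OS,
--    AUDIT_TRAIL_XML). The database-resident ones must be initialised once first;
--    INIT_CLEANUP also relocates AUD$ and FGA_LOG$ from SYSTEM to SYSAUX.
BEGIN
    IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD) THEN
        DBMS_AUDIT_MGMT.INIT_CLEANUP(
            audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,  -- AUD$ + FGA_LOG$
            default_cleanup_interval => 24);
    END IF;
    DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
        audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
        last_archive_time => TRUNC(SYSTIMESTAMP - 30));
    DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
        audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
        use_last_arch_timestamp => TRUE);
END;
/

-- 5. Check that the purge job exists and is enabled.
SELECT audit_trail, job_name, job_status, job_frequency
FROM   dba_audit_mgmt_cleanup_jobs;
```

The archive timestamp and the purge job are themselves worth watching: anyone who can move the timestamp forward or change the job can shorten retention without ever touching an audit record directly.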

Reporting on Database History

If you need to know what data an intruder saw at a particular point in time, use the Flashback Data Archive feature.

For example:

CREATE FLASHBACK ARCHIVE
DEFAULT sales_archive TABLESPACE sales
QUOTA 1G RETENTION 5 YEAR;

ALTER TABLE sales_history
FLASHBACK ARCHIVE;

Query:

select * from sales_history as of timestamp ...

Data in the flashback archive can be deleted with ALTER FLASHBACK ARCHIVE ... PURGE BEFORE TIMESTAMP or PURGE BEFORE SCN. That requires the FLASHBACK ARCHIVE ADMINISTER privilege and erases exactly the history an investigation relies on, so it is worth auditing as well.
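As an added example, not from the book or the original post, here is the elided query above carried through. The timestamp is the LOGON recorded at 11:49:39 on 28-AUG-20 in the UNIFIED_AUDIT_TRAIL listing earlier on this page; the goal is to see what that session could read, which rows changed afterwards, and which transaction changed them. AS OF and VERSIONS queries are served by the flashback archive for as long as its RETENTION allows; FLASHBACK_TRANSACTION_QUERY reads undo, so the last query only works within UNDO_RETENTION and needs SELECT ANY TRANSACTION.

```sql
-- Added example: reconstruct what an audited session saw and what changed after it.
-- The timestamp is taken from the LOGON audit record; everything else is constructed.

-- 1. The table exactly as the intruder saw it at logon time.
SELECT prod_id, cust_id, amount_sold
FROM   sh.sales_history
       AS OF TIMESTAMP TO_TIMESTAMP('2020-08-28 11:49:39', 'YYYY-MM-DD HH24:MI:SS')
WHERE  amount_sold > 1000
AND    ROWNUM <= 10;

-- 2. Every version of each row from logon until now, with the transaction that
--    produced it. VERSIONS_OPERATION is I, U or D; VERSIONS_XID links to the undo.
SELECT versions_starttime, versions_operation, versions_xid,
       prod_id, cust_id, amount_sold
FROM   sh.sales_history
       VERSIONS BETWEEN TIMESTAMP
           TO_TIMESTAMP('2020-08-28 11:49:39', 'YYYY-MM-DD HH24:MI:SS')
           AND MAXVALUE
WHERE  versions_operation IS NOT NULL    -- only rows that actually changed
ORDER  BY versions_starttime;

-- 3. Who committed those transactions, and the SQL that reverses each change.
--    UNDO_SQL is complete only with supplemental logging enabled
--    (ALTER DATABASE ADD SUPPLEMENTAL LOG DATA).
SELECT xid, logon_user, commit_timestamp, operation, undo_sql
FROM   flashback_transaction_query
WHERE  table_owner = 'SH'
AND    table_name  = 'SALES_HISTORY'
AND    commit_timestamp > TO_DATE('2020-08-28 11:49:39', 'YYYY-MM-DD HH24:MI:SS')
ORDER  BY commit_timestamp;
```

Correlating LOGON_USER and VERSIONS_XID here with the session in the audit trail closes the loop the chapter opened with: the audit record says who was there, the flashback data says what they saw and changed.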
