Oracle Unified Audit Trail (OUA) is a feature introduced in 12c.
Auditing completes a security design, but it is an after-the-fact control: it detects, it does not prevent.
Access control alone cannot rule out unauthorized access, because people make mistakes in design, implementation and day-to-day operation.
accountability - being able to attribute every action to a person.
Worse than having data stolen is not knowing who the thief was, because then you do not know what to fix.
Two things matter: audit the right things, and actually read the audit records.
Auditing is a feedback loop; without it you cannot know whether your security controls are working.
Done properly, auditing does not add unnecessary overhead.
There is no need to audit everything, only the right data, processes and users.
Audit records are reviewed only when needed, and audit data is deleted or archived on a schedule.
These auditing mechanisms complement one another.
On its own, any one of them is basic and necessary but incomplete; it must be combined with other information, such as the database audit records.
Application-level auditing. Its advantages are that it is extensible, because the code can be changed, and that it is transparent to the user.
It is controllable: how much detail is recorded, and whether records go to the database or to the file system.
Its records can be comprehensive: not only database access but every kind of access can be recorded, across multiple databases and other resources.
If the application does not pass the relevant information through (for example who the end user behind a shared schema is), database auditing is of little use.
Drawbacks: an application is code, and code can have bugs. The application can also be bypassed, for example by connecting to the database directly or reading the disk.
Trigger-based auditing. Advantages: transparent to the application, selective (specific columns), extensible (it is code).
Drawbacks: coverage is not guaranteed; for example, TRUNCATE and direct-path loads do not fire DML triggers.
Parameters cannot be passed in, and the user information available is limited to what the session exposes (IP address, user name and the like).
A trigger has to be created for every object.
There are four approaches:
See Oracle Database Auditing.
MSA (mandatory auditing) audits database startup and shutdown and the actions of users connected with administrative privileges (SYSDBA, SYSOPER and so on). The records are stored in the operating system.
TA (traditional, or standard, auditing) audits session logon/logoff, object access, use of system privileges and PL/SQL execution.
In 11gR2 and earlier there is no unified auditing; TA is the standard mechanism.
FGA (fine-grained auditing) is policy-based, i.e. conditional, auditing.
OUA (unified auditing) is new in 12c. It covers the capabilities of all of the above and stores the audit records in one place, the UNIFIED_AUDIT_TRAIL view.
OUA's biggest advantage is that you can define the conditions under which an audit record is produced, so its performance is better than that of the earlier approaches.
Another advantage is that it cannot be bypassed and supports all operations.
Its drawback is that on its own it is incomplete; it still has to be combined with auditing at other layers, because it only sees what reaches the database session (for example, it records the address of the application tier's connection pool, not the client IP behind it).
For 11gR2 and earlier, use TA plus MSA; for 12c and later, use OUA plus MSA.
If you are not going to use OUA, the first thing to decide is where the audit records are stored.
FGA records are stored in the table SYS.FGA_LOG$. TA records are stored in SYS.AUD$ (or SYSTEM.AUD$, depending on the release).
MSA records are stored under $ORACLE_BASE/admin/<SID>/adump, the directory set by the AUDIT_FILE_DEST parameter.
The following are some audit-related settings from a 19c database:
SQL> SHOW PARAMETER audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /opt/oracle/admin/ORCLCDB/adump
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string NONE
unified_audit_common_systemlog string
unified_audit_sga_queue_size integer 1048576
unified_audit_systemlog string
SQL>
SELECT audit_trail
, parameter_name
, parameter_value
FROM dba_audit_mgmt_config_params
ORDER by audit_trail, parameter_name;
AUDIT_TRAIL PARAMETER_NAME PARAMETER_VALUE
---------------------------- ------------------------------ ------------------------------
FGA AUDIT TRAIL DB AUDIT CLEAN BATCH SIZE 10000
FGA AUDIT TRAIL DB AUDIT TABLESPACE SYSAUX
OS AUDIT TRAIL AUDIT FILE MAX AGE 5
OS AUDIT TRAIL AUDIT FILE MAX SIZE 10000
OS AUDIT TRAIL OS FILE CLEAN BATCH SIZE 1000
STANDARD AUDIT TRAIL DB AUDIT CLEAN BATCH SIZE 10000
STANDARD AUDIT TRAIL DB AUDIT TABLESPACE SYSAUX
UNIFIED AUDIT TRAIL AUDIT FILE MAX AGE 5
UNIFIED AUDIT TRAIL AUDIT FILE MAX SIZE 10000
UNIFIED AUDIT TRAIL AUDIT WRITE MODE QUEUED WRITE MODE
UNIFIED AUDIT TRAIL DB AUDIT TABLESPACE SYSAUX
XML AUDIT TRAIL AUDIT FILE MAX AGE 5
XML AUDIT TRAIL AUDIT FILE MAX SIZE 10000
XML AUDIT TRAIL OS FILE CLEAN BATCH SIZE 1000
14 rows selected.
As shown, audit_sys_operations is already TRUE while audit_trail is NONE, so TA is not enabled. An example of enabling it follows; the database must be restarted for the change to take effect:
alter system set AUDIT_TRAIL=xml, extended scope=spfile;
In 12c, audit-related initialization parameters must be set in the CDB root, because the PDBs share them.
In 12c, OUA can coexist with the other methods (mixed mode), but for performance and capacity reasons this is not recommended.
OUA performs well because it uses a queued write mode: audit records are first written to a queue in the SGA and later flushed to disk. Queued mode is the default; it can be switched to immediate write mode (each record written as it occurs, at some cost in overhead) as shown below. Bear in mind that in queued mode, records still in the queue are lost if the instance crashes, and that DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL forces the queue to disk when you need to see them right away:
BEGIN
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE,
DBMS_AUDIT_MGMT.AUDIT_TRAIL_IMMEDIATE_WRITE);
END;
/
Pure OUA mode requires AUDIT_TRAIL to be set to NONE:
alter system set AUDIT_TRAIL=none scope=spfile;
Currently OUA is not enabled. The check below reads v$option; enabling it means relinking the Oracle binary, so every database running from this ORACLE_HOME must be shut down first:
select parameter, value from v$option where parameter like '%Uni%';
PARAMETER
----------------------------------------------------------------
VALUE
----------------------------------------------------------------
Unified Auditing
FALSE
shutdown immediate
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME
sqlplus / as sysdba
startup
select parameter, value from v$option where parameter like '%Uni%';
PARAMETER
----------------------------------------------------------------
VALUE
----------------------------------------------------------------
Unified Auditing
TRUE
According to the principle of separation of duties (SoD), the role that defines audit policies and the role that reviews audit reports should be separate.
The Security Administrator (SA) is responsible for defining policies and is granted the AUDIT_ADMIN role; the reviewer of audit reports is granted the AUDIT_VIEWER role.
Both roles exist only from 12c on.
AUDIT_ADMIN includes the AUDIT ANY and AUDIT SYSTEM privileges (the former for ordinary objects, the latter for system-level auditing) and the ability to create audit policies.
AUDIT_ADMIN can also execute the DBMS_AUDIT_MGMT and DBMS_FGA packages and read the audit-related views.
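As an added example, not from the original page, the following puts that separation into practice with two hypothetical accounts, aud_admin and aud_reviewer (names and passwords are assumptions), and then checks that nobody ends up holding both roles or the underlying privileges directly:

```sql
-- Added example: separation of duties for auditing (hypothetical accounts).
-- Run as a user with DBA rights in the PDB (orclpdb1 is the PDB used on this page).
ALTER SESSION SET CONTAINER = orclpdb1;

-- The audit administrator defines and enables policies but does not need to read the trail.
CREATE USER aud_admin IDENTIFIED BY "ChangeMe_2024#";
GRANT CREATE SESSION TO aud_admin;
GRANT AUDIT_ADMIN TO aud_admin;

-- The reviewer reads the trail (UNIFIED_AUDIT_TRAIL and the audit views) but cannot change policies.
CREATE USER aud_reviewer IDENTIFIED BY "ChangeMe_2024#";
GRANT CREATE SESSION TO aud_reviewer;
GRANT AUDIT_VIEWER TO aud_reviewer;

-- Check 1: who holds the two audit roles?
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('AUDIT_ADMIN', 'AUDIT_VIEWER')
ORDER  BY granted_role, grantee;

-- Check 2: one account holding both roles defeats the separation (expected: no rows).
SELECT grantee
FROM   dba_role_privs
WHERE  granted_role IN ('AUDIT_ADMIN', 'AUDIT_VIEWER')
GROUP  BY grantee
HAVING COUNT(DISTINCT granted_role) > 1;

-- Check 3: AUDIT SYSTEM / AUDIT ANY granted directly bypass the role; list any such grants.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('AUDIT SYSTEM', 'AUDIT ANY')
AND    grantee NOT IN ('AUDIT_ADMIN', 'SYS', 'DBA');

-- Check 4: changes to the audit configuration are themselves audited by ORA_SECURECONFIG
-- (it covers the AUDIT SYSTEM privilege); confirm that policy is enabled.
SELECT policy_name, enabled_option, entity_name
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'ORA_SECURECONFIG';
```

Check 2 alone is not sufficient, because the DBA role carries AUDIT SYSTEM and AUDIT ANY as well; anyone with DBA can change the audit configuration, which is why check 4 matters: the policy changes made by such an account are at least recorded.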
Auditing can only be implemented successfully once you have decided why to audit and what to audit. Otherwise you end up auditing unnecessary objects, with the performance and management burden that brings. The clearer the goal, the more effective the audit.
When a user holds super-user privileges, auditing is the only means of ensuring those privileges are not abused or misused.
12c ships with many ready-made policies that can be used directly.
Default policies:
SELECT DISTINCT policy_name
FROM audit_unified_policies
ORDER BY policy_name;
POLICY_NAME
-------------------------
ORA_ACCOUNT_MGMT
ORA_CIS_RECOMMENDATIONS
ORA_DATABASE_PARAMETER
ORA_DV_AUDPOL
ORA_DV_AUDPOL2
ORA_LOGON_FAILURES
ORA_RAS_POLICY_MGMT
ORA_RAS_SESSION_MGMT
ORA_SECURECONFIG
9 rows selected.
SELECT *
FROM audit_unified_enabled_policies
ORDER BY policy_name;
POLICY_NAME ENABLED_OPTION ENTITY_NAM ENTITY_ SUCCESS FAILURE
------------------------- --------------- ---------- ------- ---------- ----------
ORA_LOGON_FAILURES BY USER ALL USERS USER NO YES
ORA_SECURECONFIG BY USER ALL USERS USER YES YES
The details can be inspected:
SELECT policy_name, audit_option_type
, audit_option
FROM audit_unified_policies where policy_name in ( 'ORA_SECURECONFIG', 'ORA_LOGON_FAILURES')
ORDER BY policy_name, audit_option_type, audit_option
;
POLICY_NAME AUDIT_OPTION_TYPE AUDIT_OPTION
------------------------- ------------------ --------------------------------------
ORA_LOGON_FAILURES STANDARD ACTION LOGON
ORA_SECURECONFIG OBJECT ACTION EXECUTE
ORA_SECURECONFIG OBJECT ACTION EXECUTE
ORA_SECURECONFIG STANDARD ACTION ALTER DATABASE DICTIONARY
ORA_SECURECONFIG STANDARD ACTION ALTER DATABASE LINK
ORA_SECURECONFIG STANDARD ACTION ALTER PLUGGABLE DATABASE
ORA_SECURECONFIG STANDARD ACTION ALTER PROFILE
ORA_SECURECONFIG STANDARD ACTION ALTER ROLE
ORA_SECURECONFIG STANDARD ACTION ALTER USER
ORA_SECURECONFIG STANDARD ACTION CREATE DATABASE LINK
ORA_SECURECONFIG STANDARD ACTION CREATE DIRECTORY
ORA_SECURECONFIG STANDARD ACTION CREATE PLUGGABLE DATABASE
ORA_SECURECONFIG STANDARD ACTION CREATE PROFILE
ORA_SECURECONFIG STANDARD ACTION CREATE ROLE
ORA_SECURECONFIG STANDARD ACTION DROP DATABASE LINK
ORA_SECURECONFIG STANDARD ACTION DROP DIRECTORY
ORA_SECURECONFIG STANDARD ACTION DROP PLUGGABLE DATABASE
ORA_SECURECONFIG STANDARD ACTION DROP PROFILE
ORA_SECURECONFIG STANDARD ACTION DROP ROLE
ORA_SECURECONFIG STANDARD ACTION SET ROLE
ORA_SECURECONFIG SYSTEM PRIVILEGE ADMINISTER KEY MANAGEMENT
ORA_SECURECONFIG SYSTEM PRIVILEGE ALTER ANY PROCEDURE
ORA_SECURECONFIG SYSTEM PRIVILEGE ALTER ANY SQL TRANSLATION PROFILE
ORA_SECURECONFIG SYSTEM PRIVILEGE ALTER ANY TABLE
ORA_SECURECONFIG SYSTEM PRIVILEGE ALTER DATABASE
ORA_SECURECONFIG SYSTEM PRIVILEGE ALTER SYSTEM
ORA_SECURECONFIG SYSTEM PRIVILEGE AUDIT SYSTEM
ORA_SECURECONFIG SYSTEM PRIVILEGE BECOME USER
ORA_SECURECONFIG SYSTEM PRIVILEGE CREATE ANY JOB
ORA_SECURECONFIG SYSTEM PRIVILEGE CREATE ANY LIBRARY
ORA_SECURECONFIG SYSTEM PRIVILEGE CREATE ANY PROCEDURE
ORA_SECURECONFIG SYSTEM PRIVILEGE CREATE ANY SQL TRANSLATION PROFILE
ORA_SECURECONFIG SYSTEM PRIVILEGE CREATE ANY TABLE
ORA_SECURECONFIG SYSTEM PRIVILEGE CREATE EXTERNAL JOB
ORA_SECURECONFIG SYSTEM PRIVILEGE CREATE PUBLIC SYNONYM
ORA_SECURECONFIG SYSTEM PRIVILEGE CREATE SQL TRANSLATION PROFILE
ORA_SECURECONFIG SYSTEM PRIVILEGE CREATE USER
ORA_SECURECONFIG SYSTEM PRIVILEGE DROP ANY PROCEDURE
ORA_SECURECONFIG SYSTEM PRIVILEGE DROP ANY SQL TRANSLATION PROFILE
ORA_SECURECONFIG SYSTEM PRIVILEGE DROP ANY TABLE
ORA_SECURECONFIG SYSTEM PRIVILEGE DROP PUBLIC SYNONYM
ORA_SECURECONFIG SYSTEM PRIVILEGE DROP USER
ORA_SECURECONFIG SYSTEM PRIVILEGE EXEMPT ACCESS POLICY
ORA_SECURECONFIG SYSTEM PRIVILEGE EXEMPT REDACTION POLICY
ORA_SECURECONFIG SYSTEM PRIVILEGE GRANT ANY OBJECT PRIVILEGE
ORA_SECURECONFIG SYSTEM PRIVILEGE GRANT ANY PRIVILEGE
ORA_SECURECONFIG SYSTEM PRIVILEGE GRANT ANY ROLE
ORA_SECURECONFIG SYSTEM PRIVILEGE LOGMINING
ORA_SECURECONFIG SYSTEM PRIVILEGE PURGE DBA_RECYCLEBIN
ORA_SECURECONFIG SYSTEM PRIVILEGE TRANSLATE ANY SQL
50 rows selected.
Besides the two above, enabling ORA_ACCOUNT_MGMT and ORA_DATABASE_PARAMETER is also recommended.
AUDIT POLICY ora_account_mgmt;
AUDIT POLICY ora_database_parameter;
SELECT *
FROM audit_unified_enabled_policies
ORDER BY policy_name;
POLICY_NAME ENABLED_OPTION ENTITY_NAM ENTITY_ SUCCESS FAILURE
------------------------- --------------- ---------- ------- ---------- ----------
ORA_ACCOUNT_MGMT BY USER ALL USERS USER YES YES
ORA_DATABASE_PARAMETER BY USER ALL USERS USER YES YES
ORA_LOGON_FAILURES BY USER ALL USERS USER NO YES
ORA_SECURECONFIG BY USER ALL USERS USER YES YES
You can choose to audit on success or on failure, and to audit by user.
AUDIT POLICY ora_account_mgmt BY sys
WHENEVER NOT SUCCESSFUL;
SELECT *
FROM audit_unified_enabled_policies
ORDER BY policy_name;
POLICY_NAME ENABLED_OPTION ENTITY_NAM ENTITY_ SUCCESS FAILURE
------------------------- --------------- ---------- ------- ---------- ----------
ORA_ACCOUNT_MGMT BY USER SYS USER NO YES
ORA_ACCOUNT_MGMT BY USER ALL USERS USER YES YES
ORA_DATABASE_PARAMETER BY USER ALL USERS USER YES YES
ORA_LOGON_FAILURES BY USER ALL USERS USER NO YES
ORA_SECURECONFIG BY USER ALL USERS USER YES YES
ORA_ACCOUNT_MGMT now has two rows; removing it completely takes two commands (after which it is re-enabled in both variants):
NOAUDIT POLICY ORA_ACCOUNT_MGMT;
NOAUDIT POLICY ORA_ACCOUNT_MGMT BY SYS;
AUDIT POLICY ORA_ACCOUNT_MGMT;
AUDIT POLICY ora_account_mgmt BY sys
WHENEVER NOT SUCCESSFUL;
Auditing the session context: specific users can be named, and user-defined contexts can be audited as well:
AUDIT CONTEXT
NAMESPACE userenv
ATTRIBUTES authenticated_identity
,authentication_method
,client_identifier
,client_info
,ip_address
;
SELECT * FROM audit_unified_contexts
ORDER BY namespace, attribute, user_name;
NAMESPACE ATTRIBUTE USER_NAME
--------------- ---------------------------------------- ---------------
USERENV AUTHENTICATED_IDENTITY ALL USERS
USERENV AUTHENTICATION_METHOD ALL USERS
USERENV CLIENT_IDENTIFIER ALL USERS
USERENV CLIENT_INFO ALL USERS
USERENV IP_ADDRESS ALL USERS
5 rows selected.
As LOGON/LOGOFF ACTIONS DON'T AUDIT WHEN UNIFIED AUDIT ENABLED (Doc ID 2435456.1)
explains, ORA_SECURECONFIG does not include LOGON and LOGOFF, so you need to create your own policy:
CREATE AUDIT POLICY LOG_ON_OFF ACTIONS LOGON,LOGOFF;
AUDIT POLICY LOG_ON_OFF;
POLICY_NAME ENABLED_OPTION ENTITY_NAME ENTITY_ SUC FAI
------------------------ --------------- -------------------- ------- --- ---
LOG_ON_OFF BY USER ALL USERS USER YES YES
ORA_ACCOUNT_MGMT BY USER ALL USERS USER YES YES
ORA_ACCOUNT_MGMT BY USER SYS USER NO YES
ORA_DATABASE_PARAMETER BY USER ALL USERS USER YES YES
ORA_LOGON_FAILURES BY USER ALL USERS USER NO YES
ORA_SECURECONFIG BY USER ALL USERS USER YES YES
6 rows selected.
After a few logons and logoffs there are audit records (flush the queue first so they are visible):
exec DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
SELECT audit_type,
unified_audit_policies,
event_timestamp,
dbusername,
application_contexts
FROM unified_audit_trail
WHERE action_name = 'LOGON'
AND application_contexts IS NOT NULL
ORDER BY event_timestamp DESC;
Standard LOG_ON_OFF 28-AUG-20 11.51.12.553694000 AM HR (USERENV,AUTHENTICATED_IDENTITY=HR); (USERENV,AUTHENTICATION_METHOD=PASSWORD); (USERENV,CLIENT_IDENTIFIER=); (USERENV,CLIENT_INFO=); (USERENV,IP_ADDRESS=127.0.0.1)
Standard LOG_ON_OFF 28-AUG-20 11.49.44.110506000 AM SYS (USERENV,AUTHENTICATED_IDENTITY=oracle); (USERENV,AUTHENTICATION_METHOD=OS); (USERENV,CLIENT_IDENTIFIER=); (USERENV,CLIENT_INFO=); (USERENV,IP_ADDRESS=)
Custom policies follow:
connect / as sysdba
alter session set container=orclpdb1;
select count(*) from sh.sales;
COUNT(*)
----------
918843
create table sh.sales_history as select * from sh.sales;
CREATE AUDIT POLICY sales_history_modification
ACTIONS
ALTER ON sh.sales_history,
AUDIT ON sh.sales_history,
COMMENT ON sh.sales_history,
DELETE ON sh.sales_history,
FLASHBACK ON sh.sales_history,
GRANT ON sh.sales_history,
INDEX ON sh.sales_history,
INSERT ON sh.sales_history,
RENAME ON sh.sales_history,
UPDATE ON sh.sales_history;
AUDIT POLICY sales_history_modification;
CREATE AUDIT POLICY sales_history_read
ACTIONS
SELECT ON sh.sales_history;
AUDIT POLICY sales_history_read WHENEVER NOT SUCCESSFUL;
CREATE AUDIT POLICY system_any_priv_fail
PRIVILEGES SELECT ANY TABLE,
INSERT ANY TABLE,
UPDATE ANY TABLE,
DELETE ANY TABLE,
EXECUTE ANY PROCEDURE;
AUDIT POLICY system_any_priv_fail
WHENEVER NOT SUCCESSFUL;
CREATE AUDIT POLICY recommended_actions
ACTIONS ALTER DISK GROUP,
ALTER FLASHBACK ARCHIVE,
CREATE DISK GROUP,
CREATE FLASHBACK ARCHIVE,
CREATE RESTORE POINT,
FLASHBACK TABLE,
DROP RESTORE POINT,
DROP FLASHBACK ARCHIVE,
PURGE INDEX,
PURGE TABLE,
PURGE TABLESPACE,
TRUNCATE CLUSTER,
TRUNCATE TABLE,
CHANGE PASSWORD;
AUDIT POLICY recommended_actions ;
CREATE AUDIT POLICY component_common_all
ACTIONS COMPONENT = DATAPUMP EXPORT, IMPORT
ACTIONS COMPONENT = DIRECT_LOAD LOAD;
ALTER AUDIT POLICY component_common_all
ADD ACTIONS COMPONENT = OLS ALL;
AUDIT POLICY component_common_all;
-- oracle-19c-vagrant is the host name when logging in from the Linux host; from SQL Developer on Windows it would be YYXIAO-CN
CREATE AUDIT POLICY conditional_session
PRIVILEGES CREATE SESSION
ACTIONS LOGON
ROLES connect
WHEN
'NOT (SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''DBSNMP'' AND SYS_CONTEXT(''USERENV'', ''HOST'') = ''oracle-19c-vagrant'')'
EVALUATE PER STATEMENT;
AUDIT POLICY conditional_session;
-- other object-level action forms:
-- EXECUTE ON owner.plsql_package
-- ACTIONS READ, WRITE ON DIRECTORY dir
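The two commented-out forms above combined into one working policy, as an added example that is not part of the original page: it audits execution of a sensitive package and reads and writes through a directory object, but only from interactive tools and never for the batch account. hr.emp_pkg and app_batch are hypothetical names; the directory TMPDIR is assumed to exist.

```sql
-- Added example (hypothetical names): object-level unified audit policy with a condition.
-- Assumes hr.emp_pkg and the directory TMPDIR exist and that app_batch is the batch user.
CREATE AUDIT POLICY sensitive_object_access
  ACTIONS EXECUTE ON hr.emp_pkg,
          READ  ON DIRECTORY tmpdir,
          WRITE ON DIRECTORY tmpdir
  WHEN 'SYS_CONTEXT(''USERENV'', ''CLIENT_PROGRAM_NAME'') NOT LIKE ''JDBC%'''
  EVALUATE PER SESSION;

-- Enable it for everyone except the batch account (BY and EXCEPT are mutually exclusive).
AUDIT POLICY sensitive_object_access EXCEPT app_batch;

-- Widen the policy later without dropping it: add execution of files in the directory.
ALTER AUDIT POLICY sensitive_object_access
  ADD ACTIONS EXECUTE ON DIRECTORY tmpdir;

-- Verify what was defined ...
SELECT audit_option_type, audit_option, object_schema, object_name, audit_condition
FROM   audit_unified_policies
WHERE  policy_name = 'SENSITIVE_OBJECT_ACCESS'
ORDER  BY audit_option_type, audit_option;

-- ... and how it is enabled (expect ENABLED_OPTION = EXCEPT USER, ENTITY_NAME = APP_BATCH).
SELECT policy_name, enabled_option, entity_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'SENSITIVE_OBJECT_ACCESS';
```

Two caveats. CLIENT_PROGRAM_NAME is supplied by the client and can be set to anything, so a condition on it reduces noise but is not a security boundary; use it to exclude a well-known path, never as the only reason to skip auditing a privileged user. And EVALUATE PER SESSION evaluates the condition once at session start, which is cheap but means a change in the attribute during the session is not noticed; the page's conditional_session policy uses EVALUATE PER STATEMENT for the opposite trade-off.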
The auditable components and actions can be listed with:
select component, name from auditable_system_actions order by component;
SQL> select name from auditable_system_actions where component = 'Standard' order by name;
NAME
----------------------------------------------------------------
ADMINISTER KEY MANAGEMENT
ALL
ALTER ANALYTIC VIEW
ALTER ASSEMBLY
ALTER ATTRIBUTE DIMENSION
ALTER AUDIT POLICY
ALTER CLUSTER
ALTER DATABASE
ALTER DATABASE DICTIONARY
ALTER DATABASE LINK
ALTER DIMENSION
ALTER DISK GROUP
ALTER FLASHBACK ARCHIVE
ALTER FUNCTION
ALTER HIERARCHY
ALTER INDEX
ALTER INDEXTYPE
ALTER INMEMORY JOIN GROUP
ALTER JAVA
ALTER LIBRARY
ALTER LOCKDOWN PROFILE
ALTER MATERIALIZED VIEW
ALTER MATERIALIZED VIEW LOG
ALTER MATERIALIZED ZONEMAP
ALTER MINING MODEL
ALTER OPERATOR
ALTER OUTLINE
ALTER PACKAGE
ALTER PACKAGE BODY
ALTER PLUGGABLE DATABASE
ALTER PROCEDURE
ALTER PROFILE
ALTER RESOURCE COST
ALTER ROLE
ALTER ROLLBACK SEGMENT
ALTER SEQUENCE
ALTER SESSION
ALTER SYNONYM
ALTER SYSTEM
ALTER TABLE
ALTER TABLESPACE
ALTER TRACING
ALTER TRIGGER
ALTER TYPE
ALTER TYPE BODY
ALTER USER
ALTER VIEW
ANALYZE CLUSTER
ANALYZE INDEX
ANALYZE TABLE
ASSOCIATE STATISTICS
AUDIT
CALL
CHANGE PASSWORD
COMMENT
COMMIT
CREATE ANALYTIC VIEW
CREATE ASSEMBLY
CREATE ATTRIBUTE DIMENSION
CREATE AUDIT POLICY
CREATE CLUSTER
CREATE CONTEXT
CREATE DATABASE LINK
CREATE DIMENSION
CREATE DIRECTORY
CREATE DISK GROUP
CREATE EDITION
CREATE FLASHBACK ARCHIVE
CREATE FUNCTION
CREATE HIERARCHY
CREATE INDEX
CREATE INDEXTYPE
CREATE INMEMORY JOIN GROUP
CREATE JAVA
CREATE LIBRARY
CREATE LOCKDOWN PROFILE
CREATE MATERIALIZED VIEW
CREATE MATERIALIZED VIEW LOG
CREATE MATERIALIZED ZONEMAP
CREATE MINING MODEL
CREATE OPERATOR
CREATE OUTLINE
CREATE PACKAGE
CREATE PACKAGE BODY
CREATE PFILE
CREATE PLUGGABLE DATABASE
CREATE PROCEDURE
CREATE PROFILE
CREATE RESTORE POINT
CREATE ROLE
CREATE ROLLBACK SEGMENT
CREATE SCHEMA
CREATE SCHEMA SYNONYM
CREATE SEQUENCE
CREATE SPFILE
CREATE SYNONYM
CREATE TABLE
CREATE TABLESPACE
CREATE TRIGGER
CREATE TYPE
CREATE TYPE BODY
CREATE USER
CREATE VIEW
DELETE
DISASSOCIATE STATISTICS
DROP ANALYTIC VIEW
DROP ASSEMBLY
DROP ATTRIBUTE DIMENSION
DROP AUDIT POLICY
DROP CLUSTER
DROP CONTEXT
DROP DATABASE LINK
DROP DIMENSION
DROP DIRECTORY
DROP DISK GROUP
DROP EDITION
DROP FLASHBACK ARCHIVE
DROP FUNCTION
DROP HIERARCHY
DROP INDEX
DROP INDEXTYPE
DROP INMEMORY JOIN GROUP
DROP JAVA
DROP LIBRARY
DROP LOCKDOWN PROFILE
DROP MATERIALIZED VIEW
DROP MATERIALIZED VIEW LOG
DROP MATERIALIZED ZONEMAP
DROP MINING MODEL
DROP OPERATOR
DROP OUTLINE
DROP PACKAGE
DROP PACKAGE BODY
DROP PLUGGABLE DATABASE
DROP PROCEDURE
DROP PROFILE
DROP RESTORE POINT
DROP ROLE
DROP ROLLBACK SEGMENT
DROP SCHEMA SYNONYM
DROP SEQUENCE
DROP SYNONYM
DROP TABLE
DROP TABLESPACE
DROP TRIGGER
DROP TYPE
DROP TYPE BODY
DROP USER
DROP VIEW
EXECUTE
EXPLAIN PLAN
FLASHBACK TABLE
GRANT
INSERT
LOCK TABLE
LOGOFF
LOGON
NOAUDIT
PURGE DBA_RECYCLEBIN
PURGE INDEX
PURGE RECYCLEBIN
PURGE TABLE
PURGE TABLESPACE
RENAME
REVOKE
ROLLBACK
SELECT
SET ROLE
SET TRANSACTION
TRUNCATE CLUSTER
TRUNCATE TABLE
UPDATE
172 rows selected.
A policy is dropped with DROP AUDIT POLICY (it has to be disabled first).
A policy is disabled with NOAUDIT POLICY.
Running the script oua.demo.sql
produces a series of operations. Afterwards the audit records can be viewed:
SELECT audit_type,
unified_audit_policies,
event_timestamp,
action_name,sql_text
FROM unified_audit_trail
ORDER BY event_timestamp DESC;
AUDIT_TYPE UNIFIED_AUDIT_POLICIES EVENT_TIMESTAMP ACTION_NAME SQL_TEXT
---------- ---------------------------------------- ------------------------------ ------------------------------ ------------------------------------------------------------
Standard LOG_ON_OFF, CONDITIONAL_SESSION 28-AUG-20 01.20.43.663602 PM LOGON alter session set container=orclpdb1
Standard LOG_ON_OFF 28-AUG-20 01.18.04.072435 PM LOGOFF
Standard ORA_DATABASE_PARAMETER, ORA_SECURECONFIG 28-AUG-20 01.17.54.904151 PM ALTER SYSTEM ALTER SYSTEM FLUSH SHARED_POOL
Standard ORA_DATABASE_PARAMETER, ORA_SECURECONFIG 28-AUG-20 01.17.51.742300 PM ALTER SYSTEM ALTER SYSTEM FLUSH SHARED_POOL
Standard ORA_ACCOUNT_MGMT 28-AUG-20 01.17.44.465629 PM GRANT GRANT READ,WRITE ON DIRECTORY TMPDIR TO testaudit2
Standard LOG_ON_OFF, CONDITIONAL_SESSION 28-AUG-20 01.17.40.908735 PM LOGON
Standard LOG_ON_OFF 28-AUG-20 01.17.40.635598 PM LOGOFF
Standard LOG_ON_OFF, CONDITIONAL_SESSION 28-AUG-20 01.16.30.239839 PM LOGON
Standard LOG_ON_OFF 28-AUG-20 01.16.30.187463 PM LOGOFF
Standard LOG_ON_OFF, CONDITIONAL_SESSION 28-AUG-20 01.16.24.041023 PM LOGON
Standard LOG_ON_OFF 28-AUG-20 01.16.23.854305 PM LOGOFF
Standard LOG_ON_OFF, CONDITIONAL_SESSION 28-AUG-20 01.16.14.927063 PM LOGON alter session set container=orclpdb1
Standard ORA_LOGON_FAILURES, LOG_ON_OFF, CONDITIO 28-AUG-20 01.16.00.265627 PM LOGON
NAL_SESSION
Standard LOG_ON_OFF 28-AUG-20 01.16.00.200436 PM LOGOFF
Standard LOG_ON_OFF, CONDITIONAL_SESSION 28-AUG-20 01.14.59.564148 PM LOGON
Standard LOG_ON_OFF 28-AUG-20 01.14.59.413794 PM LOGOFF
Standard ORA_DATABASE_PARAMETER, ORA_SECURECONFIG 28-AUG-20 01.14.34.508806 PM ALTER SYSTEM ALTER SYSTEM FLUSH SHARED_POOL
Standard ORA_ACCOUNT_MGMT 28-AUG-20 01.14.30.309230 PM GRANT GRANT READ,WRITE ON DIRECTORY TMPDIR TO testaudit2
Standard ORA_ACCOUNT_MGMT, ORA_SECURECONFIG 28-AUG-20 01.14.08.411675 PM DROP ROLE DROP ROLE audit_test_role
Standard 28-AUG-20 01.14.08.073966 PM GRANT GRANT DBA TO audit_test_role
Standard ORA_ACCOUNT_MGMT, ORA_SECURECONFIG 28-AUG-20 01.14.08.069762 PM GRANT GRANT DBA TO audit_test_role
Standard ORA_ACCOUNT_MGMT, ORA_SECURECONFIG 28-AUG-20 01.14.08.029903 PM CREATE ROLE CREATE ROLE audit_test_role
Standard 28-AUG-20 01.14.02.699974 PM REVOKE REVOKE DBA FROM testaudit1
Standard ORA_ACCOUNT_MGMT, ORA_SECURECONFIG 28-AUG-20 01.14.02.697303 PM REVOKE REVOKE DBA FROM testaudit1
Standard ORA_ACCOUNT_MGMT, ORA_SECURECONFIG 28-AUG-20 01.13.52.219908 PM ALTER USER ALTER USER testaudit1 QUOTA UNLIMITED ON users
Standard ORA_ACCOUNT_MGMT, ORA_SECURECONFIG 28-AUG-20 01.13.47.814282 PM ALTER USER ALTER USER testaudit2 QUOTA UNLIMITED ON users
Standard 28-AUG-20 01.13.36.694324 PM GRANT GRANT CONNECT,CREATE TABLE TO testaudit2
Standard ORA_ACCOUNT_MGMT, ORA_SECURECONFIG 28-AUG-20 01.13.36.692898 PM GRANT GRANT CONNECT,CREATE TABLE TO testaudit2
Standard 28-AUG-20 01.13.35.654653 PM GRANT GRANT CREATE SESSION, DBA TO testaudit1
Standard 28-AUG-20 01.13.35.651883 PM GRANT GRANT CREATE SESSION, DBA TO testaudit1
Standard ORA_ACCOUNT_MGMT, ORA_SECURECONFIG 28-AUG-20 01.13.35.648545 PM GRANT GRANT CREATE SESSION, DBA TO testaudit1
Standard ORA_ACCOUNT_MGMT, ORA_SECURECONFIG 28-AUG-20 01.13.32.074394 PM CREATE USER CREATE USER testaudit2 IDENTIFIED BY *
Standard ORA_ACCOUNT_MGMT, ORA_SECURECONFIG 28-AUG-20 01.13.32.048000 PM CREATE USER CREATE USER testaudit1 IDENTIFIED BY *
Standard ORA_SECURECONFIG 28-AUG-20 01.13.31.956671 PM CREATE DIRECTORY CREATE DIRECTORY TMPDIR AS '/tmp'
Standard LOG_ON_OFF, CONDITIONAL_SESSION 28-AUG-20 01.13.27.491994 PM LOGON
Standard LOG_ON_OFF 28-AUG-20 01.13.27.322443 PM LOGOFF
Standard RECOMMENDED_ACTIONS 28-AUG-20 01.00.35.152626 PM TRUNCATE TABLE truncate table stats_advisor_filter_obj$
Standard RECOMMENDED_ACTIONS 28-AUG-20 01.00.35.138994 PM TRUNCATE TABLE truncate table stats_advisor_filter_opr$
Standard RECOMMENDED_ACTIONS 28-AUG-20 01.00.35.126085 PM TRUNCATE TABLE truncate table stats_advisor_filter_rule$
Standard RECOMMENDED_ACTIONS 28-AUG-20 01.00.07.568729 PM TRUNCATE TABLE truncate table wri$_heatmap_topn_dep2
Standard RECOMMENDED_ACTIONS 28-AUG-20 01.00.07.022011 PM TRUNCATE TABLE truncate table sys.wri$_heatmap_topn_dep1
Standard RECOMMENDED_ACTIONS 28-AUG-20 01.00.06.839838 PM TRUNCATE TABLE truncate table sys.wri$_heatmap_top_tablespaces
Standard ORA_SECURECONFIG 28-AUG-20 12.01.39.243072 PM AUDIT AUDIT POLICY conditional_session
Standard ORA_SECURECONFIG 28-AUG-20 12.01.34.237821 PM CREATE AUDIT POLICY CREATE AUDIT POLICY conditional_session
PRIVILEGES CREATE SESSION
ACTIONS LOGON
Standard ORA_SECURECONFIG 28-AUG-20 11.59.37.990976 AM CREATE AUDIT POLICY CREATE AUDIT POLICY component_dv_example
ACTIONS COMPONENT=DV REALM VIOLATION ON
Standard ORA_SECURECONFIG 28-AUG-20 11.59.24.072757 AM AUDIT AUDIT POLICY component_common_all
Standard ORA_SECURECONFIG 28-AUG-20 11.59.16.197608 AM ALTER AUDIT POLICY ALTER AUDIT POLICY component_common_all
ADD ACTIONS COMPONENT = OLS ALL
Standard ORA_SECURECONFIG 28-AUG-20 11.58.58.554923 AM CREATE AUDIT POLICY CREATE AUDIT POLICY component_common_all
ACTIONS COMPONENT = DATAPUMP EXPORT, IM
Standard ORA_SECURECONFIG 28-AUG-20 11.58.12.270863 AM AUDIT AUDIT POLICY recommended_actions
Standard ORA_SECURECONFIG 28-AUG-20 11.58.03.249164 AM CREATE AUDIT POLICY CREATE AUDIT POLICY recommended_actions
ACTIONS ALTER DISK GROUP,
ALTER FLASHB
Standard ORA_SECURECONFIG 28-AUG-20 11.57.50.263862 AM AUDIT AUDIT POLICY system_any_priv_fail
WHENEVER NOT SUCCESSFUL
Standard ORA_SECURECONFIG 28-AUG-20 11.57.37.860801 AM CREATE AUDIT POLICY CREATE AUDIT POLICY system_any_priv_fail
PRIVILEGES SELECT ANY TABLE,
INSERT A
Standard ORA_SECURECONFIG 28-AUG-20 11.57.16.960857 AM AUDIT AUDIT POLICY sales_history_read
WHENEVER NOT SUCCESSFUL
Standard ORA_SECURECONFIG 28-AUG-20 11.56.59.354973 AM CREATE AUDIT POLICY CREATE AUDIT POLICY sales_history_read
ACTIONS
SELECT ON sh.sales_history
Standard ORA_SECURECONFIG 28-AUG-20 11.56.41.134694 AM AUDIT AUDIT POLICY sales_history_modification
Standard ORA_SECURECONFIG 28-AUG-20 11.56.31.183470 AM CREATE AUDIT POLICY CREATE AUDIT POLICY sales_history_modification
ACTIONS
ALTER ON sh.sales_h
Standard 28-AUG-20 11.55.53.199133 AM SELECT create table sh.sales_history as select * from sh.sales
Standard ORA_SECURECONFIG 28-AUG-20 11.55.53.198407 AM CREATE TABLE create table sh.sales_history as select * from sh.sales
Standard LOG_ON_OFF 28-AUG-20 11.54.41.508125 AM LOGON alter session set container=orclpdb1
Standard LOG_ON_OFF 28-AUG-20 11.54.34.914927 AM LOGOFF
Standard LOG_ON_OFF 28-AUG-20 11.54.18.879839 AM LOGON
Standard LOG_ON_OFF 28-AUG-20 11.51.12.553694 AM LOGOFF
Standard LOG_ON_OFF 28-AUG-20 11.51.10.495337 AM LOGON
Standard LOG_ON_OFF 28-AUG-20 11.49.44.110506 AM LOGOFF
Standard LOG_ON_OFF 28-AUG-20 11.49.39.051850 AM LOGON alter session set container=orclpdb1
Standard ORA_SECURECONFIG 28-AUG-20 11.47.37.456796 AM AUDIT AUDIT POLICY LOG_ON_OFF
Standard ORA_SECURECONFIG 28-AUG-20 11.47.36.768654 AM CREATE AUDIT POLICY CREATE AUDIT POLICY LOG_ON_OFF ACTIONS LOGON,LOGOFF
Standard 28-AUG-20 11.44.06.888105 AM EXECUTE BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard 28-AUG-20 11.42.36.213136 AM EXECUTE BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard ORA_SECURECONFIG 28-AUG-20 11.42.11.483007 AM AUDIT audit create session by hr
Standard 28-AUG-20 11.40.53.914740 AM EXECUTE BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard 28-AUG-20 11.31.30.736585 AM EXECUTE BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard 28-AUG-20 11.30.48.751162 AM EXECUTE BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard 28-AUG-20 11.28.48.402668 AM EXECUTE BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard 28-AUG-20 11.27.48.992515 AM EXECUTE BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard 28-AUG-20 11.24.05.159645 AM AUDIT AUDIT CONTEXT
NAMESPACE userenv
ATTRIBUTES authenticated_identity
,authenticatio
Standard 28-AUG-20 11.24.05.158946 AM AUDIT AUDIT CONTEXT
NAMESPACE userenv
ATTRIBUTES authenticated_identity
,authenticatio
Standard 28-AUG-20 11.24.05.158337 AM AUDIT AUDIT CONTEXT
NAMESPACE userenv
ATTRIBUTES authenticated_identity
,authenticatio
Standard 28-AUG-20 11.24.05.155678 AM AUDIT AUDIT CONTEXT
NAMESPACE userenv
ATTRIBUTES authenticated_identity
,authenticatio
Standard ORA_SECURECONFIG 28-AUG-20 11.24.05.154315 AM AUDIT AUDIT CONTEXT
NAMESPACE userenv
ATTRIBUTES authenticated_identity
,authenticatio
Standard ORA_SECURECONFIG 28-AUG-20 11.12.44.877176 AM AUDIT AUDIT POLICY ora_account_mgmt BY sys
WHENEVER NOT SUCCESSFUL
Standard ORA_SECURECONFIG 28-AUG-20 11.12.28.577498 AM AUDIT AUDIT POLICY ORA_ACCOUNT_MGMT
Standard ORA_SECURECONFIG 28-AUG-20 11.11.24.795566 AM NOAUDIT noAUDIT POLICY ORA_ACCOUNT_MGMT BY SYS
Standard ORA_SECURECONFIG 28-AUG-20 11.10.09.291292 AM NOAUDIT noAUDIT POLICY ORA_ACCOUNT_MGMT
Standard ORA_SECURECONFIG 28-AUG-20 11.09.49.885547 AM AUDIT AUDIT POLICY ORA_ACCOUNT_MGMT
Standard ORA_SECURECONFIG 28-AUG-20 11.08.43.999801 AM NOAUDIT noAUDIT POLICY ORA_ACCOUNT_MGMT
Standard ORA_SECURECONFIG 28-AUG-20 11.08.18.341272 AM AUDIT AUDIT POLICY ora_database_parameter
Standard ORA_SECURECONFIG 28-AUG-20 11.07.50.320499 AM NOAUDIT NOAUDIT POLICY ORA_DATABASE_PARAMETER
Standard ORA_SECURECONFIG 28-AUG-20 11.07.24.013187 AM NOAUDIT NOAUDIT POLICY ora_account_mgmt EXCEPT sys WHENEVER NOT SUC
CESSFUL
Standard ORA_SECURECONFIG 28-AUG-20 11.06.52.949319 AM NOAUDIT NOAUDIT POLICY ora_account_mgmt EXCEPT sys
Standard ORA_SECURECONFIG 28-AUG-20 11.04.52.634360 AM AUDIT AUDIT POLICY ora_account_mgmt EXCEPT sys
WHENEVER SUCCESSFUL
Standard ORA_SECURECONFIG 28-AUG-20 11.04.43.956505 AM ALTER PLUGGABLE DATABASE ALTER PLUGGABLE DATABASE OPEN
Standard 28-AUG-20 11.04.42.050496 AM SELECT SELECT SYS_CONTEXT('USERENV','CDB_NAME'), SYS_CONTEXT('US
ERENV','CON_NAME'),
Standard 28-AUG-20 11.04.39.961723 AM ALTER PLUGGABLE DATABASE ALTER PLUGGABLE DATABASE CLOSE IMMEDIATE
Standard ORA_SECURECONFIG 28-AUG-20 11.04.09.310056 AM AUDIT AUDIT POLICY ora_account_mgmt EXCEPT sys
WHENEVER SUCCESSFUL
Standard ORA_SECURECONFIG 28-AUG-20 11.04.02.162235 AM NOAUDIT NOAUDIT POLICY ora_account_mgmt
Standard ORA_SECURECONFIG 28-AUG-20 11.03.30.827808 AM AUDIT AUDIT POLICY ora_account_mgmt EXCEPT sys
WHENEVER SUCCESSFUL
Standard ORA_SECURECONFIG 28-AUG-20 11.02.18.327682 AM AUDIT AUDIT POLICY ora_account_mgmt BY sys
WHENEVER NOT SUCCESSFUL
Standard ORA_SECURECONFIG 28-AUG-20 11.01.03.789528 AM AUDIT AUDIT POLICY ora_database_parameter
Standard ORA_SECURECONFIG 28-AUG-20 11.01.03.660697 AM AUDIT AUDIT POLICY ora_account_mgmt
100 rows selected.
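Reading the trail by eye, as above, does not scale. The following detection queries over UNIFIED_AUDIT_TRAIL are an added example, not part of the original page: they pull out the three things a security operations team most wants from this data. The thresholds (five failures, one hour, one day, seven days) are assumptions to be tuned.

```sql
-- Added example: three detection queries over UNIFIED_AUDIT_TRAIL.
-- Thresholds are assumptions; tune them to your environment.

-- Flush queued records first so the queries see the latest events (queued write mode).
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

-- 1. Password guessing: failed logons per account and source host in the last hour.
--    Return code 1017 = ORA-01017 invalid username/password, 28000 = ORA-28000 account locked.
SELECT dbusername,
       userhost,
       COUNT(*)                                              AS failures,
       SUM(CASE WHEN return_code = 28000 THEN 1 ELSE 0 END)  AS locked_hits,
       MIN(event_timestamp)                                  AS first_seen,
       MAX(event_timestamp)                                  AS last_seen
FROM   unified_audit_trail
WHERE  action_name     = 'LOGON'
AND    return_code    <> 0
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' HOUR
GROUP  BY dbusername, userhost
HAVING COUNT(*) >= 5
ORDER  BY failures DESC;

-- 2. Use of "ANY" system privileges by anything other than SYS: these bypass
--    object-level grants and are what a stolen DBA account gets used for.
SELECT event_timestamp, dbusername, os_username, userhost, client_program_name,
       system_privilege_used, action_name, object_schema, object_name, sql_text
FROM   unified_audit_trail
WHERE  system_privilege_used LIKE '%ANY%'
AND    dbusername <> 'SYS'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp DESC;

-- 3. Tampering with the audit configuration itself: every AUDIT/NOAUDIT and
--    CREATE/ALTER/DROP AUDIT POLICY, with the statement that did it.
SELECT event_timestamp, dbusername, userhost, action_name, unified_audit_policies, sql_text
FROM   unified_audit_trail
WHERE  action_name IN ('AUDIT', 'NOAUDIT',
                       'CREATE AUDIT POLICY', 'ALTER AUDIT POLICY', 'DROP AUDIT POLICY')
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
ORDER  BY event_timestamp DESC;
```

A query can only return what a policy captured: query 1 depends on ORA_LOGON_FAILURES (or the LOG_ON_OFF policy created above) being enabled, query 2 on ORA_SECURECONFIG or a policy like system_any_priv_fail, and query 3 on ORA_SECURECONFIG, which audits the AUDIT SYSTEM privilege. Detection coverage equals policy coverage, so review the enabled policies before trusting an empty result.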
Before 12c there is no unified auditing, and TA is used instead:
AUDIT CREATE SESSION;
AUDIT CONNECT;
AUDIT TABLE;
AUDIT DELETE ANY TABLE WHENEVER NOT SUCCESSFUL;
NOAUDIT TABLE;
AUDIT INSERT, UPDATE, DELETE ON sh.sales_history;
AUDIT SELECT ON sh.sales_history
WHENEVER NOT SUCCESSFUL;
Audit succeeded.
SELECT sel "select option"
FROM dba_obj_audit_opts
WHERE owner = 'SH'
AND object_name = 'SALES_HISTORY';
select op
---------
-/A
AUDIT SELECT ON sh.sales_history BY SESSION
WHENEVER SUCCESSFUL;
SELECT sel "select option"
FROM dba_obj_audit_opts
WHERE owner = 'SH'
AND object_name = 'SALES_HISTORY';
select op
---------
S/A
-- In the output above the value is shown as success/failure: A means BY ACCESS, S means BY SESSION, - means not audited
SELECT audit_option, success, failure
FROM dba_stmt_audit_opts
WHERE audit_option = 'CREATE SESSION';
AUDIT_OPTION SUCCESS FAILURE
---------------------------------------- ---------- ----------
CREATE SESSION BY ACCESS BY ACCESS
CREATE SESSION BY ACCESS BY ACCESS
SELECT privilege, success, failure
FROM dba_priv_audit_opts
WHERE privilege = 'DELETE ANY TABLE';
PRIVILEGE SUCCESS FAILURE
---------------------------------------- ---------- ----------
DELETE ANY TABLE NOT SET BY ACCESS
TA audit records are stored in SYS.AUD$.
FGA's advantage over TA is that it can audit conditionally (the condition is a SQL predicate), which also eliminates unnecessary audit records.
FGA can even audit whether particular rows or columns were accessed.
It is configured through the DBMS_FGA package.
BEGIN
DBMS_FGA.ADD_POLICY(
object_schema => 'SH'
, object_name => 'SALES_HISTORY'
, policy_name => 'FGA_LARGE_ORDER'
, audit_condition => 'AMOUNT_SOLD > 1000'
, audit_column => NULL
, handler_schema => NULL
, handler_module => NULL
, enable => TRUE
, statement_types => 'INSERT,UPDATE,DELETE,SELECT'
);
END;
/
Test:
connect sh/orclpdb1
SQL> select PROD_ID, CUST_ID, AMOUNT_SOLD from SALES_HISTORY where AMOUNT_SOLD > 1000 and rownum < 10;
PROD_ID CUST_ID AMOUNT_SOLD
---------- ---------- -----------
13 987 1232.16
13 1660 1232.16
13 1762 1232.16
13 1843 1232.16
13 1948 1232.16
13 2273 1232.16
13 2380 1232.16
13 2683 1232.16
13 2865 1232.16
9 rows selected.
FGA supports an event handler, comparable to a trigger on SELECT, through the handler_schema and handler_module parameters. You can use it for extra processing, for example obtaining the executed statement from the CURRENT_SQL attribute of USERENV, or sending a message to an external system with UTL_TCP, UTL_HTTP or UTL_SMTP.
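An added example of such a handler, not from the original page: it records who ran what against SALES_HISTORY into a hypothetical table sh.fga_alerts and re-registers the page's FGA_LARGE_ORDER policy with the handler attached. The table and procedure names are assumptions.

```sql
-- Added example: an FGA event handler that captures the triggering statement.
-- sh.fga_alerts and sh.fga_large_order_handler are hypothetical names.
CREATE TABLE sh.fga_alerts (
  event_time   TIMESTAMP WITH TIME ZONE DEFAULT SYSTIMESTAMP,
  db_user      VARCHAR2(128),
  os_user      VARCHAR2(128),
  ip_address   VARCHAR2(64),
  client_prog  VARCHAR2(128),
  object_name  VARCHAR2(261),
  policy_name  VARCHAR2(128),
  sql_text     VARCHAR2(4000)
);

-- The handler signature is fixed by DBMS_FGA: (object_schema, object_name, policy_name).
-- It runs inside the audited statement, so it uses an autonomous transaction to commit
-- its own row without touching the caller's transaction, and it never raises: an
-- exception here would make the user's statement fail.
CREATE OR REPLACE PROCEDURE sh.fga_large_order_handler (
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2)
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sh.fga_alerts (db_user, os_user, ip_address, client_prog,
                             object_name, policy_name, sql_text)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
          SYS_CONTEXT('USERENV', 'CLIENT_PROGRAM_NAME'),
          object_schema || '.' || object_name,
          policy_name,
          -- CURRENT_SQL returns at most the first 4000 bytes of the statement
          SUBSTR(SYS_CONTEXT('USERENV', 'CURRENT_SQL'), 1, 4000));
  COMMIT;
EXCEPTION
  WHEN OTHERS THEN
    ROLLBACK;   -- fail open: auditing must not break the audited statement
END;
/

-- Re-create the page's policy with the handler attached. Limiting audit_column to
-- AMOUNT_SOLD means a statement that never references that column does not fire it.
BEGIN
  DBMS_FGA.DROP_POLICY(object_schema => 'SH',
                       object_name   => 'SALES_HISTORY',
                       policy_name   => 'FGA_LARGE_ORDER');
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'SH',
    object_name     => 'SALES_HISTORY',
    policy_name     => 'FGA_LARGE_ORDER',
    audit_condition => 'AMOUNT_SOLD > 1000',
    audit_column    => 'AMOUNT_SOLD',
    handler_schema  => 'SH',
    handler_module  => 'FGA_LARGE_ORDER_HANDLER',
    enable          => TRUE,
    statement_types => 'INSERT,UPDATE,DELETE,SELECT');
END;
/

-- Fire it, then read back both the handler's row and the FGA record in the unified trail.
SELECT COUNT(*) FROM sh.sales_history WHERE amount_sold > 1000;
SELECT event_time, db_user, ip_address, sql_text FROM sh.fga_alerts ORDER BY event_time DESC;
SELECT event_timestamp, dbusername, fga_policy_name, sql_text
FROM   unified_audit_trail
WHERE  audit_type = 'FineGrainedAudit'
ORDER  BY event_timestamp DESC;
```

The WHEN OTHERS handler is a deliberate design choice that should be made consciously: failing open keeps the application running when the alert table is full or unavailable, failing closed (re-raising) blocks access to the sensitive rows whenever the audit path breaks. Also, the handler runs once per statement, not per row, and the table it writes to must itself be protected, otherwise it is the first thing an intruder with SH privileges will truncate.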
Retention is usually dictated by compliance requirements.
AV (Audit Vault) can serve both audit reporting and retention, so that audit records can be removed from the source system as early as possible.
AV also supports third-party databases and operating systems.
AV reduces administrative complexity and resource consumption on the source system and frees space there.
Because the data is consolidated in one place, global audit reports become possible.
AV is similar to a data warehouse and is suited to reporting.
OUA audit data lives in the AUDSYS schema and can only be queried through the UNIFIED_AUDIT_TRAIL view.
MSA audit data is written to the operating system under $ORACLE_BASE/audit/$ORACLE_SID (with traditional auditing, under the directory set by AUDIT_FILE_DEST, which is /opt/oracle/admin/ORCLCDB/adump in the configuration shown earlier).
Before cleaning up, back the records up to another table or export them to a file with Data Pump.
Cleanup is done with a dedicated procedure: first set the archive timestamp, then purge:
BEGIN
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED
, last_archive_time => TRUNC(SYSTIMESTAMP - 2)
, container => DBMS_AUDIT_MGMT.CONTAINER_CURRENT
);
END;
/
SELECT COUNT(*) FROM unified_audit_trail;
BEGIN
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED
, use_last_arch_timestamp => TRUE
, container => DBMS_AUDIT_MGMT.CONTAINER_CURRENT
);
END;
/
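The manual purge above is the building block; an added example, not from the original page, of how a practitioner would turn it into a bounded, scheduled retention setup: the unified trail is moved to its own tablespace, a 90-day archive point is set and a daily purge job is created. AUDIT_TBS, the job name and the 90-day retention are assumptions; the tablespace clause assumes Oracle Managed Files.

```sql
-- Added example: scheduled retention for the unified audit trail.
-- AUDIT_TBS and the 90-day retention are assumptions; adjust them to your compliance rule.

-- 1. Keep audit data out of SYSAUX so a flood of records cannot fill the dictionary tablespace.
--    (DATAFILE without a file name assumes DB_CREATE_FILE_DEST is set.)
CREATE TABLESPACE audit_tbs DATAFILE SIZE 2G AUTOEXTEND ON NEXT 512M MAXSIZE 20G;
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_location_value => 'AUDIT_TBS');
END;
/

-- 2. Archive first (the export itself is out of scope here), then record what has been
--    archived. Nothing newer than this timestamp is ever purged by the job.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY,
    container         => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/

-- 3. Purge every 24 hours, honouring the archive timestamp (never purge everything).
BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_purge_interval => 24,
    audit_trail_purge_name     => 'UNIFIED_AUDIT_PURGE',
    use_last_arch_timestamp    => TRUE,
    container                  => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/

-- 4. Verify: the archive timestamp, the job, and the oldest record still in the trail.
SELECT audit_trail, last_archive_ts FROM dba_audit_mgmt_last_arch_ts;
SELECT job_name, job_frequency, job_status FROM dba_audit_mgmt_cleanup_jobs;
SELECT MIN(event_timestamp) AS oldest, COUNT(*) AS records FROM unified_audit_trail;
```

The archive timestamp is a fixed value, not a rolling window: the job keeps purging up to the same point until SET_LAST_ARCHIVE_TIMESTAMP is called again, so it has to be advanced by whatever archives the data (Audit Vault or your own export job), and only after that export has succeeded.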
TA audit data: the cleanup method is the same as for OUA, with DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD (or AUDIT_TRAIL_FGA_STD for FGA records) as the audit_trail_type.
If you want to know what an intruder saw at a particular point in time, the flashback data archive feature can be used.
For example:
CREATE FLASHBACK ARCHIVE
DEFAULT sales_archive TABLESPACE sales
QUOTA 1G RETENTION 5 YEAR;
ALTER TABLE sales_history
FLASHBACK ARCHIVE;
Query:
select * from sales_history as of timestamp ...
Data in a flashback archive can be removed with ALTER FLASHBACK ARCHIVE ... PURGE BEFORE TIMESTAMP or PURGE BEFORE SCN.