在19c环境里面想关闭传统审计,只使用同一审计(默认是audit_trail 为 DB,混合审计模式,两者都可以使用);
然后就将参数设置为none,结果过了一段时间发现同一审计也是没有记录的(因为没有执行make操作,本文会有操作描述)
-- Oracle 审计
-- 官档:https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/introduction-to-auditing.html#GUID-94381464-53A3-421B-8F13-BD171C867405
-- 盖国强老师介绍统一审计:https://www.modb.pro/db/21964,在 Oracle 20c 中,传统审计(Traditional Auditing)不再支持,统一审计(Unified Auditing)成为主流。
/*混合模式审计和纯统一审计之间的差异
模式 特征 启用
混合模式审核 既有传统审计,也有统一审计;可以使用统一审计工具和传统的审计工具 启用任何统一审计策略。无需重新启动数据库。依赖audit_trail为 DB 或DB,EXTENDED
纯统一审计 只有统一审计;只能使用统一审计工具 以uniaud_on选项链接二进制文件oracle,然后重新启动数据库。
*/
-- 调整统一审计 AUD$UNIFIED 基表默认表空间,
create tablespace AUDIT_TBS datafile size 100m autoextend on next 100m maxsize unlimited;
alter tablespace AUDIT_TBS add datafile size 100m autoextend on next 100m maxsize unlimited;
BEGIN
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, AUDIT_TRAIL_LOCATION_VALUE => 'AUDIT_TBS');
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD, AUDIT_TRAIL_LOCATION_VALUE => 'AUDIT_TBS');
END;
/
-- 查看启
col segment_name FOR a35
col partition_name FOR a20
col segment_type FOR a20
col tablespace_name FOR a15
col mbytes FOR 999,990.00
SELECT segment_name,
segment_type,
partition_name,
bytes / 1024 / 1024 AS MBytes,
tablespace_name
FROM dba_segments
WHERE owner = 'AUDSYS';
-- 调整审计记录分区间隔
BEGIN
dbms_audit_mgmt.alter_partition_interval(interval_number => 1, interval_frequency => 'DAY');
END;
/
-- 创建策略
CREATE AUDIT POLICY DBA_AUDIT_DDL_ACTIONS
PRIVILEGES
CREATE PUBLIC DATABASE LINK,DROP PUBLIC DATABASE LINK
ACTIONS
ALTER FUNCTION,ALTER INDEX,ALTER PACKAGE,ALTER PACKAGE BODY,ALTER SEQUENCE,ALTER TABLE,ALTER VIEW,ALTER MATERIALIZED VIEW,ALTER PROCEDURE,ALTER TABLESPACE,ALTER TRIGGER,
CHANGE PASSWORD,CREATE FUNCTION,CREATE INDEX,CREATE PACKAGE,CREATE PACKAGE BODY,CREATE PROCEDURE,CREATE SEQUENCE,CREATE TABLE,CREATE SYNONYM,CREATE VIEW,CREATE MATERIALIZED VIEW,CREATE TABLESPACE,CREATE AUDIT POLICY,CREATE TRIGGER,
DROP FUNCTION,DROP INDEX,DROP PACKAGE,DROP PACKAGE BODY,DROP PROCEDURE,DROP SEQUENCE,DROP TABLE,DROP SYNONYM,DROP VIEW,DROP MATERIALIZED VIEW,DROP TABLESPACE,DROP AUDIT POLICY,DROP TRIGGER,
TRUNCATE TABLE,GRANT,REVOKE,COMMENT,AUDIT,FLASHBACK TABLE,NOAUDIT,RENAME
ACTIONS COMPONENT=DATAPUMP ALL
ACTIONS COMPONENT=DIRECT_LOAD LOAD;
-- 启用策略
AUDIT POLICY DBA_AUDIT_DDL_ACTIONS;
-- 停用策略
-- NOAUDIT POLICY DBA_AUDIT_DDL_ACTIONS;
-- 删除策略
-- DROP AUDIT POLICY DBA_AUDIT_DDL_ACTIONS;
-- 删除定时作业
BEGIN
DBMS_SCHEDULER.drop_job ( job_name => 'UPDATE_AUDIT_TSTAMP_UNIFIED');
DBMS_SCHEDULER.drop_job ( job_name => 'PURGE_AUDIT_TRAIL_UNIFIED');
END;
/
-- 设置更新 last archive time 定时任务
BEGIN
DBMS_SCHEDULER.create_job (
job_name => 'UPDATE_AUDIT_TSTAMP_UNIFIED',
job_type => 'PLSQL_BLOCK',
job_action => 'BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,TRUNC(SYSTIMESTAMP)-180); END;',
start_date => SYSTIMESTAMP,
repeat_interval => 'freq=daily;interval=1;byhour=5;byminute=0;bysecond=0;',
end_date => NULL,
enabled => TRUE,
comments => 'Automatically update Unified Audit last archive time @05:00 everyday.');
END;
/
-- 设置基于 last archive time 清理审计记录定时任务
BEGIN
DBMS_SCHEDULER.create_job (
job_name => 'PURGE_AUDIT_TRAIL_UNIFIED',
job_type => 'PLSQL_BLOCK',
job_action => 'BEGIN dbms_audit_mgmt.clean_audit_trail(audit_trail_type => dbms_audit_mgmt.audit_trail_unified,use_last_arch_timestamp => TRUE);END;',
number_of_arguments => 0,
start_date => SYSDATE,
repeat_interval => 'freq=DAILY;interval=1;byhour=5;byminute=05;bysecond=0',
enabled => TRUE,
auto_drop => FALSE,
comments => 'Purge Unified Audit Trail befor update last archive time @05:05 everyday.');
END;
/
-- 官档创建统一审计purge job (基于 last archive time,不更新last archive time的话,只执行一次,需要另外制定last archive time更新job)
BEGIN
DBMS_AUDIT_MGMT.CREATE_PURGE_JOB (
AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
AUDIT_TRAIL_PURGE_INTERVAL => 24,
AUDIT_TRAIL_PURGE_NAME => 'Audit_Trail_Purge_24h',
USE_LAST_ARCH_TIMESTAMP => TRUE,
CONTAINER => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/
-- 修改统一审计job间隔
BEGIN DBMS_AUDIT_MGMT.SET_PURGE_JOB_INTERVAL (
AUDIT_TRAIL_PURGE_NAME => 'Audit_Trail_Purge_24h',
AUDIT_TRAIL_INTERVAL_VALUE => 24);
END;
/
-- 删除job
BEGIN
DBMS_SCHEDULER.drop_job (
job_name => 'AUDSYS.Audit_Trail_Purge_24h');
END;
/
-- 停用传统审计(12C - 19C,停用后统一审计也不能使用,除非执行 make 操作,启用统一审计)
alter system set audit_trail=NONE scope=spfile sid='*';
-- 查询所有定时任务
col SCHEMA_USER for a18
col "id/name" for a25
col INTERVAL for a45
col WHAT for a75
col JOB_TYPE for a10
select * from (
-- JOBS
SELECT SCHEMA_USER, TO_CHAR(JOB) AS "id/name", INTERVAL, WHAT, 'JOBS' JOB_TYPE
FROM DBA_JOBS
WHERE BROKEN='N'
UNION ALL
-- SCHEDULER
SELECT OWNER, JOB_NAME, REPEAT_INTERVAL, JOB_ACTION, 'SCHEDULER'
FROM DBA_SCHEDULER_JOBS
WHERE ENABLED = 'TRUE')
ORDER BY 1, 2;
-- 查看已有策略审计的内容
SELECT T.POLICY_NAME,
T.ENABLED_OPTION,
T.SUCCESS,
T.FAILURE,
p.AUDIT_OPTION,
p.AUDIT_OPTION_TYPE,
p.OBJECT_SCHEMA,
p.OBJECT_NAME,
p.COMMON
FROM AUDIT_UNIFIED_ENABLED_POLICIES T
LEFT JOIN audit_unified_policies p ON T.POLICY_NAME = p.POLICY_NAME
ORDER BY 5;
-- CREATE_PURGE_JOB Procedure Parameters(CREATE_PURGE_JOB 参数信息)
Parameter Description
audit_trail_type The audit trail type for which the purge job needs to be created. Audit trail types are listed in Table 27-1 .
audit_trail_purge_interval The interval, in hours, at which the clean up procedure is called. A lower value means that the cleanup is performed more often.
audit_trail_purge_name A name to identify the purge job.
use_last_arch_timestamp Specifies whether the last archived timestamp should be used for deciding on the records that should be deleted.
A value of TRUE indicates that only audit records created before the last archive timestamp should be deleted.
A value of FALSE indicates that all audit records should be deleted.
The default value is TRUE.
container Values: CONTAINER_CURRENT for the connected pluggable database (PDB) or CONTAINER_ALL for all pluggable databases (PDBs).
When CONTAINER is set to CONTAINER_ALL, it creates one job in the Root PDB and the invocation of this job will invoke cleanup in all the PDBs.
--混合模式切换为纯统一审计
sqlplus / as sysdba
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
lsnrctl stop
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME
lsnrctl start
sqlplus / as sysdba
SQL> STARTUP
/* 调整后查询 (DB, EXTENDED 是之前人为设置的,默认是 DB,多数情况会选择关闭none)
col PARAMETER for a25
col VALUE for a35
SELECT PARAMETER,VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'
union all
select name,value from v$parameter where name='audit_trail';SQL> SQL> 2 3
PARAMETER VALUE
------------------------- -----------------------------------
Unified Auditing TRUE
audit_trail DB, EXTENDED
Elapsed: 00:00:00.00
*/
-- 查看是否使用Unified Auditing
col PARAMETER for a25
col VALUE for a35
SELECT PARAMETER,VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'
union all
select name,value from v$parameter where name='audit_trail';
PARAMETER VALUE
------------------------- -----------------------------------
Unified Auditing FALSE
audit_trail DB, EXTENDED
-- TRUE为纯统一审计,FALSE为使用混合模式审计
--查看统一审计记录
SELECT a.EVENT_TIMESTAMP,
a.AUDIT_TYPE,
a.SYSTEM_PRIVILEGE_USED,
a.USERHOST,
a.DBUSERNAME,
a.OS_USERNAME,
a.UNIFIED_AUDIT_POLICIES,
a.ACTION_NAME,
a.SQL_TEXT,
a.AUTHENTICATION_TYPE,
a.*
FROM UNIFIED_AUDIT_TRAIL a
ORDER BY 1 DESC;
--删除统一审计记录,Purge the audit trail records by running the DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL PL/SQL procedure.
BEGIN
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
USE_LAST_ARCH_TIMESTAMP => TRUE,
CONTAINER => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/
-- 相关视图说明
DBA_AUDIT_MGMT_CLEAN_EVENTS
Displays the history of purge events of the traditional (that is, non-unified) audit trails. Periodically, as a user who has been granted the AUDIT_ADMIN role, you should delete the contents of this view so that it does not grow too large. For example:
DELETE FROM DBA_AUDIT_MGMT_CLEAN_EVENTS;
This view applies to read-write databases only. For read-only databases, a history of purge events is in the alert log.
For unified auditing, you can find a history of purged events by querying the UNIFIED_AUDIT_TRAIL data dictionary view, using the following criteria: OBJECT_NAME is DBMS_AUDIT_MGMT, OBJECT_SCHEMA is SYS, and SQL_TEXT is set to LIKE %DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL%.
DBA_AUDIT_MGMT_CLEANUP_JOBS
Displays the currently configured audit trail purge jobs
DBA_AUDIT_MGMT_CONFIG_PARAMS
Displays the currently configured audit trail properties that are used by the DBMS_AUDIT_MGMT PL/SQL package
DBA_AUDIT_MGMT_LAST_ARCH_TS
Displays the last archive timestamps that have set for audit trail purges
-- 相关参数
col Description format a70
col Parameter format a35
col value for a15
select a.ksppinm "Parameter",a.KSPPDESC "Description",
b.ksppstvl "Value"
from sys.x$ksppi a, sys.x$ksppcv b
where a.indx = b.indx and a.ksppinm like '%unified_audit%';
Parameter Description Value
----------------------------------- ---------------------------------------------------------------------- ---------------
_unified_audit_policy_disabled Disable Default Unified Audit Policies on DB Create FALSE
unified_audit_sga_queue_size Size of Unified audit SGA Queue 1048576
_unified_audit_flush_threshold Unified Audit SGA Queue Flush Threshold 85
_unified_audit_flush_interval Unified Audit SGA Queue Flush Interval 3
unified_audit_systemlog Syslog facility and level for Unified Audit
unified_audit_common_systemlog Syslog facility and level for only common unified audit records
-- 1. 谁可以进行审计
Oracle 为执行审计的用户提供了两个角色:AUDIT_ADMIN和AUDIT_VIEWER。
AUDIT_ADMIN:创建统一和细粒度的审计策略、查看审计数据及管理审计跟踪管理(读写权限)
AUDIT_VIEWER:查看和分析审计数据(只读权限),需要此角色的用户通常是外部审计员。
-- 2. 查看启用的统一审计策略
col POLICY_NAME for a25
col ENTITY_NAME for a15
select T.* from AUDIT_UNIFIED_ENABLED_POLICIES T;
POLICY_NAME ENABLED_OPTION ENTITY_NAME ENTITY_ SUC FAI
------------------------- --------------- --------------- ------- --- ---
ORA_SECURECONFIG BY USER ALL USERS USER YES YES
ORA_LOGON_FAILURES BY USER ALL USERS USER NO YES
-- ORA_LOGON_FAILURES,用于仅审计登陆失败的操作
-- ORA_SECURECONFIG审计策略详细参考 http://docs.oracle.com/database/121/DBSEG/audit_config.htm#CHDIGFHG
-- ORA_LOGON_FAILURES审计策略详细参考 http://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG703
-- 3. 禁用查询到的统一审计策略
noaudit policy ORA_SECURECONFIG;
noaudit policy ORA_LOGON_FAILURES;
-- 删除:
DROP AUDIT POLICY policy_name;
-- 启用:
audit policy ORA_SECURECONFIG;
audit policy ORA_LOGON_FAILURES;
AUDIT POLICY role_connect_audit_pol BY SYS, SYSTEM;
AUDIT POLICY admin_audit_pol BY USERS WITH GRANTED ROLES DBA, CDB_DBA;
AUDIT POLICY role_connect_audit_pol EXCEPT rlee, jrandolph;
AUDIT POLICY role_connect_audit_pol WHENEVER NOT SUCCESSFUL;
-- 4. 创建统一审计策略 policy
CREATE AUDIT POLICY policy_name
{ {privilege_audit_clause [action_audit_clause ] [role_audit_clause ]}
| { action_audit_clause [role_audit_clause ] }
| { role_audit_clause }
}
[WHEN audit_condition EVALUATE PER {STATEMENT|SESSION|INSTANCE}]
[ONLY TOPLEVEL]
[CONTAINER = {CURRENT | ALL}];
-- privilege_audit_clause describes privilege-related audit option
privilege_audit_clause := PRIVILEGES privilege1 [, privilege2]
-- action_audit_clause and standard_actions describe object action-related audit options.
action_audit_clause := {standard_actions | component_actions}
[, component_actions ]
standard_actions :=
ACTIONS action1 [ ON {schema.obj_name
| DIRECTORY directory_name
| MINING MODEL schema.obj_name
}
]
[, action2 [ ON {schema.obj_name
| DIRECTORY directory_name
| MINING MODEL schema.obj_name
}
]
-- component_actions enables you to create an audit policy for Oracle Label Security, Oracle Database Real Application Security, Oracle Database Vault, Oracle Data Pump, or Oracle SQL*Loader.
component_actions :=
ACTIONS COMPONENT=[OLS|XS] action1 [,action2 ] |
ACTIONS COMPONENT=DV DV_action ON DV_object_name |
ACTIONS COMPONENT=DATAPUMP [ EXPORT | IMPORT | ALL ] |
ACTIONS COMPONENT=DIRECT_LOAD [ LOAD | ALL ]
-- role_audit_clause enables you to audit roles.
role_audit_clause := ROLES role1 [, role2]
-- WHEN audit_condition EVALUATE PER enables you to specify a function to create a condition for the audit policy and the evaluation frequency. You must include the EVALUATE PER clause with the WHEN condition.
WHEN 'audit_condition := function operation value_list'
EVALUATE PER {STATEMENT|SESSION|INSTANCE}
CREATE AUDIT POLICY os_users_priv_pol
PRIVILEGES SELECT ANY TABLE, CREATE LIBRARY
WHEN 'SYS_CONTEXT (''USERENV'', ''OS_USER'') IN (''psmith'', ''jrawlins'')'
EVALUATE PER SESSION;
AUDIT POLICY os_users_priv_pol;
-- 审计 datapump 操作
CREATE AUDIT POLICY policy_name ACTIONS COMPONENT=DATAPUMP { EXPORT | IMPORT | ALL };
CREATE AUDIT POLICY policy_name ACTIONS COMPONENT=DATAPUMP ALL;
-- 审计 SQL*Loader Direct Load
CREATE AUDIT POLICY audit_sqlldr_pol ACTIONS COMPONENT=DIRECT_LOAD LOAD;
-- Auditing Both Actions and Privileges on an Object
CREATE AUDIT POLICY actions_on_hr_emp_pol2
PRIVILEGES CREATE LIBRARY
ACTIONS EXECUTE, GRANT
ON app_lib;
AUDIT POLICY actions_on_hr_emp_pol2 BY jrandolph, phawkins;
-- 审计DBA权限使用
CREATE AUDIT POLICY role_dba_audit_pol
ROLES DBA
CONTAINER = ALL;
AUDIT POLICY role_dba_audit_pol;
统一审计结果写入模式设定
通过DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY函数,对数据库默认的写入模式进行修改。需要注意的是,该设置仅对当前的CDB或PDB有效。
--设定立即写模式(Immediate-write mode)
BEGIN
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE,
DBMS_AUDIT_MGMT.AUDIT_TRAIL_IMMEDIATE_WRITE);
END;
/
--确认写入模式
SELECT PARAMETER_VALUE
FROM DBA_AUDIT_MGMT_CONFIG_PARAMS
WHERE PARAMETER_NAME = 'AUDIT WRITE MODE';
PARAMETER_VALUE
-------------------------------------------------
IMMEDIATE WRITE MODE
--设定队列写入模式(Queued-write mode)-- 19C默认
BEGIN
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE,
DBMS_AUDIT_MGMT.AUDIT_TRAIL_QUEUED_WRITE);
END;
/
PL/SQL procedure successfully completed.
--确认写入模式
SELECT PARAMETER_VALUE
FROM DBA_AUDIT_MGMT_CONFIG_PARAMS
WHERE PARAMETER_NAME = 'AUDIT WRITE MODE';
PARAMETER_VALUE
-------------------------------------------------
QUEUED WRITE MODE
-- 手动清理统一审计记录
BEGIN
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, -- AUDIT_TRAIL_ALL
container => DBMS_AUDIT_MGMT.CONTAINER_CURRENT, -- CONTAINER_ALL
use_last_arch_timestamp => FALSE);
END;
禁用统一审计 Disabling Unified Auditing
-- Query the POLICY_NAME and ENABLED_OPT columns of the AUDIT_UNIFIED_ENABLED_POLICIES data dictionary view to find unified audit policies that are enabled.
select T.* from AUDIT_UNIFIED_ENABLED_POLICIES T;
-- Run the NOAUDIT POLICY statement to disable each enabled policy.
-- For example, to disable a policy that had been applied to user psmith:
NOAUDIT POLICY audit_pol BY psmith;
-- Shut down the database.
SHUTDOWN IMMEDIATE
-- In a multitenant environment, this command shuts down all PDBs in the CDB.
-- UNIX systems: Run the following commands:
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_off ioracle
-- Windows systems: Rename the %ORACLE_HOME%/bin/orauniaud12.dll file to %ORACLE_HOME%/bin/orauniaud19.dll.dbl.
-- In a multitenant environment, these actions disable unified auditing in all PDBs in the CDB.
-- restart the database.
STARTUP
-- In a multitenant environment, this command restarts all PDBs in the CDB.