从Oracle9i开始,就可以使用DBMS_FGA对指定的表的SELECT语句进行审计,但是在9i中只能对select语句进行审计,在10g中可以实现对DML的审计功能。
1、在审计策略生效之前,必须对表进行分析,因为只有在CBO模式,DBMS_FGA才能正确的工作
分析该表,让其使用CBO优化模式
2、指定audit_condition可以设定监控条件(例如select某部分记录)
3、可以指定audit_column来审计专门的字段
4、statement_types包括“SELECT,UPDATE,INSERT.DELETE”四种,如需多种以','分开
5,被审计的只能是非SYS用户,SYS用户没有办法审计
Summary of DBMS_FGA Subprograms
Subprogram Description
ADD_POLICY Procedure Creates an audit policy using the supplied predicate as the audit condition
DISABLE_POLICY Procedure Disables an audit policy
DROP_POLICY Procedure Drops an audit policy
ENABLE_POLICY Procedure Enables an audit policy
下面来重点介绍两个重要的参数:
1,audit_column_opts:(any_columns,all_columns默认是any_columns)
2,audit_trail:审计的记录方式要不用数据库记录要不用XML文件记录,默认是DBMS_FGA.DB+DBMS_FGA.EXTENDED
所以DBMS_FGA.DB+DBMS_FGA.XML是不可以的!!!!
audit_trail可以取下面四种值之一。
DBMS_FGA.XML,
DBMS_FGA.XML+DBMS_FGA.EXTENDED,
DBMS_FGA.DB,
DBMS_FGA.DB+DBMS_FGA.EXTENDED
一, 介绍audit_column_opts的用法注意要点:
salary&commission_pct(DBMS_FGA.ALL_COLUMNS下面表示两个同时查询的时候,就审计,否则不审计)
begin
dbms_fga.add_policy(
OBJECT_SCHEMA=>'HR',
OBJECT_NAME=>'EMPLOYEES',
POLICY_NAME=>'policy1',
AUDIT_CONDITION =>'department_id=60',
AUDIT_COLUMN=>'salary,commission_pct',
HANDLER_SCHEMA=>null,
HANDLER_MODULE=>null,
ENABLE=>true,
STATEMENT_TYPES=>'select',
audit_column_opts=>DBMS_FGA.ALL_COLUMNS
);
end;
/
conn hr/hr
SQL>select salary,commission_pct from employees (两个字段同时查询才审计)
begin
dbms_fga.drop_policy(
OBJECT_SCHEMA=>'HR',
OBJECT_NAME=>'EMPLOYEES',
POLICY_NAME=>'policy1');
end;
/
salary|commission_pct (DBMS_FGA.ANY_COLUMNS下面表示只要查询两个中的任何一个的时候就审计)
begin
dbms_fga.add_policy(
OBJECT_SCHEMA=>'HR',
OBJECT_NAME=>'EMPLOYEES',
POLICY_NAME=>'policy2',
AUDIT_CONDITION =>'department_id=60',
AUDIT_COLUMN=>'salary,commission_pct',
HANDLER_SCHEMA=>null,
HANDLER_MODULE=>null,
ENABLE=>true,
STATEMENT_TYPES=>'select',
audit_column_opts=>DBMS_FGA.ANY_COLUMNS
);
end;
/
conn hr/hr
(下面三种情况查询都审计)
SQL>select salary,commission_pct from employees
SQL>select 'salary from employees
SQL>select commission_pct' from employees
如果不写audit_column_opts,则相当于ANY_COLUMNS
begin
dbms_fga.add_policy(
OBJECT_SCHEMA=>'HR',
OBJECT_NAME=>'EMPLOYEES',
POLICY_NAME=>'ABC',
AUDIT_CONDITION =>null,
AUDIT_COLUMN=>'salary,commission_pct',
HANDLER_SCHEMA=>null,
HANDLER_MODULE=>null,
ENABLE=>true,
STATEMENT_TYPES=>'select'
);
end;
/
SYS验证下FGA是否生效:
SQL> select count(*) from fga_log$;
最后看一下,如何查看审计的结果:
如果audit_trail=>DBMS_FGA.DB or DBMS_FGA.DB+DBMS_FGA.EXTENDED则审计的记录保存在:
select * from fga_log$;
如果audit_trail=>DBMS_FGA.XML or DBMS_FGA.XML+DBMS_FGA.EXTENDED则审计的记录保存在:
select * from v$xml_audit_trail;