Oracle审计sys操作记录到操作系统系统日志中

此次以Linux系统为例!


1、查看当前数据库版本及状态信息

SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE    11.2.0.4.0      Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production


SQL> select dbid,name,open_mode from v$database;
      DBID NAME      OPEN_MODE
---------- --------- --------------------
1435632369 ORCL      READ WRITE


2、检查audit默认设置
SQL> show parameter audit
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/orcl/adu
                                                 mp
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string
audit_trail                          string      DB


3、修改如下参数,将sys操作记入/var/log/message中
SQL> alter system set audit_syslog_level='USER.NOTICE' scope=spfile;
System altered.

SQL> alter system set audit_sys_operations=TRUE scope=spfile;
System altered.


SQL> alter system set audit_trail=none scope=spfile;

System altered.


SQL> startup force     ---生产环境中严禁此操作(强烈建议使用shundown immediate--startup)
ORACLE instance started.

Total System Global Area  413372416 bytes
Fixed Size                  2253784 bytes
Variable Size             327158824 bytes
Database Buffers           79691776 bytes
Redo Buffers                4268032 bytes
Database mounted.
Database opened.
SQL>  show parameter audit
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/orcl/adu
                                                 mp
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string      USER.NOTICE

audit_trail                          string      NONE


SQL> select * from test.t1;
        ID
----------
         2
         1
         3


 
4、测试结果如下
(1)在服务器上执行select * from test.t1;查询,/var/log/message日志记录如下:
Apr 21 15:41:54 db Oracle Audit[7156]: LENGTH : '174' ACTION :[21] 'select * from test.t1' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/0' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:32 db Oracle Audit[7264]: LENGTH : '159' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:32 db Oracle Audit[7264]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:32 db Oracle Audit[7264]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:35 db Oracle Audit[7264]: LENGTH : '174' ACTION :[21] 'alter system register' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '1435632369' 

(2)plsql developer用sys as sysdba连接,/var/log/message日志记录如下:
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '158' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '254' ACTION :[101] 'select length(chr(2000000000)) l4, length(chr(2000000)) l3,  length(chr(20000)) l2, 'c' c1 from dual ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '197' ACTION :[45] 'select lengthb(nchr(20)), nchr(20) from dual ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '176' ACTION :[24] 'select * from v$version ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '175' ACTION :[23] 'begin :n := user; end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '293' ACTION :[138] 'select grantee, name from sys.plsqldev_authorization where grantee in (user, 'PUBLIC') or grantee in (select role from sys.session_roles) ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[3] '942' DBID:[10] '1435632369' 
Apr 21 15:42:52 db Oracle Audit[7270]: LENGTH : '158' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '174' ACTION :[22] 'select null from dual ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '230' ACTION :[78] 'begin sys.dbms_application_info.set_module('PL/SQL Developer', :action); end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '228' ACTION :[76] 'select value from v$nls_parameters where parameter = 'NLS_LENGTH_SEMANTICS' ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:52 db Oracle Audit[7270]: LENGTH : '305' ACTION :[152] 'select object_name, object_type from sys.user_objects o where o.object_type in ('TABLE', 'VIEW', 'PACKAGE','TYPE', 'PROCEDURE', 'FUNCTION', 'SEQUENCE') ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '235' ACTION :[83] 'select value from sys.nls_database_parameters where parameter = 'NLS_CHARACTERSET' ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:42:53 db Oracle Audit[7270]: LENGTH : '439' ACTION :[286] 'select s.synonym_name object_name, o.object_type from sys.all_synonyms s,      sys.all_objects o where s.owner in ('PUBLIC', user) and o.owner = s.table_owner and o.object_name = s.table_name and o.object_type in ('TABLE', 'VIEW', 'PACKAGE','TYPE', 'PROCEDURE', 'FUNCTION', 'SEQUENCE') ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 

(3)plsql developer中执行select * from test.t1;查询,/var/log/message日志记录如下:
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '158' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '174' ACTION :[22] 'select null from dual ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '254' ACTION :[101] 'select length(chr(2000000000)) l4, length(chr(2000000)) l3,  length(chr(20000)) l2, 'c' c1 from dual ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '197' ACTION :[45] 'select lengthb(nchr(20)), nchr(20) from dual ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '230' ACTION :[78] 'begin sys.dbms_application_info.set_module('PL/SQL Developer', :action); end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '223' ACTION :[71] 'select sid, serial# from v$session where audsid = userenv('SESSIONID') ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '267' ACTION :[114] 'begin   if :enable = 0 then     sys.dbms_output.disable;   else     sys.dbms_output.enable(:size);   end if; end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:15 db Oracle Audit[7268]: LENGTH : '200' ACTION :[48] 'select name from v$statname order by statistic# ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:16 db Oracle Audit[7268]: LENGTH : '217' ACTION :[65] 'select value from v$sesstat where sid = :sid order by statistic# ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:16 db Oracle Audit[7279]: LENGTH : '213' ACTION :[61] 'begin :id := sys.dbms_transaction.local_transaction_id; end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:16 db Oracle Audit[7279]: LENGTH : '174' ACTION :[22] 'select * from test.t1 ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:16 db Oracle Audit[7279]: LENGTH : '213' ACTION :[61] 'begin :id := sys.dbms_transaction.local_transaction_id; end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:16 db Oracle Audit[7268]: LENGTH : '217' ACTION :[65] 'select value from v$sesstat where sid = :sid order by statistic# ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 
Apr 21 15:43:16 db Oracle Audit[7279]: LENGTH : '225' ACTION :[73] 'begin   sys.dbms_output.get_line(line => :line, status => :status); end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369' 


5、说明
因此项设置会造成message日志增长较快,建议实时监控文件系统使用率。

你可能感兴趣的:(Oracle审计sys操作记录到操作系统系统日志中)