Date: 2014-05-16

Oracle auditing

1. How to enable and disable Oracle auditing

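I. Parameters that control auditing
The audit_trail parameter can be set to one of the following values:

1. NONE: auditing disabled
2. DB: auditing enabled
3. OS: audit records are written to an operating system file.
4. TRUE: same as DB
5. FALSE: auditing disabled.
This parameter is written to the spfile, so the database must be restarted for a change to take effect.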

II. Check whether auditing is enabled
SQL> show parameter audit
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/ORCL/adump
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string
audit_trail                          string      NONE

III. Enable auditing
SQL> conn /as sysdba
SQL> show parameter audit
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/ORCL/adump
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string
audit_trail                          string      NONE

-- audit administrative users (sessions connected as SYSDBA/SYSOPER)
SQL> alter system set audit_sys_operations=TRUE scope=spfile;
SQL> alter system set audit_trail=db,extended scope=spfile;

Restart the instance
SQL> show parameter audit
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/ORCL/adump
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string
audit_trail                          string      DB, EXTENDED
(Done)

IV. Disable auditing
SQL> conn /as sysdba
SQL> show parameter audit
SQL> alter system set audit_trail = none scope=spfile;
Restart the instance

===================================================

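2.

Oracle auditing
1.
AUDIT_SYS_OPERATIONS = TRUE audits administrative users (sessions connected as SYSDBA/SYSOPER).
On Windows the records are saved to the Event Viewer log. Operations such as
CONNECT / AS SYSDBA;
ALTER SYSTEM FLUSH SHARED_POOL;
UPDATE salary SET base=1000 WHERE name='myname';
are all recorded as Windows events.
When AUDIT_TRAIL=OS, AUDIT_FILE_DEST defines the destination for the audit files.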
2.
Related views
-- audit records
select * from sys.aud$;
select * from dba_audit_trail;
select * from dba_common_audit_trail;
-- action definitions
select * from audit_actions;

3.
Auditing in a multi-tier environment
appserve: the application server
jackson: the client
AUDIT SELECT TABLE BY appserve ON BEHALF OF jackson;

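4.
Audit options
Statement: statements such as CREATE TABLE, TRUNCATE TABLE, COMMENT ON TABLE, and DELETE [FROM] TABLE
Privilege: AUDIT CREATE ANY TRIGGER audits statements that are executed using the CREATE ANY TRIGGER privilege
Object: audits specific statements on a specific object, for example ALTER TABLE on the emp table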

5.
BY SESSION/BY ACCESS: per session, or per access
WHENEVER SUCCESSFUL/WHENEVER NOT SUCCESSFUL: successful / unsuccessful

6.
Auditing connects and disconnects:
AUDIT SESSION;
-- for specific users
AUDIT SESSION BY jeff, lori;
Auditing privileges (operations that can only be executed by using the privilege):
AUDIT DELETE ANY TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;
AUDIT DELETE ANY TABLE;
AUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE
BY ACCESS WHENEVER NOT SUCCESSFUL;
Object auditing:
AUDIT DELETE ON jeff.emp;
AUDIT SELECT, INSERT, DELETE ON jward.dept BY ACCESS WHENEVER SUCCESSFUL;

7.
Turning auditing off
NOAUDIT session;
NOAUDIT session BY jeff, lori;
NOAUDIT DELETE ANY TABLE;
NOAUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE;
-- remove all statement auditing
NOAUDIT ALL;
-- remove all privilege auditing
NOAUDIT ALL PRIVILEGES;
-- remove all default object auditing
NOAUDIT ALL ON DEFAULT;

8.
Purging audit records
DELETE FROM SYS.AUD$;
DELETE FROM SYS.AUD$ WHERE obj$name='EMP';
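
The script below is an added example, not part of the original page: it reviews the trail produced by the AUDIT SESSION statement in item 6 and makes the purge in item 8 leave a record of its own. It assumes audit_trail is set to db (or db,extended) and that statement 1 is run by a suitably privileged account; the failure threshold of 5 and the 24-hour window are illustrative values.

```sql
-- Added example. Query the DBA_AUDIT_TRAIL view listed on this page.
-- Note: actions by SYSDBA/SYSOPER sessions do not appear in this view;
-- with AUDIT_SYS_OPERATIONS=TRUE they go to the operating system trail.

-- 1) Audit every change to the audit trail itself, so that a
--    DELETE FROM SYS.AUD$ by a normal session is recorded.
--    BY ACCESS writes one record per statement with its own ACTION_NAME.
AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;

-- 2) Failed logons in the last 24 hours, grouped by account and client host.
--    RETURNCODE holds the ORA- error number: 0 = success,
--    1017 = invalid username/password, 28000 = account locked.
SELECT username,
       userhost,
       returncode,
       COUNT(*)       AS failures,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode <> 0
AND    timestamp > SYSDATE - 1
GROUP  BY username, userhost, returncode
HAVING COUNT(*) >= 5          -- assumed threshold; tune per site
ORDER  BY failures DESC;

-- 3) Who modified or purged audit records (depends on statement 1).
SELECT os_username, username, userhost, action_name, timestamp, returncode
FROM   dba_audit_trail
WHERE  owner = 'SYS'
AND    obj_name = 'AUD$'
AND    action_name IN ('INSERT', 'UPDATE', 'DELETE')
ORDER  BY timestamp;
```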

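9.
Audit views
STMT_AUDIT_OPTION_MAP: audit option type codes
AUDIT_ACTIONS: action codes
ALL_DEF_AUDIT_OPTS: default object audit options applied when an object is created
DBA_STMT_AUDIT_OPTS: current system audit options of the database
DBA_PRIV_AUDIT_OPTS: privilege audit options
DBA_OBJ_AUDIT_OPTS
USER_OBJ_AUDIT_OPTS: object audit options
DBA_AUDIT_TRAIL
USER_AUDIT_TRAIL: audit records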
DBA_AUDIT_OBJECT
USER