由于项目平台管理的需要,最近在研究Oracle 10G的审计功能,以便记录和跟踪用户在Oracle数据库系统中的所有操作行为,进而提高Oracle的安全性。现在把审计功能的配置步骤分享出来,供大家参考:
1、以DBA登录Oracle
# su - oracle
$ sqlplus /nolog
SQL> conn / as sysdba
2、查看当前审计设置
SQL> show parameter audit;
参数说明
AUDIT_TRAIL = { none | os | db | db,extended | xml | xml,extended }
none or false - Auditing is disabled.
db or true - Auditing is enabled, with all audit records stored in the database audit trial (SYS.AUD$).
db,extended - As db, but the SQL_BIND and SQL_TEXT columns are also populated.
xml- Auditing is enabled, with all audit records stored as XML format OS files.
xml,extended - As xml, but the SQL_BIND and SQL_TEXT columns are also populated.
os- Auditing is enabled, with all audit records directed to the operating system's audit trail.
The AUDIT_SYS_OPERATIONS static parameter
enables or disables the auditing of operations issued by users connecting with SYSDBA or SYSOPER privileges,
including the SYS user. All audit records are written to the OS audit trail.
The AUDIT_FILE_DEST parameter
specifies the OS directory used for the audit trail when the os, xml and xml,extended options are used.
It is also the location for all mandatory auditing specified by the AUDIT_SYS_OPERATIONS parameter.
3、修改audit参数,开启审计
SQL> alter system set audit_trail=db_extended scope=spfile;
注意,如果audit_trail=db,不记录SQL_BIND和SQL_TEXT
4、重启数据库
SQL> shutdown immediate;
SQL> startup;
5、测试
创建用户AUDIT_TEST
$ sqlplus /nolog
SQL> conn / as sysdba
SQL> audit all by audit_test by access;
SQL> audit select table, update table, insert table, delete table by audit_test by access;
SQL> audit execute procedure by audit_test by access;
分别对应以下三种:
DDL (CREATE, ALTER & DROP of objects)
DML (INSERT UPDATE, DELETE, SELECT, EXECUTE).
SYSTEM EVENTS (LOGON, LOGOFF etc.)
SQL> conn audit_test/password
SQL> create table test(id number);
SQL> insert into test(id) values (1);
SQL> insert into test(id) values (2);
SQL> update test set id = 3 where id = 1;
SQL> select * from test;
SQL> delete from test;
SQL> commit;
SQL> drop table test;
SQL> select view_name from dba_views where view_name like 'dba%audit%' order by view_name;
VIEW_NAME
------------------------------
DBA_AUDIT_EXISTS
DBA_AUDIT_OBJECT
DBA_AUDIT_POLICIES
DBA_AUDIT_POLICY_COLUMNS
DBA_AUDIT_SESSION
DBA_AUDIT_STATEMENT
DBA_AUDIT_TRAIL
DBA_COMMON_AUDIT_TRAIL
DBA_FGA_AUDIT_TRAIL
DBA_OBJ_AUDIT_OPTS
DBA_PRIV_AUDIT_OPTS
DBA_REPAUDIT_ATTRIBUTE
DBA_REPAUDIT_COLUMN
DBA_STMT_AUDIT_OPTS
视图说明:
1. SYS.AUD$
审计功能的底层视图,如果需要对数据进行删除,只需要对aud$视图进行删除既可,其他视图里的数据都是由aud$所得.
2. DBA_AUDIT_EXISTS
列出audit not exists和audit exists产生的审计跟踪,我们默认的都是audit exists.
3. DBA_AUDIT_TRAIL
可以在里面查处所有审计所跟踪的信息.
4. DBA_AUDIT_OBJECT
可以查询所有对象跟踪信息.(例如,对grant,revoke等不记录),信息完全包含于dba_audit_trail
5. DBA_AUDIT_SESSION
所得到的数据都是有关logon或者logoff的信息.
6. DBA_AUDIT_STATEMENT
列出grant ,revoke ,audit ,noaudit ,alter system语句的审计跟踪信息.
7. DBA_PRIV_AUDIT_OPTS
通过系统和由用户审计的当前系统特权
8. DBA_OBJ_AUDIT_OPTS
可以查询到所有用户所有对象的设计选项
9. ALL_DEF_AUDIT_OPTS
10. AUDIT_ACTIONS
可以查询出在aud$等视图中actions列的含义
11. SYSTEM_PRIVILEGE_MAP
可以查询出aud$等视图中priv$used列的含义(注意前面加'-')
常用视图:
DBA_AUDIT_TRAIL
DBA_FGA_AUDIT_TRAIL
DBA_COMMON_AUDIT_TRAIL
查看审计内容,主要字段:os_username, userhost, timestamp, owner,sql_bind, sql_text
SQL> select * from dba_audit_trail where owner = 'AUDIT_TEST' order by timestamp;
注意:owner的值必须大写,例如 owner = 'AUDIT_TEST'
-------------------------------------------------------------------------------
关闭审计
-------------------------------------------------------------------------------
SQL> alter system set audit_trail=none scope=spfile;