转- Oracle Audit 功能的使用和说明
http://blog.itpub.net/9399028/viewspace-712457/
审计(Audit) 用于监视用户所执行的数据库操作,审计记录可存在数据字典表(称为审计记录:存储在system表空间中的 SYS.AUD$ 表中,可通过视图dba_audit_trail查看)或操作系统审计记录中(默认位置为$ORACLE_BASE/admin/$ORACLE_SID/adump/).。默认情况下审计是没有开启的。 不管你是否打开数据库的审计功能,以下这些操作系统会强制记录:用管理员权限连接Instance;启动数据库;关闭数据库。 和审计相关的两个主要参数 1、audit_sys_operations AUDIT_SYS_OPERATIONS enables or disables the auditing of top-level operations, which are SQL statements directly issued by users when connecting with SYSDBA or SYSOPER privileges.(SQL statements run from within PL/SQL procedures or functions are not considered top-level.) The audit records are written to the operating system'saudit trail. The audit records will be written in XML format if the AUDIT_TRAIL initialization parameter is set to xml or xml, extended. On UNIX platforms, if the AUDIT_SYSLOG_LEVEL parameter has also been set, then it overrides the AUDIT_TRAIL parameter and SYS audit records are written to the system audit log using the SYSLOG utility. 默认为false,当设置为true时,所有sys用户(包括以sysdba, sysoper身份登录的用户)的操作都会被记录,audit trail不会写在aud$表中,这个很好理解,如果数据库还未启动aud$不可用,那么像conn /as sysdba这样的连接信息,只能记录在其它地方。如果是windows平台,audti trail会记录在windows的事件管理中,如果是linux/unix平台则会记录在audit_file_dest参数指定的文件中。 2、audit_trail AUDIT_TRAIL = { none | os | db | db,extended | xml | xml,extended } none or false - Auditing is disabled. 是默认值,不做审计; db or true - Auditing is enabled, with all audit records stored in the database audit trial (SYS.AUD$). 将audit trail 记录在数据库的审计相关表中,如aud$,审计的结果只有连接信息; db,extended - As db, but the SQL_BIND and SQL_TEXT columns are also populated. 审计结果里面除了连接信息还包含了当时执行的具体语句; xml- Auditing is enabled, with all audit records stored as XML format OS files. 10g里新增的。 xml,extended - As xml, but the SQL_BIND and SQL_TEXT columns are also populated. 10g里新增的。 os- Auditing is enabled, with all audit records directed to the operating system's audit trail. 将audit trail 记录在操作系统文件中,文件名由audit_file_dest参数指定; 注:这两个参数是static参数,需要重新启动数据库才能生效。 当开启审计功能后,可在三个级别对数据库进行审计:Statement(语句)、Privilege(权限)、object(对象)。 1、 Statement(语句审计) 对某种类型的SQL语句审计,不指定结构或对象。比如audit table 会审计数据库中所有的create table、drop table、truncate table语句,alter session by cmy会审计cmy用户所有的数据库连接。 2、 Privilege(权限审计) 当用户使用了该权限则被审计,如执行grant select any table to a,当执行了audit select any table语句后,当用户a 访问了用户b的表时(如select * from b.t)会用到select any table权限,故会被审计。 注意:用户是自己表的所有者,所以用户访问自己的表不会被审计。 3 、 Object(对象审计) 对一特殊模式对象上的指定语句的审计。 如审计on关键字指定对象的相关操作,如aduit alter, delete, drop, insert on cmy.t by scott; 这里会对cmy用户的t表进行审计,但同时使用了by子句,所以只会对scott用户发起的操作进行审计。 注意:Oracle没有提供对schema中所有对象的审计功能,只能一个一个对象审计,对于后面创建的对象,Oracle则提供on default子句来实现自动审计,比如执行audit drop on default by access;后,对于随后创建的对象的drop操作都会审计。但这个default会对之后创建的所有数据库对象有效,似乎没办法指定只对某个用户创建的对象有效,相比 trigger 可以对schema的DDL进行“审计”,这个功能稍显不足。 审计的一些其他选项: 1、by access / by session by access 每一个被审计的操作都会生成一条audit trail。 by session 一个会话里面同类型的操作只会生成一条audit trail,默认为by session。 2、whenever [not] successful whenever successful 操作成功(dba_audit_trail中returncode字段为0) 才审计, whenever not successful 反之。省略该子句的话,不管操作成功与否都会审计。 和审计相关的视图 1、dba_audit_trail 保存所有的audit trail,实际上它只是一个基于aud$的视图。其它的视图dba_audit_session,dba_audit_object,dba_audit_statement都只是dba_audit_trail的一个子集。 2、dba_stmt_audit_opts 可以用来查看statement审计级别的audit options,即数据库设置过哪些statement级别的审计。dba_obj_audit_opts,dba_priv_audit_opts视图功能与之类似。 3、all_def_audit_opts 用来查看数据库用on default子句设置了哪些默认对象审计。 取消审计 将对应审计语句的 audit 改为noaudit即可。如audit session whenever successful;取消审计noaudit session whenever successful; 试验如下: 首先,检查审计功能是否开启。 SQL> SHOW PARAMETER AUDIT NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ audit_file_dest string C:\ORACLE\PRODUCT\10.2.0\ADMIN \DB10G\ADUMP audit_sys_operations boolean FALSE audit_trail string NONE SQL> 审计相关的表安装 SQL> connect / AS SYSDBA SQL> select * from sys.aud$; --没有记录返回 SQL> select * from dba_audit_trail; - 没有记录返回 如果做上述查询的时候发现表不存在,说明审计相关的表还没有安装,需要安装。 SQL> connect / as sysdba SQL> @$ORACLE_HOME/rdbms/admin/cataudit.sql 审计表安装在SYSTEM表空间。所以要确保SYSTEM表空间又足够的空间存放审计信息。 安装后要重启数据库 基于Oracle的稳定性及性能考虑,可以将审计相关的表移动到其他表空间。 connect / as sysdba; alter table aud$ move tablespace ; alter index I_aud1 rebuild online tablespace ; alter table audit$ move tablespace; alter index i_audit rebuild online tablespace ; alter table audit_actions move tablespace ; alter index i_audit_actions rebuild online tablespace ; 开启审计功能。 SQL> alter system set audit_sys_operations=TRUE scope=spfile; --审计管理用户(以sysdba/sysoper角色登陆) SQL> alter system set audit_trail=db,extended scope=spfile; SQL> startup force; SQL> show parameter audit NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ audit_file_dest string C:\ORACLE\PRODUCT\10.2.0\ADMIN \DB10G\ADUMP audit_sys_operations boolean TRUE audit_trail string DB, EXTENDED SQL> 1、对创建表的审计 会话1中(已sysdba登录) SQL> audit create table by user1; 审计已成功。 会话2中(已user1用户登录) SQL> create table test (id number); Table created SQL> create table test (id number); create table test (id number) ORA-00955: 名称已由现有对象使用 SQL> select username,returncode,action_name from dba_audit_trail; USERNAME RETURNCODE ACTION_NAME ------------------------------ ---------- ---------------------------- USER1 0 CREATE TABLE USER1 955 CREATE TABLE SQL> 2、对修改、删除表的审计 由于没有对drop table进行单独审计的操作,需要添加audit table by user(此命令将对create table ,drop table, truncate table 进行审计) 会话1中: SQL> audit table by user1; 审计已成功。 会话2中: SQL> create table test(id number); Table created SQL> alter table test add name varchar2(100); Table altered SQL> drop table test; Table dropped SQL> select username,returncode,action_name from dba_audit_trail; USERNAME RETURNCODE ACTION_NAME ------------------------------ ---------- ---------------------------- USER1 0 CREATE TABLE USER1 0 ALTER TABLE USER1 0 DROP TABLE 3、对视图的审计 对创建视图(create view)进行审计 会话1中: SQL> audit create view by USER1; 审计已成功。 会话2中: SQL> create view test0 as select * from test; SQL> create view test0 as select * from test; 名称已由现有对象使用 SQL>select username,returncode,action_name from dba_audit_trail; USERNAME RETURNCODE ACTION_NAME ------------------------------ ---------- ---------------------------- USER1 0 CREATE VIEW USER1 955 CREATE VIEW 会话1中: SQL> audit view by USER1; 审计已成功。 会话2中: SQL> drop view test0; View dropped SQL> drop view test0; drop view test0 ORA-00942: 表或视图不存在 SQL> select username,returncode,action_name from dba_audit_trail; USERNAME RETURNCODE ACTION_NAME ------------------------------ ---------- ---------------------------- USER1 0 DROP VIEW USER1 942 DROP VIEW 4、对程序包的审计 会话1中: SQL> audit procedure by user1; 审计已成功。 SQL> truncate table aud$; 表被截断。 会话2中: SQL> create procedure test1 as 2 begin 3 null; 4 end; 5 / Procedure created SQL> drop procedure test1; Procedure dropped SQL> drop procedure test1; drop procedure test1 ORA-04043: 对象 TEST1 不存在 SQL> select username,returncode,action_name from dba_audit_trail; USERNAME RETURNCODE ACTION_NAME ------------------------------ ---------- ---------------------------- USER1 0 CREATE PROCEDURE USER1 0 DROP PROCEDURE USER1 4043 DROP PROCEDURE 5、对用户的审计 audit user by user 综上所述: 1. 对表的审计:可以单独对表的create,alter进行审计,如果要对drop操作进行审计需要对表加audit table(该命令包含有create table,drop table,truncate table). 2. 对视图的审计:可以单独对视图的create进行审计,如果要对drop操作进行审计需要对视图加audit view(该命令包含有create view,drop view). 3. 对程序包的审计:可以对包(函数,存储过程等)的create进行审计,如果需要对drop操作进行审计需要加audit procedure(该命令对CREATE FUNCTION, CREATE LIBRARY , CREATE PACKAGE, CREATE PACKAGE BODY, CREATE PROCEDURE, DROP FUNCTION, DROP LIBRARY, DROP PACKAGE, DROP PROCEDURE进行审计) 4. 对用户的审计:可以通过audit user(该命令包含 create user,alter user,drop user)进行审计 以下是对上面内容的一个补充。 Maintenance and Security Auditing should be planned carefully to control the quantity of audit information. Only audit specific operations or objects of interest. Over time you can refine the level of auditing to match your requirements. The database audit trail must be deleted, or archived, on a regular basis to prevent the SYS.AUD$ table growing to an unnacceptable size.Only DBAs should have maintenance access to the audit trail. Auditing modifications of the data in the audit trail itself can be achieved using the following statement: AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS; The OS and XML audit trails are managed through the OS. These files should be secured at the OS level by assigning the correct file permissions. Fine Grained Auditing (FGA) Fine grained auditing extends Oracle standard auditing capabilities by allowing the user to audit actions based on user-defined predicates. It is independant of the AUDIT_TRAIL parameter setting and all audit records are stored in the FGA_LOG$ table, rather than the AUD$ table. The following example illustrates how fine grained auditing is used. First, create a test table. CONN audit_test/password CREATE TABLE emp ( empno NUMBER(4) NOT NULL, ename VARCHAR2(10), job VARCHAR2(9), mgr NUMBER(4), hiredate DATE, sal NUMBER(7,2), comm NUMBER(7,2), deptno NUMBER(2) ); INSERT INTO emp (empno, ename, sal) VALUES (9999, 'Tim', 1); INSERT INTO emp (empno, ename, sal) VALUES (9999, 'Larry', 50001); COMMIT; The following policy audits any queries of salaries greater than £50,000. CONN sys/password AS sysdba BEGIN DBMS_FGA.add_policy( object_schema => 'AUDIT_TEST', object_name => 'EMP', policy_name => 'SALARY_CHK_AUDIT', audit_condition => 'SAL > 50000', audit_column => 'SAL'); END; / Querying both employees proves the auditing policy works as expected. CONN audit_test/password SELECT sal FROM emp WHERE ename = 'Tim'; SELECT sal FROM emp WHERE ename = 'Larry'; CONN sys/password AS SYSDBA SELECT sql_text FROM dba_fga_audit_trail; SQL_TEXT ------------------------------------------ SELECT sal FROM emp WHERE ename = 'Larry' 1 row selected. SQL> Extra processing can be associated with an FGA event by defining a database procedure and associating this to the audit event. The following example assumes the FIRE_CLERK procedure has been defined: BEGIN DBMS_FGA.add_policy( object_schema => 'AUDIT_TEST', object_name => 'EMP', policy_name => 'SALARY_CHK_AUDIT', audit_condition => 'SAL > 50000', audit_column => 'SAL', handler_schema => 'AUDIT_TEST', handler_module => 'FIRE_CLERK', enable => TRUE); END; / The DBMS_FGA package contains the following procedures: ADD_POLICY DROP_POLICY ENABLE_POLICY DISABLE_POLICY In Oracle9i fine grained auditing was limited queries, but in Oracle 10g it has been extended to include DML statements, as shown by the following example. -- Clear down the audit trail. CONN sys/password AS SYSDBA TRUNCATE TABLE fga_log$; SELECT sql_text FROM dba_fga_audit_trail; no rows selected. -- Apply the policy to the SAL column of the EMP table. BEGIN DBMS_FGA.add_policy( object_schema => 'AUDIT_TEST', object_name => 'EMP', policy_name => 'SAL_AUDIT', audit_condition => NULL, -- Equivalent to TRUE audit_column => 'SAL', statement_types => 'SELECT,INSERT,UPDATE,DELETE'); END; / -- Test the auditing. CONN audit_test/password SELECT * FROM emp WHERE empno = 9998; INSERT INTO emp (empno, ename, sal) VALUES (9998, 'Bill', 1); UPDATE emp SET sal = 10 WHERE empno = 9998; DELETE emp WHERE empno = 9998; ROLLBACK; -- Check the audit trail. CONN sys/password AS SYSDBA SELECT sql_text FROM dba_fga_audit_trail; SQL_TEXT -------------------------------------- SELECT * FROM emp WHERE empno = 9998 INSERT INTO emp (empno, ename, sal) VALUES (9998, 'Bill', 1) UPDATE emp SET sal = 10 WHERE empno = 9998 DELETE emp WHERE empno = 9998 4 rows selected. -- Drop the policy. CONN sys/password AS SYSDBA BEGIN DBMS_FGA.drop_policy( object_schema => 'AUDIT_TEST', object_name => 'EMP', policy_name => 'SAL_AUDIT'); END; /