Table AUD$ 以及oracle 审计策略讨论
#######sample
http://blog.itpub.net/26937943/viewspace-1097999/
1.启用数据库审计
SQL> alter system set audit_trail=db scope=spfile;
2.审计结果保存在哪里
1)保存在数据库中(sys.aud$这个基表)
如果把audit_trail=xml,也会记录在audit_file_dest指定的目录中,xml文件格式保存,查看v$xml_audit_trail视图
2)保存在操作系统日志文件中
a.如果是windows系统,保存在事件查看器
b.如果是linux系统,由参数audit_file_dest指定的目录
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string C:\ORACLE\PRODUCT\10.2.0\ADMIN
\ORCL\ADUMP
audit_sys_operations boolean FALSE
audit_trail string DB
3.查看audit_trail这个参数的有效值有哪些
SQL> select * from v$parameter_valid_values where name like '%audit%';
NUM NAME ORDINAL VALUE ISDEFAULT
---------- -------------------- ---------- --------------- ----------
907 audit_trail 1 DB FALSE
907 audit_trail 2 OS FALSE
907 audit_trail 3 NONE FALSE
907 audit_trail 4 TRUE FALSE
907 audit_trail 5 FALSE FALSE
907 audit_trail 6 DB_EXTENDED FALSE
907 audit_trail 7 XML FALSE
907 audit_trail 8 EXTENDED FALSE
4.审计类型
4.1标准审计
a.权限审计(系统权限)
查看有哪些权限审计-->dba_priv_audit_opts
SQL> select * from dba_priv_audit_opts; --没有记录
no rows selected
审计scott用户后再查看
SQL> audit create session by scott; --审计scott用户
Audit succeeded.
SQL> select * from dba_priv_audit_opts;
USER_NAME PROXY_NAME PRIVILEGE SUCCESS FAILURE
------------------------------ ------------------------------ ---------------------------------------- ---------- ----------
SCOTT CREATE SESSION BY ACCESS BY ACCESS
默认成功或失败都审计.
scott用户成功登录
C:\Documents and Settings\Administrator>sqlplus scott/tiger
SQL*Plus: Release 10.2.0.1.0 - Production on Sun Mar 2 10:44:38 2014
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL>
查看审计结果
SQL> select username,owner,audit_option,to_char(timestamp,'yyyy-mm-dd hh24:mi:ss') from dba_audit_trail;
USERNAME OWNER AUDIT_OPTION TO_CHAR(TIMESTAMP,'
------------------------------ ------------------------------ ---------------------------------------- -------------------
SCOTT 2014-03-02 10:44:39
scott登录失败也会记录
C:\Documents and Settings\Administrator>sqlplus scott/tigeer
SQL*Plus: Release 10.2.0.1.0 - Production on Sun Mar 2 10:47:00 2014
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> select username,owner,audit_option,to_char(timestamp,'yyyy-mm-dd hh24:mi:ss') from dba_audit_trail;
USERNAME OWNER AUDIT_OPTION TO_CHAR(TIMESTAMP,'
------------------------------ ------------------------------ ---------------------------------------- -------------------
SCOTT SCOTT 2014-01-19 18:13:47
SCOTT 2014-03-02 10:44:39
SCOTT 2014-03-02 10:47:00
SQL> noaudit create session by scott; --取消审计
Noaudit succeeded.
2)只审计不成功的情况
SQL> audit create session by scott whenever not successful;
Audit succeeded.
SQL> select * from dba_priv_audit_opts;
USER_NAME PROXY_NAME PRIVILEGE SUCCESS FAILURE
------------------------------ ------------------------------ ---------------------------------------- ---------- ----------
SCOTT CREATE SESSION NOT SET BY ACCESS
b.对象审计
SQL> audit select on scott.t_3;
Audit succeeded.
SQL> col owner for a5
SQL> col object_name for a10
SQL> col object_type for a10
SQL> select * from dba_obj_audit_opts;
OWNER OBJECT_NAM OBJECT_TYP ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE CRE REA WRI FBK
----- ---------- ---------- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- --- ----- ----- ----- ----- -----
SCOTT T_3 TABLE -/- -/- -/- -/- -/- -/- -/- -/- -/- S/S -/- -/- -/- -/- -/- -/- -/-
S(session): 同一个会话查询多次只有一条审计记录,默认是by session;
SQL> noaudit select on scott.t_3; --取消审计
Noaudit succeeded.
SQL> audit select on scott.t_3 by access;
Audit succeeded.
SQL> select * from dba_obj_audit_opts;
OWNER OBJECT_NAM OBJECT_TYP ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE CRE REA WRI FBK
----- ---------- ---------- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- --- ----- ----- ----- ----- -----
SCOTT T_3 TABLE -/- -/- -/- -/- -/- -/- -/- -/- -/- A/A -/- -/- -/- -/- -/- -/- -/-
A(access): 在同一个会话,执行同一个select语句多次会记录多条审计结果,执行两次select就会有两条审计记录.
c.语句审计
SQL> select * from dba_stmt_audit_opts;
4.2强制审计
不管数据库审计是否启用一些数据库相关的行为总会被写到操作系统日志中,以下操作会被记录:
a.启动实例
b.关闭实例
c.管理员权限连接数据库
4.3细粒度审计
附录:查看策略
select * from dba_priv_audit_opts;
###以下审计策略仅仅针对dbmgr 开启 create session 审计,(create session 有一行)。usernaem 为空,就是对所有用户进行审计,username 有值,就是仅仅对该用户进行审计。
1 ALTER DATABASE BY ACCESS BY ACCESS
2 CREATE PUBLIC DATABASE LINK BY ACCESS BY ACCESS
3 DROP ANY TABLE BY ACCESS BY ACCESS
4 ALTER ANY TABLE BY ACCESS BY ACCESS
5 CREATE ANY TABLE BY ACCESS BY ACCESS
6 DROP USER BY ACCESS BY ACCESS
7 ALTER USER BY ACCESS BY ACCESS
8 CREATE USER BY ACCESS BY ACCESS
9 DBMGR CREATE SESSION BY ACCESS BY ACCESS 《=
---->
开启对所有用户成功登陆的create session 审计
AUDIT CREATE SESSION WHENEVER SUCCESSFUL;
9 DBMGR CREATE SESSION BY ACCESS BY ACCESS
10 CREATE SESSION BY ACCESS NOT SET 《-
关闭对所有用户成功登陆的create session 审计
NOAUDIT CREATE SESSION WHENEVER SUCCESSFUL;
9 DBMGR CREATE SESSION BY ACCESS BY ACCESS
---->
开启对所有用户失败登陆的create session 审计
audit session whenever not successful;
9 DBMGR CREATE SESSION BY ACCESS BY ACCESS
10 CREATE SESSION NOT SET BY ACCESS 《-
关闭对所有用户失败登陆的create session 审计
noaudit session whenever not successful;
9 DBMGR CREATE SESSION BY ACCESS BY ACCESS
###以下审计策略仅仅针对dbmgr /和所有用户开启 create session 审计,(create session 只有二 行)。usernaem 为空,就是对所有用户进行审计,username 有值,就是仅仅对该用户进行审计。
15 DROP ANY TABLE BY ACCESS BY ACCESS
16 ALTER ANY TABLE BY ACCESS BY ACCESS
17 CREATE ANY TABLE BY ACCESS BY ACCESS
18 DROP USER BY ACCESS BY ACCESS
19 ALTER USER BY ACCESS BY ACCESS
20 CREATE USER BY ACCESS BY ACCESS
21 DBMGR CREATE SESSION BY ACCESS BY ACCESS 《=
22 CREATE SESSION BY ACCESS BY ACCESS 《=
23 AUDIT SYSTEM BY ACCESS BY ACCESS
24 ALTER SYSTEM BY ACCESS BY ACCESS
-- 取消所有已配置的审计项目
NOAUDIT ALL PRIVILEGES;
NOAUDIT ALL STATEMENTS;
NOAUDIT CREATE SESSION BY DBMONOPR;
NOAUDIT CREATE SESSION BY IQMSDATA;
NOAUDIT CREATE SESSION BY IQMSOPR;
NOAUDIT PUBLIC SYNONYM;
NOAUDIT DATABASE LINK;
NOAUDIT ROLE;
NOAUDIT PROFILE;
NOAUDIT DIRECTORY;
NOAUDIT SYSTEM GRANT;
NOAUDIT EXEMPT ACCESS POLICY;
-- 确认已没有审计项目
select * from DBA_PRIV_AUDIT_OPTS;
select * from DBA_STMT_AUDIT_OPTS;
-- 删除已有的审计记录
CREATE TABLE backup_aud AS SELECT * from sys.aud$;
truncate table aud$;
-- 配置登录失败审计
audit create session by access whenever not successful;
audit connect by access whenever not successful;
audit insert table, delete table, update table by dbmonopr by session whenever successful;
####
查看实际数据,也可以验证以上结论
select distinct(username) from sys.dba_audit_session
PURPOSEThis document explains how to purge, truncate, or delete rows from the audit trail table SYS.AUD$. Starting with Oracle 11gR2 it is possible to use package DBMS_AUDIT_MGMT for this. More information about this package can be read in Note 731908.1 -New Feature DBMS_AUDIT_MGMT To Manage And Purge Audit Information.
SCOPEThis document is intended for DBA's or Oracle Support Analysts. DETAILSTo delete rows from the database audit trail table, an appropriate privilege is required. You must either be the user SYS, or a user with DELETE ANY TABLE system privilege, or a user to whom SYS has granted the object privilege DELETE on SYS.AUD$. SQL> truncate table aud$;
SQL> DELETE FROM sys.aud$ WHERE obj$name='<object_name>';
Note: The above operations must be performed as an user who is granted the delete_catalog_role role or by SYS. If OLS is being installed then the delete_catalog_role might lose the delete privilege on table aud$ because of bug 9697811 which is fixed by patchset 11.2.0.2. To remedy this problem one can run the following statement as SYS: grant delete on sys.aud$ to delete_catalog_role;
SQL> CREATE TABLE backup_aud$ AS SELECT * from sys.aud$;
SQL> truncate table aud$;
[oracle@seclin4 ~]$ exp file=aud_backup.dmp tables=backup_aud$
Export: Release 11.2.0.3.0 - Production on Tue Jun 25 10:53:06 2013 Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved. Username: / as sysdba Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, Oracle Label Security, OLAP, Data Mining and Real Application Testing options Export done in US7ASCII character set and AL16UTF16 NCHAR character set server uses AL32UTF8 character set (possible charset conversion) About to export specified tables via Conventional Path ... . . exporting table BACKUP_AUD$ 1722 rows exported Export terminated successfully without warnings. SQL> drop table backup_aud$;
SQL>insert into aud$ select * from backup_aud$;
SQL>commit; CAUTION: SYS.AUD$ is the only SYS object that should ever be directly modified
Note: The DELETE ANY TABLE privilege only applies to SYS objects if O7_DICTIONARY_ACCESSIBILITY=TRUE
###sample 111 对单个表进行审计,是因为客户测试环境的表不知道为何少了一笔数据 也找不到原因
取消对SC表的一切审计可使用如下语句:
检查结果 一般查询 DBA_AUDIT_OBJECT 这个是对对象进行查询
select username,userhost,obj_name, to_char(timestamp,'MM-DD-RRRR HH:MI:SS'), |
