Oracle 10g安全加固(审计、监听密码)
2015-11-25 17:36 AlfredZhao 阅读(2200) 评论(1) 编辑 收藏 举报环境: Linux 6.4 + Oracle 10.2.0.4
1. Oracle 10g 审计功能
Oracle 10g审计功能默认是关闭的。 需要注意开启审计功能必然会额外消耗一部分数据库性能,开启审计需要重启数据库生效。 具体的审计策略则需要根据项目实际要求自行配置。1.1 查看audit相关参数
--查看audit相关参数
set linesize 200
show parameter audit
--结果如下
NAME TYPE VALUE
------------------------------------ -------------------------------- ------------------------------
audit_file_dest string /opt/app/oracle/admin/vas/adum
p
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string NONE
1.2 开启审计
--开启审计
alter system set audit_sys_operations=TRUE scope=spfile;
alter system set audit_trail=db,extended scope=spfile;
--重启库生效
shutdown immediate
startup
--最后再次查看确定审计已开启
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ -------------------------------- ------------------------------
audit_file_dest string /opt/app/oracle/admin/vas/adum
p
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string DB, EXTENDED
1.3 配置审计策略
--查看审计策略
select * from DBA_STMT_AUDIT_OPTS;
--配置审计策略(参考11g默认开启的审计选项设置如下基本审计内容)
AUDIT ALTER ANY PROCEDURE ;
AUDIT ALTER ANY TABLE ;
AUDIT ALTER DATABASE ;
AUDIT ALTER PROFILE ;
AUDIT ALTER SYSTEM ;
AUDIT ALTER USER ;
AUDIT CREATE ANY JOB ;
AUDIT CREATE ANY LIBRARY ;
AUDIT CREATE ANY PROCEDURE ;
AUDIT CREATE ANY TABLE ;
AUDIT CREATE EXTERNAL JOB ;
AUDIT CREATE PUBLIC DATABASE LINK ;
AUDIT CREATE SESSION ;
AUDIT CREATE USER ;
AUDIT DATABASE LINK ;
AUDIT DIRECTORY ;
AUDIT DROP ANY PROCEDURE ;
AUDIT DROP ANY TABLE ;
AUDIT DROP PROFILE ;
AUDIT DROP USER ;
AUDIT EXEMPT ACCESS POLICY ;
AUDIT GRANT ANY OBJECT PRIVILEGE ;
AUDIT GRANT ANY PRIVILEGE ;
AUDIT GRANT ANY ROLE ;
AUDIT PROFILE ;
AUDIT PUBLIC SYNONYM ;
AUDIT ROLE ;
AUDIT SYSTEM AUDIT ;
AUDIT SYSTEM GRANT ;
--其他特殊需求的审计策略
----审计对业务用户JINGYU下的核心表T1数据的删除,更新和插入操作
AUDIT DELETE,UPDATE,INSERT ON JINGYU.T1;
----审计核心表T2(包括查询)
AUDIT ALL ON JINGYU.T2;
----审计核心表T2,每一次都生成一行审计记录
AUDIT ALL ON JINGYU.T2 BY ACCESS;
----取消特殊需求的审计策略
NOAUDIT DELETE,UPDATE,INSERT ON JINGYU.T1;
NOAUDIT ALL ON JINGYU.T2;
--取消审计策略
NOAUDIT ALTER ANY PROCEDURE ;
NOAUDIT ALTER ANY TABLE ;
NOAUDIT ALTER DATABASE ;
NOAUDIT ALTER PROFILE ;
NOAUDIT ALTER SYSTEM ;
NOAUDIT ALTER USER ;
NOAUDIT CREATE ANY JOB ;
NOAUDIT CREATE ANY LIBRARY ;
NOAUDIT CREATE ANY PROCEDURE ;
NOAUDIT CREATE ANY TABLE ;
NOAUDIT CREATE EXTERNAL JOB ;
NOAUDIT CREATE PUBLIC DATABASE LINK ;
NOAUDIT CREATE SESSION ;
NOAUDIT CREATE USER ;
NOAUDIT DATABASE LINK ;
NOAUDIT DIRECTORY ;
NOAUDIT DROP ANY PROCEDURE ;
NOAUDIT DROP ANY TABLE ;
NOAUDIT DROP PROFILE ;
NOAUDIT DROP USER ;
NOAUDIT EXEMPT ACCESS POLICY ;
NOAUDIT GRANT ANY OBJECT PRIVILEGE ;
NOAUDIT GRANT ANY PRIVILEGE ;
NOAUDIT GRANT ANY ROLE ;
NOAUDIT PROFILE ;
NOAUDIT PUBLIC SYNONYM ;
NOAUDIT ROLE ;
NOAUDIT SYSTEM AUDIT ;
NOAUDIT SYSTEM GRANT ;
--再次查看审计策略
select * from DBA_STMT_AUDIT_OPTS;
1.4 查看审计日志
--查看审计日志
select * from DBA_AUDIT_TRAIL;
1.5 关闭审计
--关闭审计
alter system set audit_trail=none scope=spfile;
alter system set audit_sys_operations=false scope=spfile;
--重启库生效
shutdown immediate
startup
--最后确定审计已关闭
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ -------------------------------- ------------------------------
audit_file_dest string /opt/app/oracle/admin/vas/adum
p
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string NONE
2. 对数据库监听器的关闭和启动设置密码
AlfredZhao©版权所有「从Oracle起航,领略精彩的IT技术。」