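I. Standard auditing:
1. System privilege auditing
(1). Enable standard database auditing at the db_extended level (audit_trail is a static parameter, so the change takes effect after the instance is restarted)
SQL> alter system set audit_trail='DB_EXTENDED' scope=spfile;
(2). Clear the data dictionary table used by standard auditing and move it to the users tablespace
SQL> alter table aud$ move tablespace users;
(3). Grant the delete any table privilege to the hr user
SQL> grant delete any table to hr;
(4). Under the scott user, create the test table e, based on the emp table
(5). Audit the hr user's delete any table system privilege at session level
SQL> audit delete any table by hr by session;
(6). As the hr user, delete rows from scott's table e, then check the audit result.
SQL> select username,timestamp,ses_actions,obj_name from dba_audit_trail;
(7). Turn off auditing of the hr user's delete any table system privilege.
noaudit delete any table by hr;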
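2. Object privilege auditing
(1). Clear the data dictionary table used by standard auditing
(2). Audit insert operations by the scott user on table e
SQL> audit update,select,insert on scott.e by session;
(3). As the scott user, insert data into table e
(4). Check the audit result
select username,timestamp,ses_actions,obj_name,action_name
from dba_audit_trail;
(5). Turn off this audit
noaudit select,update,insert on scott.e;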
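3. Statement-level auditing
(1). Clear the data dictionary table used by standard auditing
(2). Audit sequences
(3). As the hr user, create a sequence named seq_hr_audit with a start value of 1, an increment of 1, no cycling, no caching, and no maximum or minimum value.
(4). Check the audit result
(5). Drop the sequence
(6). Check the audit result
(7). Turn off this audit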
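One way to carry out steps (1) to (7) above, as an added example that is not part of the original notes. It assumes a DBA session except where a comment says to connect as hr; the column lists in the queries are choices made for this example.

```sql
-- Run as a DBA (for example: conn / as sysdba).
-- (1) Clear the standard audit trail so only this exercise shows up.
truncate table aud$;

-- (2) The SEQUENCE statement option covers CREATE SEQUENCE and DROP SEQUENCE.
--     BY hr limits the audit to statements issued by the hr user.
--     Statement audit options are picked up at connect time, so hr must
--     open a new session after this statement.
audit sequence by hr;

-- (3) Run as hr (new session): the sequence the exercise asks for.
create sequence seq_hr_audit
  start with 1
  increment by 1
  nocycle
  nocache
  nomaxvalue
  nominvalue;

-- (4) Back in the DBA session: one row per audited statement.
--     returncode 0 means the statement succeeded; sql_text is filled in
--     because audit_trail is set to the extended level.
select username, action_name, obj_name, returncode,
       to_char(timestamp,'yyyy-mm-dd hh24:mi:ss') as audited_at, sql_text
from dba_audit_trail
where username = 'HR'
  and obj_name = 'SEQ_HR_AUDIT'
order by timestamp;

-- (5) Run as hr: drop the sequence.
drop sequence seq_hr_audit;

-- (6) Re-run the query from (4); a DROP SEQUENCE row is now present as well.

-- (7) Turn the statement audit off, using the same BY clause it was set with.
noaudit sequence by hr;

-- Confirm that no statement audit option is left behind for hr.
select user_name, audit_option, success, failure
from dba_stmt_audit_opts
where user_name = 'HR';
```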
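4. Logon auditing
(1) Clear the data dictionary table used by standard auditing
truncate table aud$;
(2) Audit user logons, so that failed logons and account lockouts are recorded
audit session;
(3) Create a dedicated profile named P1 for the SCOTT user. The profile limits failed logon attempts to 5; all other limits are the same as in the DEFAULT profile.
create profile p1 limit FAILED_LOGIN_ATTEMPTS 5;
(4) Switch the SCOTT user's profile to P1
alter user scott profile p1;
(5) Try to log on as SCOTT with a wrong password 5 times, until the account is locked
(6) Check the audit result and count the successful and failed logons of the SCOTT user
SQL> select returncode,count(*) from dba_audit_trail group by returncode;
RETURNCODE COUNT(*)
---------- ----------
28000 1 -- number of lockouts
1017 6 -- number of failures
0 96 -- number of successes
(7) Turn off this audit
noaudit session;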
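The count in step (6) covers every row in the audit trail. The added example below (not part of the original notes) narrows it to SCOTT's logon records and checks the lockout against the data dictionary; the column aliases are choices made for this example.

```sql
-- Run as a DBA. Logon attempts are recorded with action_name = 'LOGON';
-- returncode is the ORA- error the attempt ended with (0 = success).
select username,
       userhost,
       sum(case when returncode = 0     then 1 else 0 end) as succeeded,
       sum(case when returncode = 1017  then 1 else 0 end) as bad_password,  -- ORA-01017
       sum(case when returncode = 28000 then 1 else 0 end) as while_locked,  -- ORA-28000
       to_char(min(timestamp),'yyyy-mm-dd hh24:mi:ss') as first_seen,
       to_char(max(timestamp),'yyyy-mm-dd hh24:mi:ss') as last_seen
from dba_audit_trail
where action_name = 'LOGON'
  and username = 'SCOTT'
group by username, userhost
order by bad_password desc;

-- The limit that caused the lockout, as set in profile P1.
select profile, resource_name, limit
from dba_profiles
where profile = 'P1'
  and resource_name = 'FAILED_LOGIN_ATTEMPTS';

-- Current state of the account: a lockout caused by failed logons is
-- reported as LOCKED(TIMED), with lock_date set to the time of the lockout.
select username, account_status, lock_date, profile
from dba_users
where username = 'SCOTT';

-- After the review, release the account.
alter user scott account unlock;
```

Grouping by userhost separates a single client retrying a stale password from failures arriving from several hosts.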
II. SYSDBA auditing
1. Turn on the additional logging option for SYSDBA auditing (hint: modify a parameter)
show parameter audit_sys_operations
2. Find the directory where SYSDBA audit results are stored
show parameter audit_file_dest
/u01/app/oracle/admin/orcl/adump
3. Query the SPID of the current session and find the related audit file
select spid from v$process where addr=(select paddr from v$session
where sid=(select sid from v$mystat where rownum=1));
4. As SYSDBA, query parameters and query some tables or views
/u01/app/oracle/admin/orcl/adump
5. Check the audit result of this SYSDBA session
/u01/app/oracle/admin/orcl/adump
[oracle@oracle adump]$ ls
orcl_s000_22527_1.aud orcl_s001_22529_1.aud
[oracle@oracle adump]$ more orcl_s000_22527_1.aud
6. Turn off the additional logging option for SYSDBA auditing
alter system set audit_sys_operations=false scope=spfile;
startup force
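III. Fine-grained auditing
1. Identify the data dictionary base table used by fine-grained auditing, query which tablespace it is in, and move it to the USERS tablespace
select count(*) from fga_log$;
2. Clear the data dictionary base table used by fine-grained auditing
truncate table fga_log$;
3. Implement fine-grained auditing:
As HR, create the test table emps, based on the employees table
Audit delete operations by the HR user on the emps table
As the HR user, run some delete operations on the emps table
Check the audit result
Disable the audit policy
Clear the data dictionary base table used by fine-grained auditing
[oracle@oracle ~]$ vim dbms_fga.add_policy.sql
begin
dbms_fga.add_policy(
object_schema =>'scott',
object_name =>'emp',
policy_name =>'audit_emp',
audit_condition=>'empno=7788',
audit_column =>'sal,comm',
enable =>true,
statement_types =>'select,update');
end;
SQL>get dbms_fga.add_policy.sql
begin
dbms_fga.add_policy(
object_schema =>'scott',
object_name =>'emp',
policy_name =>'audit_emp',
audit_condition=>'empno=7788',
audit_column =>'sal,comm',
enable =>true,
statement_types =>'select,update');
end;
/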
SQL>conn scott/tiger
SQL> select sal,comm from emp where empno=7788;
SAL COMM
---------- ----------
100
100
SQL> update emp set sal=1 where empno=7788;
已更新2行。
SQL> update emp set sal=1,comm=1 where empno=7788;
SQL>conn / as sysdba
SQL> select count(*) from fga_log$;
COUNT(*)
----------
3
SQL>desc dba_fga_audit_trail
SQL>select to_char(timestamp,'yyyy-mm-dd hh24:mi:ss'), db_user,os_user,object_schema,object_name,sql_text from dba_fga_audit_trail;
TO_CHAR(TIMESTAMP,' DB_USER OS_USER OBJECT_SCH OBJECT_NAM
------------------- ---------- ---------- ---------- ----------
SQL_TEXT
------------------------------------------------------------
2016-05-14 11:27:37 SCOTT oracle SCOTT EMP
select sal,comm from emp where empno=7788
2016-05-14 11:27:58 SCOTT oracle SCOTT EMP
update emp set sal=1 where empno=7788
2016-05-14 11:28:13 SCOTT oracle SCOTT EMP
update emp set sal=1,comm=1 where empno=7788
SQL> desc dbms_fga
PROCEDURE ADD_POLICY
參數名稱 類型 輸入/輸出默認值?
------------------------------ ----------------------- ------ --------
OBJECT_SCHEMA VARCHAR2 IN DEFAULT
OBJECT_NAME VARCHAR2 IN
POLICY_NAME VARCHAR2 IN
AUDIT_CONDITION VARCHAR2 IN DEFAULT
AUDIT_COLUMN VARCHAR2 IN DEFAULT
HANDLER_SCHEMA VARCHAR2 IN DEFAULT
HANDLER_MODULE VARCHAR2 IN DEFAULT
ENABLE BOOLEAN IN DEFAULT
STATEMENT_TYPES VARCHAR2 IN DEFAULT
AUDIT_TRAIL BINARY_INTEGER IN DEFAULT
AUDIT_COLUMN_OPTS BINARY_INTEGER IN DEFAULT
POLICY_OWNER VARCHAR2 IN DEFAULT
PROCEDURE DISABLE_POLICY
參數名稱 類型 輸入/輸出默認值?
------------------------------ ----------------------- ------ --------
OBJECT_SCHEMA VARCHAR2 IN DEFAULT
OBJECT_NAME VARCHAR2 IN
POLICY_NAME VARCHAR2 IN
PROCEDURE DROP_POLICY
參數名稱 類型 輸入/輸出默認值?
------------------------------ ----------------------- ------ --------
OBJECT_SCHEMA VARCHAR2 IN DEFAULT
OBJECT_NAME VARCHAR2 IN
POLICY_NAME VARCHAR2 IN
PROCEDURE ENABLE_POLICY
參數名稱 類型 輸入/輸出默認值?
------------------------------ ----------------------- ------ --------
OBJECT_SCHEMA VARCHAR2 IN DEFAULT
OBJECT_NAME VARCHAR2 IN
POLICY_NAME VARCHAR2 IN
ENABLE BOOLEAN IN DEFAULT
SQL> begin
2 dbms_fga.disable_policy(
3 object_schema =>'scott',
4 object_name =>'emp',
5 policy_name =>'audit_emp');
6 end;
7 /
SQL> select object_name,object_schema,policy_name,enabled from dba_audit_policies;
OBJECT_NAM OBJECT_SCH POLICY_NAME ENA
---------- ---------- ------------------------------ ---
EMP SCOTT AUDIT_EMP NO
SQL>truncate table fga_log$;
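4. Implement fine-grained auditing
Audit update and delete operations by the HR user on the emps table that relate to department 80
As the HR user, run some DML operations on the emps table
Check the audit result
Disable the audit policy
Clear the data dictionary base table used by fine-grained auditing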
SQL> begin
2 dbms_fga.add_policy(
3 object_schema =>'scott',
4 object_name =>'emp',
5 policy_name =>'audit_emp1',
6 audit_condition =>'deptno=20',
7 enable =>true,
8 statement_types =>'update,delete');
9 end;
10 /
SQL> select timestamp,object_schema,object_name,sql_text from dba_fga_audit_trail;
TIMESTAMP OBJECT_SCHEMA OBJECT_NAME SQL_TEXT
14-5月 -16 SCOTT EMP
update emp set sal=300 where deptno=20
SQL> begin
2 dbms_fga.disable_policy(
3 object_schema =>'scott',
4 object_name =>'emp',
5 policy_name =>'audit_emp1');
6 end;
7 /
PL/SQL 過程已成功完成。
SQL> select object_schema,object_name,policy_name,policy_owner,enabled from dba_audit_policies;
OBJECT_SCHEMA OBJECT_NAM POLICY_NAME POLICY_OWN ENABLED
------------------------------ ---------- ------------------------------ ---------- ----------
SCOTT EMP AUDIT_EMP SYS NO
SCOTT EMP AUDIT_EMP1 SYS NO
SQL> truncate table fga_log$;
表被截斷。
SQL> select object_name,object_schema,sql_text,timestamp from dba_fga_audit_trail;
未選定行
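5. Implement fine-grained auditing
Audit select, update and insert operations by the HR user on the emps table that touch the salary and commission_pct columns for the job 'IT_PROG'
As the HR user, run some DML operations on the emps table
Check the audit result
Disable the audit policy
Clear the data dictionary base table used by fine-grained auditing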
SQL> ed
已寫入 file afiedt.buf
1 begin
2 dbms_fga.add_policy(
3 object_schema =>'scott',
4 object_name =>'emp',
5 policy_name =>'audit_emp2',
6 audit_condition =>'deptno=10',
7 audit_column =>'job,ename',
8 enable =>true,
9 statement_types =>'select,update,insert');
10* end;
11 /
PL/SQL 過程已成功完成。
SQL> define _EDITOR='vi';
SQL> ed
已寫入 file afiedt.buf
1 begin
2 dbms_fga.disable_policy(
3 object_schema =>'scott',
4 object_name =>'emp',
5 policy_name =>'audit_emp2');
6* end;
7 /
PL/SQL 過程已成功完成。
SQL> select object_schema,object_name,policy_name,policy_owner,enabled from dba_audit_policies;
OBJECT_SCHEMA OBJECT_NAM POLICY_NAME POLICY_OWN ENABLED
------------------------------ ---------- ------------------------------ ---------- ----------
SCOTT EMP AUDIT_EMP SYS NO
SCOTT EMP AUDIT_EMP1 SYS NO
SCOTT EMP AUDIT_EMP2 SYS NO
SQL> !oerr ora 28106
28106, 00000, "input value for argument #%s is not valid"
// *Cause: Input values for the argument is missing or invalid.
// *Action: Correct the input values.
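Exercise 5 as literally stated, run against HR.EMPS rather than SCOTT.EMP, as an added example that is not part of the original notes. The policy name AUDIT_EMPS_ITPROG is hypothetical, and the sample statements are constructed to show which accesses are recorded and which are not.

```sql
-- Run as hr: build the test table from employees.
create table emps as select * from employees;

-- Run as a DBA (conn / as sysdba): add the policy.
begin
  dbms_fga.add_policy(
    object_schema     => 'HR',
    object_name       => 'EMPS',
    policy_name       => 'AUDIT_EMPS_ITPROG',       -- hypothetical name
    audit_condition   => 'job_id = ''IT_PROG''',    -- only rows for this job
    audit_column      => 'SALARY,COMMISSION_PCT',
    audit_column_opts => dbms_fga.any_columns,      -- either column is enough
    enable            => true,
    statement_types   => 'SELECT,UPDATE,INSERT');
end;
/

-- Run as hr. Recorded: an audited column is referenced and the rows
-- satisfy the audit condition.
select salary from emps where job_id = 'IT_PROG';
update emps set commission_pct = 0.1 where job_id = 'IT_PROG';
-- Not recorded: no audited column is referenced.
select last_name from emps where job_id = 'IT_PROG';
-- Not recorded: none of the rows satisfies the audit condition.
select salary from emps where job_id = 'SA_REP';
-- Undo the test update; this is cleanup of the table data only.
rollback;

-- Run as a DBA: the recorded select and update, tagged with the policy name.
select to_char(timestamp,'yyyy-mm-dd hh24:mi:ss') as audited_at,
       db_user, policy_name, statement_type, sql_text
from dba_fga_audit_trail
where object_schema = 'HR' and object_name = 'EMPS'
order by timestamp;

-- Disable the policy and clear the FGA base table, as the exercise asks.
exec dbms_fga.disable_policy('HR','EMPS','AUDIT_EMPS_ITPROG');
truncate table fga_log$;
```

Switching audit_column_opts to dbms_fga.all_columns would record only statements that reference both salary and commission_pct.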
6. Drop the audit policies defined in the three fine-grained audits above
SQL> select object_schema,object_name,policy_name,policy_owner,enabled from dba_audit_policies;
OBJECT_SCHEMA OBJECT_NAM POLICY_NAME POLICY_OWN ENABLED
------------------------------ ---------- ------------------------------ ---------- ----------
SCOTT EMP AUDIT_EMP SYS NO
SCOTT EMP AUDIT_EMP1 SYS NO
SCOTT EMP AUDIT_EMP2 SYS NO
SQL> begin
2 dbms_fga.drop_policy(
3 object_schema =>'scott',
4 object_name =>'emp',
5 policy_name =>'audit_emp');
6 end;
7 /
PL/SQL 過程已成功完成。
SQL> begin
2 dbms_fga.drop_policy(
3 object_schema =>'scott',
4 object_name =>'emp',
5 policy_name =>'audit_emp1');
6 end;
7 /
SQL> begin
2 dbms_fga.drop_policy(
3 object_schema =>'scott',
4 object_name =>'emp',
5 policy_name =>'audit_emp2');
6 end;
7 /
PL/SQL 過程已成功完成。
SQL> select object_schema,object_name,policy_name,policy_owner,enabled from dba_audit_policies;
未選定行
SQL> get dbms_fga.add_policy.sql
1 begin
2 dbms_fga.add_policy (
3 object_schema =>'scott',
4 object_name =>'emp',
5 policy_name =>'audit_emp',
6 audit_condition=>'empno=7788',
7 audit_column =>'sal,comm',
8 enable =>true,
9 statement_types =>'select,update');
10* end;
11 /
PL/SQL 過程已成功完成。
SQL> begin
2 dbms_fga.disable_policy(
3 object_schema =>'scott',
4 object_name =>'emp',
5 policy_name =>'audit_emp');
6 end;
7 /
PL/SQL 過程已成功完成。
SQL> select object_schema,object_name,policy_name,policy_owner,enabled from dba_audit_policies;
OBJECT_SCHEMA OBJECT_NAME
------------------------------ ------------------------------
POLICY_NAME POLICY_OWNER ENA
------------------------------ ------------------------------ ---
SCOTT EMP
AUDIT_EMP SYS NO
SQL> begin
2 dbms_fga.enable_policy(
3 object_schema =>'scott',
4 object_name =>'emp',
5 policy_name =>'audit_emp');
6 end;
7 /
PL/SQL 過程已成功完成。
SQL> select object_schema,object_name,policy_name,policy_owner,enabled from dba_audit_policies;
OBJECT_SCHEMA OBJECT_NAME
------------------------------ ------------------------------
POLICY_NAME POLICY_OWNER ENA
------------------------------ ------------------------------ ---
SCOTT EMP
AUDIT_EMP SYS YES
SQL> begin
2 dbms_fga.drop_policy(
3 object_schema =>'scott',
4 object_name =>'emp',
5 policy_name =>'audit_emp');
6 end;
7 /
PL/SQL 過程已成功完成。
SQL> select object_schema,object_name,policy_name,policy_owner,enabled from dba_audit_policies;
未選定行
A shell script can also be used
[oracle@oracle ~]$ cat dbms_fga.add_policy.sql
#!/bin/bash
sqlplus / as sysdba <<EOF
begin
dbms_fga.add_policy (
object_schema =>'scott',
object_name =>'emp',
policy_name =>'audit_emp',
audit_condition=>'empno=7788',
audit_column =>'sal,comm',
enable =>true,
statement_types =>'select,update');
end;
/
EOF
[oracle@oracle ~]$ vim dbms_fga.add_policy.sql
[oracle@oracle ~]$ ./dbms_fga.add_policy.sql
SQL*Plus: Release 11.2.0.1.0 Production on 星期六 5月 14 17:19:32 2016
Copyright (c) 1982, 2009, Oracle. All rights reserved.
連接到:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> 2 3 4 5 6 7 8 9 10 11
PL/SQL 過程已成功完成。
SQL> select object_schema,object_name,policy_name,policy_owner,enabled from dba_audit_policies;
OBJECT_SCHEMA OBJECT_NAM POLICY_NAME POLICY_OWN ENABLED
------------------------------ ---------- ------------------------------ ---------- ----------
SCOTT EMP AUDIT_EMP SYS NO
Write a SQL script
vim geshi.sql
Contents
col timestamp for a20
col db_user for a10
col os_user for a10
col object_schema for a10
col object_name for a10
col sql_text for a60
select to_char(timestamp,'yyyy-mm-dd hh24:mi:ss'),db_user,os_user,
object_schema,object_name,sql_text from dba_fga_audit_trail;
SQL> @geshi.sql
TO_CHAR(TIMESTAMP,' DB_USER OS_USER OBJECT_SCH OBJECT_NAM
------------------- ---------- ---------- ---------- ----------
SQL_TEXT
--------------------------------------------------
2016-05-14 17:39:54 SCOTT oracle SCOTT EMP
select * from emp where deptno=20
Using exec
[oracle@oracle ~]$ ./dbms_fga.add_policy.sql
SQL*Plus: Release 11.2.0.1.0 Production on 星期六 5月 14 17:56:32 2016
Copyright (c) 1982, 2009, Oracle. All rights reserved.
連接到:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> 2 3 4 5 6 7 8 9 10 11
PL/SQL 過程已成功完成。
SQL> select object_schema,object_name,policy_owner,policy_name,enabled from dba_audit_policies;
OBJECT_SCHEMA OBJECT_NAME
------------------------------ ------------------------------
POLICY_OWNER POLICY_NAME ENA
------------------------------ ------------------------------ ---
SCOTT EMP
SYS AUDIT_EMP YES
SQL> exec dbms_fga.disable_policy('SCOTT','EMP','AUDIT_EMP');
PL/SQL 過程已成功完成。
SQL> select object_schema,object_name,policy_owner,policy_name,enabled from dba_audit_policies;
OBJECT_SCHEMA OBJECT_NAME
------------------------------ ------------------------------
POLICY_OWNER POLICY_NAME ENA
------------------------------ ------------------------------ ---
SCOTT EMP
SYS AUDIT_EMP NO
SQL> exec dbms_fga.enable_policy('SCOTT','EMP','AUDIT_EMP');
PL/SQL 過程已成功完成。
SQL> select object_schema,object_name,policy_owner,policy_name,enabled from dba_audit_policies;
OBJECT_SCHEMA OBJECT_NAME
------------------------------ ------------------------------
POLICY_OWNER POLICY_NAME ENA
------------------------------ ------------------------------ ---
SCOTT EMP
SYS AUDIT_EMP YES
SQL> exec dbms_fga.drop_policy('SCOTT','EMP','AUDIT_EMP');
PL/SQL 過程已成功完成。
SQL> select object_schema,object_name,policy_owner,policy_name,enabled from dba_audit_policies;