from Reading Notes: using the dbms_fga package to set audit policies on tables
Articles by piner:
http://www.oracle.com.cn/thread-3582-1-162.html
http://www.oracle.com.cn/thread-1824-1-1.html
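The dbms_fga package can audit SELECT statements against a table. In particular situations, if you want to trace the SELECT statements issued against a table in order to optimize them, this package is a very good fit;
for statements that use bind variables, the variable values can also be captured (the DBA_FGA_AUDIT_TRAIL.SQL_BIND column). Like ordinary auditing and DML triggers, the DBMS_FGA package will severely affect performance if too many tables are audited.
Experiment:
1) Create the policy: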
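BEGIN
  dbms_fga.add_policy(
    object_schema   => 'CRM2',            -- owner of the audited table
    object_name     => 'TMP_DETAIL',      -- audited table
    policy_name     => 'chk_test2',
    audit_condition => 'STATUS=3',        -- audit only rows matching this predicate
    audit_column    => 'STATUS',          -- audit only when this column is accessed
    enable          => TRUE,
    handler_schema  => 'CRM2',            -- owner of the handler procedure
    handler_module  => 'SP_CHK_MYTABLE'); -- procedure called when the policy fires
END;
/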
2) Create the table and the stored procedure SP_CHK_MYTABLE:
-- Table that receives one row per handler call
create table audit$proc (
  audtime       date,
  loguser       varchar2(64),
  audsid        number,
  clientip      varchar2(64),
  object_schema varchar2(64),
  object_name   varchar2(64),
  policy_name   varchar2(64));

-- Handler: dbms_fga passes in the schema, object and policy names
CREATE or replace PROCEDURE sp_chk_mytable (
  p_object_schema VARCHAR2,
  p_object_name   VARCHAR2,
  p_policy_name   VARCHAR2) AS
BEGIN
  INSERT INTO audit$proc (audtime, loguser, audsid, clientip,
                          object_schema, object_name, policy_name)
  VALUES (sysdate, ora_login_user, userenv('SESSIONID'),
          sys_context('userenv','ip_address'),
          p_object_schema, p_object_name, p_policy_name);
  commit;
END sp_chk_mytable;
/
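3)
Run select * from TMP_DETAIL where rownum<2; to trigger the audit policy;
Check the audit$proc table and the dba_fga_audit_trail view; the dbms_fga package automatically passes in the three parameters that the sp_chk_mytable procedure requires, and the records in the audit$proc table are correct.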
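The verification in step 3, written out as a SQL*Plus session. This is an added example, not part of the original notes: it reuses the CRM2, TMP_DETAIL, chk_test2 and SP_CHK_MYTABLE names from the experiment, assumes audit$proc was created in the CRM2 schema, and assumes the session can read the DBA_* views.

```sql
-- Added example (not from the original notes). Object names come from the
-- experiment above; crm2.audit$proc as the table owner is an assumption.

-- 1. Confirm the policy is registered, enabled, and which handler it calls.
SELECT object_schema, object_name, policy_name,
       policy_text, policy_column, pf_schema, pf_function, enabled
  FROM dba_audit_policies
 WHERE object_schema = 'CRM2'
   AND object_name   = 'TMP_DETAIL';

-- 2. Confirm the handler procedure exists and compiled cleanly (STATUS = VALID).
SELECT owner, object_name, object_type, status
  FROM dba_objects
 WHERE owner       = 'CRM2'
   AND object_name = 'SP_CHK_MYTABLE';

-- 3. Issue a statement with a bind variable that reads the audited column
--    and matches the audit condition STATUS=3.
VARIABLE v_status NUMBER
EXEC :v_status := 3
SELECT status FROM crm2.tmp_detail WHERE status = :v_status AND rownum < 2;

-- 4. Review what FGA recorded, including the captured bind value.
SELECT timestamp, db_user, os_user, userhost,
       policy_name, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE object_schema = 'CRM2'
   AND object_name   = 'TMP_DETAIL'
 ORDER BY timestamp DESC;

-- 5. Compare with the rows written by the handler procedure.
SELECT audtime, loguser, audsid, clientip, policy_name
  FROM crm2.audit$proc
 ORDER BY audtime DESC;

-- 6. Drop the policy once the trace is finished, to limit the overhead.
BEGIN
  dbms_fga.drop_policy(object_schema => 'CRM2',
                       object_name   => 'TMP_DETAIL',
                       policy_name   => 'chk_test2');
END;
/
```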
-- See the SQL Reference documentation for the sys_context function:
select
sys_context('userenv','AUDITED_CURSORID'),
sys_context('userenv','AUTHENTICATION_DATA'),
sys_context('userenv','AUTHENTICATION_TYPE'),
sys_context('userenv','BG_JOB_ID'),
sys_context('userenv','CLIENT_IDENTIFIER'),
sys_context('userenv','CLIENT_INFO'),
sys_context('userenv','CURRENT_SCHEMA'),
sys_context('userenv','CURRENT_SCHEMAID'),
sys_context('userenv','CURRENT_SQL'),
sys_context('userenv','CURRENT_USER'),
sys_context('userenv','CURRENT_USERID'),
sys_context('userenv','DB_DOMAIN'),
sys_context('userenv','DB_NAME'),
sys_context('userenv','EXTERNAL_NAME'),
sys_context('userenv','FG_JOB_ID'),
sys_context('userenv','GLOBAL_CONTEXT_MEMORY'),
sys_context('userenv','HOST'),
sys_context('userenv','INSTANCE'),
sys_context('userenv','IP_ADDRESS'),
sys_context('userenv','ISDBA'),
sys_context('userenv','LANG'),
sys_context('userenv','LANGUAGE'),
sys_context('userenv','NETWORK_PROTOCOL'),
sys_context('userenv','NLS_CALENDAR'),
sys_context('userenv','NLS_CURRENCY'),
sys_context('userenv','NLS_DATE_FORMAT'),
sys_context('userenv','NLS_DATE_LANGUAGE'),
sys_context('userenv','NLS_SORT'),
sys_context('userenv','NLS_TERRITORY'),
sys_context('userenv','OS_USER'),
sys_context('userenv','PROXY_USER'),
sys_context('userenv','PROXY_USERID'),
sys_context('userenv','SESSION_USER'),
sys_context('userenv','SESSION_USERID'),
sys_context('userenv','SESSIONID'),
sys_context('userenv','TERMINAL') ,
SYS_CONTEXT('USERENV','ENTRYID')
from dual;
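p.s.
In the experiment above, passing handler_module causes the rows with status=3 in the table to become impossible to query. My rough judgment is that the query statement ran into the procedure. The symptom is that all rows with status=3 are masked; after removing the handler_module parameter, behaviour is normal.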