Standard Auditing
Auditing is the monitoring and recording of selected user actions; it is used to watch the operations users perform on an Oracle database.
Audit records are generated during the statement execution phase. An audit record contains the time of the audited action, the audited object, the operation the user performed, and the result of the operation. Audit records can be kept in data dictionary tables (the database audit trail) or in operating-system audit files. Database audit records are all stored in the AUD$ table.
The SYS user is not audited by default unless the AUDIT_SYS_OPERATIONS parameter is set to TRUE; where those records are written is determined by the audit_file_dest parameter.
Oracle security auditing is divided into standard auditing, fine-grained auditing and mandatory auditing.
Enabling standard auditing
SQL> show parameter audit_trail;
NAME TYPE VALUE
----------------------------------------------- ------------------------------
audit_trail string NONE
SQL> alter system set audit_trail=db scope=spfile;
System altered.
SQL> select isses_modifiable,issys_modifiable,ismodified from v$parameter where name='audit_trail';
ISSES ISSYS_MOD ISMODIFIED
----- --------- ----------
FALSE FALSE FALSE
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 549453824 bytes
Fixed Size 1274816 bytes
Variable Size 255855680 bytes
Database Buffers 289406976 bytes
Redo Buffers 2916352 bytes
Database mounted.
Database opened.
SQL> show parameter audit_trail;
NAME TYPE VALUE
----------------------------------------------- ------------------------------
audit_trail string DB
Values of audit_trail:
NONE: auditing disabled (the default)
DB: audit records are stored in the database
OS: audit records are stored in operating-system files; the AUDIT_FILE_DEST initialization parameter specifies the directory the audit files are written to.
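As an added example (not taken from the original post), the weak setting beside the hardened one. It also switches on AUDIT_SYS_OPERATIONS, mentioned above, so that SYSDBA activity is written to OS files under audit_file_dest; both parameters are static, so they go into the spfile and take effect at the next restart, which is why the check reads v$spparameter rather than v$parameter.

```sql
-- Added example, not part of the original post.
-- Weak (the default on the instance above): no audit trail at all.
-- alter system set audit_trail=none scope=spfile;

-- Hardened: keep the standard audit trail in the database (SYS.AUD$)...
alter system set audit_trail=db scope=spfile;

-- ...and record what SYS / SYSDBA sessions do as well, since the standard
-- trail never captures them. These records go to OS files in audit_file_dest.
alter system set audit_sys_operations=true scope=spfile;

-- Both parameters are static (ISSYS_MODIFIABLE = FALSE in v$parameter), so the
-- new values exist only in the spfile until the instance is restarted. Read
-- them back from v$spparameter; v$parameter still shows the running values.
select name, value
  from v$spparameter
 where name in ('audit_trail', 'audit_sys_operations', 'audit_file_dest')
 order by name;
```

After shutdown immediate and startup, show parameter audit_trail reports DB, as in the transcript above.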
Configuring standard auditing
Oracle supports three kinds of standard auditing:
Statement auditing: audits a particular type of SQL statement without specifying an outcome or object; session connections also fall under statement auditing.
Privilege auditing: audits the use of the system privilege that allows the corresponding action.
Object auditing: audits specified statements on a particular schema object.
Audit conditions supported by Oracle:
Condition: BY user
BY user audits the specified user; by default all users are audited.
Condition: BY SESSION / BY ACCESS
BY SESSION records repeated operations within a session only once.
BY ACCESS records every operation within a session, regardless of repetition.
Condition: WHENEVER SUCCESSFUL / WHENEVER NOT SUCCESSFUL
WHENEVER SUCCESSFUL records the operation only when it succeeds.
WHENEVER NOT SUCCESSFUL records the operation only when it fails.
By default both are recorded.
SQL> audit session;
【Record every session connection (successful or not)】
Audit succeeded.
SQL> audit create table by scott;
【Record the specified user's CREATE TABLE operations (successful or not). Note: CREATE and ALTER on tables can be audited individually, but to audit DROP you must use the AUDIT TABLE command, which covers CREATE TABLE, DROP TABLE and TRUNCATE TABLE together.】
Audit succeeded.
SQL> audit insert any table by access whenever successful;
【Record every successful INSERT on any table. Note: a user accessing their own tables is not audited; access to other users' tables is audited (object-based auditing aside).】
Audit succeeded.
SQL> audit select,delete on scott.emp by access whenever not successful;
【Record every failed SELECT/DELETE on the specified object】
Audit succeeded.
SQL> select * from dba_stmt_audit_opts;
【Show all statement audit option settings, including create/drop/truncate table and so on】
USER_NAME  PROXY_NAME  AUDIT_OPTION       SUCCESS    FAILURE
---------- ----------  ------------------ ---------- ----------
                       CREATE SESSION     BY ACCESS  BY ACCESS
SCOTT                  CREATE TABLE       BY ACCESS  BY ACCESS
                       INSERT ANY TABLE   BY ACCESS  NOT SET
SQL> select * from dba_priv_audit_opts;
【Show all privilege audit option settings, including audit select/insert/delete/update any table and grant select any table to a; a user accessing their own tables is not audited (object-based auditing aside)】
USER_NAME  PROXY  PRIVILEGE          SUCCESS    FAILURE
---------- -----  ------------------ ---------- ----------
                  CREATE SESSION     BY ACCESS  BY ACCESS
SCOTT             CREATE TABLE       BY ACCESS  BY ACCESS
                  INSERT ANY TABLE   BY ACCESS  NOT SET
SQL> select * from dba_obj_audit_opts;
【Show all audit settings on objects; only the specified operations on the object named after the ON keyword are audited】
OWNER OBJECT_NAME OBJECT_TYPE ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE CRE REA WRI FBK
------------------------------ ----------------------------------------------- ----- ----- ----- ----- ----- ----- ----- ----- ----- ---------- --- ----- ----- ----- ----- -----
SCOTT EMP TABLE -/- -/- -/- -/A -/- -/- -/- -/- -/- -/A -/- -/- -/- -/- -/- -/- -/-
The character "-" indicates that the audit option is not set.
The character "S" indicates that the audit option is set BY SESSION.
The character "A" indicates that the audit option is set BY ACCESS.
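Each value in those columns is a pair: the character before the "/" is the WHENEVER SUCCESSFUL setting and the one after it the WHENEVER NOT SUCCESSFUL setting, so "-/A" in SEL and DEL above means successful statements are not audited while failed ones are audited BY ACCESS. The following query, an added example rather than code from the original post, decodes the five most common columns into words; it is filtered to SCOTT.EMP from the transcript above, so change the WHERE clause for another object.

```sql
-- Added example, not part of the original post: decode dba_obj_audit_opts.
-- Each column such as SEL or DEL holds "x/y": x = setting for successful
-- statements, y = setting for failed ones ('-' not set, 'S' by session,
-- 'A' by access). Unpivot the columns of interest, then translate each half.
with opts as (
  select owner, object_name, object_type, 'SELECT' as op, sel as val from dba_obj_audit_opts
  union all
  select owner, object_name, object_type, 'INSERT', ins from dba_obj_audit_opts
  union all
  select owner, object_name, object_type, 'UPDATE', upd from dba_obj_audit_opts
  union all
  select owner, object_name, object_type, 'DELETE', del from dba_obj_audit_opts
  union all
  select owner, object_name, object_type, 'ALTER', alt from dba_obj_audit_opts
)
select owner, object_name, object_type, op,
       decode(substr(val, 1, 1), '-', 'not set', 'S', 'by session', 'A', 'by access', val) as on_success,
       decode(substr(val, 3, 1), '-', 'not set', 'S', 'by session', 'A', 'by access', val) as on_failure
  from opts
 where owner = 'SCOTT'
   and object_name = 'EMP'
   and val <> '-/-'          -- hide operations that are not audited at all
 order by op;
```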
SQL> noaudit all;
【Cancel all statement auditing】
Noaudit succeeded.
SQL> noaudit all privileges;
【Cancel all privilege auditing (not restricted to a user)】
Noaudit succeeded.
SQL> noaudit all privileges by scott;
【Cancel all privilege auditing (for the specified user)】
Noaudit succeeded.
SQL> noaudit all on scott.emp;
【Cancel object auditing (on the specified object)】
Noaudit succeeded.
Querying standard audit results
SQL> select * from sys.aud$;
【List the audit records (base table)】
no rows selected
SQL> select * from dba_audit_trail;
【List all audit-trail entries (a view over the table above)】
no rows selected
SQL> create or replace view yy_audit as select substr(username,1,8) username, substr(userhost,1,10) host,
to_char(timestamp,'yyyy-mm-dd hh:mi:ss') logintime,
to_char(logoff_time,'yyyy-mm-dd hh:mi:ss') logofftime,
substr(obj_name,1,10) obj, action, returncode from dba_audit_trail;
【Custom audit view】
View created.
SQL> select * from audit_actions;
【List the meaning of the audit action type codes (the action column)】
ACTION NAME
---------- ----------------------------
         0 UNKNOWN
         1 CREATE TABLE
         2 INSERT
         3 SELECT
         4 CREATE CLUSTER
         5 ALTER CLUSTER
         6 UPDATE
         7 DELETE
         8 DROP CLUSTER
         9 CREATE INDEX
        10 DROP INDEX
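Two defender-side queries over the same view, added here as an example and not taken from the original post. The first joins the numeric action code to its name and renders RETURNCODE as the ORA error it stands for; the second counts failed logons (ORA-01017) per user and host over the last day, a simple password-guessing detector. Note that 'hh' in the yy_audit view prints a 12-hour clock (hh24 gives 24-hour time), which is probably why later entries on this page show times such as 03:52:54; the threshold and time window below are assumptions.

```sql
-- Added example, not part of the original post.
-- 1. Readable trail: join the numeric ACTION code to its name in audit_actions
--    and show the ORA error number behind a non-zero RETURNCODE. hh24 is used
--    so the timestamps sort and correlate correctly across noon.
select to_char(t.timestamp, 'yyyy-mm-dd hh24:mi:ss') as audit_time,
       t.username, t.userhost, t.obj_name,
       a.name as action_name,
       t.returncode,
       case t.returncode
            when 0 then 'OK'
            else 'ORA-' || lpad(t.returncode, 5, '0')
       end as result
  from dba_audit_trail t
  join audit_actions a on a.action = t.action
 order by t.timestamp;

-- 2. Failed logons (ORA-01017, invalid username/password) per user and host
--    in the last 24 hours. Many failures from one host in a short time look
--    like password guessing and deserve an alert. The window (1 day) and the
--    threshold (5) are assumptions; tune them for your environment.
select t.username, t.userhost,
       count(*) as failed_logons,
       min(t.timestamp) as first_seen,
       max(t.timestamp) as last_seen
  from dba_audit_trail t
 where t.action_name = 'LOGON'
   and t.returncode = 1017
   and t.timestamp > sysdate - 1
 group by t.username, t.userhost
having count(*) >= 5
 order by failed_logons desc;
```

Both queries need audit session (or equivalent) to be in force, as in the tests below; with no logon auditing the second query returns nothing.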
Testing standard auditing
[oracle@desktop241 ~]$ sqlplus sys/song as sysdba
SQL*Plus: Release 10.2.0.5.0 - Production on Thu Oct 18 11:36:13 2012
Copyright (c) 1982, 2010, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> audit session;
【Enable connection (statement) auditing】
Audit succeeded.
SQL> select * from dba_stmt_audit_opts;
【Check statement audit settings】
USER_NAME  PROXY_NAME  AUDIT_OPTION       SUCCESS    FAILURE
---------- ----------  ------------------ ---------- ----------
                       CREATE SESSION     BY ACCESS  BY ACCESS
[oracle@desktop241 ~]$ sqlplus john/john
[oracle@desktop241 ~]$ sqlplus sys/song as sysdba
[oracle@desktop241 ~]$ sqlplus john/john123
In separate windows, log in with each of the four identities above:
SQL> select * from yy_audit;
Sys logs in with the correct password and then queries the yy_audit view: the connection is not recorded.
Kitty logs in with a wrong password; query again: the connection is recorded.
Kitty logs in with the correct password; query again: the successful connection is recorded. After logging out:
SQL> select * from yy_audit;
USERNAME HOST       LOGINTIME           LOGOFFTIME          OBJ  ACTION RETURNCODE
-------- ---------- ------------------- ------------------- ---- ------ ----------
JOHN     desktop241 2012-10-18 11:39:36                          100    1017
JOHN     desktop241 2012-10-18 11:39:59                          100    1045
SQL> select * from yy_audit;
【Stop connection auditing】
SQL> noaudit session;
Noaudit succeeded.
SQL> truncate table aud$;
【Clear the audit record table】
Table truncated.
[oracle@desktop241 ~]$ sqlplus sys/song as sysdba
SQL*Plus: Release 10.2.0.5.0 - Production on Thu Oct 18 11:48:23 2012
Copyright (c) 1982, 2010, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> audit create table by kitty;
【Enable statement auditing】
Audit succeeded.
SQL> select * from dba_stmt_audit_opts;
【Check statement audit settings】
USER_NAME  PROXY_NAME  AUDIT_OPTION       SUCCESS    FAILURE
---------- ----------  ------------------ ---------- ----------
KITTY                  CREATE TABLE       BY ACCESS  BY ACCESS
[oracle@desktop241 ~]$ sqlplus sys/song as sysdba
SQL*Plus: Release 10.2.0.5.0 - Production on Thu Oct 18 11:50:21 2012
Copyright (c) 1982, 2010, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create table t1 (id number);
Table created.
SQL> create table t1 (id number);
create table t1 (id number)
*
ERROR at line 1:
ORA-00955: name is already used by an existing object
【After logging in as SYS, run CREATE TABLE twice (the first succeeds, the second fails), then query yy_audit: the statements are not recorded】
SQL> select * from yy_audit;
no rows selected
[oracle@desktop241 ~]$ sqlplus kitty/kitty123
SQL*Plus: Release 10.2.0.5.0 - Production on Thu Oct 18 11:53:28 2012
Copyright (c) 1982, 2010, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create table t2(id number);
Table created.
SQL> create table t2(id number);
create table t2(id number)
*
ERROR at line 1:
ORA-00955: name is already used by an existing object
【After Kitty logs in and runs CREATE TABLE twice (the first succeeds, the second fails), query yy_audit again: both statements, regardless of outcome, are recorded】
SQL> select * from yy_audit;
USERNAME HOST       LOGINTIME           LOGOFFTIME          OBJ  ACTION RETURNCODE
-------- ---------- ------------------- ------------------- ---- ------ ----------
KITTY    desktop241 2012-10-18 11:53:55                     T2   1      0
KITTY    desktop241 2012-10-18 11:53:56                     T2   1      955
[oracle@desktop241 ~]$ sqlplus scott/tiger
SQL*Plus: Release 10.2.0.5.0 - Production on Thu Oct 18 11:58:05 2012
Copyright (c) 1982, 2010, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create table t3(id number);
Table created.
SQL> create table t3(id number);
create table t3(id number)
*
ERROR at line 1:
ORA-00955: name is already used by an existing object
SQL> select * from yy_audit;
USERNAME HOST       LOGINTIME           LOGOFFTIME          OBJ  ACTION RETURNCODE
-------- ---------- ------------------- ------------------- ---- ------ ----------
KITTY    desktop241 2012-10-18 11:53:55                     T2   1      0
KITTY    desktop241 2012-10-18 11:53:56                     T2   1      955
【After scott logs in and runs CREATE TABLE twice (the first succeeds, the second fails), query yy_audit: the statements are not recorded】
SQL> noaudit create table by kitty;
【Stop statement auditing】
Noaudit succeeded.
SQL> truncate table aud$;
【Clear the audit record table】
Table truncated.
[oracle@desktop241 ~]$ sqlplus sys/song as sysdba
SQL> audit insert any table by access whenever successful;
【Enable privilege auditing】
Audit succeeded.
SQL> select * from dba_priv_audit_opts;
【Check privilege audit settings】
USER_NAME  PROXY_NAME  PRIVILEGE          SUCCESS    FAILURE
---------- ----------  ------------------ ---------- ----------
                       INSERT ANY TABLE   BY ACCESS  NOT SET
[oracle@desktop241 ~]$ sqlplus sys/song as sysdba
SQL> insert into kitty.t2 values (111);
1 row created.
SQL> insert into kitty.t2 values ("aaa");
insert into kitty.t2 values ("aaa")
*
ERROR at line 1:
ORA-00984: column not allowed here
SQL> grant connect,resource,insert any table to john;
Grant succeeded.
【After logging in as SYS, run two INSERTs (the first succeeds, the second fails), then query yy_audit: the statements are not recorded (the SYS user is not audited)】
SQL> select * from yy_audit;
no rows selected
[oracle@desktop241 ~]$ sqlplus kitty/kitty123
SQL> insert into kitty.t2 values (222);
1 row created.
SQL> insert into kitty.t2 values ("bbb");
insert into kitty.t2 values ("bbb")
*
ERROR at line 1:
ORA-00984: column not allowed here
【After Kitty logs in and runs two INSERTs (the first succeeds, the second fails), query yy_audit: the statements are not recorded (a user's access to their own tables is not covered by privilege-audit rules)】
[oracle@desktop241 ~]$ sqlplus john/john123
SQL> insert into kitty.t2 values (333);
1 row created.
SQL> insert into kitty.t2 values("ccc");
insert into kitty.t2 values("ccc")
*
ERROR at line 1:
ORA-00984: column not allowed here
【After john logs in and runs two INSERTs on a table owned by another user (the first succeeds, the second fails), query yy_audit: the first, successful statement is recorded, while the second, failed one is not】
SQL> select * from yy_audit;
USERNAME HOST       LOGINTIME           LOGOFFTIME          OBJ  ACTION RETURNCODE
-------- ---------- ------------------- ------------------- ---- ------ ----------
JOHN     desktop241 2012-10-18 03:52:54                     T2   2      0
SQL> noaudit insert any table;
【Stop privilege auditing】
Noaudit succeeded.
SQL> truncate table aud$;
【Clear the audit record table】
Table truncated.
[oracle@desktop241 ~]$ sqlplus sys/song as sysdba
SQL> audit select,delete on kitty.t2 by access whenever not successful;
【Enable object auditing】
Audit succeeded.
SQL> select * from dba_obj_audit_opts;
【Check object audit settings】
OWNER  OBJECT_NAME OBJECT_TYPE ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE CRE REA WRI FBK
------ ----------- ----------- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
KITTY  T2          TABLE       -/- -/- -/- -/A -/- -/- -/- -/- -/- -/A -/- -/- -/- -/- -/- -/- -/-
[oracle@desktop241 ~]$ sqlplus sys/song as sysdba
SQL> delete from kitty.t2 where id=111;
1 row deleted.
SQL> delete from kitty.t2 where id=kkk;
delete from kitty.t2 where id=kkk
*
ERROR at line 1:
ORA-00904: "KKK": invalid identifier
【After logging in as SYS, run two DELETEs (the first succeeds, the second fails), then query yy_audit: the statements are not recorded】
SQL> select * from yy_audit;
no rows selected
[oracle@desktop241 ~]$ sqlplus kitty/kitty123
【After kitty logs in, run the test operations】
SQL> select * from t2 where id=222;
【Query succeeds; not recorded】
ID
----------
222
SQL> delete from t2 where id=222;
【Delete succeeds; not recorded】
1 row deleted.
SQL> select * from t2 where id=kkk;
【Query fails; yy_audit shows it recorded】
select * from t2 where id=kkk
*
ERROR at line 1:
ORA-00904: "KKK": invalid identifier
SQL> delete from t2 where id=kkk;
【Delete fails; yy_audit shows it recorded】
delete from t2 where id=kkk
*
ERROR at line 1:
ORA-00903: invalid table name
SQL> select * from t0l;
【Query fails; not recorded (not the specified object)】
select * from t0l
*
ERROR at line 1:
ORA-00942: table or view does not exist
SQL> delete from table t0;
【Delete fails; not recorded (not the specified object)】
delete from table t0
*
ERROR at line 1:
ORA-00903: invalid table name
SQL> select * from yy_audit;
USERNAME HOST       LOGINTIME           LOGOFFTIME          OBJ  ACTION RETURNCODE
-------- ---------- ------------------- ------------------- ---- ------ ----------
KITTY    desktop241 2012-10-18 04:07:05                     T2   3      904
KITTY    desktop241 2012-10-18 04:09:36                     T2   7      904
[oracle@desktop241 ~]$ sqlplus john/john123
SQL> delete from kitty.t2 where id=333;
delete from kitty.t2 where id=333
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> select * from yy_audit;
USERNAME HOST       LOGINTIME           LOGOFFTIME          OBJ  ACTION RETURNCODE
-------- ---------- ------------------- ------------------- ---- ------ ----------
KITTY    desktop241 2012-10-18 04:07:05                     T2   3      904
KITTY    desktop241 2012-10-18 04:09:36                     T2   7      904
JOHN     desktop241 2012-10-18 04:14:51                     T2   7      2004
JOHN     desktop241 2012-10-18 04:15:11                     T2   3      2004
JOHN     desktop241 2012-10-18 04:16:28                     T2   7      2004
SCOTT    desktop241 2012-10-18 04:17:45                     T2   7      2004
6 rows selected.
【After john logs in and runs two DELETEs (the first succeeds, the second fails), query yy_audit: the statements are not recorded】
SQL> select * from audit_actions;
ACTION NAME
---------- ----------------------------
         0 UNKNOWN
         1 CREATE TABLE
         2 INSERT
         3 SELECT
         4 CREATE CLUSTER
         5 ALTER CLUSTER
         6 UPDATE
         7 DELETE
         8 DROP CLUSTER
         9 CREATE INDEX
        10 DROP INDEX
        11 ALTER INDEX
        12 DROP TABLE
        13 CREATE SEQUENCE
        14 ALTER SEQUENCE
        15 ALTER TABLE
        16 DROP SEQUENCE
        17 GRANT OBJECT
        18 REVOKE OBJECT
        19 CREATE SYNONYM
        20 DROP SYNONYM
        21 CREATE VIEW
        22 DROP VIEW
        23 VALIDATE INDEX
        24 CREATE PROCEDURE
        25 ALTER PROCEDURE
        26 LOCK
        27 NO-OP
        28 RENAME
        29 COMMENT
        30 AUDIT OBJECT
        31 NOAUDIT OBJECT
        32 CREATE DATABASE LINK
        33 DROP DATABASE LINK
        34 CREATE DATABASE
        35 ALTER DATABASE
        36 CREATE ROLLBACK SEG
        37 ALTER ROLLBACK SEG
        38 DROP ROLLBACK SEG
        39 CREATE TABLESPACE
        40 ALTER TABLESPACE
        41 DROP TABLESPACE
        42 ALTER SESSION
        43 ALTER USER
        44 COMMIT
        45 ROLLBACK
        46 SAVEPOINT
        47 PL/SQL EXECUTE
        48 SET TRANSACTION
        49 ALTER SYSTEM
        50 EXPLAIN
        51 CREATE USER
        52 CREATE ROLE
        53 DROP USER
        54 DROP ROLE
        55 SET ROLE
        56 CREATE SCHEMA
        57 CREATE CONTROL FILE
        59 CREATE TRIGGER
        60 ALTER TRIGGER
        61 DROP TRIGGER
        62 ANALYZE TABLE
        63 ANALYZE INDEX
        64 ANALYZE CLUSTER
        65 CREATE PROFILE
        66 DROP PROFILE
        67 ALTER PROFILE
        68 DROP PROCEDURE
        70 ALTER RESOURCE COST
        71 CREATE MATERIALIZED VIEW LOG
        72 ALTER MATERIALIZED VIEW LOG
        73 DROP MATERIALIZED VIEW LOG
        74 CREATE MATERIALIZED VIEW
        75 ALTER MATERIALIZED VIEW
        76 DROP MATERIALIZED VIEW
        77 CREATE TYPE
        78 DROP TYPE
        79 ALTER ROLE
        80 ALTER TYPE
        81 CREATE TYPE BODY
        82 ALTER TYPE BODY
        83 DROP TYPE BODY
        84 DROP LIBRARY
        85 TRUNCATE TABLE
        86 TRUNCATE CLUSTER
        91 CREATE FUNCTION
        92 ALTER FUNCTION
        93 DROP FUNCTION
        94 CREATE PACKAGE
        95 ALTER PACKAGE
        96 DROP PACKAGE
        97 CREATE PACKAGE BODY
        98 ALTER PACKAGE BODY
        99 DROP PACKAGE BODY
       100 LOGON
       101 LOGOFF
       102 LOGOFF BY CLEANUP
       103 SESSION REC
       104 SYSTEM AUDIT
       105 SYSTEM NOAUDIT
       106 AUDIT DEFAULT
       107 NOAUDIT DEFAULT
       108 SYSTEM GRANT
       109 SYSTEM REVOKE
       110 CREATE PUBLIC SYNONYM
       111 DROP PUBLIC SYNONYM
       112 CREATE PUBLIC DATABASE LINK
       113 DROP PUBLIC DATABASE LINK
       114 GRANT ROLE
       115 REVOKE ROLE
       116 EXECUTE PROCEDURE
       117 USER COMMENT
       118 ENABLE TRIGGER
       119 DISABLE TRIGGER
       120 ENABLE ALL TRIGGERS
       121 DISABLE ALL TRIGGERS
       122 NETWORK ERROR
       123 EXECUTE TYPE
       128 FLASHBACK
       129 CREATE SESSION
       157 CREATE DIRECTORY
       158 DROP DIRECTORY
       159 CREATE LIBRARY
       160 CREATE JAVA
       161 ALTER JAVA
       162 DROP JAVA
       163 CREATE OPERATOR
       164 CREATE INDEXTYPE
       165 DROP INDEXTYPE
       167 DROP OPERATOR
       168 ASSOCIATE STATISTICS
       169 DISASSOCIATE STATISTICS
       170 CALL METHOD
       171 CREATE SUMMARY
       172 ALTER SUMMARY
       173 DROP SUMMARY
       174 CREATE DIMENSION
       175 ALTER DIMENSION
       176 DROP DIMENSION
       177 CREATE CONTEXT
       178 DROP CONTEXT
       179 ALTER OUTLINE
       180 CREATE OUTLINE
       181 DROP OUTLINE
       182 UPDATE INDEXES
       183 ALTER OPERATOR
       197 PURGE USER_RECYCLEBIN
       198 PURGE DBA_RECYCLEBIN
       199 PURGE TABLESAPCE
       200 PURGE TABLE
       201 PURGE INDEX
       202 UNDROP OBJECT
       204 FLASHBACK DATABASE
       205 FLASHBACK TABLE
       206 CREATE RESTORE POINT
       207 DROP RESTORE POINT
       208 PROXY AUTHENTICATION ONLY
       209 DECLARE REWRITE EQUIVALENCE
       210 ALTER REWRITE EQUIVALENCE
       211 DROP REWRITE EQUIVALENCE
160 rows selected.