溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
Oracle標準數據庫審核可以對一般用戶(不包括SYS)的各種權限操作進行審核和跟蹤。
一、標準數據庫審核的基本方法
1、開啟標準數據庫審核
初始化參數audit_trail是一個靜態參數,該參數確定如何啟用審核,不同的值表示是否開啟審核以及如何記錄審核。
該參數可以設定為如下的值:
none或flase(10g為默認):不審核;
db或true(11g為默認):審核結果記錄到數據庫表sys.aud$,可以通過視圖dba_audit_trail來查看結果;
os:審核結果記錄到操作系統文件中,Unix在audit_file_dest參數中指定,Windows則在應用程序日志中(事件查看器eventvwr);
db_extended:與db大致相同,但審核結果包含了具有綁定變量的SQL語句;
xml:與os大致相同,但使用xml來標記;
xml_extended:與xml大致相同,但審核結果包含了具有綁定變量的SQL語句。
2、指定審核選項
使用audit命令可以配置數據庫審核,標準數據庫審核包含以下幾類:
1)系統權限審核
審核系統權限的操作,如
audit create any table;
audit create any trigger;
審核某用戶的系統權限操作,如
audit select any table by scott;
訪問自己的表時不會做審核。
審核用戶的創建和刪除
audit create user, drop user;
查開啟的系統權限審核,通過數據字典dba_priv_audit_opts,11g默認會開啟以下審核
col user_name for a20
col proxy_name for a20
col privilege for a30
col success for a20
col failure for a20
select * from dba_priv_audit_opts;
USER_NAME PROXY_NAME PRIVILEGE SUCCESS FAILURE
--------------- --------------- ---------------------------------------- ---------- ----------
CREATE EXTERNAL JOB BY ACCESS BY ACCESS
CREATE ANY JOB BY ACCESS BY ACCESS
GRANT ANY OBJECT PRIVILEGE BY ACCESS BY ACCESS
EXEMPT ACCESS POLICY BY ACCESS BY ACCESS
CREATE ANY LIBRARY BY ACCESS BY ACCESS
GRANT ANY PRIVILEGE BY ACCESS BY ACCESS
DROP PROFILE BY ACCESS BY ACCESS
ALTER PROFILE BY ACCESS BY ACCESS
DROP ANY PROCEDURE BY ACCESS BY ACCESS
ALTER ANY PROCEDURE BY ACCESS BY ACCESS
CREATE ANY PROCEDURE BY ACCESS BY ACCESS
ALTER DATABASE BY ACCESS BY ACCESS
GRANT ANY ROLE BY ACCESS BY ACCESS
CREATE PUBLIC DATABASE LINK BY ACCESS BY ACCESS
DROP ANY TABLE BY ACCESS BY ACCESS
ALTER ANY TABLE BY ACCESS BY ACCESS
CREATE ANY TABLE BY ACCESS BY ACCESS
DROP USER BY ACCESS BY ACCESS
ALTER USER BY ACCESS BY ACCESS
CREATE USER BY ACCESS BY ACCESS
CREATE SESSION BY ACCESS BY ACCESS
AUDIT SYSTEM BY ACCESS BY ACCESS
ALTER SYSTEM BY ACCESS BY ACCESS
2)對象權限審核
對所有用戶(不包括sys,sys是不審核的),如
aduit alter, delete, drop, insert on scott.emp;
對某個用戶,如
audit select on hr.employees by scott;
對所有操作,如
audit all on hr.employees;
查開啟的對象審核,通過數據字典dba_obj_audit_opts,默認是都沒有開啟
select * from dba_obj_audit_opts;
OWNER OBJECT_NAME OBJECT_TYPE ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE CRE REA WRI FBK
---------- --------------- --------------- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- --- ----- ----- ----- ----- -----
3)語句審核
如審核表的所有DDL操作
audit table;
查開啟的語句審核,通過數據字典dba_stmt_audit_opts,11g默認會開啟以下審核,其中也包含了上述屬于系統權限的審核
col user_name for a20
col proxy_name for a20
col audit_option for a30
col success for a20
col failure for a20
select * from dba_stmt_audit_opts;
USER_NAME PROXY_NAME AUDIT_OPTION SUCCESS FAILURE
--------------- --------------- ---------------------------------------- ---------- ----------
ALTER SYSTEM BY ACCESS BY ACCESS
SYSTEM AUDIT BY ACCESS BY ACCESS
CREATE SESSION BY ACCESS BY ACCESS
CREATE USER BY ACCESS BY ACCESS
ALTER USER BY ACCESS BY ACCESS
DROP USER BY ACCESS BY ACCESS
PUBLIC SYNONYM BY ACCESS BY ACCESS
DATABASE LINK BY ACCESS BY ACCESS
ROLE BY ACCESS BY ACCESS
PROFILE BY ACCESS BY ACCESS
CREATE ANY TABLE BY ACCESS BY ACCESS
ALTER ANY TABLE BY ACCESS BY ACCESS
DROP ANY TABLE BY ACCESS BY ACCESS
CREATE PUBLIC DATABASE LINK BY ACCESS BY ACCESS
GRANT ANY ROLE BY ACCESS BY ACCESS
SYSTEM GRANT BY ACCESS BY ACCESS
ALTER DATABASE BY ACCESS BY ACCESS
CREATE ANY PROCEDURE BY ACCESS BY ACCESS
ALTER ANY PROCEDURE BY ACCESS BY ACCESS
DROP ANY PROCEDURE BY ACCESS BY ACCESS
ALTER PROFILE BY ACCESS BY ACCESS
DROP PROFILE BY ACCESS BY ACCESS
GRANT ANY PRIVILEGE BY ACCESS BY ACCESS
CREATE ANY LIBRARY BY ACCESS BY ACCESS
EXEMPT ACCESS POLICY BY ACCESS BY ACCESS
GRANT ANY OBJECT PRIVILEGE BY ACCESS BY ACCESS
CREATE ANY JOB BY ACCESS BY ACCESS
CREATE EXTERNAL JOB BY ACCESS BY ACCESS
4)其它審核配置
審核會話登錄
audit session;
這與審核create session權限的使用效果相同。
取消審核,通過noaudit命令指定
noaudit session;
noaudit all on scott.emp;
審核成功的操作,通過whenever successful選項指定,如審核表的成功插入
audit insert on scott.emp whenever successful;
審核不成功的操作,通過whenever not successful選項指定,如審核失敗的會話登錄
audit session whenever not successful;
默認情況下是審核所有的操作,不論成功與否。
會話級別上的審核,通過by session選項指定
audit update on scott.emp by session;
操作級別上的審核,通過by access選項指定
audit update on scott.emp by access;
對象權限審核默認是by session
系統權限審核默認是by access
3、查看審核記錄
如果審核針對數據庫(audit_trail=db或db_extended),則審核記錄寫入數據字典表sys.aud$中,雖然可以直接查看,但通過建立在其上的視圖來查看將更加方便。
常用的視圖是dba_audit_trail,其常用列的解釋如下:
os_username:執行操作的用戶的操作系統用戶名
username:執行操作的用戶的Oracle用戶名
userhost:運行用戶進程的計算機名稱
timestamp:審核事件的發生時間
owner,obj_name:受影響對象的模式和名稱
action,action_name:審核的操作,操作代碼action的對照含義可查數據字典表audit_actions
priv_used:使用的系統權限
sql_text:執行的語句
如果沒有表aud$及視圖dba_audit_trail,則需要執行審核相關的數據字典表的安裝腳本,安裝后要重啟數據庫,安裝腳本位于
%ORACLE_HOME%\rdbms\admin\cataudit.sql
其它審核視圖顯示了dba_audit_trail視圖的一個子集:
dba_audit_object
dba_audit_statement
dba_audit_session
二、標準數據庫審核實驗
1、創建實驗用表
create table scott.emp1 as select * from scott.emp;
grant all on scott.emp1 to hr;
2、啟用審核
audit all on scott.emp1 by access;
audit table;
alter system set audit_sys_operations=true scope=spfile;
alter system set audit_trail='db_extended' scope=spfile;
重啟數據庫實例
shutdown immediate
startup
實驗前可先清除審核結果表的所有記錄
truncate table sys.aud$;
3、進行sysdba的活動,并查看審核結果
以sysdba身份登錄并操作
select * from dba_users;
select * from scott.emp1;
create user audr1 identified by audr1;
drop user audr1;
create table scott.emp2 as select * from scott.emp1;
select * from scott.emp2;
drop table scott.emp2 purge;
查看sysdba的審核結果,由于開啟了sysdba審核,所以可以在操作系統文件和日志中看到所有操作記錄。Unix查看audit_file_dest指定的目標文件,Windows通過事件查看器eventvwr查看應用程序日志。另外可以看到SYS管理員的操作不會記入aud$中,視圖dba_audit_trail沒有相關記錄。
4、用system用戶登錄操作,并查看審核結果
select * from scott.emp;
select * from scott.emp1;
create user audr1 identified by audr1;
grant connect to audr1;
create table audr1.t1(n number);
select * from audr1.t1;
drop table audr1.t1 purge;
drop user audr1;
退出system的登錄
查看審核結果
col os_username for a20
col username for a20
col userhost for a20
col owner for a10
col obj_name for a20
col action_name for a20
col priv_used for a20
col sql_text for a50
select os_username, username, userhost, timestamp, owner, obj_name, action, action_name, priv_used, sql_text from dba_audit_trail order by timestamp desc;
OS_USERNAME USERNAME USERHOST TIMESTAMP OWNER OBJ_NAME ACTION ACTION_NAME PRIV_USED SQL_TEXT
-------------------- -------------------- -------------------- ------------------- ---------- -------------------- ---------- -------------------- -------------------- --------------------------------------------------
Administrator SYSTEM WORKGROUP\MYPC 2017-09-20 10:36:05 101 LOGOFF
Administrator SYSTEM WORKGROUP\MYPC 2017-09-20 10:35:59 AUDR1 53 DROP USER DROP USER drop user audr1
Administrator SYSTEM WORKGROUP\MYPC 2017-09-20 10:35:49 AUDR1 T1 12 DROP TABLE DROP ANY TABLE drop table audr1.t1 purge
Administrator SYSTEM WORKGROUP\MYPC 2017-09-20 10:35:32 AUDR1 T1 1 CREATE TABLE CREATE ANY TABLE create table audr1.t1(n number)
Administrator SYSTEM WORKGROUP\MYPC 2017-09-20 10:35:24 CONNECT 114 GRANT ROLE GRANT ANY ROLE grant connect to audr1
Administrator SYSTEM WORKGROUP\MYPC 2017-09-20 10:35:14 AUDR1 51 CREATE USER CREATE USER create user audr1 identified by *****
Administrator SYSTEM WORKGROUP\MYPC 2017-09-20 10:35:04 SCOTT EMP1 3 SELECT SELECT ANY TABLE select * from scott.emp1
Administrator SYSTEM WORKGROUP\MYPC 2017-09-20 10:34:33 100 LOGON CREATE SESSION
由于沒有對表scott.emp加入審核,因此對它的查詢未計入表中,而會話的登入登出、建表、刪表、授權是默認開啟的系統權限審核,因此這些操作被記入表中,同樣對表audr1.t1的查詢也不會加入審核。
5、清空aud$記錄,在sys下創建用戶audr1,并分別用audr1和hr用戶登錄操作,查看審核結果
sys的操作
create user audr1 identified by audr1;
grant connect to audr1;
audr1用戶登錄操作
select * from scott.emp1;
由于沒有給audr1訪問scott.emp1的權限,因此以上查詢將失敗
audr1用戶退出登錄
hr用戶登錄操作
select * from scott.emp1;
update scott.emp1 set sal=2000 where empno=7369;
commit;
update scott.emp1 set sal=2500 where empno=7369;
rollback;
hr用戶退出登錄
查看審核記錄
col os_username for a20
col username for a20
col userhost for a20
col owner for a10
col obj_name for a20
col action_name for a20
col priv_used for a20
col sql_text for a50
select os_username, username, userhost, timestamp, owner, obj_name, action, action_name, priv_used, sql_text from dba_audit_trail order by timestamp desc;
OS_USERNAME USERNAME USERHOST TIMESTAMP OWNER OBJ_NAME ACTION ACTION_NAME PRIV_USED SQL_TEXT
-------------------- -------------------- -------------------- ------------------- ---------- -------------------- ---------- -------------------- -------------------- --------------------------------------------------
Administrator HR WORKGROUP\MYPC 2017-09-20 10:42:29 101 LOGOFF
Administrator HR WORKGROUP\MYPC 2017-09-20 10:45:33 SCOTT EMP1 6 UPDATE update scott.emp1 set sal=2500 where empno=7369
Administrator HR WORKGROUP\MYPC 2017-09-20 10:42:17 SCOTT EMP1 6 UPDATE update scott.emp1 set sal=2000 where empno=7369
Administrator HR WORKGROUP\MYPC 2017-09-20 10:42:09 SCOTT EMP1 3 SELECT select * from scott.emp1
Administrator HR WORKGROUP\MYPC 2017-09-20 10:41:49 100 LOGON CREATE SESSION
Administrator AUDR1 WORKGROUP\MYPC 2017-09-20 10:41:41 101 LOGOFF
Administrator AUDR1 WORKGROUP\MYPC 2017-09-20 10:41:29 SCOTT EMP1 3 SELECT select * from scott.emp1
Administrator AUDR1 WORKGROUP\MYPC 2017-09-20 10:41:01 100 LOGON CREATE SESSION
由于默認是操作不論成功與否都會納入審核,因此audr1用戶失敗的查詢也被記錄,commit和rollback語句并沒有記錄,不管執行的語句最后是被提交還是回滾,更新操作總是被審核的。
6、取消對象審核
noaudit all on scott.emp1;
hr用戶再次登錄操作
select * from scott.emp1;
hr用戶退出登錄
查看審核記錄,確認審核只有用戶的登入登出,其它已取消。如果要將會話的登入登出記錄也取消,則執行noaudit session,但這樣一來,默認的系統權限審核將不再包括該項,除非執行audit session重新加入。
7、清空aud$記錄,改為會話級別的審核,并查看結果
audit all on scott.emp1 by session;
再次以hr用戶登錄并操作
select * from scott.emp1;
update scott.emp1 set sal=800 where empno=7369;
commit;
hr用戶退出登錄
查看審核記錄
col os_username for a20
col username for a20
col userhost for a20
col owner for a10
col obj_name for a20
col action_name for a20
col priv_used for a20
col sql_text for a50
select os_username, username, userhost, timestamp, owner, obj_name, action, action_name, priv_used, sql_text from dba_audit_trail order by timestamp desc;
OS_USERNAME USERNAME USERHOST TIMESTAMP OWNER OBJ_NAME ACTION ACTION_NAME PRIV_USED SQL_TEXT
-------------------- -------------------- -------------------- ------------------- ---------- -------------------- ---------- -------------------- -------------------- --------------------------------------------------
Administrator HR WORKGROUP\MYPC 2017-09-20 10:54:55 101 LOGOFF
Administrator HR WORKGROUP\MYPC 2017-09-20 10:54:44 SCOTT EMP1 103 SESSION REC update scott.emp1 set sal=800 where empno=7369
Administrator HR WORKGROUP\MYPC 2017-09-20 10:54:36 SCOTT EMP1 103 SESSION REC select * from scott.emp1
Administrator HR WORKGROUP\MYPC 2017-09-20 10:54:29 100 LOGON CREATE SESSION
比較可知,操作級別的審核明確記錄了action_name為select、update等,而會話級別的審核action_name只標明為session rec,但sql_text仍記錄了會話中每一步操作的SQL語句。
8、取消審核,清理恢復
noaudit all on scott.emp1;
drop user audr1;
drop table scott.emp1 purge;
alter system set audit_trail=false scope=spfile;
alter system set audit_sys_operations=false scope=spfile;
重啟數據庫實例
清空aud$記錄
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
