Database Auditing

Parameter: audit_trail

SQL> show parameter audit

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /data/admin/oral/adump
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string
audit_trail                          string      NONE

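Querying the parameters:

v$system_parameter shows whether a parameter is static.

v$parameter_valid_values lists the values that audit_trail accepts.

Configuring auditing requires an instance restart. Back up the spfile before making the change: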

create pfile='/oracle/app/product/10.2/dbs/pfile826.ora' from spfile;

alter system set AUDIT_TRAIL =DB_EXTENDED scope=spfile;

alter system set audit_sys_operations=true scope=spfile;

shutdown immediate

startup

To turn auditing off:

alter system set audit_trail=none scope=spfile;

Then restart the database.

If the audit table aud$ does not exist, create it manually:

SQL> conn / as sysdba

SQL> @?/rdbms/admin/cataudit.sql

Move the audit trail table to a new tablespace:

select * from aud$ ;

create tablespace aud datafile '/data/oradata/oral/aud01.dbf' size 10m autoextend on;

alter table aud$ move tablespace aud;

alter table aud$ move lob(sqlbind) store as (tablespace aud);

alter table aud$ move lob(sqltext) store as (tablespace aud);

alter index I_AUD1 rebuild tablespace aud;

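To delete audit records, delete the rows from the sys.aud$ table, which frees space in the tablespace.

Audit policies to enable

Detecting potential login attacks: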

audit create session by access whenever not successful;

audit connect by access whenever not successful;
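One way to review the failed-logon records that these two AUDIT statements produce (an added example, not part of the original page; the one-hour window and the threshold of 5 failures are assumed values to tune per site):

```sql
-- Added example: summarize failed logons per client host from DBA_AUDIT_SESSION.
-- Requires audit_trail = DB or DB_EXTENDED so that records land in AUD$.
-- Assumed values: 1-hour window (SYSDATE - 1/24) and threshold of 5 failures.
SELECT userhost,
       os_username,
       COUNT(*)                 AS failed_logons,
       COUNT(DISTINCT username) AS distinct_db_users,  -- many names from one host: guessing across accounts
       SUM(CASE WHEN returncode = 1017  THEN 1 ELSE 0 END) AS bad_password,    -- ORA-01017
       SUM(CASE WHEN returncode = 28000 THEN 1 ELSE 0 END) AS locked_account,  -- ORA-28000
       MIN(timestamp)           AS first_seen,
       MAX(timestamp)           AS last_seen
FROM   dba_audit_session
WHERE  action_name = 'LOGON'
AND    returncode <> 0              -- 0 = success; anything else is the ORA- error number
AND    timestamp > SYSDATE - 1/24
GROUP  BY userhost, os_username
HAVING COUNT(*) >= 5
ORDER  BY failed_logons DESC;
```

A high failed_logons count with distinct_db_users = 1 points at repeated guessing against a single account, while a high distinct_db_users count points at one client trying many account names.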

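Audit everything a user does:

audit all by scott;

The audit options currently in effect can be viewed with:

select * from dba_stmt_audit_opts;   -- statement audit options

select * from dba_priv_audit_opts;   -- system privilege audit options

select * from dba_obj_audit_opts;    -- object audit options; in the output S = SESSION, A = ACCESS

To audit per successful execution: audit select on t by access; SESSION means that only one success is recorded, and it is the default.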

Querying the audit results:

select * from dba_audit_trail;   -- where the audit results are stored

select * from dba_fga_audit_trail;

select * from dba_common_audit_trail;

DBA_AUDIT_EXISTS: lists the audit trail entries produced by AUDIT NOT EXISTS and AUDIT EXISTS; our default is always audit exists.

DBA_AUDIT_OBJECT: audit trail records for all objects (for example grant and revoke records); its content is entirely contained in dba_audit_trail.

DBA_AUDIT_SESSION: every row concerns a logon or a logoff.

DBA_AUDIT_STATEMENT: lists the audit trail entries for grant, revoke, audit, noaudit and alter system statements.

ALL_DEF_AUDIT_OPTS

When reviewing audit records, the main columns are: os_username, userhost, timestamp, owner, sql_bind, sql_text

SQL> select * from dba_audit_trail where  owner = 'AUDIT_TEST' order by timestamp;

Note: the owner value must be uppercase, for example owner = 'AUDIT_TEST'

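Auxiliary views

1. SYS.AUD$

The base table underneath the audit facility. To delete audit data, delete from aud$ only; the data in all the other views is derived from aud$.

select * from sys.audit_actions;     -- the auditable command actions; gives the meaning of the action column in aud$ and related views

select * from SYSTEM_PRIVILEGE_MAP;  -- gives the meaning of the priv$used column in aud$ and related views (note the leading '-')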
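The two lookups above can be joined straight to the base table, which makes the sign flip on priv$used concrete. This is an added example, not part of the original page; the one-day window is an assumed value.

```sql
-- Added example: decode recent SYS.AUD$ rows using AUDIT_ACTIONS and
-- SYSTEM_PRIVILEGE_MAP. Run as a user that can read SYS.AUD$ (e.g. SYSDBA).
-- Assumed value: 1-day window.
SELECT a.sessionid,
       a.userid,
       a.userhost,
       a.ntimestamp#                      AS event_time_utc,  -- ntimestamp# is stored in UTC
       act.name                           AS action_name,     -- meaning of action#
       spm.name                           AS privilege_used,  -- meaning of priv$used
       a.obj$creator || '.' || a.obj$name AS object_name,
       a.returncode                                           -- 0 = success, else ORA- error number
FROM   sys.aud$ a
JOIN   sys.audit_actions act
       ON act.action = a.action#
LEFT   JOIN system_privilege_map spm
       ON spm.privilege = -a.priv$used   -- positive in aud$, negative in the map
WHERE  a.ntimestamp# > SYS_EXTRACT_UTC(SYSTIMESTAMP) - INTERVAL '1' DAY
ORDER  BY a.ntimestamp#;
```

The LEFT JOIN keeps rows where no system privilege was used, for which privilege_used is NULL.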

Audit policy examples:

Enable auditing of an action for a user: audit create session by a;

Stop auditing: noaudit create session;

Enable SELECT auditing on a table: audit select on t whenever successful;

Audit the TABLE statements executed by user a: audit table by a;

audit CREATE TABLE by scott;

audit CREATE TABLE, CREATE VIEW, ALTER USER;

audit INDEX;  -- covers CREATE INDEX, DROP INDEX, ALTER INDEX and ANALYZE INDEX

audit INDEX by scott;

audit ALL whenever SUCCESSFUL;

AUDIT DELETE ANY TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;

audit select any table;

audit select any table, delete any table by scott, system;

audit select on SCOTT.EMP whenever successful;

audit delete on SCOTT.EMP by access;

audit ALL on SCOTT.EMP;

audit select on DEFAULT;

AUDIT NETWORK;

AUDIT ROLE WHENEVER NOT SUCCESSFUL;

AUDIT CREATE ANY DIRECTORY;

Audit quick reference

Quick Reference to Auditing Information

Database Audit mode

~~~~~~~~~~~~~~~~~~~

show parameter audit

AUDIT_TRAIL   --> DB, DB_EXTENDED, OS, XML, XML_EXTENDED, FALSE or NONE

AUDIT_FILE_DEST --> Audit File location

AUDIT_SYS_OPERATIONS --> Controls whether the activities of SYSDBA are audited or not.

AUDIT_SYSLOG_LEVEL    --> specifies a SYSLOG facility that will receive the audit information

What Statements are being audited ?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To set audit:

AUDIT [option] [BY user|SESSION|ACCESS] [WHENEVER {NOT} SUCCESSFUL]

select * from dba_stmt_audit_opts where USER_NAME='...';

Columns are:

AUDIT_OPTION from STMT_AUDIT_OPTION_MAP

SUCCESS 'BY SESSION', 'BY ACCESS' or 'NOT SET'

FAILURE ""

What Privileges are being audited ?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To set audit:

AUDIT [option] [BY user|SESSION|ACCESS] [WHENEVER {NOT} SUCCESSFUL]

select * from dba_priv_audit_opts where USER_NAME='...';

Columns are:

PRIVILEGE from SYSTEM_PRIVILEGE_MAP

SUCCESS 'BY SESSION', 'BY ACCESS' or 'NOT SET'

FAILURE ""

What Objects are being audited ?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To set Auditing:

AUDIT [object_option] ON [schema].object|DEFAULT [BY SESSION|ACCESS]

[WHENEVER {NOT} SUCCESSFUL]

select * from dba_obj_audit_opts where owner='..' and OBJECT_NAME='...';

select * from all_def_audit_opts;

Columns are:

ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE FBK REA

Each column holds a value of the form X/Y, where:

- is no option set

X is when successful

Y is when Unsuccessful

S set by session

A set by access

Audit results

~~~~~~~~~~~~~

Raw results can go to various places depending on the value of parameter AUDIT_TRAIL:

- when audit_trail is DB or DB_EXTENDED the audit data will go to AUD$ (DBA_AUDIT_TRAIL is a view on top of this table ).

Main where columns are: USERNAME, TIMESTAMP, OWNER

- when audit_trail is OS or XML or XML_EXTENDED the audit data will be written to files located in the AUDIT_FILE_DEST directory

- when AUDIT_SYSLOG_LEVEL is defined and audit_trail is set to OS the audit data will be sent to SYSLOG

For underlying results see:

Select STATEMENT, NTIMESTAMP#, ACTION#, USERID from SYS.AUD$;

Auditing administrative connections

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The administrative user connections (CONNECT / AS SYSDBA or CONNECT / AS SYSOPER) are always logged regardless of audit setting.

On UNIX platforms these are logged to *.aud files in $ORACLE_HOME/rdbms/audit when the instance is stopped and to AUDIT_FILE_DEST when the instance is started regardless of any init.ora parameter settings. See Note 103964.1 for more details.
