Oracle Unified Audit Trail (OUA) is a feature introduced in 12c.

THE SECURITY CYCLE

Auditing makes security more complete. Auditing is an after-the-fact activity; it does not prevent anything.

Access control cannot guarantee that unauthorized access never happens; people always make mistakes, in design, in implementation, and through oversight.

Auditing for Accountability

accountability: being answerable for one's actions

Auditing Provides the Feedback Loop

Worse than having data stolen is not knowing who the thief was, because then you do not know what to improve.

Two things matter: audit the right things, and interpret the audit records.

Auditing is a feedback mechanism; without it you cannot know whether your security controls are sound.

Auditing Is Not Overhead

Auditing does not add unnecessary overhead.

There is no need to audit all data; audit only the right data, processes and users.

Audit records are reviewed only when necessary, and audit data is purged or archived periodically.

AUDIT METHODS

These audit methods are complementary.

Infrastructure and Application Server Logs

These are fundamental and necessary, but incomplete; they need to be combined with other information, such as database audit records.

Application Auditing

The advantage is extensibility, since the code can be changed; it is also transparent to users.

It is controllable: the level of detail recorded, and whether records go to the database or to the file system.

Records are comprehensive: not only database access but all access can be recorded, for example access to multiple databases or to other resources.

If the application does not supply this information, database auditing is useless.

The downsides: the application is code, and code can have bugs. The application can also be bypassed, for example by accessing the database or the disk directly.

Trigger Auditing

This means database triggers. Advantages: transparent to the application, selective (can target specific columns), extensible (since it is code).

Disadvantage: it is not guaranteed; TRUNCATE and direct-path loads, for example, do not fire triggers.

Parameters cannot be passed in, and the user information available is limited, e.g. IP address and user name.

A trigger must be created for every object.

Database Auditing

There are four approaches:

  • mandatory SYS auditing (MSA)
  • traditional auditing (TA)
  • fine-grained auditing (FGA)
  • Oracle unified auditing (OUA)

See Oracle Database Auditing.

MSA audits database startup and shutdown and the activity of users connecting with administrative privileges (SYSDBA, SYSOPER, etc.). Its records are stored in the operating system.

TA audits session logon/logoff, object access, use of system privileges, and PL/SQL execution.

TA is the only option in 11gR2 and earlier.

FGA is policy-based, or conditional, auditing.

OUA is new in 12c; it covers all the functionality of the methods above, and the audit records are stored in one place (unified_audit_trail).

The biggest advantage of OUA is that you can define the conditions under which auditing occurs, so its performance is better than that of the earlier methods.

Another advantage is that it cannot be bypassed and supports all operations.

The disadvantage is that it is incomplete and must be combined with auditing at other layers; for instance, it cannot obtain the client's IP address.

ENABLING AUDITING IN THE DATABASE

For 11gR2 and earlier, TA plus MSA is recommended; for 12c and later, OUA plus MSA.

Audit Destination for Standard Auditing and FGA

If you are not going to use OUA, the first thing is to decide where the audit records are stored.

FGA records are stored in the table SYS.FGA_LOG$. TA records are stored in SYS.AUD$ or SYSTEM.AUD$.

MSA records are stored in the directory $ORACLE_BASE/admin/<SID>/adump, controlled by the parameter AUDIT_FILE_DEST.
Below are some audit-related settings in 19c:

SQL> SHOW PARAMETER audit

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /opt/oracle/admin/ORCLCDB/adump
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string
audit_trail                          string      NONE
unified_audit_common_systemlog       string
unified_audit_sga_queue_size         integer     1048576
unified_audit_systemlog              string

SQL> SELECT audit_trail
, parameter_name
, parameter_value
FROM dba_audit_mgmt_config_params
ORDER by audit_trail, parameter_name;

AUDIT_TRAIL                  PARAMETER_NAME                 PARAMETER_VALUE
---------------------------- ------------------------------ ------------------------------
FGA AUDIT TRAIL              DB AUDIT CLEAN BATCH SIZE      10000
FGA AUDIT TRAIL              DB AUDIT TABLESPACE            SYSAUX
OS AUDIT TRAIL               AUDIT FILE MAX AGE             5
OS AUDIT TRAIL               AUDIT FILE MAX SIZE            10000
OS AUDIT TRAIL               OS FILE CLEAN BATCH SIZE       1000
STANDARD AUDIT TRAIL         DB AUDIT CLEAN BATCH SIZE      10000
STANDARD AUDIT TRAIL         DB AUDIT TABLESPACE            SYSAUX
UNIFIED AUDIT TRAIL          AUDIT FILE MAX AGE             5
UNIFIED AUDIT TRAIL          AUDIT FILE MAX SIZE            10000
UNIFIED AUDIT TRAIL          AUDIT WRITE MODE               QUEUED WRITE MODE
UNIFIED AUDIT TRAIL          DB AUDIT TABLESPACE            SYSAUX
XML AUDIT TRAIL              AUDIT FILE MAX AGE             5
XML AUDIT TRAIL              AUDIT FILE MAX SIZE            10000
XML AUDIT TRAIL              OS FILE CLEAN BATCH SIZE       1000

14 rows selected.

As can be seen, audit_sys_operations is already TRUE, while audit_trail is NONE, meaning TA is not enabled. An example of setting it follows; the database must be restarted for it to take effect:

alter system set AUDIT_TRAIL=xml, extended scope=spfile;

In 12c, audit-related parameters must be set in the CDB, because the PDBs share them.

Enable Oracle Unified Auditing in Oracle Database 12c

In 12c, OUA can coexist with the other methods, but for performance and capacity reasons this is not recommended.

OUA performs well because it uses a cached (queued) write mode: audit records are first written to an SGA buffer and then flushed to disk. Queued mode is the default; it can be switched to immediate write mode:

BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE,
    DBMS_AUDIT_MGMT.AUDIT_TRAIL_IMMEDIATE_WRITE);
END;
/

Pure OUA mode requires AUDIT_TRAIL to be set to NONE:

alter system set AUDIT_TRAIL=none scope=spfile;

Currently, OUA is not enabled:

select parameter, value from v$option where parameter like '%Uni%';

PARAMETER
----------------------------------------------------------------
VALUE
----------------------------------------------------------------
Unified Auditing
FALSE

shutdown immediate

cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME

sqlplus / as sysdba
startup

select parameter, value from v$option where parameter like '%Uni%';

PARAMETER
----------------------------------------------------------------
VALUE
----------------------------------------------------------------
Unified Auditing
TRUE

WHO CONDUCTS THE AUDIT POLICY AND AUDIT REPORTING?

Following the separation-of-duties (SoD) principle, the roles of defining audit policy and of audit reporting should be separate.
The Security Administrator (SA) can be responsible for policy definition and be granted the AUDIT_ADMIN role; audit report viewers can be granted the AUDIT_VIEWER role.

Both roles exist only from 12c onwards.

Audit Administrator Role

The AUDIT_ADMIN role includes the AUDIT ANY and AUDIT SYSTEM privileges (the former for ordinary objects, the latter for system-level auditing) and the ability to define audit policies.

AUDIT_ADMIN can also execute the DBMS_AUDIT_MGMT and DBMS_FGA packages and query the audit-related views.

Audit Reporting Role

This role has read access to the audit-related views.

WHAT SHOULD BE AUDITED? CREATING THE AUDIT POLICY

Only after deciding why to audit and what to audit can auditing be implemented successfully. Otherwise you inevitably audit unnecessary objects, creating performance and management burdens. The clearer the goal, the more effective the audit.

When a user holds super-user privileges, auditing is the only means of ensuring those privileges are not abused or misused.

Best Practices for Audit Policies

In 12c, many policies are predefined and can be used directly.

  • Audit all actions of privileged users
  • Audit session start and end
    Include the necessary user information; the database user by itself means little, for example with connection pools. The application can set it with DBMS_SESSION.SET_IDENTIFIER. Also purge audit records periodically, in line with compliance requirements.
  • Audit account, privilege and audit-related administrative commands
  • Audit failed commands
    since they may indicate intrusion attempts
  • Audit data access and modification commands
    the most frequently accessed tables and the tables holding sensitive data
  • Audit object management commands
    such as CREATE and ALTER; auditing all DDL commands is recommended
  • Audit system management commands
    ALTER SYSTEM, ALTER DATABASE
  • Audit security policy management commands and configuration tables
    execution of audit-related packages, and access to configuration tables
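The periodic purge mentioned in the list is done with DBMS_AUDIT_MGMT. The following is an added example, not code from the original post: it flushes queued records, marks the point up to which the trail has already been archived, purges only older records, and schedules the purge. The 90-day window, the 24-hour interval and the job name UNIFIED_AUDIT_PURGE_90D are assumed values.

```sql
-- Added example: housekeeping of the unified audit trail, run by a user with AUDIT_ADMIN.
-- Assumption: records older than 90 days have already been copied to the archive/SIEM.

-- 1. Force queued records out of the SGA so the archive copy is complete.
BEGIN
  DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
END;
/

-- 2. Record the point up to which the trail has been archived (90 days ago).
--    Whatever job takes the archive copy must advance this timestamp each time,
--    otherwise the purge below stops removing anything.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);
END;
/

-- 3. Purge only records older than that timestamp, never the whole trail.
BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    use_last_arch_timestamp => TRUE);
END;
/

-- 4. Schedule the same purge every 24 hours so the trail does not grow unbounded.
BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_purge_interval => 24,
    audit_trail_purge_name     => 'UNIFIED_AUDIT_PURGE_90D',
    use_last_arch_timestamp    => TRUE);
END;
/

-- 5. Verify that the archive timestamp and the purge job are in place.
SELECT audit_trail, last_archive_ts
FROM   dba_audit_mgmt_last_arch_ts;

SELECT job_name, job_frequency, job_status
FROM   dba_audit_mgmt_cleanup_jobs;
```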

OUA Audit Policy Configuration

Default policies:

SELECT DISTINCT policy_name
FROM audit_unified_policies
ORDER BY policy_name;

POLICY_NAME
-------------------------
ORA_ACCOUNT_MGMT
ORA_CIS_RECOMMENDATIONS
ORA_DATABASE_PARAMETER
ORA_DV_AUDPOL
ORA_DV_AUDPOL2
ORA_LOGON_FAILURES
ORA_RAS_POLICY_MGMT
ORA_RAS_SESSION_MGMT
ORA_SECURECONFIG

9 rows selected.

SELECT *
FROM audit_unified_enabled_policies
ORDER BY policy_name;

POLICY_NAME               ENABLED_OPTION  ENTITY_NAM ENTITY_ SUCCESS    FAILURE
------------------------- --------------- ---------- ------- ---------- ----------
ORA_LOGON_FAILURES        BY USER         ALL USERS  USER    NO         YES
ORA_SECURECONFIG          BY USER         ALL USERS  USER    YES        YES

The details can be viewed:

SELECT policy_name, audit_option_type
, audit_option
FROM audit_unified_policies where policy_name in ( 'ORA_SECURECONFIG', 'ORA_LOGON_FAILURES')
ORDER BY policy_name, audit_option_type, audit_option
;
POLICY_NAME               AUDIT_OPTION_TYPE  AUDIT_OPTION
------------------------- ------------------ --------------------------------------
ORA_LOGON_FAILURES        STANDARD ACTION    LOGON
ORA_SECURECONFIG          OBJECT ACTION      EXECUTE
ORA_SECURECONFIG          OBJECT ACTION      EXECUTE
ORA_SECURECONFIG          STANDARD ACTION    ALTER DATABASE DICTIONARY
ORA_SECURECONFIG          STANDARD ACTION    ALTER DATABASE LINK
ORA_SECURECONFIG          STANDARD ACTION    ALTER PLUGGABLE DATABASE
ORA_SECURECONFIG          STANDARD ACTION    ALTER PROFILE
ORA_SECURECONFIG          STANDARD ACTION    ALTER ROLE
ORA_SECURECONFIG          STANDARD ACTION    ALTER USER
ORA_SECURECONFIG          STANDARD ACTION    CREATE DATABASE LINK
ORA_SECURECONFIG          STANDARD ACTION    CREATE DIRECTORY
ORA_SECURECONFIG          STANDARD ACTION    CREATE PLUGGABLE DATABASE
ORA_SECURECONFIG          STANDARD ACTION    CREATE PROFILE
ORA_SECURECONFIG          STANDARD ACTION    CREATE ROLE
ORA_SECURECONFIG          STANDARD ACTION    DROP DATABASE LINK
ORA_SECURECONFIG          STANDARD ACTION    DROP DIRECTORY
ORA_SECURECONFIG          STANDARD ACTION    DROP PLUGGABLE DATABASE
ORA_SECURECONFIG          STANDARD ACTION    DROP PROFILE
ORA_SECURECONFIG          STANDARD ACTION    DROP ROLE
ORA_SECURECONFIG          STANDARD ACTION    SET ROLE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   ADMINISTER KEY MANAGEMENT
ORA_SECURECONFIG          SYSTEM PRIVILEGE   ALTER ANY PROCEDURE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   ALTER ANY SQL TRANSLATION PROFILE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   ALTER ANY TABLE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   ALTER DATABASE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   ALTER SYSTEM
ORA_SECURECONFIG          SYSTEM PRIVILEGE   AUDIT SYSTEM
ORA_SECURECONFIG          SYSTEM PRIVILEGE   BECOME USER
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE ANY JOB
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE ANY LIBRARY
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE ANY PROCEDURE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE ANY SQL TRANSLATION PROFILE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE ANY TABLE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE EXTERNAL JOB
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE PUBLIC SYNONYM
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE SQL TRANSLATION PROFILE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   CREATE USER
ORA_SECURECONFIG          SYSTEM PRIVILEGE   DROP ANY PROCEDURE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   DROP ANY SQL TRANSLATION PROFILE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   DROP ANY TABLE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   DROP PUBLIC SYNONYM
ORA_SECURECONFIG          SYSTEM PRIVILEGE   DROP USER
ORA_SECURECONFIG          SYSTEM PRIVILEGE   EXEMPT ACCESS POLICY
ORA_SECURECONFIG          SYSTEM PRIVILEGE   EXEMPT REDACTION POLICY
ORA_SECURECONFIG          SYSTEM PRIVILEGE   GRANT ANY OBJECT PRIVILEGE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   GRANT ANY PRIVILEGE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   GRANT ANY ROLE
ORA_SECURECONFIG          SYSTEM PRIVILEGE   LOGMINING
ORA_SECURECONFIG          SYSTEM PRIVILEGE   PURGE DBA_RECYCLEBIN
ORA_SECURECONFIG          SYSTEM PRIVILEGE   TRANSLATE ANY SQL

50 rows selected.

Besides these two, enabling ORA_ACCOUNT_MGMT and ORA_DATABASE_PARAMETER is also recommended.

AUDIT POLICY ora_account_mgmt;
AUDIT POLICY ora_database_parameter;

SELECT *
FROM audit_unified_enabled_policies
ORDER BY policy_name;

POLICY_NAME               ENABLED_OPTION  ENTITY_NAM ENTITY_ SUCCESS    FAILURE
------------------------- --------------- ---------- ------- ---------- ----------
ORA_ACCOUNT_MGMT          BY USER         ALL USERS  USER    YES        YES
ORA_DATABASE_PARAMETER    BY USER         ALL USERS  USER    YES        YES
ORA_LOGON_FAILURES        BY USER         ALL USERS  USER    NO         YES
ORA_SECURECONFIG          BY USER         ALL USERS  USER    YES        YES

You can choose to audit on success or on failure, or to audit by user.

AUDIT POLICY ora_account_mgmt BY sys
WHENEVER NOT SUCCESSFUL;

SELECT *
FROM audit_unified_enabled_policies
ORDER BY policy_name;

POLICY_NAME               ENABLED_OPTION  ENTITY_NAM ENTITY_ SUCCESS    FAILURE
------------------------- --------------- ---------- ------- ---------- ----------
ORA_ACCOUNT_MGMT          BY USER         SYS        USER    NO         YES
ORA_ACCOUNT_MGMT          BY USER         ALL USERS  USER    YES        YES
ORA_DATABASE_PARAMETER    BY USER         ALL USERS  USER    YES        YES
ORA_LOGON_FAILURES        BY USER         ALL USERS  USER    NO         YES
ORA_SECURECONFIG          BY USER         ALL USERS  USER    YES        YES

We see that ORA_ACCOUNT_MGMT now has two entries; removing it completely takes two commands:

NOAUDIT POLICY ORA_ACCOUNT_MGMT;
NOAUDIT POLICY ORA_ACCOUNT_MGMT BY SYS;
AUDIT POLICY ORA_ACCOUNT_MGMT;
AUDIT POLICY ora_account_mgmt BY sys
WHENEVER NOT SUCCESSFUL;
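The two-entry situation generalizes: a policy can be enabled for ALL USERS, for individual users and with EXCEPT, and each row in AUDIT_UNIFIED_ENABLED_POLICIES needs its own NOAUDIT. This added example (not from the original post) generates the matching statement for every row; the ENABLED_OPTION value 'EXCEPT USER' is assumed from the 12.2 view layout, only 'BY USER' appears in the output above.

```sql
-- Added example: one NOAUDIT statement per enablement row of a policy.
-- With the rows shown above this yields
--   NOAUDIT POLICY ORA_ACCOUNT_MGMT;
--   NOAUDIT POLICY ORA_ACCOUNT_MGMT BY SYS;
SELECT policy_name,
       enabled_option,
       entity_name,
       success,
       failure,
       'NOAUDIT POLICY ' || policy_name ||
       CASE
         WHEN entity_name    = 'ALL USERS'   THEN ''                       -- enabled for everyone
         WHEN enabled_option = 'BY USER'     THEN ' BY '     || entity_name -- enabled for one user
         WHEN enabled_option = 'EXCEPT USER' THEN ' EXCEPT ' || entity_name -- assumed option value
       END || ';' AS noaudit_stmt
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'ORA_ACCOUNT_MGMT'
ORDER  BY enabled_option, entity_name;
```

Run the generated statements, then re-query the view: the policy is fully disabled only when no row for it remains.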

Auditing the session context: you can restrict it to particular users, and you can audit user-defined contexts as well:

AUDIT CONTEXT
NAMESPACE userenv
ATTRIBUTES authenticated_identity
,authentication_method
,client_identifier
,client_info
,ip_address
;

SELECT * FROM audit_unified_contexts
ORDER BY namespace, attribute, user_name;

NAMESPACE       ATTRIBUTE                                USER_NAME
--------------- ---------------------------------------- ---------------
USERENV         AUTHENTICATED_IDENTITY                   ALL USERS
USERENV         AUTHENTICATION_METHOD                    ALL USERS
USERENV         CLIENT_IDENTIFIER                        ALL USERS
USERENV         CLIENT_INFO                              ALL USERS
USERENV         IP_ADDRESS                               ALL USERS

5 rows selected.
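The CLIENT_IDENTIFIER attribute audited above is what ties a pooled connection back to an end user, as the best-practice list recommends with DBMS_SESSION.SET_IDENTIFIER. This is an added example, not from the original post; the pool account APP_POOL and the end-user name alice@example.com are constructed.

```sql
-- Added example: all pooled connections log on as the same schema user (assumed: APP_POOL),
-- so the application tags each request with the real end user before any audited work.

-- Application side, at the start of each request (constructed end-user name):
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('alice@example.com');
END;
/

-- ... the request's SQL runs here and is audited under the enabled policies ...

-- Application side, before handing the connection back to the pool:
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- Auditor side: attribute audited actions of the pool user to end users.
-- CLIENT_IDENTIFIER is a column of UNIFIED_AUDIT_TRAIL; APPLICATION_CONTEXTS holds the
-- attributes enabled with AUDIT CONTEXT above, so the same value appears in both.
SELECT event_timestamp,
       dbusername,
       client_identifier,
       action_name,
       object_schema || '.' || object_name AS audited_object,
       application_contexts
FROM   unified_audit_trail
WHERE  dbusername = 'APP_POOL'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp DESC;

-- Actions by the pool user with no identifier set are an accountability gap: either the
-- application skipped the tagging step, or someone used the pool account outside the
-- application. LOGON/LOGOFF are excluded because the identifier is not yet set at logon.
SELECT COUNT(*) AS untagged_actions
FROM   unified_audit_trail
WHERE  dbusername = 'APP_POOL'
AND    client_identifier IS NULL
AND    action_name NOT IN ('LOGON', 'LOGOFF')
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY;
```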

As LOGON/LOGOFF ACTIONS DON'T AUDIT WHEN UNIFIED AUDIT ENABLED (Doc ID 2435456.1) explains, ORA_SECURECONFIG does not include LOGON and LOGOFF, so you need to create your own policy:

CREATE AUDIT POLICY LOG_ON_OFF ACTIONS LOGON,LOGOFF;
AUDIT POLICY LOG_ON_OFF;

POLICY_NAME              ENABLED_OPTION  ENTITY_NAME          ENTITY_ SUC FAI
------------------------ --------------- -------------------- ------- --- ---
LOG_ON_OFF               BY USER         ALL USERS            USER    YES YES
ORA_ACCOUNT_MGMT         BY USER         ALL USERS            USER    YES YES
ORA_ACCOUNT_MGMT         BY USER         SYS                  USER    NO  YES
ORA_DATABASE_PARAMETER   BY USER         ALL USERS            USER    YES YES
ORA_LOGON_FAILURES       BY USER         ALL USERS            USER    NO  YES
ORA_SECURECONFIG         BY USER         ALL USERS            USER    YES YES

6 rows selected.

Then log on and off a few times, and there will be audit records:

exec DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

SELECT audit_type,
unified_audit_policies,
event_timestamp,
dbusername,
application_contexts
FROM unified_audit_trail
WHERE action_name = 'LOGON'
AND application_contexts IS NOT NULL
ORDER BY event_timestamp DESC;

AUDIT_TYPE  UNIFIED_AUDIT_POLICIES  EVENT_TIMESTAMP                         DBUSERNAME  APPLICATION_CONTEXTS
Standard    LOG_ON_OFF              28-8月 -20 11.51.12.553694000 上午      HR          (USERENV,AUTHENTICATED_IDENTITY=HR); (USERENV,AUTHENTICATION_METHOD=PASSWORD); (USERENV,CLIENT_IDENTIFIER=); (USERENV,CLIENT_INFO=); (USERENV,IP_ADDRESS=127.0.0.1)
Standard    LOG_ON_OFF              28-8月 -20 11.49.44.110506000 上午      SYS         (USERENV,AUTHENTICATED_IDENTITY=oracle); (USERENV,AUTHENTICATION_METHOD=OS); (USERENV,CLIENT_IDENTIFIER=); (USERENV,CLIENT_INFO=); (USERENV,IP_ADDRESS=)

The following are custom policies:

connect / as sysdba
alter session set container=orclpdb1;
select count(*) from sh.sales;

  COUNT(*)
----------
    918843

create table sh.sales_history as select * from sh.sales;

CREATE AUDIT POLICY sales_history_modification
ACTIONS
  ALTER     ON sh.sales_history,
  AUDIT     ON sh.sales_history,
  COMMENT   ON sh.sales_history,
  DELETE    ON sh.sales_history,
  FLASHBACK ON sh.sales_history,
  GRANT     ON sh.sales_history,
  INDEX     ON sh.sales_history,
  INSERT    ON sh.sales_history,
  RENAME    ON sh.sales_history,
  UPDATE    ON sh.sales_history;
AUDIT POLICY sales_history_modification;

CREATE AUDIT POLICY sales_history_read
ACTIONS
  SELECT    ON sh.sales_history;
AUDIT POLICY sales_history_read WHENEVER NOT SUCCESSFUL;

CREATE AUDIT POLICY system_any_priv_fail
PRIVILEGES SELECT ANY TABLE, INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE, EXECUTE ANY PROCEDURE;
AUDIT POLICY system_any_priv_fail
WHENEVER NOT SUCCESSFUL;

CREATE AUDIT POLICY recommended_actions
ACTIONS ALTER DISK GROUP, ALTER FLASHBACK ARCHIVE, CREATE DISK GROUP, CREATE FLASHBACK ARCHIVE,
        CREATE RESTORE POINT, FLASHBACK TABLE, DROP RESTORE POINT, DROP FLASHBACK ARCHIVE,
        PURGE INDEX, PURGE TABLE, PURGE TABLESPACE, TRUNCATE CLUSTER, TRUNCATE TABLE, CHANGE PASSWORD;
AUDIT POLICY recommended_actions;

CREATE AUDIT POLICY component_common_all
ACTIONS COMPONENT = DATAPUMP EXPORT, IMPORT
ACTIONS COMPONENT = DIRECT_LOAD LOAD;
ALTER AUDIT POLICY component_common_all
ADD ACTIONS COMPONENT = OLS ALL;
AUDIT POLICY component_common_all;

-- oracle-19c-vagrant is the host name when logging in from the Linux host; from SQL Developer on Windows it is YYXIAO-CN
CREATE AUDIT POLICY conditional_session
PRIVILEGES CREATE SESSION
ACTIONS LOGON
ROLES connect
WHEN 'NOT (SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''DBSNMP'' AND SYS_CONTEXT(''USERENV'', ''HOST'') = ''oracle-19c-vagrant'')'
EVALUATE PER STATEMENT;
AUDIT POLICY conditional_session;

-- Other options
-- EXECUTE ON owner.plsql_package
-- actions read, write on directory dir

The components and actions that can be audited are listed in:

select component, name from auditable_system_actions order by component;

SQL> select name from auditable_system_actions where component = 'Standard' order by name;

NAME
----------------------------------------------------------------
ADMINISTER KEY MANAGEMENT
ALL
ALTER ANALYTIC VIEW
ALTER ASSEMBLY
ALTER ATTRIBUTE DIMENSION
ALTER AUDIT POLICY
ALTER CLUSTER
ALTER DATABASE
ALTER DATABASE DICTIONARY
ALTER DATABASE LINK
ALTER DIMENSION
ALTER DISK GROUP
ALTER FLASHBACK ARCHIVE
ALTER FUNCTION
ALTER HIERARCHY
ALTER INDEX
ALTER INDEXTYPE
ALTER INMEMORY JOIN GROUP
ALTER JAVA
ALTER LIBRARY
ALTER LOCKDOWN PROFILE
ALTER MATERIALIZED VIEW
ALTER MATERIALIZED VIEW LOG
ALTER MATERIALIZED ZONEMAP
ALTER MINING MODEL
ALTER OPERATOR
ALTER OUTLINE
ALTER PACKAGE
ALTER PACKAGE BODY
ALTER PLUGGABLE DATABASE
ALTER PROCEDURE
ALTER PROFILE
ALTER RESOURCE COST
ALTER ROLE
ALTER ROLLBACK SEGMENT
ALTER SEQUENCE
ALTER SESSION
ALTER SYNONYM
ALTER SYSTEM
ALTER TABLE
ALTER TABLESPACE
ALTER TRACING
ALTER TRIGGER
ALTER TYPE
ALTER TYPE BODY
ALTER USER
ALTER VIEW
ANALYZE CLUSTER
ANALYZE INDEX
ANALYZE TABLE
ASSOCIATE STATISTICS
AUDIT
CALL
CHANGE PASSWORD
COMMENT
COMMIT
CREATE ANALYTIC VIEW
CREATE ASSEMBLY
CREATE ATTRIBUTE DIMENSION
CREATE AUDIT POLICY
CREATE CLUSTER
CREATE CONTEXT
CREATE DATABASE LINK
CREATE DIMENSION
CREATE DIRECTORY
CREATE DISK GROUP
CREATE EDITION
CREATE FLASHBACK ARCHIVE
CREATE FUNCTION
CREATE HIERARCHY
CREATE INDEX
CREATE INDEXTYPE
CREATE INMEMORY JOIN GROUP
CREATE JAVA
CREATE LIBRARY
CREATE LOCKDOWN PROFILE
CREATE MATERIALIZED VIEW
CREATE MATERIALIZED VIEW LOG
CREATE MATERIALIZED ZONEMAP
CREATE MINING MODEL
CREATE OPERATOR
CREATE OUTLINE
CREATE PACKAGE
CREATE PACKAGE BODY
CREATE PFILE
CREATE PLUGGABLE DATABASE
CREATE PROCEDURE
CREATE PROFILE
CREATE RESTORE POINT
CREATE ROLE
CREATE ROLLBACK SEGMENT
CREATE SCHEMA
CREATE SCHEMA SYNONYM
CREATE SEQUENCE
CREATE SPFILE
CREATE SYNONYM
CREATE TABLE
CREATE TABLESPACE
CREATE TRIGGER
CREATE TYPE
CREATE TYPE BODY
CREATE USER
CREATE VIEW
DELETE
DISASSOCIATE STATISTICS
DROP ANALYTIC VIEW
DROP ASSEMBLY
DROP ATTRIBUTE DIMENSION
DROP AUDIT POLICY
DROP CLUSTER
DROP CONTEXT
DROP DATABASE LINK
DROP DIMENSION
DROP DIRECTORY
DROP DISK GROUP
DROP EDITION
DROP FLASHBACK ARCHIVE
DROP FUNCTION
DROP HIERARCHY
DROP INDEX
DROP INDEXTYPE
DROP INMEMORY JOIN GROUP
DROP JAVA
DROP LIBRARY
DROP LOCKDOWN PROFILE
DROP MATERIALIZED VIEW
DROP MATERIALIZED VIEW  LOG
DROP MATERIALIZED ZONEMAP
DROP MINING MODEL
DROP OPERATOR
DROP OUTLINE
DROP PACKAGE
DROP PACKAGE BODY
DROP PLUGGABLE DATABASE
DROP PROCEDURE
DROP PROFILE
DROP RESTORE POINT
DROP ROLE
DROP ROLLBACK SEGMENT
DROP SCHEMA SYNONYM
DROP SEQUENCE
DROP SYNONYM
DROP TABLE
DROP TABLESPACE
DROP TRIGGER
DROP TYPE
DROP TYPE BODY
DROP USER
DROP VIEW
EXECUTE
EXPLAIN PLAN
FLASHBACK TABLE
GRANT
INSERT
LOCK TABLE
LOGOFF
LOGON
NOAUDIT
PURGE DBA_RECYCLEBIN
PURGE INDEX
PURGE RECYCLEBIN
PURGE TABLE
PURGE TABLESPACE
RENAME
REVOKE
ROLLBACK
SELECT
SET ROLE
SET TRANSACTION
TRUNCATE CLUSTER
TRUNCATE TABLE
UPDATE

172 rows selected.

To drop a policy, use DROP AUDIT POLICY.
To disable a policy, use NOAUDIT POLICY.

The script oua.demo.sql generates a series of operations. Then view the audit records:

SELECT audit_type,
unified_audit_policies,
event_timestamp,
action_name,sql_text
FROM unified_audit_trail
ORDER BY event_timestamp DESC;

AUDIT_TYPE UNIFIED_AUDIT_POLICIES                   EVENT_TIMESTAMP                ACTION_NAME                    SQL_TEXT
---------- ---------------------------------------- ------------------------------ ------------------------------ ------------------------------------------------------------
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.20.43.663602 PM   LOGON                          alter session set container=orclpdb1
Standard   LOG_ON_OFF                               28-AUG-20 01.18.04.072435 PM   LOGOFF
Standard   ORA_DATABASE_PARAMETER, ORA_SECURECONFIG 28-AUG-20 01.17.54.904151 PM   ALTER SYSTEM                   ALTER SYSTEM FLUSH SHARED_POOL
Standard   ORA_DATABASE_PARAMETER, ORA_SECURECONFIG 28-AUG-20 01.17.51.742300 PM   ALTER SYSTEM                   ALTER SYSTEM FLUSH SHARED_POOL
Standard   ORA_ACCOUNT_MGMT                         28-AUG-20 01.17.44.465629 PM   GRANT                          GRANT READ,WRITE ON DIRECTORY TMPDIR TO testaudit2
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.17.40.908735 PM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 01.17.40.635598 PM   LOGOFF
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.16.30.239839 PM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 01.16.30.187463 PM   LOGOFF
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.16.24.041023 PM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 01.16.23.854305 PM   LOGOFF
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.16.14.927063 PM   LOGON                          alter session set container=orclpdb1
Standard   ORA_LOGON_FAILURES, LOG_ON_OFF, CONDITIONAL_SESSION 28-AUG-20 01.16.00.265627 PM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 01.16.00.200436 PM   LOGOFF
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.14.59.564148 PM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 01.14.59.413794 PM   LOGOFF
Standard   ORA_DATABASE_PARAMETER, ORA_SECURECONFIG 28-AUG-20 01.14.34.508806 PM   ALTER SYSTEM                   ALTER SYSTEM FLUSH SHARED_POOL
Standard   ORA_ACCOUNT_MGMT                         28-AUG-20 01.14.30.309230 PM   GRANT                          GRANT READ,WRITE ON DIRECTORY TMPDIR TO testaudit2
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.14.08.411675 PM   DROP ROLE                      DROP ROLE audit_test_role
Standard                                            28-AUG-20 01.14.08.073966 PM   GRANT                          GRANT DBA TO audit_test_role
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.14.08.069762 PM   GRANT                          GRANT DBA TO audit_test_role
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.14.08.029903 PM   CREATE ROLE                    CREATE ROLE audit_test_role
Standard                                            28-AUG-20 01.14.02.699974 PM   REVOKE                         REVOKE DBA FROM testaudit1
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.14.02.697303 PM   REVOKE                         REVOKE DBA FROM testaudit1
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.13.52.219908 PM   ALTER USER                     ALTER USER testaudit1 QUOTA UNLIMITED ON users
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.13.47.814282 PM   ALTER USER                     ALTER USER testaudit2 QUOTA UNLIMITED ON users
Standard                                            28-AUG-20 01.13.36.694324 PM   GRANT                          GRANT CONNECT,CREATE TABLE TO testaudit2
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.13.36.692898 PM   GRANT                          GRANT CONNECT,CREATE TABLE TO testaudit2
Standard                                            28-AUG-20 01.13.35.654653 PM   GRANT                          GRANT CREATE SESSION, DBA TO testaudit1
Standard                                            28-AUG-20 01.13.35.651883 PM   GRANT                          GRANT CREATE SESSION, DBA TO testaudit1
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.13.35.648545 PM   GRANT                          GRANT CREATE SESSION, DBA TO testaudit1
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.13.32.074394 PM   CREATE USER                    CREATE USER testaudit2 IDENTIFIED BY *
Standard   ORA_ACCOUNT_MGMT, ORA_SECURECONFIG       28-AUG-20 01.13.32.048000 PM   CREATE USER                    CREATE USER testaudit1 IDENTIFIED BY *
Standard   ORA_SECURECONFIG                         28-AUG-20 01.13.31.956671 PM   CREATE DIRECTORY               CREATE DIRECTORY TMPDIR AS '/tmp'
Standard   LOG_ON_OFF, CONDITIONAL_SESSION          28-AUG-20 01.13.27.491994 PM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 01.13.27.322443 PM   LOGOFF
Standard   RECOMMENDED_ACTIONS                      28-AUG-20 01.00.35.152626 PM   TRUNCATE TABLE                 truncate table stats_advisor_filter_obj$
Standard   RECOMMENDED_ACTIONS                      28-AUG-20 01.00.35.138994 PM   TRUNCATE TABLE                 truncate table stats_advisor_filter_opr$
Standard   RECOMMENDED_ACTIONS                      28-AUG-20 01.00.35.126085 PM   TRUNCATE TABLE                 truncate table stats_advisor_filter_rule$
Standard   RECOMMENDED_ACTIONS                      28-AUG-20 01.00.07.568729 PM   TRUNCATE TABLE                 truncate table wri$_heatmap_topn_dep2
Standard   RECOMMENDED_ACTIONS                      28-AUG-20 01.00.07.022011 PM   TRUNCATE TABLE                 truncate table sys.wri$_heatmap_topn_dep1
Standard   RECOMMENDED_ACTIONS                      28-AUG-20 01.00.06.839838 PM   TRUNCATE TABLE                 truncate table sys.wri$_heatmap_top_tablespaces
Standard   ORA_SECURECONFIG                         28-AUG-20 12.01.39.243072 PM   AUDIT                          AUDIT POLICY conditional_session
Standard   ORA_SECURECONFIG                         28-AUG-20 12.01.34.237821 PM   CREATE AUDIT POLICY            CREATE AUDIT POLICY conditional_session PRIVILEGES CREATE SESSION ACTIONS LOGON
Standard   ORA_SECURECONFIG                         28-AUG-20 11.59.37.990976 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY component_dv_example ACTIONS COMPONENT=DV REALM VIOLATION ON
Standard   ORA_SECURECONFIG                         28-AUG-20 11.59.24.072757 AM   AUDIT                          AUDIT POLICY component_common_all
Standard   ORA_SECURECONFIG                         28-AUG-20 11.59.16.197608 AM   ALTER AUDIT POLICY             ALTER AUDIT POLICY component_common_all ADD ACTIONS COMPONENT = OLS ALL
Standard   ORA_SECURECONFIG                         28-AUG-20 11.58.58.554923 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY component_common_all ACTIONS COMPONENT = DATAPUMP EXPORT, IM
Standard   ORA_SECURECONFIG                         28-AUG-20 11.58.12.270863 AM   AUDIT                          AUDIT POLICY recommended_actions
Standard   ORA_SECURECONFIG                         28-AUG-20 11.58.03.249164 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY recommended_actions ACTIONS ALTER DISK GROUP,ALTER FLASHB
Standard   ORA_SECURECONFIG                         28-AUG-20 11.57.50.263862 AM   AUDIT                          AUDIT POLICY system_any_priv_fail WHENEVER NOT SUCCESSFUL
Standard   ORA_SECURECONFIG                         28-AUG-20 11.57.37.860801 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY system_any_priv_fail PRIVILEGES SELECT ANY TABLE,INSERT A
Standard   ORA_SECURECONFIG                         28-AUG-20 11.57.16.960857 AM   AUDIT                          AUDIT POLICY sales_history_read WHENEVER NOT SUCCESSFUL
Standard   ORA_SECURECONFIG                         28-AUG-20 11.56.59.354973 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY sales_history_read ACTIONS SELECT    ON sh.sales_history
Standard   ORA_SECURECONFIG                         28-AUG-20 11.56.41.134694 AM   AUDIT                          AUDIT POLICY sales_history_modification
Standard   ORA_SECURECONFIG                         28-AUG-20 11.56.31.183470 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY sales_history_modification ACTIONS ALTER     ON sh.sales_h
Standard                                            28-AUG-20 11.55.53.199133 AM   SELECT                         create table sh.sales_history as select * from sh.sales
Standard   ORA_SECURECONFIG                         28-AUG-20 11.55.53.198407 AM   CREATE TABLE                   create table sh.sales_history as select * from sh.sales
Standard   LOG_ON_OFF                               28-AUG-20 11.54.41.508125 AM   LOGON                          alter session set container=orclpdb1
Standard   LOG_ON_OFF                               28-AUG-20 11.54.34.914927 AM   LOGOFF
Standard   LOG_ON_OFF                               28-AUG-20 11.54.18.879839 AM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 11.51.12.553694 AM   LOGOFF
Standard   LOG_ON_OFF                               28-AUG-20 11.51.10.495337 AM   LOGON
Standard   LOG_ON_OFF                               28-AUG-20 11.49.44.110506 AM   LOGOFF
Standard   LOG_ON_OFF                               28-AUG-20 11.49.39.051850 AM   LOGON                          alter session set container=orclpdb1
Standard   ORA_SECURECONFIG                         28-AUG-20 11.47.37.456796 AM   AUDIT                          AUDIT POLICY LOG_ON_OFF
Standard   ORA_SECURECONFIG                         28-AUG-20 11.47.36.768654 AM   CREATE AUDIT POLICY            CREATE AUDIT POLICY LOG_ON_OFF ACTIONS LOGON,LOGOFF
Standard                                            28-AUG-20 11.44.06.888105 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard                                            28-AUG-20 11.42.36.213136 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard   ORA_SECURECONFIG                         28-AUG-20 11.42.11.483007 AM   AUDIT                          audit create session by hr
Standard                                            28-AUG-20 11.40.53.914740 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard                                            28-AUG-20 11.31.30.736585 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard                                            28-AUG-20 11.30.48.751162 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard                                            28-AUG-20 11.28.48.402668 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard                                            28-AUG-20 11.27.48.992515 AM   EXECUTE                        BEGIN DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL; END;
Standard                                            28-AUG-20 11.24.05.159645 AM   AUDIT                          AUDIT CONTEXT NAMESPACE userenv ATTRIBUTES authenticated_identity,authenticatio
Standard                                            28-AUG-20 11.24.05.158946 AM   AUDIT                          AUDIT CONTEXT NAMESPACE userenv ATTRIBUTES authenticated_identity,authenticatio
Standard                                            28-AUG-20 11.24.05.158337 AM   AUDIT                          AUDIT CONTEXT NAMESPACE userenv ATTRIBUTES authenticated_identity,authenticatio
Standard                                            28-AUG-20 11.24.05.155678 AM   AUDIT                          AUDIT CONTEXT NAMESPACE userenv ATTRIBUTES authenticated_identity,authenticatio
Standard   ORA_SECURECONFIG                         28-AUG-20 11.24.05.154315 AM   AUDIT                          AUDIT CONTEXT NAMESPACE userenv ATTRIBUTES authenticated_identity,authenticatio
Standard   ORA_SECURECONFIG                         28-AUG-20 11.12.44.877176 AM   AUDIT                          AUDIT POLICY ora_account_mgmt BY sys WHENEVER NOT SUCCESSFUL
Standard   ORA_SECURECONFIG                         28-AUG-20 11.12.28.577498 AM   AUDIT                          AUDIT POLICY ORA_ACCOUNT_MGMT
Standard   ORA_SECURECONFIG                         28-AUG-20 11.11.24.795566 AM   NOAUDIT                        noAUDIT POLICY ORA_ACCOUNT_MGMT BY SYS
Standard   ORA_SECURECONFIG                         28-AUG-20 11.10.09.291292 AM   NOAUDIT                        noAUDIT POLICY ORA_ACCOUNT_MGMT
Standard   ORA_SECURECONFIG                         28-AUG-20 11.09.49.885547 AM   AUDIT                          AUDIT POLICY ORA_ACCOUNT_MGMT
Standard   ORA_SECURECONFIG                         28-AUG-20 11.08.43.999801 AM   NOAUDIT                        noAUDIT POLICY ORA_ACCOUNT_MGMT
Standard   ORA_SECURECONFIG                         28-AUG-20 11.08.18.341272 AM   AUDIT                          AUDIT POLICY ora_database_parameter
Standard   ORA_SECURECONFIG                         28-AUG-20 11.07.50.320499 AM   NOAUDIT                        NOAUDIT POLICY ORA_DATABASE_PARAMETER
Standard   ORA_SECURECONFIG                         28-AUG-20 11.07.24.013187 AM   NOAUDIT                        NOAUDIT POLICY ora_account_mgmt  EXCEPT sys WHENEVER NOT SUCCESSFUL
Standard   ORA_SECURECONFIG                         28-AUG-20 11.06.52.949319 AM   NOAUDIT                        NOAUDIT POLICY ora_account_mgmt  EXCEPT sys
Standard   ORA_SECURECONFIG                         28-AUG-20 11.04.52.634360 AM   AUDIT                          AUDIT POLICY ora_account_mgmt EXCEPT sys WHENEVER SUCCESSFUL
Standard   ORA_SECURECONFIG                         28-AUG-20 11.04.43.956505 AM   ALTER PLUGGABLE DATABASE       ALTER PLUGGABLE DATABASE  OPEN
Standard                                            28-AUG-20 11.04.42.050496 AM   SELECT                         SELECT SYS_CONTEXT('USERENV','CDB_NAME'),    SYS_CONTEXT('USERENV','CON_NAME'),
Standard                                            28-AUG-20 11.04.39.961723 AM   ALTER PLUGGABLE DATABASE       ALTER PLUGGABLE DATABASE CLOSE IMMEDIATE
Standard   ORA_SECURECONFIG                         28-AUG-20 11.04.09.310056 AM   AUDIT                          AUDIT POLICY ora_account_mgmt EXCEPT sys WHENEVER SUCCESSFUL
Standard   ORA_SECURECONFIG                         28-AUG-20 11.04.02.162235 AM   NOAUDIT                        NOAUDIT POLICY ora_account_mgmt
Standard   ORA_SECURECONFIG                         28-AUG-20 11.03.30.827808 AM   AUDIT                          AUDIT POLICY ora_account_mgmt EXCEPT sys WHENEVER SUCCESSFUL
Standard   ORA_SECURECONFIG                         28-AUG-20 11.02.18.327682 AM   AUDIT                          AUDIT POLICY ora_account_mgmt BY sys WHENEVER NOT SUCCESSFUL
Standard   ORA_SECURECONFIG                         28-AUG-20 11.01.03.789528 AM   AUDIT                          AUDIT POLICY ora_database_parameter
Standard   ORA_SECURECONFIG                         28-AUG-20 11.01.03.660697 AM   AUDIT                          AUDIT POLICY ora_account_mgmt

100 rows selected.

Traditional Audit Policy Configuration

Before 12c, TA was the only option.

AUDIT CREATE SESSION;
AUDIT CONNECT;
AUDIT TABLE;
AUDIT DELETE ANY TABLE WHENEVER NOT SUCCESSFUL;
NOAUDIT TABLE;
AUDIT INSERT, UPDATE, DELETE ON sh.sales_history;
AUDIT SELECT ON sh.sales_history
WHENEVER NOT SUCCESSFUL;

Audit succeeded.

SELECT sel "select option"
FROM dba_obj_audit_opts
WHERE owner = 'SH'
AND object_name = 'SALES_HISTORY';

select op
---------
-/A

AUDIT SELECT ON sh.sales_history BY SESSION
WHENEVER SUCCESSFUL;

SELECT sel "select option"
FROM dba_obj_audit_opts
WHERE owner = 'SH'
AND object_name = 'SALES_HISTORY';

select op
---------
S/A

-- In the output above (success/failure): A = audited by access, S = audited by session, - = not audited

SELECT audit_option, success, failure
FROM dba_stmt_audit_opts
WHERE audit_option = 'CREATE SESSION';

AUDIT_OPTION                             SUCCESS    FAILURE
---------------------------------------- ---------- ----------
CREATE SESSION                           BY ACCESS  BY ACCESS
CREATE SESSION                           BY ACCESS  BY ACCESS

SELECT privilege, success, failure
FROM dba_priv_audit_opts
WHERE privilege = 'DELETE ANY TABLE';

PRIVILEGE                                SUCCESS    FAILURE
---------------------------------------- ---------- ----------
DELETE ANY TABLE                         NOT SET    BY ACCESS

TA audit records are stored in SYS.AUD$.

FINE-GRAINED AUDITING

The advantage of FGA over TA is that auditing can be conditional (the condition is written in SQL), which also eliminates unnecessary audit records.

FGA can even audit whether a particular row or column was accessed.

Enabling FGA

Use the DBMS_FGA package.

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'SH',
    object_name     => 'SALES_HISTORY',
    policy_name     => 'FGA_LARGE_ORDER',
    audit_condition => 'AMOUNT_SOLD > 1000',
    audit_column    => NULL,
    handler_schema  => NULL,
    handler_module  => NULL,
    enable          => TRUE,
    statement_types => 'INSERT,UPDATE,DELETE,SELECT');
END;
/

Test:

connect sh/orclpdb1
SQL> select PROD_ID, CUST_ID, AMOUNT_SOLD from SALES_HISTORY where AMOUNT_SOLD > 1000 and rownum < 10;

   PROD_ID    CUST_ID AMOUNT_SOLD
---------- ---------- -----------
        13        987     1232.16
        13       1660     1232.16
        13       1762     1232.16
        13       1843     1232.16
        13       1948     1232.16
        13       2273     1232.16
        13       2380     1232.16
        13       2683     1232.16
        13       2865     1232.16

9 rows selected.

Acting on the Audit

FGA supports an event handler, similar to a SELECT trigger, specified through handler_schema and handler_module. It can be used for additional processing, for example reading the executed statement from CURRENT_SQL in USERENV, or sending a message to an external system with UTL_TCP, UTL_HTTP or UTL_SMTP.
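As an added example (not code from the book or this post), a handler procedure that writes the statement text and client details to a custom log table, followed by the FGA_LARGE_ORDER policy re-created with the handler attached. The SEC_ADMIN schema, the FGA_EVENT_LOG table and the LOG_FGA_EVENT procedure are hypothetical names.

```sql
-- Added example, not from the book or the post; SEC_ADMIN, FGA_EVENT_LOG and LOG_FGA_EVENT are hypothetical.
CREATE TABLE sec_admin.fga_event_log (
  event_time   TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user      VARCHAR2(128),
  os_user      VARCHAR2(128),
  client_ip    VARCHAR2(64),     -- NULL for local (bequeath) sessions
  policy_name  VARCHAR2(128),
  object_name  VARCHAR2(261),
  sql_text     VARCHAR2(4000)
);

-- FGA calls the handler once per audited statement with exactly these three arguments.
CREATE OR REPLACE PROCEDURE sec_admin.log_fga_event (
  object_schema VARCHAR2,
  object_name   VARCHAR2,
  policy_name   VARCHAR2)
IS
  -- Commit the log row on its own so it survives a rollback of the audited statement.
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec_admin.fga_event_log
    (db_user, os_user, client_ip, policy_name, object_name, sql_text)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
     policy_name,
     object_schema || '.' || object_name,
     -- CURRENT_SQL is populated only while an FGA handler is running.
     SUBSTR(SYS_CONTEXT('USERENV', 'CURRENT_SQL'), 1, 4000));
  COMMIT;
END;
/

-- Re-create the policy defined above, this time with the handler attached.
BEGIN
  DBMS_FGA.DROP_POLICY(object_schema => 'SH', object_name => 'SALES_HISTORY',
                       policy_name   => 'FGA_LARGE_ORDER');
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'SH',
    object_name     => 'SALES_HISTORY',
    policy_name     => 'FGA_LARGE_ORDER',
    audit_condition => 'AMOUNT_SOLD > 1000',
    audit_column    => NULL,
    handler_schema  => 'SEC_ADMIN',
    handler_module  => 'LOG_FGA_EVENT',
    enable          => TRUE,
    statement_types => 'INSERT,UPDATE,DELETE,SELECT');
END;
/
```

An unhandled exception inside the handler makes the audited statement itself fail, so keep the handler short and let the autonomous transaction commit independently of the user's work.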

AUDIT STORAGE, AUDIT RETENTION, AND REPORTING

Retention is usually dictated by compliance requirements.

Oracle Audit Vault

AV (Audit Vault) can serve both audit reporting and retention, so audit records can be removed from the source systems as early as possible.

AV also supports third-party databases and operating systems.

AV reduces administrative complexity and resource consumption on the source systems and frees up space.

Because the data is consolidated in one place, global audit reports become possible.

AV resembles a data warehouse and is well suited to reporting.

Audit Trail Retention Under OUA

OUA audit data lives in the AUDSYS schema and can only be queried through the UNIFIED_AUDIT_TRAIL view.

MSA audit data lives under $ORACLE_BASE/audit/$ORACLE_SID.

Before purging, the records can be backed up to another table or exported to a file with Data Pump.

Purging is done with dedicated procedures: first set the archive timestamp, then clean:

BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => TRUNC(SYSTIMESTAMP - 2),
    container         => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/
SELECT COUNT(*) FROM unified_audit_trail;
BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    use_last_arch_timestamp => TRUE,
    container               => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
END;
/

Audit Trail Retention Under Traditional Auditing

Audit data under TA:

  • .xml and .aud files under $ORACLE_BASE/admin//adump
  • SYS.AUD$ or SYSTEM.AUD$ for TA and OLS
  • SYS.FGA$ for FGA
  • DVSYS.AUDIT_TRAIL$ for DBV

The purge method is the same as for OUA.
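The same DBMS_AUDIT_MGMT procedures applied to the traditional trail (SYS.AUD$ and SYS.FGA$), as an added example that is not from the book or this post, with a scheduled purge job on top; the 30-day retention, the 24-hour interval and the job name PURGE_TA_30D are assumed values.

```sql
-- Added example, not from the book or the post; retention window, interval and job name are assumed.
BEGIN
  -- One-time setup: relocates AUD$/FGA$ to SYSAUX and enables cleanup; skipped if already done.
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
      default_cleanup_interval => 24);   -- hours
  END IF;

  -- Archive boundary: rows older than this are eligible for purge. Set it only after the
  -- rows have been copied off (Audit Vault, a backup table or a Data Pump export).
  -- SET_LAST_ARCHIVE_TIMESTAMP takes the AUD$ and FGA$ trails separately, not DB_STD.
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '30' DAY);
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '30' DAY);

  -- Immediate purge of both tables, honouring the timestamps just set.
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    use_last_arch_timestamp => TRUE);

  -- Recurring purge every 24 hours so the trail never grows past the retention window.
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    audit_trail_purge_interval => 24,
    audit_trail_purge_name     => 'PURGE_TA_30D',
    use_last_arch_timestamp    => TRUE);
END;
/
```

With use_last_arch_timestamp => TRUE the job only removes rows older than the archive timestamp, so the timestamp has to be advanced on each archive cycle or the purge silently stops making progress.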

Reporting on Database History

To find out what data an intruder saw at a given point in time, use the Flashback Data Archive feature.

For example:

CREATE FLASHBACK ARCHIVE
DEFAULT sales_archive TABLESPACE sales
QUOTA 1G RETENTION 5 YEAR;

ALTER TABLE sales_history
FLASHBACK ARCHIVE;

Query:

select * from sales_history as of timestamp ...

Data in a flashback archive can be removed with PURGE BEFORE TIMESTAMP or PURGE BEFORE SCN.
