oracle审计

概述:
    数据库审计功能是oracle自身提供的对数据库操作进行记录的功能。
    可以审计权限的调用记录、用户的dml操作记录、查询操作记录等等
功能分类
    oracle审计分标准审计和细粒度审计(FGA)。
    标准审计又分语句审计、权限审计、模式对象审计。
    基于值的审计(Value-Based, 触发器审计)
    精细审计(FGA)
    
审计有关参数
SYS@PROD> show parameter audit;
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/PROD/adu
                                                 mp
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string
audit_trail                          string      DB
audit_trail
AUDIT_TRAIL = { none | os | db | db,extended | xml | xml,extended }
none 禁用数据库审计  不启用audit
os 将数据库审计记录定向到操作系统审计记录
  将审计结果存放到操作系统的文件里, audit_file_dest 指定的位置,
 一般用于审计 sys
db 将数据库所有审计记录定向到数据库的SYS.AUD$表
   一般用于审计非sys用户
  
db,extended 将数据库所有审计记录定向到数据库的SYS.AUD$表。
      可以包括绑定变量, CLOB 类型大对象等审计信息
      另外,填充SYS.AUD$表的SQLBIND 列和SQLTEXT CLOB 列。
xml 将所有记录写到XML格式的操作系统文件中。
xml,extended 输出审计记录的所有列,包括SqlText和SqlBind的值。

1、强制性审计
应用:  记录用户登录数据库的信息、数据库启动关闭
文件存储:
SYS@PROD> show parameter audit
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/PROD/adu
                                                 mp
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string
audit_trail                          string      DB
2、标准审计
应用: 默认对指定普通用户在数据库上的操作进行行为监控
审计记录  audit_trail  DB:审计结果存储在数据字典中(sys可以更新)
                      XML:审计结果以xml格式存储在操作系统下
                     
sys用户审计 audit_sys_operations  默认false,不启用对sys用户的审计;
                             建立sys审计,需设置为true,但审计结果不能存储在DB
审计结果
     1、audit$基表(可以删除)
     2、dba_audit_trail 视图
     
     
标准审计不记录用户的具体操作(sql_text)
【分类:】
1)基于语句的审计Auditing SQL statement
审计指定用户关于table的操作 
SYS@PROD> create user kobe identified by oracle;
User created.
SYS@PROD> grant create session,unlimited tablespace,create table to kobe;
Grant succeeded.
SYS@PROD> audit table by kobe whenever successful;
对kobe用户进行审计,当对表操作成功
Audit succeeded.
SYS@PROD> conn scott/tiger  在scott下删除表失败
Connected.
SCOTT@PROD> drop table t1 purge;
drop table t1 purge
           *
ERROR at line 1:
ORA-00942: table or view does not exist

SCOTT@PROD> drop table test purge;
drop table test purge
           *
ERROR at line 1:
ORA-00942: table or view does not exist

SCOTT@PROD> conn kobe/oracle
Connected.
KOBE@PROD> create table test(id number); kobe建表成功
Table created.
KOBE@PROD> insert into test values(1);
1 row created.
KOBE@PROD> drop table t1 ;  删除表失败
drop table t1
           *
ERROR at line 1:
ORA-00942: table or view does not exist

KOBE@PROD> drop table test purge; 删除表成功
Table dropped.
sys下查询审计结果
SYS@PROD> select username,timestamp,obj_name,action_name from dba_audit_trail
  2  where username='KOBE';
USERNAME             TIMESTAMP          OBJ_NAME             ACTION_NAME
-------------------- ------------------ -------------------- ----------------------------
KOBE                 31-MAY-18                               LOGON
KOBE                 31-MAY-18          TEST                 CREATE TABLE
KOBE                 31-MAY-18          TEST                 DROP TABLE
KOBE                 31-MAY-18                               LOGOFF
 最后审计结果里只有建表、删表成功
关闭审计
SYS@PROD> noaudit table by kobe;
Noaudit succeeded.
删除审计结果
SYS@PROD> delete from audit$;
29 rows deleted.
SYS@PROD> commit;
Commit complete.
2) 基于权限的审计Auditing Privileges
审计kobe用户的select any table权限
SYS@PROD> grant select any table to kobe;
Grant succeeded.
SYS@PROD> audit select any table by kobe;
Audit succeeded.
SYS@PROD> conn kobe/oracle
Connected.
KOBE@PROD> select count(*) from scott.emp;
  COUNT(*)
----------
        14
KOBE@PROD> conn / as sysdba
Connected.
SYS@PROD> col owner for a10
SYS@PROD> select username,timestamp,owner,obj_name,priv_used
  2  from dba_audit_trail where username='KOBE';
USERNAME             TIMESTAMP          OWNER      OBJ_NAME             PRIV_USED
-------------------- ------------------ ---------- -------------------- ----------------------------------------
KOBE                 31-MAY-18                                          CREATE SESSION
KOBE                 31-MAY-18          KOBE       TEST                 CREATE TABLE
KOBE                 31-MAY-18          KOBE       TEST
KOBE                 31-MAY-18
KOBE                 31-MAY-18          SCOTT      EMP                  SELECT ANY TABLE
关闭审计
SYS@PROD> noaudit select any table by kobe;
Noaudit succeeded.
3) 基于对象的审计Auditing Schema Objects
应用  对重要的object建立用户访问行为的跟踪
SYS@PROD> audit all on scott.emp;
Audit succeeded.
SYS@PROD> revoke select any table from kobe;
Revoke succeeded.
SYS@PROD> grant select,update on scott.emp to kobe;
Grant succeeded.
SYS@PROD> conn kobe/oracle
Connected.
KOBE@PROD> select * from scott.emp;
     EMPNO ENAME      JOB              MGR HIREDATE                  SAL       COMM     DEPTNO
---------- ---------- --------- ---------- ------------------ ---------- ---------- ----------
      7369 SMITH      CLERK           7902 17-DEC-80                 800                    20
      7499 ALLEN      SALESMAN        7698 20-FEB-81                1600        300         30
      7521 WARD       SALESMAN        7698 22-FEB-81                1250        500         30
      7566 JONES      MANAGER         7839 02-APR-81                2975                    20
      7654 MARTIN     SALESMAN        7698 28-SEP-81                1250       1400         30
      7698 BLAKE      MANAGER         7839 01-MAY-81                2850                    30
      7782 CLARK      MANAGER         7839 09-JUN-81                2450                    10
      7788 SCOTT      ANALYST         7566 19-APR-87                3000                    20
      7839 KING       PRESIDENT            17-NOV-81                5000                    10
      7844 TURNER     SALESMAN        7698 08-SEP-81                1500          0         30
      7876 ADAMS      CLERK           7788 23-MAY-87                1100                    20
      7900 JAMES      CLERK           7698 03-DEC-81                 950                    30
      7902 FORD       ANALYST         7566 03-DEC-81                3000                    20
      7934 MILLER     CLERK           7782 23-JAN-82                1300                    10
14 rows selected.
KOBE@PROD> update scott.emp set sal=100 where deptno=10;
3 rows updated.
KOBE@PROD> commit;
Commit complete.
KOBE@PROD> conn scott/tiger
Connected.
SCOTT@PROD> select * from emp;
     EMPNO ENAME      JOB              MGR HIREDATE                  SAL       COMM     DEPTNO
---------- ---------- --------- ---------- ------------------ ---------- ---------- ----------
      7369 SMITH      CLERK           7902 17-DEC-80                 800                    20
      7499 ALLEN      SALESMAN        7698 20-FEB-81                1600        300         30
      7521 WARD       SALESMAN        7698 22-FEB-81                1250        500         30
      7566 JONES      MANAGER         7839 02-APR-81                2975                    20
      7654 MARTIN     SALESMAN        7698 28-SEP-81                1250       1400         30
      7698 BLAKE      MANAGER         7839 01-MAY-81                2850                    30
      7782 CLARK      MANAGER         7839 09-JUN-81                 100                    10
      7788 SCOTT      ANALYST         7566 19-APR-87                3000                    20
      7839 KING       PRESIDENT            17-NOV-81                 100                    10
      7844 TURNER     SALESMAN        7698 08-SEP-81                1500          0         30
      7876 ADAMS      CLERK           7788 23-MAY-87                1100                    20
      7900 JAMES      CLERK           7698 03-DEC-81                 950                    30
      7902 FORD       ANALYST         7566 03-DEC-81                3000                    20
      7934 MILLER     CLERK           7782 23-JAN-82                 100                    10
14 rows selected.
SCOTT@PROD> delete from emp where deptno=10;
3 rows deleted.
SCOTT@PROD> conn / as sysdba
Connected.
SYS@PROD> select username,ses_actions,owner,obj_name,to_char(timestamp,'yyyy-mm-dd hh34:mi:ss')
from dba_audit_trail order by 1;
USERNAME             SES_ACTIONS         OWNER      OBJ_NAME             TO_CHAR(TIMESTAMP,'
-------------------- ------------------- ---------- -------------------- -------------------
KOBE                                                                     2018-05-31 14:19:25
KOBE                                     KOBE       TEST                 2018-05-31 14:19:40
KOBE                                     KOBE       TEST                 2018-05-31 14:20:22
KOBE                 ----------S-----    SCOTT      EMP                  2018-05-31 14:48:12
KOBE                 ---------S------    SCOTT      EMP                  2018-05-31 14:39:05
KOBE                 ---------S------    SCOTT      EMP                  2018-05-31 14:47:47
KOBE                                                                     2018-05-31 14:22:11
SCOTT                                                                    2017-06-15 21:51:47
SCOTT                                                                    2017-06-15 21:51:58
SCOTT                                                                    2018-05-31 14:18:54
SCOTT                ---S------------    SCOTT      EMP                  2018-05-31 14:48:55
SCOTT                ---------S------    SCOTT      EMP                  2018-05-31 14:48:37
SCOTT                                                                    2018-05-31 14:19:25
S:success 成功访问
F: failure 失败的访问
B:both 对对象的操作有成功,也有失败
标准审计不记录用户的具体操作(sql_text)
SES_ACTIONS字段共包含16个字符,初始状态都为“-”,当被审计的对象被操作后,
SES_ACTIONS会在相应的位置作出标识,标识为“S”的代表操作成功,标识为“F”的代表操作失败,
16个位置的字符所代表的操作依次如下:
1. Auditing ALTER
2. Auditing AUDIT
3. Auditing COMMIT
4. Auditing DELETE
5. Auditing GRANT
6. Auditing INDEX
7. Auditing INSERT
8. Auditing LOCK
9. Aduiting RENAME
10.Auditing SELECT
11.Auditing UPDATE
12.Auditing EXECUTE
13.Auditing CREATE
14.Auditing READ
15.Auditing WRITE
16.Auditing FLASHBACK
关闭审计
SYS@PROD> noaudit all on scott.emp;
Noaudit succeeded.
3、精细化审计(FGA)
应用 
  通过DBMS_FGA建立审计策略,更细化的记录用户访问object的相应sql text及不同条件建立审计
  
建立对emp1表的FGA
SYS@PROD> create table scott.emp1 as select * from scott.emp;
Table created.
添加一个精细度审计策略
SYS@PROD> begin
  2  dbms_fga.add_policy(
  3  object_schema=>'scott',
  4  object_name=>'emp1',
  5  policy_name=>'chk_emp1',
  6  audit_condition =>'deptno=20',
  7  audit_column =>'sal',
  8  statement_types =>'update,select');
  9  end;
 10  /
PL/SQL procedure successfully completed.
测试
SYS@PROD> conn scott/tiger
Connected.
SCOTT@PROD> select * from emp1 where deptno=20;
     EMPNO ENAME      JOB              MGR HIREDATE                  SAL       COMM     DEPTNO
---------- ---------- --------- ---------- ------------------ ---------- ---------- ----------
      7369 SMITH      CLERK           7902 17-DEC-80                 800                    20
      7566 JONES      MANAGER         7839 02-APR-81                2975                    20
      7788 SCOTT      ANALYST         7566 19-APR-87                3000                    20
      7876 ADAMS      CLERK           7788 23-MAY-87                1100                    20
      7902 FORD       ANALYST         7566 03-DEC-81                3000                    20
SCOTT@PROD> update scott.emp1 set sal=8000 where empno=7902;
1 row updated.
SCOTT@PROD> select empno,ename from scott.emp1 where deptno=20; 缺少sal列 不审计
     EMPNO ENAME
---------- ----------
      7369 SMITH
      7566 JONES
      7788 SCOTT
      7876 ADAMS
      7902 FORD
SCOTT@PROD> conn / as sysdba
Connected.                      虽然符合条件,默认不审计sys
SYS@PROD> select empno,ename,sal from scott.emp1 where deptno=20;
     EMPNO ENAME             SAL
---------- ---------- ----------
      7369 SMITH             800
      7566 JONES            2975
      7788 SCOTT            3000
      7876 ADAMS            1100
      7902 FORD             8000
查看审计结果
SYS@PROD> col db_user for a10
SYS@PROD> col sql_text for a60
SYS@PROD> select db_user,to_char(timestamp,'yyyy-mm-dd hh34:mi:ss') "time" ,sql_text
  2  from dba_fga_audit_trail;
DB_USER    time                SQL_TEXT
---------- ------------------- ------------------------------------------------------------
SCOTT      2018-05-31 15:28:52 select * from emp1 where deptno=20
SCOTT      2018-05-31 15:29:01 update scott.emp1 set sal=8000 where empno=7902
删除FGA策略
SYS@PROD> exec dbms_fga.drop_policy(object_schema=>'scott',object_name=>'emp1',policy_name=>'chk_emp1');
PL/SQL procedure successfully completed.
或者
SYS@PROD> execute dbms_fga.DROP_POLICY('scott','emp1','chk_emp1');
PL/SQL procedure successfully completed.
删除审计结果
SYS@PROD> select count(*) from fga_log$;
  COUNT(*)
----------
         2
 
SYS@PROD> delete from fga_log$;
2 rows deleted.
SYS@PROD> commit;
Commit complete. 

审计结果 
     fga_log$
     dba_fga_audit_trail     

4、应用审计(触发器)
应用  对object中数据的变化进行监控和跟踪
案例  跟踪emp表中sal字段的变化
SCOTT@PROD> create table audit_emp_change(name varchar2(10),
            oldsal number(6,2),newsal number(6,2),time date);
Table created.
SCOTT@PROD> desc audit_emp_change;
 Name                                                              Null?    Type
 ----------------------------------------------------------------- -------- --------------------------------------------
 NAME                                                                       VARCHAR2(10)
 OLDSAL                                                                     NUMBER(6,2)
 NEWSAL                                                                     NUMBER(6,2)
 TIME                                                                       DATE
建立触发器
SCOTT@PROD> create or replace trigger tr_sal_change
  2  after update of sal on scott.emp
  3  for each row
  4  declare
  5   v_temp int;
  6  begin
  7  select count(*) into v_temp from audit_emp_change
  8  where name=:old.ename;
  9   if v_temp=0 then
 10  insert into audit_emp_change
 11   values(:old.ename,:old.sal,:new.sal,sysdate);
 12  else
 13   update audit_emp_change
 14  set oldsal=:old.sal,newsal=:new.sal,time=sysdate
 15  where name=:old.ename;
 16  end if;
 17  end;
 18  /
Trigger created.
更新sal
SCOTT@PROD> update emp set sal=777 where empno=7788;
1 row updated.
SCOTT@PROD> commit;
Commit complete.
查看
SCOTT@PROD> select * from audit_emp_change;
NAME           OLDSAL     NEWSAL TIME
---------- ---------- ---------- ------------------
SCOTT            3000        777 31-MAY-18


本文名称:oracle审计
标题链接:http://myzitong.com/article/gcsoee.html