2008年(105)
分类: Oracle
2008-07-25 18:05:41
Oracle审计
1.
AUDIT_SYS_OPERATIONS = TRUE审计管理用户(以sysdba/sysoper角色登陆)
windows平台会保存到Event Viewer日志文件中,诸如
CONNECT / AS SYSDBA;
ALTER SYSTEM FLUSH SHARED_POOL;
UPDATE salary SET base=1000 WHERE name='myname';
的操作都会记录到windows事件中
AUDIT_TRAIL=OS时AUDIT_FILE_DEST定义审计的destination
2.
相关的视图
-- 审计记录
select * from sys.aud$
select * from dba_audit_trail
select * from dba_common_audit_trail
-- action的定义
select * from audit_actions
3.
多层环境下的审计
appserve-应用服务器
jackson-client?
AUDIT SELECT TABLE BY appserve ON BEHALF OF jackson;
4.
审计选项
Statement-诸如CREATE TABLE, TRUNCATE TABLE, COMMENT ON TABLE, and DELETE [FROM] TABLE等语句
Privilege-AUDIT CREATE ANY TRIGGER会审计使用CREATE ANY TRIGGER权限执行的语句
Object-审计特定对象上的特定语句,比如emp表上的ALTER TABLE语句
5.
BY SESSION/BY ACCESS-每个session或者每次访问
WHENEVER SUCCESSFUL/WHENEVER NOT SUCCESSFUL-成功/不成功
6.
审计连接或断开连接:
AUDIT SESSION;
-- 指定用户
AUDIT SESSION BY jeff, lori;
审计权限(使用该权限才能执行的操作):
AUDIT DELETE ANY TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;
AUDIT DELETE ANY TABLE;
AUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE
BY ACCESS WHENEVER NOT SUCCESSFUL;
对象审计:
AUDIT DELETE ON jeff.emp;
AUDIT SELECT, INSERT, DELETE ON jward.dept BY ACCESS WHENEVER SUCCESSFUL;
7.
取消审计
NOAUDIT session;
NOAUDIT session BY jeff, lori;
NOAUDIT DELETE ANY TABLE;
NOAUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE,EXECUTE PROCEDURE;
-- 取消所有statement审计
NOAUDIT ALL;
-- 取消所有权限审计
NOAUDIT ALL PRIVILEGES;
-- 取消所有对象审计
NOAUDIT ALL ON DEFAULT;
8.
清除审计信息
DELETE FROM SYS.AUD$;
DELETE FROM SYS.AUD$ WHERE obj$name='EMP';
9.
审计视图
STMT_AUDIT_OPTION_MAP-审计选项类型代码
AUDIT_ACTIONS-action代码
ALL_DEF_AUDIT_OPTS-对象创建时默认的对象审计选项
DBA_STMT_AUDIT_OPTS-当前数据库系统审计选项
DBA_PRIV_AUDIT_OPTS-权限审计选项
DBA_OBJ_AUDIT_OPTS
USER_OBJ_AUDIT_OPTS-对象审计选项
DBA_AUDIT_TRAIL
USER_AUDIT_TRAIL-审计记录
DBA_AUDIT_OBJECT
USER_AUDIT_OBJECT-审计对象列表
DBA_AUDIT_SESSION
USER_AUDIT_SESSION-session审计
DBA_AUDIT_STATEMENT
USER_AUDIT_STATEMENT-语句审计
DBA_AUDIT_EXISTS-使用BY AUDIT NOT EXISTS选项的审计
DBA_AUDIT_POLICIES-审计POLICIES
DBA_COMMON_AUDIT_TRAIL-标准审计+精细审计