审计:记录数据库用户的操作,为故障分析、权限控制等提供有用的信息。
审计的类型:
语句审计:按照语句类型审计SQL语句,而不论访问何种特定的模式对象。也可以在数据库中指定一个或多个用户,针对特定的语句审计这些用户。
权限审计:审计系统权限,例如CREATE TABLE或ALTER INDEX。和语句审计一样,权限审计可以指定一个或多个特定的用户作为审计的目标。
模式对象审计:审计特定模式对象上运行的特定语句(例如,DEPARTMENTS表上的UPDATE语句)。模式对象审计总是应用于数据库中的所有用户。
细粒度的审计:根据访问对象的内容来审计表访问和权限。使用程序包DBMS_FGA来建立特定表上的策略。
相关参数
audit_file_dest:当审计信息记录在系统文件时的审计文件存放目录。
audit_sys_operations:默认为false,当设置为true时,所有sys用户(包括以sysdba,sysoper身份登录的用户)的操作都会被记录,audit trail不会写在aud$表中,这个很好理解,如果数据库还未启动aud$不可用,那么像conn /as sysdba这样的连接信息,只能记录在其它地方。如果是windows平台,audti trail会记录在windows的事件管理中,如果是linux/unix平台则会记录在audit_file_dest参数指定的文件中。
audit_trail参数值:
| 值 | 说明 |
| db | Enables database auditing and directs all audit records to the database audit trail (the SYS.AUD$ table) |
| db,extended | Enables database auditing and directs all audit records to the database audit trail (the SYS.AUD$ table). In addition, populates the SQLBIND and SQLTEXT CLOB columns of the SYS.AUD$ table. |
| os | Enables database auditing and directs all audit records to the operating system's audit trail. |
| xml | Enables database auditing and writes all audit records to XML format OS files. |
| xml,extended | Enables database auditing and prints all columns of the audit trail, including SqlText and SqlBind values. |
| nome | Disables database auditing |
注意:参数AUDIT_TRAIL不是动态的,为了使AUDIT_TRAIL参数中的改动生效,必须关闭数据库并重新启动。在对SYS.AUD$表进行审计时, 应该注意监控该表的大小,以避免影响SYS表空间中其他对象的空间需求。推荐周期性归档SYS.AUD$中的行,并且截取该表。
开启审计:
SQL> show parameter audit; NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ audit_file_dest string /u01/app/oracle/admin/ann/adum p audit_sys_operations boolean FALSE audit_syslog_level string audit_trail string NONE SQL> alter system set audit_trail=db,extended scope=spfile; System altered. SQL> startup force; ORACLE instance started. Total System Global Area 285212672 bytes Fixed Size 2020224 bytes Variable Size 146803840 bytes Database Buffers 134217728 bytes Redo Buffers 2170880 bytes Database mounted. Database opened. SQL> show parameter audit_trail; NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ audit_trail string DB, EXTENDED
可以看到审计已开启。
1.语句审计
语法:audit sql_statement_clause by {session | access} whenever [not] successful;
sql_statement_clause选项:
| 选项 | 说明 |
| ALTER SEQUENCE | ALTER SEQUENCE |
| ALTER TABLE | ALTER TABLE |
| COMMENT TABLE | COMMENT ON TABLE table, view, materialized view/COMMENT ON COLUMN table.column, view.column, materialized view.column |
| DELETE TABLE | DELETE FROM table, view |
| EXECUTE PROCEDURE | CALL/Execution of any procedure or function or access to any variable, library, or cursor inside a package. |
| GRANT DIRECTORY | GRANT privilege ON directory/REVOKE privilege ON directory |
| GRANT PROCEDUR | GRANT privilege ON procedure, function, package/REVOKE privilege ON procedure, function, package |
| GRANT SEQUENCE | GRANT privilege ON sequence/REVOKE privilege ON sequence |
| GRANT TABLE | GRANT privilege ON table, view, materialized view/REVOKE privilege ON table, view, materialized view |
| GRANT TYPE | GRANT privilege ON TYPE/REVOKE privilege ON TYPE |
| INSERT TABLE | INSERT INTO table, view |
| LOCK TABLE | LOCK TABLE table, view |
| SELECT SEQUENCE | Any statement containing sequence.CURRVAL or sequence.NEXTVAL |
| SELECT TABLE | SELECT FROM table, view, materialized view |
| UPDATE TABLE | UPDATE table, view |
例如:audit insert table by access whenever not successful;
实验:
--开启语句审计 SQL> audit insert table by access whenever not successful; Audit succeeded. --查看审计动作视图: SQL> select * from dba_stmt_audit_opts; USER_NAME PROXY_NAME AUDIT_OPTION SUCCESS FAILURE ------------------------------ ------------------------------ ---------------------------------------- ---------- ---------- INSERT TABLE NOT SET BY ACCESS --插入行 SQL> insert into test03 (id) values (3); 1 row created. SQL> commit; --查看审计记录 SQL> select username,userhost,timestamp,sql_text from dba_audit_trail; no rows selected --为何?因为audit_sys_operations=false/true时,sys的操作均不会记录到sys.aud$视图中,只有当audit_sys_operations=true时,才会记录到audit_file_dest目录中的*.aud文件中 [oracle@localhost adump]$ cat ora_13020.aud Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production With the Partitioning, OLAP and Data Mining options ORACLE_HOME = /u01/app/oracle/product/10.2/db_1 System name: Linux Node name: localhost.localdomain Release: 2.6.18-194.el5 Version: #1 SMP Tue Mar 16 21:52:39 EDT 2010 Machine: x86_64 ············· Mon Feb 18 18:07:22 2013 ACTION : 'insert into test03 (id) values (3)' DATABASE USER: '/' PRIVILEGE : SYSDBA CLIENT USER: oracle CLIENT TERMINAL: pts/1 STATUS: 0 ············ --验证其他用户,以sys用户开启审计,以user01登陆插入数据 SQL> audit insert table by access; Audit succeeded. SQL> select * from dba_stmt_audit_opts; USER_NAME PROXY_NAME AUDIT_OPTION SUCCESS FAILURE ------------------------------ ------------------------------ ---------------------------------------- ---------- ---------- INSERT TABLE BY ACCESS BY ACCESS --以user01用户插入数据 SQL> insert into test02(id) values(99); 1 row created. SQL> commit; Commit complete. --以sys用户查询审计结果 SQL> select username,userhost,timestamp,sql_text from dba_audit_trail where obj_name='TEST02'; USERNAME USERHOST TIMESTAMP SQL_TEXT ------------------------------ ------------------------------ ------------------------------ ---------------------------------------------------------------------------------------------------- USER01 localhost.localdomain 18-FEB-13 insert into test02(id) values(99) --sys用户登陆,清空审计及审计结果 SQL> noaudit insert table; Noaudit succeeded. SQL> select * from dba_stmt_audit_opts; no rows selected --清空审计结果 SQL> delete from sys.aud$; 51 rows deleted. SQL> commit; Commit complete. SQL> select username,userhost,timestamp,sql_text from dba_audit_trail where obj_name='TEST02'; no rows selected 实验完毕
2.权限审计
审计系统权限具有与语句审计相同的基本语法,但审计系统权限是在sql_statement_clause中,而不是在语句中,指定系统权限。
例如:SQL> audit insert tablespace by access whenever successful;
实验:
--用user01登陆,授权 SQL> grant insert on test02 to user02; Grant succeeded. --管理员登陆,添加审计 SQL> grant insert on test02 to user02; Grant succeeded. SQL> select * from dba_stmt_audit_opts; USER_NAME PROXY_NAME AUDIT_OPTION SUCCESS FAILURE ------------------------------ ------------------------------ ---------------------------------------- ---------- ---------- INSERT TABLE BY ACCESS BY ACCESS --审计添加成功 --user02进行insert操作 SQL> insert into user01.test02(id) values(100); 1 row created. SQL> commit; Commit complete. --验证 SQL> select username,userhost,timestamp,sql_text from dba_audit_trail where obj_name='TEST02'; USERNAME USERHOST TIMESTAMP SQL_TEXT ------------------------------ ------------------------------ --------- ---------------------------------------------------------------------------------------------------- USER02 localhost.localdomain 21-FEB-13 insert into user01.test02(id) values(100) --得证
3.模式对象审计。
审计对各种模式对象的访问,看起来类似于语句审计和权限审计,语法:
audit schema_object_clause by {session | access} whenever [not] successful;
schema_object_clause指定对象访问的类型以及访问的对象。可以审计特定对象上14种不同的操作类型:
| 选项 | 说明 |
| ALTER | 改变表、序列或物化视图 |
| AUDIT | 审计任何对象上的命令 |
| COMMENT | 添加注释到表、视图或物化视图 |
| DELETE | 从表、视图或物化视图中删除行 |
| EXECUTE | 执行过程、函数或程序包 |
| FLASHBACK | 执行表或视图上的闪回操作 |
| GRANT | 授予任何类型对象上的权限 |
| INDEX | 创建表或物化视图上的索引 |
| INSERT | 将行插入表、视图或物化视图中 |
| LOCK | 锁定表、视图或物化视图 |
| READ | 对DIRECTORY对象的内容执行读操作 |
| RENAME | 重命名表、视图或过程 |
| SELECT | 从表、视图、序列或物化视图中选择行 |
| UPDATE | 更新表、视图或物化视图 |
例如:SQL> audit insert, update on hr.jobs by access whenever successful;
实验:
--管理员登陆,添加对象审计 SQL> audit insert on user01.test02 by access; Audit succeeded. --查看审计是否成功添加 SQL> SELECT OWNER,OBJECT_NAME,OBJECT_TYPE FROM DBA_OBJ_AUDIT_OPTS; OWNER OBJECT_NAME OBJECT_TYPE ------------------------------ ------------------------------ ----------------- USER01 TEST02 TABLE --user01登陆,分别向test02和test04插入记录 SQL> insert into test02(id) values(300); 1 row created. SQL> commit; Commit complete. SQL> insert into test04(id) values(300); 1 row created. SQL> commit; Commit complete. --验证 SQL> select username,userhost,timestamp,sql_text from dba_audit_trail where obj_name='TEST02' or obj_name='TEST04'; USERNAME USERHOST TIMESTAMP SQL_TEXT ------------------------------ ------------------------------ --------- ---------------------------------------------------------------------------------------------------- USER01 localhost.localdomain 21-FEB-13 select * from test02 USER01 localhost.localdomain 21-FEB-13 insert into test02(id) values(300)
--可以看见只记录了对test02的插入操作,而未记录对test04的插入操作。
4.细粒度的审计
从Oracle9i开始,通过引入细粒度的对象审计,或称为FGA,审计变得更为关注某个方面,并且更为精确。由称为DBMS_FGA的PL/SQL程序包实现FGA。
使用标准的审计,可以轻松发现访问了哪些对象以及由谁访问,但无法知道访问了哪些行或列。细粒度的审计可解决这个问题,它不仅为需要访问的行指定谓词(或where子句),还指定了表中访问的列。通过只在访问某些行和列时审计对表的访问,可以极大地减少审计表条目的数量。
程序包DBMS_FGA具有4个过程:
| ADD_POLICY | 添加使用谓词和审计列的审计策略 |
| DROP_POLICY | 删除审计策略 |
| DISABLE_POLICY | 禁用审计策略,保留与表或视图关联的策略 |
| ENABLE_POLICY | 启用策略 |
实验:
--添加审计策略,条件为查询name字段则记录审计 SQL> exec sys.DBMS_FGA.ADD_POLICY(object_schema => 'USER01', object_name => 'TEST01', policy_name => 'POLICY_ANN01', audit_condition => '', audit_column => 'NAME',enable => TRUE,statement_types => 'SELECT'); PL/SQL procedure successfully completed. --查看策略是否成功添加 SQL> select OBJECT_SCHEMA, OBJECT_NAME, POLICY_NAME, POLICY_TEXT,POLICY_COLUMN, ENABLED, SEL, INS, UPD, DEL from DBA_AUDIT_POLICIES; OBJECT_SCHEMA OBJECT_NAME POLICY_NAME POLICY_TEXT POLICY_COLUMN ENA SEL INS UPD DEL ------------------------------ ------------------------------ ------------------------------ -------------------------------------------------- ------------------------------ --- --- --- --- --- USER01 TEST01 POLICY_ANN01 NAME YES YES NO NO NO --用user01用户登录查询test01,分别查询id列和name列 SQL> select id from test01; ID ---------- 2 SQL> select name from test01; NAME -------------------------------------------------- Attacker --sys登陆查看审计结果 SQL> select DB_USER,OBJECT_SCHEMA "SCHEMA",OBJECT_NAME,POLICY_NAME,SQL_TEXT from dba_fga_audit_trail; DB_USER SCHEMA OBJECT_NAME POLICY_NAME SQL_TEXT ------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------------------------------------------------------------------------------------------------- USER01 USER01 TEST01 POLICY_ANN01 select name from test01 --可以看见查询name列的sql语句已经被记录,而查询id列的语句则未被记录 --清除审计策略 SQL> execute sys.dbms_fga.drop_policy(object_schema => 'USER01', object_name => 'TEST01',policy_name => 'POLICY_ANN01'); PL/SQL procedure successfully completed.
细粒度审计还可以添加基于值的审计,例如插入ID>10的语句,需在添加审计策略时指定条件,详细可以参照sys.DBMS_FGA.ADD_POLICY()的audit_condition和statement_types参数,此处就不做相关实验了。
5.与审计相关的数据字典视图
| 数据字典视图 | 说明 |
| AUDIT_ACTIONS | 包含审计跟踪动作类型代码的描述,例如INSERT、DROP VIEW、DELETE、LOGON和LOCK |
| DBA_AUDIT_OBJECT | 与数据库中对象相关的审计跟踪记录 |
| DBA_AUDIT_POLICIES | 数据库中的细粒度审计策略 |
| DBA_AUDIT_POLICY_COLUMNS | 查看细粒度审计策略中被审计的列 |
| DBA_AUDIT_SESSION | 与CONNECT和DISCONNECT相关的所有审计跟踪记录 |
| DBA_AUDIT_STATEMENT | 与GRANT、REVOKE、AUDIT、NOAUDIT和ALTER SYSTEM命令相关的审计跟踪条目 |
| DBA_AUDIT_TRAIL | 包含标准审计跟踪条目,USER_AUDIT_TRAIL只包含已连接用户的审计行 |
| DBA_FGA_AUDIT_TRAIL | 细粒度审计策略的审计跟踪条目 |
| DBA_COMMON_AUDIT_TRAIL | 将标准的审计行和细粒度的审计行结合在一个视图中 |
| DBA_OBJ_AUDIT_OPTS | 对数据库对象生效的审计选项 |
| DBA_PRIV_AUDIT_OPTS | 对系统权限生效的审计选项 |
| DBA_STMT_AUDIT_OPTS | 对语句生效的审计选项 |