Oracle标准审计实战,过程详解。

2024年 6月 30日 74.3k 0

前言

最近很多咨询我Oracle的审计功能,下面我用一个案例给大家讲解下,过程非常清晰。我们都知道Oracle审计功能很强大,自身的审计功能分两种,一种是标准审计基本审计数据库和数据库对象发生了什么操作,一种是精确审计,可以审计sql级别,字段级别等。

当然Oracle也有自己的第三方审计产品,AVDF,有兴趣的可以去了解。

以下以用户密码被修改作为审计案例。

开启审计

审计级别

alter system set audit_trail=os scope=spfile;

Note:默认是DB级别,存放在system表空间,若将讲审计记录存放在表空间,可以把AUD$表迁移至专门的表空间存放,避免后期庞大影响系统登录。Oracle官方是建议审计记录存放在本地,当然也要定期清理。

审计sys的操作

alter system set audit_sys_operations=true scope=spfile;

Note:审计sys用户、sysdba、sysoper、sysasm之类的权限的操作。

查看审计日志存放目录

show parameter audit_file_dest


NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /oracle/app/oracle/admin/fordb
/adump
SQL>

重启数据库生效

shutdown immediate
startup

修改审计策略

查看

select * from dba_stmt_audit_opts;

Note:
dba_obj_audit_opts (对象级审计)
dba_priv_audit_opts (权限级审计)
dba_stmt_audit_opts (语句级审计)
11g默认有29个审计策略,
12c以后就取消了。

修改审计策略

noaudit all;
noaudit all statements;
noaudit all privileges;
noaudit EXEMPT ACCESS POLICY;
audit alter user by access;

Note:
本次以审计用户密码被修改作为案例,可以根据自身情况自定义。

查看

SQL> select AUDIT_OPTION from dba_stmt_audit_opts;

AUDIT_OPTION
----------------------------------------
ALTER USER

验证

修改密码

alter user system identified by oracle;

查看审计内容

[oracle@aix173 /oracle/app/oracle/admin/fordb/adump]$cat fordb_ora_16056492_20210818105717089062143795.aud
Audit file /oracle/app/oracle/admin/fordb/adump/fordb_ora_16056492_20210818105717089062143795.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /oracle/app/oracle/product/11.2.0.4/dbhome_1
System name: AIX
Node name: aix173
Release: 1
Version: 7
Machine: 00C310D54C00
Instance name: fordb
Redo thread mounted by this instance: 1
Oracle process number: 19
Unix process pid: 16056492, image: oracle@aix173 (TNS V1-V3)

Wed Aug 18 10:57:17 2021 -05:00
LENGTH: "240"
SESSIONID:[5] "51387" ENTRYID:[1] "1" STATEMENT:[1] "9" USERID:[6] "SYSTEM" USERHOST:[6] "aix173" TERMINAL:[5] "pts/1" ACTION:[2] "43" RETURNCODE:[1] "0" OBJ$NAME:[6] "SYSTEM" OS$USERID:[6] "oracle" DBID:[9] "498190680" PRIV$USED:[2] "22"

[oracle@aix173 /oracle/app/oracle/admin/fordb/adump]$

Note:审计文件后期会产生很多,很难查看,
因为只要用sysdba登录数据库就会产生一个文件,
不过sys产生的审计日志内容比较直观些。

sys产生的内容:

[oracle@aix173 /oracle/app/oracle/admin/fordb/adump]$cat fordb_ora_10879150_20210818105344009057143795.aud
Audit file /oracle/app/oracle/admin/fordb/adump/fordb_ora_10879150_20210818105344009057143795.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /oracle/app/oracle/product/11.2.0.4/dbhome_1
System name: AIX
Node name: aix173
Release: 1
Version: 7
Machine: 00C310D54C00
Instance name: fordb
Redo thread mounted by this instance: 1
Oracle process number: 19
Unix process pid: 10879150, image: oracle@aix173 (TNS V1-V3)

Wed Aug 18 10:53:44 2021 -05:00
LENGTH : '158'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[9] '498190680'

Wed Aug 18 10:53:44 2021 -05:00
LENGTH : '157'
ACTION :[6] 'COMMIT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[9] '498190680'

Wed Aug 18 10:53:44 2021 -05:00
LENGTH : '157'
ACTION :[6] 'COMMIT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[9] '498190680'

Wed Aug 18 10:54:05 2021 -05:00
LENGTH : '186'
ACTION :[34] ' alter user system identified by *'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[9] '498190680'

相关文章

Oracle如何使用授予和撤销权限的语法和示例
Awesome Project: 探索 MatrixOrigin 云原生分布式数据库
下载丨66页PDF,云和恩墨技术通讯(2024年7月刊)
社区版oceanbase安装
Oracle 导出CSV工具-sqluldr2
ETL数据集成丨快速将MySQL数据迁移至Doris数据库

发布评论