本文介绍了“什么是审计方法”的知识。很多人在实际案件操作中都会遇到这样的困难。接下来,让边肖带领大家学习如何应对这些情况!希望大家认真阅读,学点东西!
audit_trail的值为NONE,表示不会打开;
和审计相关的两个主要参数:1.audit_sys_operations:默认为false,当设置为true时,审计管理用户(sysdba/sysoper角色登陆)的操作都会被记录,audit trail不会写在aud$表中,这个很好理解,如果数据库还未启动aud$不可用,那么像conn /as sysdba这样的连接信息,只能记录在其它地方。如果是windows平台,audti trail会记录在windows的事件管理中,如果是linux/unix平台则会记录在audit_file_dest参数指定的文件中。2.audit_trail:None:是10g默认值,不做审计;11g默认值DB,将审计结果记录到aud$表中;
audit_trail的值为FALSE,表示不会打开;
audit_trail的值为DB,表示开放;
audit_trail的值为true,表示开放;
audit_trail的值是OS,这意味着审计记录被写入操作系统文本。
3.oracle审计日志清理
-输入审核日志目录:
CD $ ORACLE _ BASE/admin/$ ORACLE _ SID/adum p
-删除3个月前的审核文件:
找到。/-键入f -name '*。aud' -mtime 91|xargs rm -f
-立即清空所有审计文件。
找到。/-键入f -name '*。aud“| xargs RM-f
找到。/-mtime 7 -name '*。“aud”类型f删除
注意:
用后缀记录审计文件。Oracle $ Oracle _ base/admin/$ Oracle _ sid/adump目录中的aud。
因此,数据库功能打开,审计日志同时记录在aud$表和操作系统aud文件中。设置为NONE,它仍将记录在操作系统aud文件中,没有其他方法。
*数据库的表为:系统澳元$
*操作系统目录为$ ORACLE _ BASE/admin/instance name/adump/http://www . Sina.com/4.审计:启停数据库,其他操作记录在警报日志中。这些是强制性审计,这是甲骨文。
自动打开。
4.2标准数据库审计4.1 强制性审计
4.3基于价值的审计show parameter audit_trail
4.4精细审计(FGA)这个是通过我们自己编写的触发器来完成的。
4.5数据库管理员审核可以针对某一列进行更细致的审计安全管理员对 DBA 的审计标准数据库审计- 审计语法:audit sql_statement_clause by {session | access} whenever [not] successful;by session,在一个会话中,同类型的操作只审计一条by access,每个符合审计的操作全部审计- 审计相关参数( audit_trail):http://
os:将 audit trail 记录在操作系统文件中,文件名由 audit_file_dest 参数指定;
db: 11g 默认值,将审计结果记录到 aud$表中;
db,extended:将审计结果记录到 aud$表中,同时包括绑定变量及 CLOB 字段;
xml:记录 OS 文件的是 XML 格式的审计记录;
xml,extended:记录OS 文件的是 XML 格式的审计记录,同时包括绑定变量及 CLOB 字段。
oracle10g:默认审计参数为 NONE,即未开启
Oracle11g:默认审计参数为 DB
实验一:审计开启os
[oracle@wang ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Sun Aug 13 08:11:24 2017
Copyright (c) 1982, 2013, Oracle. All rights reserved.Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/DBdb/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB
SQL>
SQL> alter system set audit_trail='OS' scope=spfile;
System altered.
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 835104768 bytes
Fixed Size 2257840 bytes
Variable Size 549456976 bytes
Database Buffers 281018368 bytes
Redo Buffers 2371584 bytes
Database mounted.
Database opened.
SQL>
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/DBdb/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string OS
SQL>
--查看os层的审计文件
[oracle@wang adump]$ cd /u01/app/oracle/admin/DBdb/adump
--进行相关操作
SQL> conn scott/tiger; Connected. SQL> alter session set nls_date_format='yyyy-mm-dd hh34:mi:ss'; Session altered. SQL> select sysdate from dual; SYSDATE ------------------- 2018-01-26 00:28:58
SQL> select * from tab;
TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
BONUS TABLE
DEPT TABLE
EMP TABLE
JOBS TABLE
SQL> create table a as select * from user_objects;
Table created.
SQL> insert into a select * from a;
10 rows created.
SQL> commit;
Commit complete.
SQL> update a set object_id=1;
20 rows updated.
SQL> commit;
Commit complete.
SQL> delete a where rownum <10;
9 rows deleted.
SQL> commit;
Commit complete.
SQL> truncate table a;
Table truncated.
SQL> drop table a purge;
Table dropped.
--查看审计文件:
[oracle@wang adump]$ pwd
/u01/app/oracle/admin/DBdb/adump
[oracle@wang adump]$
[oracle@wang adump]$
[oracle@wang adump]$ ll
total 24
-rw-r----- 1 oracle oinstall 772 Jan 26 00:22 DBdb_ora_27579_20180126002238441832143795.aud
-rw-r----- 1 oracle oinstall 755 Jan 26 00:26 DBdb_ora_27630_20180126002622032142143795.aud
-rw-r----- 1 oracle oinstall 762 Jan 26 00:26 DBdb_ora_27630_20180126002623437420143795.aud
-rw-r----- 1 oracle oinstall 768 Jan 26 00:26 DBdb_ora_27669_20180126002623481070143795.aud
-rw-r----- 1 oracle oinstall 772 Jan 26 00:26 DBdb_ora_27674_20180126002627838313143795.aud
-rw-r----- 1 oracle oinstall 877 Jan 26 00:28 DBdb_ora_27722_20180126002816963203143795.aud
[oracle@wang adump]$
--查看审计日志
[oracle@wang adump]$
more DBdb_ora_27722_20180126002816963203143795.aud
Audit file /u01/app/oracle/admin/DBdb/adump/DBdb_ora_27722_20180126002816963203143795.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1
System name: Linux
Node name: wang
Release: 3.10.0-327.el7.x86_64
Version: #1 SMP Thu Oct 29 17:29:29 EDT 2015
Machine: x86_64
Instance name: DBdb
Redo thread mounted by this instance: 1
Oracle process number: 29
Unix process pid: 27722, image: oracle@wang (TNS V1-V3)
Fri Jan 26 00:28:16 2018 +08:00
LENGTH: "266"
SESSIONID:[7] "7450116" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "SCOTT" USERHOST:[4] "wang" TERMINAL:[5] "pts/1" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:
[26] "Authenticated by: DATABASE" OS$USERID:[6] "oracle" DBID:[10] "3282897732" PRIV$USED:[1] "5"
[oracle@wang adump]$
实验证明os层不记录数据库相关操作,只有一些登入登出数据库操作实验二:
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/DBdb/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string OS
SQL>
SQL> alter system set audit_trail='DB' scope=spfile;
System altered.
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL>
SQL> startup
ORACLE instance started.
Total System Global Area 835104768 bytes
Fixed Size 2257840 bytes
Variable Size 549456976 bytes
Database Buffers 281018368 bytes
Redo Buffers 2371584 bytes
Database mounted.
Database opened.
SQL>
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/DBdb/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB
SQL>
SQL>
--确认审计相关的表是否已经安装
select * from sys.aud$; -- 没有记录返回
select * from dba_audit_trail; -- 没有记录返回
如果做上述查询的时候发现表不存在,说明审计相关的表还没有安装,需要安装。
@$ORACLE_HOME/rdbms/admin/cataudit.sql
审计表安装在SYSTEM表空间。所以要确保SYSTEM表空间又足够的空间存放审计信息。
--查询审计表aud$情况:
SQL> col owner for a10
SQL> col table_name for a15
SQL> col TABLESPACE_NAME for a15
SQL> alter session set nls_date_format='yyyy-mm-dd hh34:mi:ss';
Session altered.
SQL> select OWNER,TABLE_NAME,TABLESPACE_NAME,STATUS,LAST_ANALYZED from dba_tables where table_name='AUD$';
OWNER TABLE_NAME TABLESPACE_NAME STATUS LAST_ANALYZED
---------- --------------- --------------- -------- -------------------
SYS AUD$ SYSTEM VALID 2018-01-24 22:01:31
SQL> col segment_name for a15
SQL> select OWNER,SEGMENT_NAME,PARTITION_NAME,TABLESPACE_NAME,BYTES/1024 size_k from dba_segments where SEGMENT_NAME='AUD$';
OWNER SEGMENT_NAME PARTITION_NAME TABLESPACE_NAME SIZE_K
---------- --------------- ------------------------------ --------------- ----------
SYS AUD$ SYSTEM 128
SQL> conn scott/tiger
Connected.
SQL> create table temp as select * from user_objects;
Table created.
SQL> insert into temp select * from temp;
10 rows created.
SQL> commit;
Commit complete.
SQL> update temp set object_name='WANG' where object_id=10;
0 rows updated.
SQL> update temp set object_name='WANG' where object_id=87107;
2 rows updated.
SQL> commit;
Commit complete.
SQL> delete temp where rownum <10;
9 rows deleted.
SQL> commit;
Commit complete.
SQL> truncate table temp;
Table truncated.
SQL> drop table temp purge;
Table dropped.
--查询审计表aud$:
SQL> select os_username,
username,
obj_name,
action_name,
audit_option,
logoff_time,
sessionid,
os_process,
instance_number,
sql_text,
sql_bind
from dba_audit_trail
where sql_text like '%TEMP%';
no rows selected
实验三:指定对t表进行更新审计
登录 scott 用户,创建 t 表并开启 update 审计,使用 by access 子句,每次 update 都审计
SQL> conn scott/tiger;
Connected.
SQL> create table t(x int);
Table created.
SQL> insert into t values(9);
1 row created.
SQL> commit;
Commit complete. --在scott用户下对t表进行access级别的审计
SQL> audit update on t by access;
Audit succeeded.
表示对t表的每次更新操作进行审计(by access,每个符合审计的操作全部审计;by session,在一个会话中,同类型的操作只审计一条)--使用绑定变量的 sql 进行 update 测试
SQL>var v_num number;
SQL>exec :v_num:=1000; (:v_num绑定变量,:v_num:=给绑定变量授予一个值)
PL/SQL procedure successfully completed.
SQL>update t set x=:v_num;
1 row updated.
SQL>commit;
commit complete.
--关闭审计
SQL> noaudit update on t;
Noaudit succeeded.
--查询审计结果
set lines 200
col OS_USERNAME for a10
col USERNAME for a10
col OBJ_NAME for a10
col SQL_BIND for a10
col SQL_TEXT for a10
col OWNER for a10
col ACTION_NAME for a10
alter session set nls_date_format='yyyy-mm-dd hh34:mi:ss';
select os_username,
username,
timestamp,
owner,
obj_name,
action_name,
sessionid,
instance_number,
os_process,
transactionid,
sql_bind,
sql_text
from dba_audit_trail
where sql_text like '%T%';
结果说明开启DB级的审计,必须指定对某个表或某个session(by access 或 by session),才会对相应操作进行审计并记录在dba_audit_trail表中
“audit审计方法是什么”的内容就介绍到这里了,感谢大家的阅读。如果想了解更多行业相关的知识可以关注网站,小编将为大家输出更多高质量的实用文章!
内容来源网络,如有侵权,联系删除,本文地址:https://www.230890.com/zhan/155155.html