<<<< 要想捕获SQL语句和绑定变量值需要设置DBMS_FGA.EXTENDED,默认值即包含该设置,参数设置示例请参考下面的使用注意事项。
Each audit policy is applied to the query individually. However, at most one audit record may be generated for each policy, no matter how many rows being returned satisfy that policy's audit_condition. In other words, whenever any number of rows being returned satisfy an audit condition defined on the table, a single audit record will be generated for each such policy.
If a table with an FGA policy defined on it receives a Fast Path insert or a vectored update, the hint is automatically disabled before any such operations. Disabling the hint allows auditing to occur according to the policy's terms. (One example of a Fast Path insert is the statement INSERT-WITH-APPEND-hint.)
Specifying an audit condition of "1=1" to force auditing of all specified statements ("statement_types") affecting the specified column ("audit_column") is no longer needed to achieve this purpose. NULL will cause audit even if no rows were processed, so that all actions on a table with this policy are audited.
The audit function (handler_module) is an alerting mechanism for the administrator. The required interface for such a function is as follows:
PROCEDURE ( object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2 ) AS ...
where fname is the name of the procedure, object_schema is the name of the schema of the table audited, object_name is the name of the table to be audited, and policy_name is the name of the policy being enforced. The audit function will be executed with the function owner's privilege.
If audit_trail includes XML, then fine-grained audit records are written to XML-format operating system files stored in the directory specified by an AUDIT_FILE_DEST statement in SQL. (The default AUDIT_FILE_DEST is $ORACLE_BASE/admin/$DB_UNIQUE_NAME/adump on Unix-based systems, and $ORACLE_BASE\admin\$DB_UNIQUE_NAME\adump on Windows systems.)
When audit_column_opts is set to DBMS_FGA.ALL_COLUMNS, a SQL statement is audited only when all the columns mentioned in audit_column have been explicitly referenced in the statement. And these columns must be referenced in the same SQL-statement or in the sub-select.
Also, all these columns must refer to a single table/view or alias.
Thus, if a SQL statement selects the columns from different table aliases, the statement will not be audited.
1).SYS.FGA_LOG$:如果audit_trail参数包含DB,那么审计记录会被记录在FGA_LOG$表中。
2).AUDIT_FILE_DEST初始化参数:设置审计操作系统文件的存放位置。
3).V$XML_AUDIT_TRAIL:如果audit_trail参数包含XML,那么审计记录会记录在AUDIT_FILE_DEST初始化参数指定的目的地下的XML文件中,Oracle会读取这些XML文件,生成V$XML_AUDIT_TRAIL动态性能视图,方便DBA查看审计详细信息。
4).DBA_AUDIT_POLICIES:详细记录了审计配置的策略信息。
5).DBA_FGA_AUDIT_TRAIL:查看到审计的SQL语句和绑定变量。
6).DBA_COMMON_AUDIT_TRAIL:包含V$XML_AUDIT_TRAIL动态性能视图的内容,是标准和细粒度审计记录。
启用细粒度的审计功能不需要设置数据库的AUDIT_TRAIL初始化参数,只需要设置DBMS_FGA.ADD_POLICY存储过程中的AUDIT_TRAIL参数或使用默认值即可。
参考文章:《【实验】【审计】【FGA】使用Oracle的审计功能监控数据库中的可疑操作》:http://space.itpub.net/519536/viewspace-613323
三.Oracle数据对SYS用户的审计以及11g默认开启的审计功能。
参考文章:
《Oracle 11gR2 Database和ASM默认的审计策略和相关操作》:http://space.itpub.net/23135684/viewspace-723442
Oracle 11g Database和ASM默认的审计策略和相关操作
这篇文章详细讨论一下Oracle 11gR2 Database中ASM实例和Database实例默认的审计策略和相关操作。
1.Oracle 11g DATABASE默认的审计策略。
11gR2 Database的audit_trail被默认设置为DB,Oracle Database自动标准开启审计功能。下面是11g默认开启的标准审计功能:
上图展示的第一部分是默认开启的权限审计,可以通过DBA_PRIV_AUDIT_OPTS获得开启的权限;第二部分是默认开启的语句审计,可以通过DBA_OBJ_AUDIT_OPTS获得开启的权限。
非SYSDBA、SYSOPER用户的审计记录将存放到SYSTEM表空间下的sys.aud$表中,随着时间的推移,SYSTEM表空间可能因此急剧扩张。
下面是在11g数据库实例下的操作:
SQL> show parameter audit
1).审计线索必须存储在数据库外部。
2).始终会对以SYSDBA或SYSOPER身份执行的连接进行审计。
3).可使用AUDIT_SYS_OPERATIONS启用对SYSDBA或SYSOPER操作的附加审计。
4).可使用AUDIT_FILE_DEST控制审计线索。
无论是远程或本地SYSDBA、SYSOPER权限用户登录都会在audit_file_dest指定的目的地生成相应审计文件,记录登录信息。Windows平台SYSDBA权限用户的审计记录会被写到事件查看器中。
下面讨论一下AUDIT_SYS_OPERATIONS和AUDIT_TRIAL两个初始化参数的含义:
AUDIT_SYS_OPERATIONS
AUDIT_SYS_OPERATIONS enables or disables the auditing of top-level operations, which are SQL statements directly issued by users when connecting with SYSDBAor SYSOPER privileges. (SQL statements run from within PL/SQL procedures or functions are not considered top-level.) The audit records are written to the operating system's audit trail. The audit records will be written in XML format if the AUDIT_TRAIL initialization parameter is set to xml or xml, extended.
On UNIX platforms, if the AUDIT_SYSLOG_LEVEL parameter has also been set, then it overrides the AUDIT_TRAIL parameter and SYS audit records are written to the system audit log using the SYSLOG utility.
audit_sys_operations参数为false时,系统只以os文件记录sysdba身份的登录、开关数据库的操作。
audit_sys_operations参数为true时,系统以os文件记录sysdba身份的登录、开关数据库的操作,以及其它辅助的操作。
下面是该参数的例子:
a).audit_sys_operations=false生成的审计记录:
Audit file /u01/app/oracle/admin/ractest/adump/ractest2_ora_21523_1.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1
System name: Linux
Node name: rhel2.localdomain
Release: 2.6.18-164.el5xen
Version: #1 SMP Tue Aug 18 15:59:52 EDT 2009
Machine: x86_64
VM name: Xen Version: 3.1 (PVM)
Instance name: ractest2
Redo thread mounted by this instance: 2
Oracle process number: 69
Unix process pid: 21523, image: oracle@rhel2.localdomain (TNS V1-V3)
Disables standard auditing. This value is the default if the AUDIT_TRAIL parameter was not set in the initialization parameter file or if you created the database using a method other than Database Configuration Assistant. If you created the database using Database Configuration Assistant, then the default is db.
Directs audit records to the database audit trail (the SYS.AUD$ table), except for records that are always written to the operating system audit trail. Use this setting for a general database for manageability.
If the database was started in read-only mode with AUDIT_TRAIL set to db, then Oracle Database internally sets AUDIT_TRAIL to os. Check the alert log for details.
Performs all actions of AUDIT_TRAIL=db, and also populates the SQL bind and SQL text CLOB-type columns of the SYS.AUD$ table, when available. These two columns are populated only when this parameter is specified.
If the database was started in read-only mode with AUDIT_TRAIL set to db, extended, then Oracle Database internally sets AUDIT_TRAIL to os. Check the alert log for details.
You can use the SQL AUDIT statement to set auditing options regardless of the setting of this parameter.
注意:audit_syslog_level参数只在unix和Linux平台存在。
3.ASM默认的审计策略。
下面是在ASM实例下的操作:
SQL> show parameter audit
可以注意到ASM实例参数中没有包含audit_trail参数,ASM实例的所有审计记录只能被写到audit_file_dest参数指定的目的地。
与Oracle数据库实例相同,以sysasm、sysdba登录到ASM实例都会在audit_file_dest目录下生成相应的审计文件,过于频繁的登录ASM实例将产生大量的审计文件。
4.默认审计功能的管理。
1).关闭Database审计功能。
将数据库实例的audit_trail设置为none,重启数据库实例即可关闭数据库实例对非SYSDBA、SYSOPER权限用户的审计功能;该设置并不能关闭对SYSDBA权限用户的审计,SYSDBA权限用户登录依然会在audit_file_dest指定目录下生成相应的审计文件。
2).关闭ASM审计功能。
同样没法关闭对以SYSASM和SYSDBA、SYSOPER登录用户的审计。
3).迁移AUD$表。
AUD$表默认被存放到SYSTEM表空间下,频繁的登录会导致SYSTEM表空间较快扩大,最终可能影响数据库系统的正常运行。参考如下文章:http://yangtingkun.itpub.net/post/468/496990可完成对AUD$表的迁移。
4).AUD$表记录的清除操作。
AUD$表可以被直接TRUNCATE,也可以参考如下文章:http://yangtingkun.itpub.net/post/468/498990清除部分AUD$表数据。可以创建并调度JOB对AUD$表进行自动化的清理。
--end--
db,extended 启用数据库审计,并将数据库所有审计记录定向到数据库的SYS.AUD$表。另外,填充SYS.AUD$表的SQLBIND 列和SQLTEXT CLOB 列。
xml 启用数据库审计,并将所有记录写到XML格式的操作系统文件中。
xml,extended 启用数据库审计,输出审计记录的所有列,包括SqlText和SqlBind的值。
Oracle公司还推荐使用基于OS文件的审计日志记录方式(OS audit trail files)。
2. 不同设置下audit trail的位置如下:
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
audit_trail_location_value => 'USERS');
Oracle 数据库审计功能非常强大,通常包括标准审计(包括用户级审计和系统级审计)和细粒度审计。尽管如此,一不小心就容易造成性能问题。同时会把系统表空间给撑爆。下面的内容描述的是如何将审计从系统表空间剥离以及清理Oracle审计记录,供大家参考。
一、审计的相关配置
SQL> select * from v$version where rownum=1;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /home/oraprod/app/product/11.2
.0/dbhome_1/rdbms/audit
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB --此值为当前Oracle 11gR2缺省配置
--从下面的查询中可以看出,当前的审计位于system表空间
SQL> col segment_name FOR a10
SQL> SELECT owner,segment_name,tablespace_name FROM dba_segments WHERE segment_name ='AUD$';
OWNER SEGMENT_NA TABLESPACE_NAME
------------------------------ ---------- ------------------------------
SYS AUD$ SYSTEM
新增一个表空间用于存储审计日志
SQL> CREATE tablespace audit_data datafile '/home/oracle/app/oradata/orcl/audit01.dbf'
2 SIZE 100M autoextend ON NEXT 50M;
SQL> @tbs_free.sql
TABLESPACE_NAME USED (MB FREE (MB TOTAL (M PER_FR
------------------------------ -------- -------- -------- ------
AUDIT_DATA 1 1,199 1,200 100 %
SYSAUX 1,133 77 1,210 6 %
SYSTEM 1,875 15 1,890 1 %
-- 设定审计数据存放表空间
SQL> BEGIN
2 DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
3 AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
4 AUDIT_TRAIL_LOCATION_VALUE => 'AUDIT_DATA'
5 );
6 END;
BEGIN
ERROR at line 1:
ORA-46267: Insufficient space in 'AUDIT_DATA' tablespace, cannot complete
operation
ORA-06512: at "SYS.DBMS_AUDIT_MGMT", line 1576
ORA-06512: at line 2
-- 错误提示,尽管我们使用了自动扩展表空间,依旧提示空间不够
-- 查看当前审计数据大小,如下为1152MB
SQL> select segment_name,bytes/1024/1024 from dba_segments where segment_name='AUD$';
SEGMENT_NAME BYTES/1024/1024
------------------------- ---------------
AUD$ 1152
-- 下面调整数据文件大小
SQL> alter database datafile '/home/oracle/app/oradata/orcl/audit01.dbf' resize 1200m;
Database altered.
-- 再次设定审计数据存放表空间OK
SQL> BEGIN
2 DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
3 AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
4 AUDIT_TRAIL_LOCATION_VALUE => 'AUDIT_DATA'
5 );
6 END;
PL/SQL procedure successfully completed.
Elapsed: 00:02:23.10
--整个过程花费了2m23s,主要是期间进行了数据搬迁
SQL> SELECT owner,segment_name,tablespace_name FROM dba_segments WHERE segment_name ='AUD$';
OWNER SEGMENT_NAME TABLESPACE_NAME
------------------------------ ------------------------------ ------------------------------
SYS AUD$ AUDIT_DATA
SQL> @tbs_free.sql
TABLESPACE_NAME USED (MB FREE (MB TOTAL (M PER_FR
------------------------------ -------- -------- -------- ------
AUDIT_DATA 1,153 47 1,200 4 %
SYSAUX 1,143 67 1,210 6 %
SYSTEM 724 1,166 1,890 62 %
-- 从上面的这个查询可以看出,原来位于system表空间的AUD$被迁移到了AUDIT_DATA
-- 相应地AUDIT_DATA表空间已使用增加,而SYSTEM表空间使用率下降
-- 查看审计数据字典配置信息
SQL> col PARAMETER_NAME FOR a30
SQL> col PARAMETER_VALUE FOR a15
SQL> col AUDIT_TRAIL FOR a20
SQL> SELECT PARAMETER_NAME, PARAMETER_VALUE, AUDIT_TRAIL
2 FROM DBA_AUDIT_MGMT_CONFIG_PARAMS
3 WHERE audit_trail = 'STANDARD AUDIT TRAIL';
PARAMETER_NAME PARAMETER_VALUE AUDIT_TRAIL
------------------------------ --------------- --------------------
DB AUDIT TABLESPACE AUDIT_DATA STANDARD AUDIT TRAIL
DB AUDIT CLEAN BATCH SIZE 10000 STANDARD AUDIT TRAIL
SQL> BEGIN
2 DBMS_AUDIT_MGMT.init_cleanup(
3 audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
4 default_cleanup_interval => 120 /* hours */);
5 END;
PL/SQL procedure successfully completed.
-- 下面严验证审计日志清除是否已开启
SQL> SET SERVEROUTPUT ON
SQL> BEGIN
2 IF DBMS_AUDIT_MGMT.is_cleanup_initialized(DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
3 DBMS_OUTPUT.put_line('YES');
4 ELSE
5 DBMS_OUTPUT.put_line('NO');
6 END IF;
7 END;
PL/SQL procedure successfully completed.
SQL> select segment_name,bytes/1024/1024 from dba_segments where segment_name='AUD$';
SEGMENT_NAME BYTES/1024/1024
------------------- ---------------
AUD$ 1152
SQL> select 'Leshami' As author,'http://blog.csdn.net/leshami' as Blog from dual;
AUTHOR BLOG
------- ----------------------------
Leshami http://blog.csdn.net/leshami
SQL> select count(*) from AUD$;
COUNT(*)
----------
5908086
SQL> select min(ntimestamp#) from aud$;
MIN(NTIMESTAMP#)
---------------------------------------------------------------------------
20-AUG-14 06.11.09.901253 AM
-- 设定归档间隔
SQL> BEGIN
2 DBMS_AUDIT_MGMT.set_last_archive_timestamp(
3 audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
4 last_archive_time => SYSTIMESTAMP-10);
5 END;
PL/SQL procedure successfully completed
--查看设定的归档间隔
SQL> SELECT * FROM dba_audit_mgmt_last_arch_ts;
AUDIT_TRAIL RAC_INSTANCE LAST_ARCHIVE_TS
-------------------- ------------ ---------------------------------------------------------------------------
STANDARD AUDIT TRAIL 0 09-OCT-15 01.27.17.000000 PM +00:00
--通过调用DBMS_AUDIT_MGMT.clean_audit_trail进行手动清理审计日志
BEGIN
DBMS_AUDIT_MGMT.clean_audit_trail(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
use_last_arch_timestamp => TRUE);
DBMS_AUDIT_MGMT.clean_audit_trail
This procedure deletes audit trail records. The CLEAN_AUDIT_TRAIL procedure is usually called after the
SET_LAST_ARCHIVE_TIMESTAMP Procedure has been used to set the last archived timestamp for the audit records.
--也可以通过创建一个purge Job来进行清理已归档的历史审计记录
SQL> BEGIN
2 DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
3 AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
4 AUDIT_TRAIL_PURGE_INTERVAL => 24 /* hours */,
5 AUDIT_TRAIL_PURGE_NAME => 'Daily_Audit_Purge_Job',
6 USE_LAST_ARCH_TIMESTAMP => TRUE
7 );
8 END;
PL/SQL procedure successfully completed.
-- 本次测试使用了job进行清理,注,上面的purge job 并非使用DBMS_SCHEDULER.CREATE_JOB创建
-- 执行job用于清理归档,通过观察,由于redo log size为50MB,切换较为频繁,花费了19分钟
-- 同时伴随有Checkpoint not complete等待事件,可见redo size过小
SQL> exec DBMS_SCHEDULER.RUN_JOB(job_name => 'SYS.DAILY_AUDIT_PURGE_JOB');
PL/SQL procedure successfully completed.
Elapsed: 00:19:26.38
SQL> select count(*) from AUD$;
COUNT(*)
----------
--经查看,清理后空间并没有释放
SQL> select segment_name,bytes/1024/1024 from dba_segments where segment_name='AUD$';
SEGMENT_NAME BYTES/1024/1024
------------------------------ ---------------
AUD$ 1152
SQL> alter table sys.aud$ shrink space cascade;
alter table sys.aud$ shrink space cascade
ERROR at line 1:
ORA-10636: ROW MOVEMENT is not enabled
SQL> alter table sys.aud$ enable row movement;
Table altered.
SQL> alter table sys.aud$ shrink space cascade;
Table altered.
SQL> alter table sys.aud$ disable row movement;
Table altered.
-- 下面的查询可以看到,空间已经被释放
SQL> select segment_name,bytes/1024/1024 from dba_segments where segment_name='AUD$';
SEGMENT_NAME BYTES/1024/1024
-------------------- ---------------
AUD$ .0625
a、对于Oracle 11g,审计功能默认被开启,因此如果在必须启用的情况下应考虑性能影响;
b、开启审计的情况下,建议将审计从system或sysaux表空间剥离,使用单独的表空间;
c、对于历史审计日志的清除,应考虑清除期间所带来的性能影响;
d、调用DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION这个过程已经开始了搬迁过程,如果审计日志很庞大,应考虑IO影响;
e、审计日志的清除需要先设定归档,已归档的审计日志会被清理;
f、也可以通过trunate table aud$ reuse storage以及deallocate非常规方式来处理。
...............................................................................................................................
● 本文整理自网络
● 本文在itpub(http://blog.itpub.net/26736162)、博客园(http://www.cnblogs.com/lhrbest)和个人微信公众号(xiaomaimiaolhr)上有同步更新
● 本文itpub地址:http://blog.itpub.net/26736162/abstract/1/
● 本文博客园地址:http://www.cnblogs.com/lhrbest
● 本文pdf版及小麦苗云盘地址:http://blog.itpub.net/26736162/viewspace-1624453/
● 数据库笔试面试题库及解答:http://blog.itpub.net/26736162/viewspace-2134706/
● QQ群:230161599 微信群:私聊
● 联系我请加QQ好友(646634621),注明添加缘由
● 于 2017-06-02 09:00 ~ 2017-06-30 22:00 在魔都完成
● 文章内容来源于小麦苗的学习笔记,部分整理自网络,若有侵权或不当之处还请谅解
...............................................................................................................................
拿起手机使用微信客户端扫描下边的左边图片来关注小麦苗的微信公众号:xiaomaimiaolhr,扫描右边的二维码加入小麦苗的QQ群,学习最实用的数据库技术。
【QQ:646634621】【微信:db_bao】【微信公众号:DB宝】【QQ群:230161599】【Oracle OCP、OCM、高可用(RAC+DG+OGG)、MySQL OCP、PGCA+PGCE+PGCM等都可以找麦老师了】【个人网站:xmmup.com】
注册时间:2012-09-23
10683920
广播电视节目制作经营许可证(京) 字第1234号 中国互联网协会会员
