千家信息网

audit审计方法是什么

发表于:2025-01-20 作者:千家信息网编辑
千家信息网最后更新 2025年01月20日,本篇内容介绍了"audit审计方法是什么"的有关知识,在实际案例的操作过程中,不少人都会遇到这样的困境,接下来就让小编带领大家学习一下如何处理这些情况吧!希望大家仔细阅读,能够学有所成!audit_t
千家信息网最后更新 2025年01月20日audit审计方法是什么

本篇内容介绍了"audit审计方法是什么"的有关知识,在实际案例的操作过程中,不少人都会遇到这样的困境,接下来就让小编带领大家学习一下如何处理这些情况吧!希望大家仔细阅读,能够学有所成!

audit_trail 的value值为NONE表示不开启;

和审计相关的两个主要参数:
1.audit_sys_operations:默认为false,当设置为true时,审计管理用户(sysdba/sysoper角色登陆)的操作都会被记录,audit trail不会写在aud$表中,这个很好理解,如果数据库还未启动aud$不可用,那么像conn /as sysdba这样的连接信息,只能记录在其它地方。如果是windows平台,audti trail会记录在windows的事件管理中,如果是linux/unix平台则会记录在audit_file_dest参数指定的文件中。

2.audit_trail:None:是10g默认值,不做审计;11g默认值DB,将审计结果记录到aud$表中;

audit_trail 的value值为FALSE表示不开启;

audit_trail 的value值为DB表示开启;

audit_trail 的value值为TURE表示开启;

audit_trail 的value值为OS表示审计记录写入一个操作系统文

3.oracle 审计日志清理
--进入审计日志目录:
cd $ORACLE_BASE/admin/$ORACLE_SID/adump

--删除3个月前的审计文件:
find ./ -type f -name "*.aud" -mtime +91|xargs rm -f

--一次清空所有审计文件
find ./ -type f -name "*.aud"|xargs rm-f

find ./ -mtime +7 -name "*.aud" -type f -delete

注意:
oracle在$ORACLE_BASE/admin/$ORACLE_SID/adump 目录中记陆后缀为.aud的审计文件。
所以,开了DB功能,会同时将审计日志记在AUD$表中和操作系统aud文件中。设置为NONE,仍然会而且毫无其他办法的将记录在操作系统aud文件中。
*数据库的表为:sys.aud$
*操作系统目录为:$ORACLE_BASE/admin/实例名/adump/


4.审计:
4.1 强制性审计
启停数据库等动作,都记录在了 alert 日志中,这些就是强制审计,是 oracle 自动开启的。

4.2 标准数据库审计

show parameter audit_trail

4.3 基于值审计

这个是通过我们自己编写的触发器来完成的。

4.4 细粒度审计 (FGA)

可以针对某一列进行更细致的审计

4.5 DBA 审计

安全管理员对 DBA 的审计

标准数据库审计
- 审计语法:
audit sql_statement_clause by {session | access} whenever [not] successful;
by session,在一个会话中,同类型的操作只审计一条
by access,每个符合审计的操作全部审计
- 审计相关参数( audit_trail):
audit_trail = { none | os | db [, extended] | xml [, extended] }
none: 10g 默认值,不做审计;
os:将 audit trail 记录在操作系统文件中,文件名由 audit_file_dest 参数指定;
db: 11g 默认值,将审计结果记录到 aud$表中;
db,extended:将审计结果记录到 aud$表中,同时包括绑定变量及 CLOB 字段;
xml:记录 OS 文件的是 XML 格式的审计记录;
xml,extended:记录OS 文件的是 XML 格式的审计记录,同时包括绑定变量及 CLOB 字段。

oracle10g:默认审计参数为 NONE,即未开启
Oracle11g:默认审计参数为 DB

实验一:审计开启os
[oracle@wang ~]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Sun Aug 13 08:11:24 2017

Copyright (c) 1982, 2013, Oracle. All rights reserved.Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> show parameter audit

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/DBdb/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB
SQL>
SQL> alter system set audit_trail='OS' scope=spfile;
System altered.

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.

Total System Global Area 835104768 bytes
Fixed Size 2257840 bytes
Variable Size 549456976 bytes
Database Buffers 281018368 bytes
Redo Buffers 2371584 bytes
Database mounted.
Database opened.
SQL>
SQL> show parameter audit

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/DBdb/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string OS
SQL>

--查看os层的审计文件
[oracle@wang adump]$ cd /u01/app/oracle/admin/DBdb/adump

--进行相关操作

SQL> conn scott/tiger; Connected.SQL> alter session set nls_date_format='yyyy-mm-dd hh34:mi:ss';Session altered.SQL> select sysdate from dual;SYSDATE-------------------2018-01-26 00:28:58

SQL> select * from tab;

TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
BONUS TABLE
DEPT TABLE
EMP TABLE
JOBS TABLE

SQL> create table a as select * from user_objects;

Table created.

SQL> insert into a select * from a;

10 rows created.

SQL> commit;

Commit complete.

SQL> update a set object_id=1;

20 rows updated.

SQL> commit;

Commit complete.

SQL> delete a where rownum <10;

9 rows deleted.

SQL> commit;

Commit complete.

SQL> truncate table a;

Table truncated.

SQL> drop table a purge;

Table dropped.


--查看审计文件:
[oracle@wang adump]$ pwd
/u01/app/oracle/admin/DBdb/adump
[oracle@wang adump]$
[oracle@wang adump]$
[oracle@wang adump]$ ll
total 24
-rw-r----- 1 oracle oinstall 772 Jan 26 00:22 DBdb_ora_27579_20180126002238441832143795.aud
-rw-r----- 1 oracle oinstall 755 Jan 26 00:26 DBdb_ora_27630_20180126002622032142143795.aud
-rw-r----- 1 oracle oinstall 762 Jan 26 00:26 DBdb_ora_27630_20180126002623437420143795.aud
-rw-r----- 1 oracle oinstall 768 Jan 26 00:26 DBdb_ora_27669_20180126002623481070143795.aud
-rw-r----- 1 oracle oinstall 772 Jan 26 00:26 DBdb_ora_27674_20180126002627838313143795.aud
-rw-r----- 1 oracle oinstall 877 Jan 26 00:28 DBdb_ora_27722_20180126002816963203143795.aud
[oracle@wang adump]$

--查看审计日志
[oracle@wang adump]$ more DBdb_ora_27722_20180126002816963203143795.aud
Audit file /u01/app/oracle/admin/DBdb/adump/DBdb_ora_27722_20180126002816963203143795.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1
System name: Linux
Node name: wang
Release: 3.10.0-327.el7.x86_64
Version: #1 SMP Thu Oct 29 17:29:29 EDT 2015
Machine: x86_64
Instance name: DBdb
Redo thread mounted by this instance: 1
Oracle process number: 29
Unix process pid: 27722, image: oracle@wang (TNS V1-V3)

Fri Jan 26 00:28:16 2018 +08:00
LENGTH: "266"
SESSIONID:[7] "7450116" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "SCOTT" USERHOST:[4] "wang" TERMINAL:[5] "pts/1" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:
[26] "Authenticated by: DATABASE" OS$USERID:[6] "oracle" DBID:[10] "3282897732" PRIV$USED:[1] "5"

[oracle@wang adump]$

实验证明os层不记录数据库相关操作,只有一些登入登出数据库操作实验二:
SQL> show parameter audit

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/DBdb/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string OS
SQL>
SQL> alter system set audit_trail='DB' scope=spfile;

System altered.

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL>
SQL> startup
ORACLE instance started.

Total System Global Area 835104768 bytes
Fixed Size 2257840 bytes
Variable Size 549456976 bytes
Database Buffers 281018368 bytes
Redo Buffers 2371584 bytes
Database mounted.
Database opened.
SQL>
SQL> show parameter audit

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/DBdb/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB
SQL>
SQL>

--确认审计相关的表是否已经安装
select * from sys.aud$; -- 没有记录返回
select * from dba_audit_trail; -- 没有记录返回

如果做上述查询的时候发现表不存在,说明审计相关的表还没有安装,需要安装。
@$ORACLE_HOME/rdbms/admin/cataudit.sql
审计表安装在SYSTEM表空间。所以要确保SYSTEM表空间又足够的空间存放审计信息。


--查询审计表aud$情况:
SQL> col owner for a10
SQL> col table_name for a15
SQL> col TABLESPACE_NAME for a15
SQL> alter session set nls_date_format='yyyy-mm-dd hh34:mi:ss';

Session altered.

SQL> select OWNER,TABLE_NAME,TABLESPACE_NAME,STATUS,LAST_ANALYZED from dba_tables where table_name='AUD$';

OWNER TABLE_NAME TABLESPACE_NAME STATUS LAST_ANALYZED
---------- --------------- --------------- -------- -------------------
SYS AUD$ SYSTEM VALID 2018-01-24 22:01:31

SQL> col segment_name for a15
SQL> select OWNER,SEGMENT_NAME,PARTITION_NAME,TABLESPACE_NAME,BYTES/1024 size_k from dba_segments where SEGMENT_NAME='AUD$';

OWNER SEGMENT_NAME PARTITION_NAME TABLESPACE_NAME SIZE_K
---------- --------------- ------------------------------ --------------- ----------
SYS AUD$ SYSTEM 128


SQL> conn scott/tiger
Connected.

SQL> create table temp as select * from user_objects;

Table created.

SQL> insert into temp select * from temp;

10 rows created.

SQL> commit;

Commit complete.

SQL> update temp set object_name='WANG' where object_id=10;

0 rows updated.

SQL> update temp set object_name='WANG' where object_id=87107;

2 rows updated.

SQL> commit;

Commit complete.

SQL> delete temp where rownum <10;

9 rows deleted.

SQL> commit;

Commit complete.

SQL> truncate table temp;

Table truncated.

SQL> drop table temp purge;

Table dropped.


--查询审计表aud$:


SQL> select os_username,
username,
obj_name,
action_name,
audit_option,
logoff_time,
sessionid,
os_process,
instance_number,
sql_text,
sql_bind
from dba_audit_trail
where sql_text like '%TEMP%';

no rows selected

实验三:指定对t表进行更新审计

登录 scott 用户,创建 t 表并开启 update 审计,使用 by access 子句,每次 update 都审计
SQL> conn scott/tiger;
Connected.
SQL> create table t(x int);

Table created.

SQL> insert into t values(9);

1 row created.

SQL> commit;

Commit complete. --在scott用户下对t表进行access级别的审计
SQL> audit update on t by access;

Audit succeeded.

表示对t表的每次更新操作进行审计(by access,每个符合审计的操作全部审计;by session,在一个会话中,同类型的操作只审计一条)--使用绑定变量的 sql 进行 update 测试

SQL>var v_num number;

SQL>exec :v_num:=1000; (:v_num绑定变量,:v_num:=给绑定变量授予一个值)

PL/SQL procedure successfully completed.

SQL>update t set x=:v_num;

1 row updated.

SQL>commit;

commit complete.

--关闭审计
SQL> noaudit update on t;

Noaudit succeeded.

--查询审计结果

set lines 200
col OS_USERNAME for a10
col USERNAME for a10
col OBJ_NAME for a10
col SQL_BIND for a10
col SQL_TEXT for a10
col OWNER for a10
col ACTION_NAME for a10
alter session set nls_date_format='yyyy-mm-dd hh34:mi:ss';
select os_username,
username,
timestamp,
owner,
obj_name,
action_name,
sessionid,
instance_number,
os_process,
transactionid,
sql_bind,
sql_text
from dba_audit_trail
where sql_text like '%T%';


结果说明开启DB级的审计,必须指定对某个表或某个session(by access 或 by session),才会对相应操作进行审计并记录在dba_audit_trail表中

"audit审计方法是什么"的内容就介绍到这里了,感谢大家的阅读。如果想了解更多行业相关的知识可以关注网站,小编将为大家输出更多高质量的实用文章!

0