中文字幕av专区_日韩电影在线播放_精品国产精品久久一区免费式_av在线免费观看网站

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

Oracle標準數據庫審核

發布時間:2020-08-08 00:58:13 來源:ITPUB博客 閱讀:168 作者:llnnmc 欄目:關系型數據庫

Oracle標準數據庫審核可以對一般用戶(不包括SYS)的各種權限操作進行審核和跟蹤。


一、標準數據庫審核的基本方法


1、開啟標準數據庫審核


初始化參數audit_trail是一個靜態參數,該參數確定如何啟用審核,不同的值表示是否開啟審核以及如何記錄審核。

該參數可以設定為如下的值:

noneflase10g為默認):不審核;

dbtrue11g為默認):審核結果記錄到數據庫表sys.aud$,可以通過視圖dba_audit_trail來查看結果;

os:審核結果記錄到操作系統文件中,Unixaudit_file_dest參數中指定,Windows則在應用程序日志中(事件查看器eventvwr);

db_extended:與db大致相同,但審核結果包含了具有綁定變量的SQL語句;

xml:與os大致相同,但使用xml來標記;

xml_extended:與xml大致相同,但審核結果包含了具有綁定變量的SQL語句。


2、指定審核選項


使用audit命令可以配置數據庫審核,標準數據庫審核包含以下幾類:


1)系統權限審核


審核系統權限的操作,如

audit create any table;

audit create any trigger;

審核某用戶的系統權限操作,如

audit select any table by scott;

訪問自己的表時不會做審核。

審核用戶的創建和刪除

audit create user, drop user;

查開啟的系統權限審核,通過數據字典dba_priv_audit_opts11g默認會開啟以下審核

col user_name for a20

col proxy_name for a20

col privilege for a30

col success for a20

col failure for a20

select * from dba_priv_audit_opts;


USER_NAME       PROXY_NAME      PRIVILEGE                                SUCCESS    FAILURE

--------------- --------------- ---------------------------------------- ---------- ----------

                                CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS

                                CREATE ANY JOB                           BY ACCESS  BY ACCESS

                                GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS

                                EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS

                                CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS

                                GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS

                                DROP PROFILE                             BY ACCESS  BY ACCESS

                                ALTER PROFILE                            BY ACCESS  BY ACCESS

                                DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS

                                ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS

                                CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS

                                ALTER DATABASE                           BY ACCESS  BY ACCESS

                                GRANT ANY ROLE                           BY ACCESS  BY ACCESS

                                CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS

                                DROP ANY TABLE                           BY ACCESS  BY ACCESS

                                ALTER ANY TABLE                          BY ACCESS  BY ACCESS

                                CREATE ANY TABLE                         BY ACCESS  BY ACCESS

                                DROP USER                                BY ACCESS  BY ACCESS

                                ALTER USER                               BY ACCESS  BY ACCESS

                                CREATE USER                              BY ACCESS  BY ACCESS

                                CREATE SESSION                           BY ACCESS  BY ACCESS

                                AUDIT SYSTEM                             BY ACCESS  BY ACCESS

                                ALTER SYSTEM                             BY ACCESS  BY ACCESS


2)對象權限審核


對所有用戶(不包括syssys是不審核的),如

aduit alter, delete, drop, insert on scott.emp;

對某個用戶,如

audit select on hr.employees by scott;

對所有操作,如

audit all on hr.employees;

查開啟的對象審核,通過數據字典dba_obj_audit_opts,默認是都沒有開啟

select * from dba_obj_audit_opts;


OWNER      OBJECT_NAME     OBJECT_TYPE     ALT   AUD   COM   DEL   GRA   IND   INS   LOC   REN   SEL   UPD   REF EXE   CRE   REA   WRI   FBK

---------- --------------- --------------- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- --- ----- ----- ----- ----- -----


3)語句審核


如審核表的所有DDL操作

audit table;

查開啟的語句審核,通過數據字典dba_stmt_audit_opts11g默認會開啟以下審核,其中也包含了上述屬于系統權限的審核

col user_name for a20

col proxy_name for a20

col audit_option for a30

col success for a20

col failure for a20

select * from dba_stmt_audit_opts;


USER_NAME       PROXY_NAME      AUDIT_OPTION                             SUCCESS    FAILURE

--------------- --------------- ---------------------------------------- ---------- ----------

                                ALTER SYSTEM                             BY ACCESS  BY ACCESS

                                SYSTEM AUDIT                             BY ACCESS  BY ACCESS

                                CREATE SESSION                           BY ACCESS  BY ACCESS

                                CREATE USER                              BY ACCESS  BY ACCESS

                                ALTER USER                               BY ACCESS  BY ACCESS

                                DROP USER                                BY ACCESS  BY ACCESS

                                PUBLIC SYNONYM                           BY ACCESS  BY ACCESS

                                DATABASE LINK                            BY ACCESS  BY ACCESS

                                ROLE                                     BY ACCESS  BY ACCESS

                                PROFILE                                  BY ACCESS  BY ACCESS

                                CREATE ANY TABLE                         BY ACCESS  BY ACCESS

                                ALTER ANY TABLE                          BY ACCESS  BY ACCESS

                                DROP ANY TABLE                           BY ACCESS  BY ACCESS

                                CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS

                                GRANT ANY ROLE                           BY ACCESS  BY ACCESS

                                SYSTEM GRANT                             BY ACCESS  BY ACCESS

                                ALTER DATABASE                           BY ACCESS  BY ACCESS

                                CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS

                                ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS

                                DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS

                                ALTER PROFILE                            BY ACCESS  BY ACCESS

                                DROP PROFILE                             BY ACCESS  BY ACCESS

                                GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS

                                CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS

                                EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS

                                GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS

                                CREATE ANY JOB                           BY ACCESS  BY ACCESS

                                CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS


4)其它審核配置


審核會話登錄

audit session;

這與審核create session權限的使用效果相同。

取消審核,通過noaudit命令指定

noaudit session;

noaudit all on scott.emp;

審核成功的操作,通過whenever successful選項指定,如審核表的成功插入

audit insert on scott.emp whenever successful;

審核不成功的操作,通過whenever not successful選項指定,如審核失敗的會話登錄

audit session whenever not successful;

默認情況下是審核所有的操作,不論成功與否。

會話級別上的審核,通過by session選項指定

audit update on scott.emp by session;

操作級別上的審核,通過by access選項指定

audit update on scott.emp by access;

對象權限審核默認是by session

系統權限審核默認是by access


3、查看審核記錄


如果審核針對數據庫(audit_trail=dbdb_extended),則審核記錄寫入數據字典表sys.aud$中,雖然可以直接查看,但通過建立在其上的視圖來查看將更加方便。

常用的視圖是dba_audit_trail,其常用列的解釋如下:

os_username:執行操作的用戶的操作系統用戶名

username:執行操作的用戶的Oracle用戶名

userhost:運行用戶進程的計算機名稱

timestamp:審核事件的發生時間

ownerobj_name:受影響對象的模式和名稱

actionaction_name:審核的操作,操作代碼action的對照含義可查數據字典表audit_actions

priv_used:使用的系統權限

sql_text:執行的語句

如果沒有表aud$及視圖dba_audit_trail,則需要執行審核相關的數據字典表的安裝腳本,安裝后要重啟數據庫,安裝腳本位于

%ORACLE_HOME%\rdbms\admin\cataudit.sql

其它審核視圖顯示了dba_audit_trail視圖的一個子集:

dba_audit_object

dba_audit_statement

dba_audit_session


二、標準數據庫審核實驗


1、創建實驗用表

create table scott.emp1 as select * from scott.emp;

grant all on scott.emp1 to hr;


2、啟用審核

audit all on scott.emp1 by access;

audit table;

alter system set audit_sys_operations=true scope=spfile;

alter system set audit_trail='db_extended' scope=spfile;

重啟數據庫實例

shutdown immediate

startup

實驗前可先清除審核結果表的所有記錄

truncate table sys.aud$;


3、進行sysdba的活動,并查看審核結果

以sysdba身份登錄并操作

select * from dba_users;

select * from scott.emp1;

create user audr1 identified by audr1;

drop user audr1;

create table scott.emp2 as select * from scott.emp1;

select * from scott.emp2;

drop table scott.emp2 purge;

查看sysdba的審核結果,由于開啟了sysdba審核,所以可以在操作系統文件和日志中看到所有操作記錄。Unix查看audit_file_dest指定的目標文件,Windows通過事件查看器eventvwr查看應用程序日志。另外可以看到SYS管理員的操作不會記入aud$中,視圖dba_audit_trail沒有相關記錄。


4、用system用戶登錄操作,并查看審核結果

select * from scott.emp;

select * from scott.emp1;

create user audr1 identified by audr1;

grant connect to audr1;

create table audr1.t1(n number);

select * from audr1.t1;

drop table audr1.t1 purge;

drop user audr1;

退出system的登錄

查看審核結果

col os_username for a20

col username for a20

col userhost for a20

col owner for a10

col obj_name for a20

col action_name for a20

col priv_used for a20

col sql_text for a50

select os_username, username, userhost, timestamp, owner, obj_name, action, action_name, priv_used, sql_text from dba_audit_trail order by timestamp desc;


OS_USERNAME          USERNAME             USERHOST             TIMESTAMP           OWNER      OBJ_NAME                 ACTION ACTION_NAME          PRIV_USED            SQL_TEXT

-------------------- -------------------- -------------------- ------------------- ---------- -------------------- ---------- -------------------- -------------------- --------------------------------------------------

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:36:05                                101 LOGOFF

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:35:59            AUDR1                53 DROP USER            DROP USER            drop user audr1

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:35:49 AUDR1      T1                   12 DROP TABLE           DROP ANY TABLE       drop table audr1.t1 purge

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:35:32 AUDR1      T1                    1 CREATE TABLE         CREATE ANY TABLE     create table audr1.t1(n number)

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:35:24            CONNECT                     114 GRANT ROLE           GRANT ANY ROLE       grant connect to audr1

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:35:14            AUDR1                51 CREATE USER          CREATE USER          create user audr1 identified by *****

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:35:04 SCOTT      EMP1                  3 SELECT               SELECT ANY TABLE     select * from scott.emp1

Administrator        SYSTEM               WORKGROUP\MYPC       2017-09-20 10:34:33                                100 LOGON                CREATE SESSION


由于沒有對表scott.emp加入審核,因此對它的查詢未計入表中,而會話的登入登出、建表、刪表、授權是默認開啟的系統權限審核,因此這些操作被記入表中,同樣對表audr1.t1的查詢也不會加入審核。


5、清空aud$記錄,在sys下創建用戶audr1,并分別用audr1和hr用戶登錄操作,查看審核結果

sys的操作

create user audr1 identified by audr1;

grant connect to audr1;

audr1用戶登錄操作

select * from scott.emp1;

由于沒有給audr1訪問scott.emp1的權限,因此以上查詢將失敗

audr1用戶退出登錄

hr用戶登錄操作

select * from scott.emp1;

update scott.emp1 set sal=2000 where empno=7369;

commit;

update scott.emp1 set sal=2500 where empno=7369;

rollback;

hr用戶退出登錄

查看審核記錄

col os_username for a20

col username for a20

col userhost for a20

col owner for a10

col obj_name for a20

col action_name for a20

col priv_used for a20

col sql_text for a50

select os_username, username, userhost, timestamp, owner, obj_name, action, action_name, priv_used, sql_text from dba_audit_trail order by timestamp desc;


OS_USERNAME          USERNAME             USERHOST             TIMESTAMP           OWNER      OBJ_NAME                 ACTION ACTION_NAME          PRIV_USED            SQL_TEXT

-------------------- -------------------- -------------------- ------------------- ---------- -------------------- ---------- -------------------- -------------------- --------------------------------------------------

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:42:29                                101 LOGOFF

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:45:33 SCOTT      EMP1                  6 UPDATE                                    update scott.emp1 set sal=2500 where empno=7369

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:42:17 SCOTT      EMP1                  6 UPDATE                                    update scott.emp1 set sal=2000 where empno=7369

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:42:09 SCOTT      EMP1                  3 SELECT                                    select * from scott.emp1

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:41:49                                100 LOGON                CREATE SESSION

Administrator        AUDR1                WORKGROUP\MYPC       2017-09-20 10:41:41                                101 LOGOFF

Administrator        AUDR1                WORKGROUP\MYPC       2017-09-20 10:41:29 SCOTT      EMP1                  3 SELECT                                    select * from scott.emp1

Administrator        AUDR1                WORKGROUP\MYPC       2017-09-20 10:41:01                                100 LOGON                CREATE SESSION


由于默認是操作不論成功與否都會納入審核,因此audr1用戶失敗的查詢也被記錄,commit和rollback語句并沒有記錄,不管執行的語句最后是被提交還是回滾,更新操作總是被審核的。


6、取消對象審核

noaudit all on scott.emp1;

hr用戶再次登錄操作

select * from scott.emp1;

hr用戶退出登錄

查看審核記錄,確認審核只有用戶的登入登出,其它已取消。如果要將會話的登入登出記錄也取消,則執行noaudit session,但這樣一來,默認的系統權限審核將不再包括該項,除非執行audit session重新加入。


7、清空aud$記錄,改為會話級別的審核,并查看結果

audit all on scott.emp1 by session;

再次以hr用戶登錄并操作

select * from scott.emp1;

update scott.emp1 set sal=800 where empno=7369;

commit;

hr用戶退出登錄

查看審核記錄

col os_username for a20

col username for a20

col userhost for a20

col owner for a10

col obj_name for a20

col action_name for a20

col priv_used for a20

col sql_text for a50

select os_username, username, userhost, timestamp, owner, obj_name, action, action_name, priv_used, sql_text from dba_audit_trail order by timestamp desc;


OS_USERNAME          USERNAME             USERHOST             TIMESTAMP           OWNER      OBJ_NAME                 ACTION ACTION_NAME          PRIV_USED            SQL_TEXT

-------------------- -------------------- -------------------- ------------------- ---------- -------------------- ---------- -------------------- -------------------- --------------------------------------------------

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:54:55                                101 LOGOFF

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:54:44 SCOTT      EMP1                103 SESSION REC                               update scott.emp1 set sal=800 where empno=7369

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:54:36 SCOTT      EMP1                103 SESSION REC                               select * from scott.emp1

Administrator        HR                   WORKGROUP\MYPC       2017-09-20 10:54:29                                100 LOGON                CREATE SESSION


比較可知,操作級別的審核明確記錄了action_name為select、update等,而會話級別的審核action_name只標明為session rec,但sql_text仍記錄了會話中每一步操作的SQL語句。


8、取消審核,清理恢復

noaudit all on scott.emp1;

drop user audr1;

drop table scott.emp1 purge;

alter system set audit_trail=false scope=spfile;

alter system set audit_sys_operations=false scope=spfile;

重啟數據庫實例

清空aud$記錄


向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

左云县| 舒兰市| 宁安市| 麟游县| 林甸县| 营口市| 卢龙县| 教育| 莎车县| 乃东县| 吉隆县| 宜丰县| 依兰县| 沅陵县| 南投市| 临安市| 衡南县| 永靖县| 南汇区| 辉县市| 剑河县| 华坪县| 古浪县| 鄂托克前旗| 杭锦后旗| 福建省| 尤溪县| 望奎县| 扎赉特旗| 长春市| 敖汉旗| 康乐县| 武胜县| 宁海县| 化隆| 平湖市| 南皮县| 深泽县| 海南省| 金坛市| 绵阳市|