Implementing Oracle Database Auditing
Objectives
After completing this lesson, you should be able to:
• Describe DBA responsibilities for security and auditing
• Enable unified auditing
• Create unified audit policies
• Maintain the audit trail
Database Security
A secure system ensures the confidentiality of the data that it contains. There are several aspects of security:
• Restricting access to data and services
• Authenticating users
• Monitoring for suspicious activity
Monitoring for Compliance
• Monitoring or auditing must be an integral part of your security procedures.
• Review the following:
– Mandatory auditing
– Standard database auditing
– Value-based auditing
– Fine-grained auditing (FGA)
Types of Activities to be Audited
You can audit the following types of activities:
• User accounts, roles, and privileges
• Object actions
• Application context values
• Oracle Data Pump
• Oracle Database Real Application Security
• Oracle Database Vault
• Oracle Label Security
• Oracle Recovery Manager
• Oracle SQL*Loader direct path events
Mandatorily Audited Activities
The following activities are audited:
• CREATE/ALTER/DROP AUDIT POLICY
• AUDIT/NOAUDIT
• EXECUTE of:
– DBMS_FGA
– DBMS_AUDIT_MGMT
• ALTER TABLE against AUDSYS audit trail table
• Top-level statements by administrative users (SYS, SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSDG, and SYSKM) until the database opens
Understanding Auditing Implementation
• Mixed mode auditing is the default when a new Oracle Database 12c database is created.
• Mixed mode auditing enables the use of:
– Pre–Oracle Database 12c auditing features
– Unified auditing features of Oracle Database 12c
• The recommendation from Oracle is to migrate to unified auditing.
• Query V$OPTION to determine if the database has been migrated to unified auditing:
SELECT value FROM v$option WHERE parameter = 'Unified Auditing'
Administering the Roles Required for Auditing
A user must be granted one of the following roles to perform auditing:
• AUDIT_ADMIN enables the user to:
– Create unified and fine-grained audit policies
– Execute the AUDIT and NOAUDIT SQL statements
– View audit data
– Manage the audit trail (table in the AUDSYS schema)
• AUDIT_VIEWER enables the user to:
– View and analyze audit data
Database Auditing: Overview
Understanding the Audit Architecture
Enabling Unified Auditing
1. In SQL*Plus, shut down the database instance:
SQL> SHUTDOWN IMMEDIATE
2. Shut down the listener:
$ lsnrctl stop
3. At the operating system prompt, relink the Oracle executable with unified auditing enabled:
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME
4. Restart the listener:
$ lsnrctl start
5. In SQL*Plus, restart the database instance:
SQL> STARTUP
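After the relink and restart, the check a DBA would run next is to confirm that unified auditing really is in effect and to see which of the default policies are already enabled. This is an added example, not part of the original lesson; it uses only Oracle's documented views and the 12.1 column names shown later in the lesson, and needs a session holding AUDIT_ADMIN or AUDIT_VIEWER.

```sql
-- Added example: verify that the instance now runs with unified auditing
-- and see which predefined unified audit policies are enabled.
-- Run as a user holding AUDIT_ADMIN or AUDIT_VIEWER.

-- 1. Pure unified auditing is in effect when this returns TRUE.
--    FALSE means the database is still in mixed mode, i.e. the relink
--    did not take effect (wrong ORACLE_HOME, or the old binary still running).
SELECT value AS unified_auditing
FROM   v$option
WHERE  parameter = 'Unified Auditing';

-- 2. Which default policies (ORA_SECURECONFIG and friends) are enabled,
--    for whom, and whether successes and/or failures are recorded.
SELECT policy_name, enabled_opt, user_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name LIKE 'ORA_%'
ORDER  BY policy_name;

-- 3. What ORA_SECURECONFIG actually audits: a mix of system privileges
--    and standard actions, so you know what is covered before adding
--    policies of your own.
SELECT audit_option_type, audit_option, object_schema, object_name
FROM   audit_unified_policies
WHERE  policy_name = 'ORA_SECURECONFIG'
ORDER  BY audit_option_type, audit_option;
```

If the first query returns FALSE while the make step reported success, the running server processes are still the old binary; repeat the shutdown, relink and startup before trusting any audit data.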
Configuring Auditing
Method                            Description
Unified audit policies            Group audit settings into a policy
Default unified audit policies    Three default policies: ORA_SECURECONFIG,
                                  ORA_DATABASE_PARAMETER_AUDIT, ORA_ACCOUNT_MGMT_AUDIT
Fine-grained audit policies       Define specific conditions that must be met for
                                  auditing to take place
Creating a Unified Audit Policy
• Use the CREATE AUDIT POLICY statement:
CREATE AUDIT POLICY select_emp_pol
ACTIONS select on hr.employees
• Use Enterprise Manager Cloud Control:
Creating an Audit Policy: System-Wide Audit Options
• System privileges:
CREATE AUDIT POLICY audit_syspriv_pol1
PRIVILEGES SELECT ANY TABLE, CREATE LIBRARY
• Actions:
CREATE AUDIT POLICY audit_actions_pol2
ACTIONS AUDIT, ALTER TRIGGER
• Roles:
CREATE AUDIT POLICY audit_role_pol3
ROLES mgr_role
• System privileges, actions, and roles:
CREATE AUDIT POLICY audit_mixed_pol4
PRIVILEGES DROP ANY TABLE
ACTIONS CREATE TABLE, DROP TABLE, TRUNCATE TABLE
ROLES emp_role
Creating an Audit Policy: Object-Specific Actions
Create audit policies based on object-specific options.
CREATE AUDIT POLICY audit_objpriv_pol5 ACTIONS SELECT, UPDATE, LOCK ON hr.employees
CREATE AUDIT POLICY audit_objpriv_pol6 ACTIONS ALL
(Note: turning on auditing for all actions on all tables is not recommended.)
CREATE AUDIT POLICY audit_objpriv_pol7 ACTIONS EXECUTE, GRANT ON hr.raise_salary_proc
Creating an Audit Policy: Specifying Conditions
• Condition and evaluation PER SESSION
• Condition and evaluation PER STATEMENT
• Condition and evaluation PER INSTANCE
CREATE AUDIT POLICY audit_mixed_pol5
ACTIONS RENAME ON hr.employees, ALTER ON hr.jobs
WHEN 'SYS_CONTEXT (''USERENV'', ''SESSION_USER'')=''JIM'''
EVALUATE PER SESSION
CREATE AUDIT POLICY audit_objpriv_pol6
ACTIONS ALTER ON OE.ORDERS
WHEN 'SYS_CONTEXT(''USERENV'',''CLIENT_IDENTIFIER'')=''OE'''
EVALUATE PER STATEMENT
CREATE AUDIT POLICY audit_objpriv_pol7
ROLES dba
WHEN 'SYS_CONTEXT(''USERENV'',''INSTANCE_NAME'')=''sales'''
EVALUATE PER INSTANCE
Enabling and Disabling Audit Policies
Enable audit policies:
• Apply to all users.
SQL> AUDIT POLICY audit_syspriv_pol1;
• Apply only to some users.
SQL> AUDIT POLICY audit_pol2 BY scott, oe;
SQL> AUDIT POLICY audit_pol3 BY sys;
• Exclude some users.
SQL> AUDIT POLICY audit_pol4 EXCEPT jim, george;
• Audit the recording based on failed or succeeded actions.
SQL> AUDIT POLICY audit_syspriv_pol1 WHENEVER SUCCESSFUL;
SQL> AUDIT POLICY audit_objpriv_pol2 WHENEVER NOT SUCCESSFUL;
SQL> AUDIT POLICY auditpol5 BY joe WHENEVER SUCCESSFUL;
Disable audit policies by using the NOAUDIT command.
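The following script walks one unified audit policy through its whole life: granting the roles from "Administering the Roles Required for Auditing", creating a policy with an object action and a condition, enabling it with EXCEPT, checking it in the dictionary views, reading the records it produces, and disabling it with NOAUDIT. It is an added example, not code from the lesson. It assumes the HR sample schema, and the accounts SECOFF, APP_AUDITOR and HR_BATCH, the policy name HR_SALARY_CHANGE_POL and the client identifier HR_PAYROLL_APP are constructed for the example.

```sql
-- Added example (not from the lesson): lifecycle of one unified audit policy.
-- Assumptions: HR schema exists; SECOFF, APP_AUDITOR and HR_BATCH are
-- pre-existing accounts; this script runs as SYSDBA or a DBA.

-- 1. Roles from the lesson: AUDIT_ADMIN manages policies and the trail,
--    AUDIT_VIEWER only reads it.
GRANT AUDIT_ADMIN  TO secoff;
GRANT AUDIT_VIEWER TO app_auditor;

-- 2. Audit salary changes on HR.EMPLOYEES unless the session identifies
--    itself as the payroll application. Pitfall handled: when no client
--    identifier is set, SYS_CONTEXT returns NULL and "NULL <> 'X'" is not
--    TRUE, so such sessions would silently escape; the IS NULL branch
--    catches them. PER STATEMENT, because DBMS_SESSION.SET_IDENTIFIER can
--    change the value mid-session; PER SESSION would freeze the first result.
CREATE AUDIT POLICY hr_salary_change_pol
  ACTIONS UPDATE ON hr.employees, DELETE ON hr.employees
  WHEN 'SYS_CONTEXT(''USERENV'',''CLIENT_IDENTIFIER'') IS NULL OR
        SYS_CONTEXT(''USERENV'',''CLIENT_IDENTIFIER'') <> ''HR_PAYROLL_APP'''
  EVALUATE PER STATEMENT;

-- 3. Enable for everyone except the batch account. With no WHENEVER clause
--    both successful and failed statements are recorded.
AUDIT POLICY hr_salary_change_pol EXCEPT hr_batch;

-- 4. Verify how it was enabled (12.1 column names, as in the lesson).
SELECT policy_name, enabled_opt, user_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'HR_SALARY_CHANGE_POL';

-- 5. Produce a record and read it back. In queued-write mode the record
--    may still sit in the SGA, so flush before querying.
UPDATE hr.employees SET salary = salary WHERE employee_id = 200;
ROLLBACK;    -- a rolled-back statement is still audited
BEGIN
  DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
END;
/
SELECT event_timestamp, dbusername, client_identifier, action_name,
       object_schema, object_name, return_code, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%HR_SALARY_CHANGE_POL%'
ORDER  BY event_timestamp DESC;

-- 6. Disable with the same BY/EXCEPT form used to enable, then drop.
--    DROP fails while the policy is still enabled for anyone.
NOAUDIT POLICY hr_salary_change_pol EXCEPT hr_batch;
DROP AUDIT POLICY hr_salary_change_pol;
```

Because CREATE AUDIT POLICY, AUDIT, NOAUDIT and DROP AUDIT POLICY are mandatorily audited, steps 2, 3 and 6 themselves appear in UNIFIED_AUDIT_TRAIL, which is how a reviewer later sees who switched the policy off.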
Altering a Unified Audit Policy
• Use the ALTER AUDIT POLICY statement:
ALTER AUDIT POLICY select_emp_pol
ADD ACTIONS select on hr.job_history
• Use Enterprise Manager Cloud Control:
Viewing Audit Policy Information
SQL> SELECT policy_name, audit_option, condition_eval_opt
2 FROM audit_unified_policies;
POLICY_NAME          AUDIT_OPTION     CONDITION_EVAL_OPT
-------------------- ---------------- ----------------
POL1                 DELETE           INSTANCE
POL2                 TRUNCATE TABLE   NONE
POL3                 RENAME           SESSION
POL4                 ALL ACTIONS      STATEMENT
SQL> SELECT policy_name, enabled_opt, user_name, success, failure
2 FROM audit_unified_enabled_policies;
POLICY_NAME          ENABLED_ USER_NAME  SUC FAI
-------------------- -------- ---------- --- ---
POL3                 BY       PM         NO  YES
POL2                 EXCEPT   SYSTEM     NO  YES
POL4                 BY       SYS        YES YES
POL6                 BY       ALL USERS  YES NO
Setting the Write Mode for Audit Trail Records
[Figure: flow of audit records, reconstructed from the slide labels]
Actions audited (examples): select * from hr.employees; create Database Vault realm; expdp, impdp, backup, recover.
Queued write: the audit records generated are placed in SGA in-memory queues and written to the read-only AUDSYS table later. If the instance crashes while records are still queued, those audit records are lost.
Immediate write: the audit records are immediately written to disk (the read-only AUDSYS table). No audit records are lost.
The write mode is set with DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY.
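The trade-off in the figure is configured with one DBMS_AUDIT_MGMT call. The script below, added here as an example rather than taken from the lesson, shows the current setting, switches the unified trail to immediate write, and shows how to go back to queued write while flushing the queues. The procedure and the constants are the documented 12.1 ones (queued write was the mode that could lose records; later releases removed it); the session needs AUDIT_ADMIN.

```sql
-- Added example (not from the lesson): inspect and set the unified audit
-- trail write mode. Requires AUDIT_ADMIN.
-- Queued write: records wait in SGA queues (fast, lost on instance crash).
-- Immediate write: every record goes straight to the AUDSYS table
-- (nothing lost, small per-statement overhead).

-- Current properties of the unified trail, write mode among them.
SELECT parameter_name, parameter_value
FROM   dba_audit_mgmt_config_params
WHERE  audit_trail = 'UNIFIED AUDIT TRAIL';

-- Make the trail lossless: the right setting wherever the audit record
-- is itself the compliance evidence.
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_property       => DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE,
    audit_trail_property_value => DBMS_AUDIT_MGMT.AUDIT_TRAIL_IMMEDIATE_WRITE);
END;
/

-- Back to queued write for throughput. Whenever queued mode is in use,
-- flush before running a report so recent records are not missed.
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    audit_trail_property       => DBMS_AUDIT_MGMT.AUDIT_TRAIL_WRITE_MODE,
    audit_trail_property_value => DBMS_AUDIT_MGMT.AUDIT_TRAIL_QUEUED_WRITE);
  DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
END;
/
```

Changing the property is done through DBMS_AUDIT_MGMT, and EXECUTE of that package is mandatorily audited, so the switch itself leaves a record.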
Value-Based Auditing
Fine-Grained Auditing
• Monitors data access on the basis of content
• Audits SELECT, INSERT, UPDATE, DELETE, and MERGE
• Can be linked to one or more columns in a table or view
• May execute a procedure
• Is administered with the DBMS_FGA package
[Figure: FGA policy AUDIT_EMPS_SALARY on the employees table, triggered by a statement such as:]
SELECT name, salary
FROM employees
WHERE department_id = 10;
FGA Policy
• Defines:
– Audit criteria
– Audit action
• Is created with DBMS_FGA.ADD_POLICY
Audited DML Statement: Considerations
• Records are audited if the FGA predicate is satisfied and the relevant columns are referenced.
• DELETE statements are audited regardless of columns specified.
• MERGE statements are audited with the underlying INSERT, UPDATE, and DELETE generated statements.
UPDATE hr.employees
SET salary = 1000
WHERE commission_pct = .2;
Not audited because none of the employees are in department 10
UPDATE hr.employees
SET salary = 1000
WHERE employee_id = 200;
Audited because the employee is in department
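The AUDIT_EMPS_SALARY policy from the slides, built end to end with DBMS_FGA.ADD_POLICY, together with the two UPDATE statements above and the query that shows which one left a record. This is an added example, not the lesson's code. It assumes the HR sample schema; the handler table SECOFF.FGA_HITS and procedure SECOFF.SALARY_HIT are constructed for the example, and the session needs AUDIT_ADMIN plus EXECUTE on DBMS_FGA.

```sql
-- Added example (not from the lesson): FGA policy with predicate, audited
-- column and an optional event handler. Assumptions: HR schema exists,
-- SECOFF is an existing account; table and procedure below are constructed.

CREATE TABLE secoff.fga_hits (
  hit_time    TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user     VARCHAR2(128),
  policy_name VARCHAR2(128),
  sql_text    VARCHAR2(4000)
);

-- Handler signature is fixed by DBMS_FGA: (object_schema, object_name,
-- policy_name). Autonomous transaction, so a ROLLBACK of the audited
-- DML cannot erase the handler's own record.
CREATE OR REPLACE PROCEDURE secoff.salary_hit (
  object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2)
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO secoff.fga_hits (db_user, policy_name, sql_text)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), policy_name,
          SYS_CONTEXT('USERENV', 'CURRENT_SQL'));   -- available inside FGA handlers
  COMMIT;
END;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'AUDIT_EMPS_SALARY',
    audit_condition   => 'department_id = 10',   -- predicate, checked per row touched
    audit_column      => 'SALARY',               -- only statements that reference it
    handler_schema    => 'SECOFF',
    handler_module    => 'SALARY_HIT',
    enable            => TRUE,
    statement_types   => 'SELECT,UPDATE,DELETE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,  -- ignored under pure unified auditing
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- Not audited: with the lesson's data, no employee matching this predicate
-- is in department 10, so the FGA condition is never satisfied.
UPDATE hr.employees SET salary = 1000 WHERE commission_pct = .2;
-- Audited: employee 200 is in department 10 and SALARY is referenced.
UPDATE hr.employees SET salary = 1000 WHERE employee_id = 200;
ROLLBACK;   -- undo the test changes; both audit records survive the rollback

-- FGA records land in the unified trail with FGA_POLICY_NAME set.
SELECT event_timestamp, dbusername, action_name, sql_text
FROM   unified_audit_trail
WHERE  fga_policy_name = 'AUDIT_EMPS_SALARY'
ORDER  BY event_timestamp DESC;

-- The handler's own copy, useful when the trail is purged on a short cycle.
SELECT hit_time, db_user, sql_text FROM secoff.fga_hits ORDER BY hit_time DESC;
```

A DELETE on the same row would be recorded even without the SALARY column in the statement, which is the rule stated in the second bullet above; audit_column_opts => DBMS_FGA.ALL_COLUMNS would instead require every listed column to be referenced before a SELECT or UPDATE is audited.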