show parameter audit    View the database's audit parameters
_transaction_auditing boolean TRUE
If TRANSACTION_AUDITING is TRUE, the transaction layer generates a special redo record which contains session and user information. This information includes the user logon name, user name, the session ID, some operating system information, and client information. On each successive commit, the transaction layer generates a record that contains only the session ID (which links back to the first record since it also contains the session ID). These records might be useful if using a redo log analysis tool.
If TRANSACTION_AUDITING is FALSE, no redo record will be generated.
audit_file_dest string /u01/app/oracle/admin/orcl/adump
Location of the audit files on the OS.
audit_sys_operations boolean TRUE
Whether to audit the SQL statements issued by the SYS user; used together with audit_syslog_level.
audit_syslog_level string USER.NOTICE
Enables auditing of the SYS user; combined with audit_sys_operations, it allows fine-grained SQL auditing.
This needs support from the OS:
Edit /etc/syslog.conf and add:
# About Oracle Syslog
user.notice /var/log/oracle_dbms
Use kill to signal the syslog daemon so that it reloads its configuration file:
ps -ef |grep syslogd
root 2963 1 0 08:59 ? 00:00:00 syslogd -m 0
kill -HUP 2963
Restart the database.
Check the audit records in /var/log/oracle_dbms. This file is owned by root, so the oracle user cannot read it.
audit_trail string db
Enables auditing of non-privileged users.
none or false
Disables database auditing.
os
Enables database auditing and directs all audit records to the operating system's audit trail.
db or true
Enables database auditing and directs all audit records to the database audit trail (the SYS.AUD$ table).
db_extended
Enables database auditing and directs all audit records to the database audit trail (the SYS.AUD$ table). In addition, populates the SQLBIND and SQLTEXT CLOB columns of the SYS.AUD$ table.
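Final notes!
Even when audit_trail is none, connect, startup and shutdown by privileged users are still audited; the records are placed in $ORACLE_HOME/rdbms/audit/.
syslog auditing only begins after the database has started.
Enabling audit_sys_operations produces more audit trail records and has a slight impact on performance.
When using the SYS privileged user for update and similar authorized operations, audit_sys_operations can be turned off.
If an attacker breaks into the Oracle database but has not cracked the root user's password, the audit file still cannot be modified.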
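
An added example, not part of the original post: a shell check that reads saved `show parameter audit` output and a syslog.conf and reports where they deviate from the setup described above. The function names, the saved-output file and the literal selector match are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example. Checks captured `show parameter audit` output and a syslog.conf
# against the setup described above. All sample data is constructed.

# param_value FILE NAME: print the VALUE column for parameter NAME.
param_value() {
    awk -v n="$2" 'tolower($1) == n { print $3 }' "$1"
}

# syslog_target CONF SELECTOR: print the file an active (uncommented) rule
# routes SELECTOR to. Assumption: the selector is matched literally.
syslog_target() {
    sel=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v s="$sel" '!/^[ \t]*#/ && tolower($1) == s { print $2 }' "$1"
}

# audit_findings PARAMS CONF: one finding per line; no output means no finding.
audit_findings() {
    trail=$(param_value "$1" audit_trail | tr 'A-Z' 'a-z')
    sysops=$(param_value "$1" audit_sys_operations | tr 'a-z' 'A-Z')
    level=$(param_value "$1" audit_syslog_level)
    case "$trail" in
        ''|none|false) echo "audit_trail is unset or disables database auditing" ;;
    esac
    [ "$sysops" = "TRUE" ] || echo "audit_sys_operations is not TRUE"
    if [ -z "$level" ]; then
        echo "audit_syslog_level is not set"
    elif [ -z "$(syslog_target "$2" "$level")" ]; then
        echo "no active syslog.conf rule for $level"
    fi
}

# Constructed sample: SYS auditing is off and the syslog rule is commented out.
demo() {
    d=$(mktemp -d)
    cat > "$d/params.txt" <<'EOF'
audit_sys_operations   boolean  FALSE
audit_syslog_level     string   USER.NOTICE
audit_trail            string   db
EOF
    cat > "$d/syslog.conf" <<'EOF'
# About Oracle Syslog
#user.notice /var/log/oracle_dbms
EOF
    audit_findings "$d/params.txt" "$d/syslog.conf"
    rm -rf "$d"
}
demo
```

An empty result from audit_findings means the saved parameters and the syslog.conf agree with the configuration shown on this page.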