Oracle Audit: dealing with an oversized AUD$ table

From Oracle 11g onward, database auditing is enabled by default (audit_trail=DB), so it is easy to forget about it until the SYSTEM tablespace fills up with SYS.AUD$. Turning auditing off entirely means changing audit_trail, which is a static parameter and therefore requires a database restart, and that is usually not allowed on a production system. The alternative is to find out which audit options produce the bulk of the records and cancel those individually with NOAUDIT, which takes effect immediately:
If AUD$ is large, first check which audited actions account for the space:
SQL> SELECT action_name, COUNT(*) FROM dba_audit_trail GROUP BY action_name ORDER BY 2 DESC;
Usually LOGON and LOGOFF dominate. To stop auditing successful logons (failed logons stay audited, which is the part worth keeping):
SQL> NOAUDIT SESSION WHENEVER SUCCESSFUL;
If the space used is not excessive it is better to keep this audit. Alternatively, cancel it only for accounts that log on constantly, such as the DBSNMP monitoring user:
SQL> NOAUDIT SESSION BY DBSNMP;
After cancelling the audit options, clean out sys.aud$. TRUNCATE releases the space immediately, whereas DELETE generates undo and redo for every row and leaves the segment at its high-water mark. Export or copy the rows you need to keep first, because truncated records are gone:
SQL> TRUNCATE TABLE sys.aud$;
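As an added example (not part of the original article), here is the triage described above carried through as one SQL*Plus script: measure the AUD$ segments, find which actions and users generate the rows and how fast, list the audit options that are actually switched on, cancel only the noisy ones, and keep a copy before truncating. It assumes a SYSDBA session on 11g with audit_trail=DB; the archive table name aud_archive and the 90-day cut-off are assumptions.

```sql
-- Added example, not from the original article: triage for an oversized
-- SYS.AUD$ that cancels only the noisiest audit options.
-- Assumes 11g-style default auditing (audit_trail=DB) and a SYSDBA session.

-- 1. How much space AUD$ really takes: the table, its two LOB segments
--    (SQLTEXT and SQLBIND, found via DBA_LOBS) and the index I_AUD1.
SELECT s.segment_name, s.segment_type, s.tablespace_name,
       ROUND(s.bytes / 1024 / 1024) AS mb
FROM   dba_segments s
WHERE  s.owner = 'SYS'
AND   (s.segment_name IN ('AUD$', 'I_AUD1')
       OR s.segment_name IN (SELECT l.segment_name
                             FROM   dba_lobs l
                             WHERE  l.owner = 'SYS' AND l.table_name = 'AUD$'));

-- 2. Which actions, and which users, generate the records.
SELECT action_name, username, COUNT(*) AS records
FROM   dba_audit_trail
GROUP  BY action_name, username
ORDER  BY records DESC;

-- 3. Daily growth over the last two weeks: how long the tablespace has left.
SELECT TRUNC(timestamp) AS day, COUNT(*) AS records
FROM   dba_audit_trail
WHERE  timestamp > SYSDATE - 14
GROUP  BY TRUNC(timestamp)
ORDER  BY day;

-- 4. Which statement and privilege audit options are switched on.
--    SUCCESS/FAILURE show BY SESSION, BY ACCESS or NOT SET for each case;
--    USER_NAME is NULL for options that apply to all users.
SELECT 'STMT' AS kind, user_name, audit_option AS option_name, success, failure
FROM   dba_stmt_audit_opts
UNION ALL
SELECT 'PRIV', user_name, privilege, success, failure
FROM   dba_priv_audit_opts
ORDER  BY 1, 3;

-- 5. Cancel only what is noisy.  Failed-logon auditing is kept on purpose:
--    it is the part of the trail that shows password guessing.
NOAUDIT SESSION WHENEVER SUCCESSFUL;
NOAUDIT SESSION BY DBSNMP;      -- monitoring account that logs on constantly

-- 6. Keep the rows you still need (assumed: last 90 days, table name
--    aud_archive in tablespace USERS), then release the space.
--    TRUNCATE cannot be undone.
CREATE TABLE system.aud_archive TABLESPACE users
AS SELECT * FROM dba_audit_trail WHERE timestamp > SYSDATE - 90;
TRUNCATE TABLE sys.aud$;
```

Run the steps one at a time rather than as a whole: steps 1 to 4 only read, steps 5 and 6 are the ones that change anything, and step 6 should only run once the option list from step 4 shows that the sources of growth are really gone.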


1. What auditing is

Auditing monitors the operations users perform in the database. Oracle writes the audit trail either to operating-system files (default location $ORACLE_BASE/admin/$ORACLE_SID/adump/) or to the database, in the SYS.AUD$ table in the SYSTEM tablespace, which can be queried through the DBA_AUDIT_TRAIL view. Before 11g, auditing was not enabled by default.
Regardless of whether database auditing is enabled, the following are always recorded in the operating-system audit files: connecting to the instance with administrator privileges (SYSDBA or SYSOPER), starting the database, and shutting the database down.

2. The two main audit parameters

audit_sys_operations:
Default FALSE. When TRUE, every operation performed by SYS (including users connected AS SYSDBA or AS SYSOPER) is recorded. These records are never written to AUD$, which is easy to understand: if the database has not been started, AUD$ is not available, so a connection such as conn / as sysdba can only be recorded somewhere else. On Windows the audit trail goes to the Windows event log; on Linux/UNIX it goes to files in the directory named by audit_file_dest.

audit_trail:
NONE: the default before 11g; no auditing.
DB: audit records are written to the audit tables in the database (AUD$). Each record identifies who did what, on which object and when, but does not include the SQL text or bind values.
DB,EXTENDED: as DB, but each record also stores the statement that was executed and its bind values (the SQLTEXT and SQLBIND columns of AUD$).
OS: audit records are written to operating-system files in the directory named by audit_file_dest.
XML: new in 10g; records are written as XML files (XML,EXTENDED adds the SQL text and binds).

Note: both parameters are static; the database must be restarted for a change to take effect.

3. Audit levels

When auditing is enabled, the database audits at three levels: statement, privilege and object.

Statement:
Auditing by statement. For example, AUDIT TABLE audits every CREATE TABLE, DROP TABLE and TRUNCATE TABLE in the database, and AUDIT SESSION BY cmy audits every database connection made by user cmy.

Privilege:
Auditing by privilege records each use of the audited system privilege. For example, after GRANT SELECT ANY TABLE TO a and AUDIT SELECT ANY TABLE, a query by user a against a table owned by user b (such as SELECT * FROM b.t) exercises SELECT ANY TABLE and is therefore audited. Note that a user does not need the privilege to read their own tables, so access to their own tables is not audited.

Object:
Auditing by object records only the listed operations on the named object, for example AUDIT ALTER, DELETE, DROP, INSERT ON cmy.t. Object auditing takes no BY user clause: the options always apply to every user's operations on that object, so the intention "audit cmy.t only when scott touches it" cannot be expressed with standard object auditing (fine-grained auditing, DBMS_FGA, can do it with an audit condition such as SYS_CONTEXT('USERENV','SESSION_USER') = 'SCOTT'). Note also that AUDIT ... ON object applies only to objects that already exist. For objects created later, Oracle provides the ON DEFAULT clause, which sets default audit options that are automatically applied to every object created afterwards, for example AUDIT DROP ON DEFAULT BY ACCESS. The default applies to all objects created in the database from then on; there is no way to restrict it to objects created by a particular user, so in this respect it is slightly less flexible than a DDL trigger.

4. Other audit options

BY ACCESS / BY SESSION:
With BY ACCESS, every audited operation generates its own audit record.
With BY SESSION, operations of the same type on the same object within one session generate a single record, so the trail grows more slowly. BY SESSION is the default. Note that from 11g Release 2 Oracle documents that BY SESSION, too, writes one record per audited statement for most statement types, so on current releases it no longer saves much space and Oracle recommends BY ACCESS.

WHENEVER [NOT] SUCCESSFUL:
WHENEVER SUCCESSFUL audits only operations that succeeded (RETURNCODE 0 in DBA_AUDIT_TRAIL);
WHENEVER NOT SUCCESSFUL audits only operations that failed (RETURNCODE holds the ORA error number). If the clause is omitted, the operation is audited whether or not it succeeds.
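As an added example (not part of the original article), the following SQL*Plus script exercises the three audit levels from section 3 together with the BY ACCESS and WHENEVER NOT SUCCESSFUL options from section 4, and then reads the resulting records back with their RETURNCODE and PRIV_USED. It assumes audit_trail=DB,EXTENDED, a SYSDBA session, and that the users A and B with the passwords shown do not already exist; all of those names are assumptions.

```sql
-- Added example, not from the original article.  Assumes audit_trail is
-- DB,EXTENDED, a SYSDBA session, and that users A and B are free to create.
CREATE USER a IDENTIFIED BY a_pwd QUOTA UNLIMITED ON users;
CREATE USER b IDENTIFIED BY b_pwd QUOTA UNLIMITED ON users;
GRANT CREATE SESSION, CREATE TABLE TO a, b;
GRANT SELECT ANY TABLE TO a;

-- Statement level: every CREATE/DROP/TRUNCATE TABLE, but only by user B.
AUDIT TABLE BY b BY ACCESS;
-- Privilege level: every use of SELECT ANY TABLE, one record per statement.
AUDIT SELECT ANY TABLE BY ACCESS;

-- Object level needs an existing object, so create B's table first.
CONNECT b/b_pwd
CREATE TABLE t (id NUMBER);
INSERT INTO t VALUES (1);
COMMIT;
CONNECT / AS SYSDBA
-- Only failed DELETEs against B.T; successful ones are not recorded.
AUDIT DELETE ON b.t WHENEVER NOT SUCCESSFUL;

CONNECT a/a_pwd
CREATE TABLE t (id NUMBER);     -- not audited: AUDIT TABLE was set BY b
SELECT * FROM t;                -- own table, SELECT ANY TABLE not used: no record
SELECT * FROM b.t;              -- exercises the privilege: audited with PRIV_USED
DELETE FROM b.t;                -- fails (ORA-01031): audited by the object option
CONNECT b/b_pwd
DELETE FROM t;                  -- succeeds: not audited (WHENEVER NOT SUCCESSFUL)
ROLLBACK;

CONNECT / AS SYSDBA
COLUMN username    FORMAT a8
COLUMN owner       FORMAT a6
COLUMN obj_name    FORMAT a8
COLUMN action_name FORMAT a12
COLUMN priv_used   FORMAT a18
COLUMN sql_text    FORMAT a30
SELECT username, owner, obj_name, action_name, priv_used, returncode, sql_text
FROM   dba_audit_trail
WHERE  username IN ('A', 'B')
ORDER  BY timestamp;

-- Clean up: remove the audit options and the demo users.
NOAUDIT TABLE BY b;
NOAUDIT SELECT ANY TABLE;
NOAUDIT DELETE ON b.t;
DROP USER a CASCADE;
DROP USER b CASCADE;
```

The query at the end is the check worth keeping: PRIV_USED distinguishes an access that went through a system privilege from one that used an object grant, and a non-zero RETURNCODE on a row that is otherwise identical to a successful one is how a failed attempt shows up in the trail.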

5. Audit-related views

dba_audit_trail: holds the entire audit trail; it is simply a view over AUD$. The views dba_audit_session, dba_audit_object and dba_audit_statement are subsets of dba_audit_trail.
dba_stmt_audit_opts: shows the statement-level audit options in effect, that is, which statement audits the database has enabled. dba_obj_audit_opts and dba_priv_audit_opts do the same for object and privilege auditing.
all_def_audit_opts: shows the default object audit options set with the ON DEFAULT clause.

6. Cancelling an audit

Every AUDIT statement has a matching NOAUDIT statement that cancels it; for example, the audit set with audit session whenever successful is cancelled with noaudit session whenever successful. The NOAUDIT must match the scope of the AUDIT: an option that was set BY user appears in DBA_STMT_AUDIT_OPTS with that USER_NAME and is removed with NOAUDIT ... BY user, so check the view afterwards to confirm the option row has really gone.

7. Auditing in Oracle 10g

Oracle Database 10g can capture user activity at a very detailed level, which removes the need for hand-written, trigger-based auditing.
Suppose user Joe has permission to update a table and changes one row like this:
UPDATE scott.emp SET salary = 12000 WHERE empno = 123456;
How do you track this in the database? In Oracle 9i and earlier, standard auditing captured only who did something, not what they did. It would tell you that Joe updated SCOTT.EMP, but not that he changed the salary column of employee 123456, and certainly not the value the column held before the change. To capture changes at that level you had to write your own triggers to record the old values, or use LogMiner to dig them out of the archived redo logs.
Fine-grained auditing (FGA), introduced in Oracle 9i, records the SCN and the statement, which together with flashback query allows the old data to be reconstructed, but in 9i it applied only to SELECT statements, not to DML such as UPDATE, INSERT and DELETE. So for releases before 10g, row-level triggers were an unattractive way to track who changed what, but the only reliable one. In 10g, FGA was extended to cover INSERT, UPDATE and DELETE as well.
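As an added example (not part of the original article), this is the update from the passage above tracked with fine-grained auditing instead of a trigger: a DBMS_FGA policy that fires only when the salary column is changed, the records it produces, and a flashback query at the recorded SCN to recover the value before the change. It assumes 10g or later, a table scott.emp with columns empno and salary as in the article's example (the stock demo schema calls the column SAL), and a user joe with UPDATE on it; the policy name EMP_SALARY_CHANGES is an assumption.

```sql
-- Added example, not from the original article.  Assumes 10g or later
-- (FGA on DML), scott.emp with columns empno and salary, a user joe with
-- UPDATE on it, and a SYSDBA session for everything except Joe's update.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'SCOTT',
    object_name     => 'EMP',
    policy_name     => 'EMP_SALARY_CHANGES',            -- assumed name
    audit_condition => NULL,                            -- NULL: every row qualifies
    audit_column    => 'SALARY',                        -- fire only if SALARY is touched
    statement_types => 'UPDATE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED, -- keep SQL text and binds
    enable          => TRUE);
END;
/

-- Joe's change, run as joe:
UPDATE scott.emp SET salary = 12000 WHERE empno = 123456;
COMMIT;

-- What the FGA trail recorded: who, from where, the statement, and the
-- SCN at which it ran.  An UPDATE of another column produces no row.
SELECT db_user, os_user, userhost, scn, sql_text, sql_bind
FROM   dba_fga_audit_trail
WHERE  policy_name = 'EMP_SALARY_CHANGES'
ORDER  BY timestamp;

-- The SCN is what replaces the "old value" trigger.  The statement ran at
-- that SCN and committed later, so the row as of that SCN is the pre-update
-- version.  This only works while undo still covers the SCN (undo_retention).
VARIABLE scn NUMBER
BEGIN
  SELECT MIN(scn) INTO :scn
  FROM   dba_fga_audit_trail
  WHERE  policy_name = 'EMP_SALARY_CHANGES';
END;
/
SELECT empno, salary AS salary_before
FROM   scott.emp AS OF SCN :scn
WHERE  empno = 123456;

-- Remove the policy when the demonstration is over.
BEGIN
  DBMS_FGA.DROP_POLICY(object_schema => 'SCOTT',
                       object_name   => 'EMP',
                       policy_name   => 'EMP_SALARY_CHANGES');
END;
/
```

Two points of practice: audit_column keeps the policy from firing on every UPDATE of the table, which is what keeps FGA_LOG$ from growing the way AUD$ does, and the flashback step must be done promptly, because once undo for that SCN has been overwritten the old value is only recoverable from LogMiner or backups.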

8. Worked example

8.1 Enable auditing

sqlplus / as sysdba

SQL> show parameter audit
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/ORCL/adump
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string
audit_trail                          string      NONE

SQL> alter system set audit_sys_operations=TRUE scope=spfile;    -- audit administrative users (logins as SYSDBA/SYSOPER)
SQL> alter system set audit_trail=db,extended scope=spfile;
SQL> startup force;
SQL> show parameter audit
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/ORCL/adump
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string
audit_trail                          string      DB, EXTENDED         

8.2 Start auditing

sqlplus / as sysdba
SQL> audit all on u_test.t_test;     -- qualify the object: as SYS, plain t_test would mean SYS.T_TEST
SQL> conn u_test
SQL> select * from t_test;
SQL> insert into u_test.t_test (c2,c5) values ('test1','2');
SQL> commit;
SQL> delete from u_test.t_test;
SQL> commit;
SQL> conn / as sysdba
SQL> col DEST_NAME format a30
SQL> col OS_USERNAME format a15
SQL> col USERNAME format a15
SQL> col USERHOST format a15
SQL> col TERMINAL format a15
SQL> col OBJ_NAME format a30
SQL> col SQL_TEXT format a60
SQL> select OS_USERNAME,username,USERHOST,TERMINAL,TIMESTAMP,OWNER,obj_name,ACTION_NAME,sessionid,os_process,sql_text from dba_audit_trail;

SQL> audit select table by u_test by access;
If BY user is added, only statements issued by that user are audited; if it is omitted, statements of all users are audited (except SYS, whose activity is governed by audit_sys_operations).

Examples:
AUDIT DELETE ANY TABLE;                            -- audit every use of the DELETE ANY TABLE privilege
AUDIT DELETE ANY TABLE WHENEVER NOT SUCCESSFUL;    -- audit only failed attempts
AUDIT DELETE ANY TABLE WHENEVER SUCCESSFUL;        -- audit only successful ones
AUDIT DELETE, UPDATE, INSERT ON user.table;        -- object audit of DELETE, UPDATE and INSERT on user.table; applies to every user, because object auditing has no BY user clause

8.3 Cancel the audit
SQL> noaudit all on u_test.t_test;

9. Audit statements

Auditing in a multi-tier environment (appserve is the application-server proxy user, jackson the client user it connects on behalf of):
AUDIT SELECT TABLE BY appserve ON BEHALF OF jackson;

Audit connects and disconnects:
AUDIT SESSION;
AUDIT SESSION BY jeff, lori;    -- only the named users

Audit privileges and statement options (use of a privilege, or of a class of statement, to perform an operation; the last line uses statement options, not system privileges):
AUDIT DELETE ANY TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;
AUDIT DELETE ANY TABLE;
AUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE BY ACCESS WHENEVER NOT SUCCESSFUL;

Object auditing:
AUDIT DELETE ON jeff.emp;
AUDIT SELECT, INSERT, DELETE ON jward.dept BY ACCESS WHENEVER SUCCESSFUL;

Cancel auditing:
NOAUDIT SESSION;
NOAUDIT SESSION BY jeff, lori;
NOAUDIT DELETE ANY TABLE;
NOAUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE;
NOAUDIT ALL;               -- cancel all statement auditing
NOAUDIT ALL PRIVILEGES;    -- cancel all privilege auditing
NOAUDIT ALL ON DEFAULT;    -- cancel the default object audit options; options already set on existing objects stay in place

10. Clearing audit records

DELETE FROM sys.aud$;
DELETE FROM sys.aud$ WHERE obj$name = 'EMP';

DELETE generates undo and redo for every row and does not lower the table's high-water mark, so it is the right tool for removing a subset of records (the second statement). To empty the table and release its space, use TRUNCATE TABLE sys.aud$ instead, after saving whatever must be retained.

11. Audit views

STMT_AUDIT_OPTION_MAP - auditing option type codes
AUDIT_ACTIONS - action codes
ALL_DEF_AUDIT_OPTS - default object audit options applied to objects when they are created
DBA_STMT_AUDIT_OPTS - current system-wide statement auditing options
DBA_PRIV_AUDIT_OPTS - privilege auditing options
DBA_OBJ_AUDIT_OPTS, USER_OBJ_AUDIT_OPTS - object auditing options
DBA_AUDIT_TRAIL, USER_AUDIT_TRAIL - audit records
DBA_AUDIT_OBJECT, USER_AUDIT_OBJECT - audit records for schema objects
DBA_AUDIT_SESSION, USER_AUDIT_SESSION - session (logon/logoff) audit records
DBA_AUDIT_STATEMENT, USER_AUDIT_STATEMENT - statement audit records
DBA_AUDIT_EXISTS - records produced by the AUDIT EXISTS and AUDIT NOT EXISTS options
DBA_AUDIT_POLICIES - fine-grained audit policies
DBA_COMMON_AUDIT_TRAIL - standard audit trail and fine-grained audit trail combined

12. Moving the audit table out of the SYSTEM tablespace

SYS.AUD$ contains two LOB columns (SQLTEXT and SQLBIND), so a plain ALTER TABLE ... MOVE is not enough: the LOB segments have to be moved separately, and the index must be rebuilt afterwards because the move invalidates it. The procedure is:
ALTER TABLE sys.aud$ MOVE TABLESPACE users;
ALTER TABLE sys.aud$ MOVE LOB(sqlbind) STORE AS (TABLESPACE users);
ALTER TABLE sys.aud$ MOVE LOB(sqltext) STORE AS (TABLESPACE users);
ALTER INDEX sys.i_aud1 REBUILD TABLESPACE users;
Do this in a window when nothing is being audited, since the moves lock the table, and check DBA_SEGMENTS afterwards to confirm that all four segments (table, two LOBs, index) have left SYSTEM. From 11g Release 2 onward, Oracle provides DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION as the supported way to relocate AUD$, which handles the LOBs and the index itself.
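As an added example (not part of the original article), this script does what sections 10 and 12 above do by hand, using the DBMS_AUDIT_MGMT package that Oracle ships from 11g Release 2: it relocates AUD$ (table, LOBs and index) into a dedicated tablespace, purges records older than an archive timestamp instead of deleting or truncating the whole table, and schedules the purge so SYSTEM does not fill up again. It assumes 11.2 or later, a SYSDBA session, an existing tablespace AUDIT_TS created for the purpose, and a 90-day retention; the tablespace and job names are assumptions.

```sql
-- Added example, not from the original article.  Assumes 11g Release 2 or
-- later, a SYSDBA session, an existing tablespace AUDIT_TS, and that the
-- records older than 90 days have already been exported or copied.

-- 1. Move AUD$ (table, its LOB segments and index) out of SYSTEM in one call.
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_location_value => 'AUDIT_TS');
END;
/

-- 2. One-off initialisation of the cleanup infrastructure.  Done after
--    step 1 on purpose: INIT_CLEANUP moves an AUD$ that still sits in
--    SYSTEM to SYSAUX, which is not where we want it.
BEGIN
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
      default_cleanup_interval => 24);   -- hours
  END IF;
END;
/

-- 3. Record the point up to which records have been archived, then purge
--    only records older than that.  AUD$ stores timestamps in UTC, so the
--    cut-off is passed in UTC as well.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYS_EXTRACT_UTC(SYSTIMESTAMP - INTERVAL '90' DAY));
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    use_last_arch_timestamp => TRUE);    -- FALSE would wipe the whole trail
END;
/

-- 4. Schedule the same purge daily so the table never fills SYSTEM again.
BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_purge_interval => 24,                       -- hours
    audit_trail_purge_name     => 'AUD_STD_DAILY_PURGE',    -- assumed name
    use_last_arch_timestamp    => TRUE);
END;
/

-- Verify: the segments now live in AUDIT_TS and the archive timestamp is set.
SELECT segment_name, segment_type, tablespace_name
FROM   dba_segments
WHERE  owner = 'SYS'
AND   (segment_name IN ('AUD$', 'I_AUD1')
       OR segment_name IN (SELECT segment_name FROM dba_lobs
                           WHERE owner = 'SYS' AND table_name = 'AUD$'));
SELECT audit_trail, last_archive_ts FROM dba_audit_mgmt_last_arch_ts;
```

The scheduled job only ever deletes up to the last archive timestamp, so whatever process exports the trail has to call SET_LAST_ARCHIVE_TIMESTAMP after each successful export; if it does not, the purge job quietly keeps everything and AUD$ grows again.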

Source: www.cnblogs.com/lcword/p/11779720.html