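Oracle: auditing SYS operations to the operating system syslog
阿新 • Published: 2019-01-02
This walkthrough uses a Linux system as the example.
1. Check the current database version and status
SQL> select * from v$version;
BANNER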
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
PL/SQL Release 11.2.0.4.0 - Production
CORE 11.2.0.4.0 Production
TNS for Linux: Version 11.2.0.4.0 - Production
NLSRTL Version 11.2.0.4.0 - Production
SQL> select dbid,name,open_mode from v$database;
DBID NAME OPEN_MODE
---------- --------- --------------------
1435632369 ORCL READ WRITE
2. Check the default audit settings
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/orcl/adu
mp
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB
3. Change the following parameters so that SYS operations are recorded in /var/log/messages
SQL> alter system set audit_syslog_level='USER.NOTICE' scope=spfile;
System altered.
SQL> alter system set audit_sys_operations=TRUE scope=spfile;
System altered.
SQL> alter system set audit_trail=none scope=spfile;
System altered.
SQL> startup force   --- Strictly forbidden in production (strongly recommended: use shutdown immediate, then startup)
ORACLE instance started.
Total System Global Area 413372416 bytes
Fixed Size 2253784 bytes
Variable Size 327158824 bytes
Database Buffers 79691776 bytes
Redo Buffers 4268032 bytes
Database mounted.
Database opened.
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/orcl/adu
mp
audit_sys_operations boolean TRUE
audit_syslog_level string USER.NOTICE
audit_trail string NONE
ID
----------
2
1
3
4. Test results
(1) Running the query select * from test.t1; on the server produces the following entries in /var/log/messages:
Apr 21 15:41:54 db Oracle Audit[7156]: LENGTH : '174' ACTION :[21] 'select * from test.t1' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/0' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:32 db Oracle Audit[7264]: LENGTH : '159' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:32 db Oracle Audit[7264]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:32 db Oracle Audit[7264]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:35 db Oracle Audit[7264]: LENGTH : '174' ACTION :[21] 'alter system register' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/2' STATUS:[1] '0' DBID:[10] '1435632369'
(2) Connecting from PL/SQL Developer as sys as sysdba produces the following entries in /var/log/messages:
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '158' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '254' ACTION :[101] 'select length(chr(2000000000)) l4, length(chr(2000000)) l3, length(chr(20000)) l2, 'c' c1 from dual ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '197' ACTION :[45] 'select lengthb(nchr(20)), nchr(20) from dual ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '176' ACTION :[24] 'select * from v$version ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '175' ACTION :[23] 'begin :n := user; end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '293' ACTION :[138] 'select grantee, name from sys.plsqldev_authorization where grantee in (user, 'PUBLIC') or grantee in (select role from sys.session_roles) ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[3] '942' DBID:[10] '1435632369'
Apr 21 15:42:52 db Oracle Audit[7270]: LENGTH : '158' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '174' ACTION :[22] 'select null from dual ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '230' ACTION :[78] 'begin sys.dbms_application_info.set_module('PL/SQL Developer', :action); end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '228' ACTION :[76] 'select value from v$nls_parameters where parameter = 'NLS_LENGTH_SEMANTICS' ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:52 db Oracle Audit[7270]: LENGTH : '305' ACTION :[152] 'select object_name, object_type from sys.user_objects o where o.object_type in ('TABLE', 'VIEW', 'PACKAGE','TYPE', 'PROCEDURE', 'FUNCTION', 'SEQUENCE') ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '235' ACTION :[83] 'select value from sys.nls_database_parameters where parameter = 'NLS_CHARACTERSET' ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:42:53 db Oracle Audit[7270]: LENGTH : '439' ACTION :[286] 'select s.synonym_name object_name, o.object_type from sys.all_synonyms s, sys.all_objects o where s.owner in ('PUBLIC', user) and o.owner = s.table_owner and o.object_name = s.table_name and o.object_type in ('TABLE', 'VIEW', 'PACKAGE','TYPE', 'PROCEDURE', 'FUNCTION', 'SEQUENCE') ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
(3) Running the query select * from test.t1; in PL/SQL Developer produces the following entries in /var/log/messages:
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '158' ACTION :[7] 'CONNECT' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '174' ACTION :[22] 'select null from dual ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '254' ACTION :[101] 'select length(chr(2000000000)) l4, length(chr(2000000)) l3, length(chr(20000)) l2, 'c' c1 from dual ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '197' ACTION :[45] 'select lengthb(nchr(20)), nchr(20) from dual ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '230' ACTION :[78] 'begin sys.dbms_application_info.set_module('PL/SQL Developer', :action); end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '223' ACTION :[71] 'select sid, serial# from v$session where audsid = userenv('SESSIONID') ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:15 db Oracle Audit[7279]: LENGTH : '267' ACTION :[114] 'begin if :enable = 0 then sys.dbms_output.disable; else sys.dbms_output.enable(:size); end if; end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:15 db Oracle Audit[7268]: LENGTH : '200' ACTION :[48] 'select name from v$statname order by statistic# ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:16 db Oracle Audit[7268]: LENGTH : '217' ACTION :[65] 'select value from v$sesstat where sid = :sid order by statistic# ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:16 db Oracle Audit[7279]: LENGTH : '213' ACTION :[61] 'begin :id := sys.dbms_transaction.local_transaction_id; end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:16 db Oracle Audit[7279]: LENGTH : '174' ACTION :[22] 'select * from test.t1 ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:16 db Oracle Audit[7279]: LENGTH : '213' ACTION :[61] 'begin :id := sys.dbms_transaction.local_transaction_id; end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:16 db Oracle Audit[7268]: LENGTH : '217' ACTION :[65] 'select value from v$sesstat where sid = :sid order by statistic# ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
Apr 21 15:43:16 db Oracle Audit[7279]: LENGTH : '225' ACTION :[73] 'begin sys.dbms_output.get_line(line => :line, status => :status); end; ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'
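Every quoted value in the records above is preceded by a length prefix ([n]), which matters when parsing because the SQL text in ACTION can itself contain single quotes. The Python parser below is an added example, not part of the original post; it reads three lines copied from the excerpts in section 4, and the review() filter and its criteria are illustrative assumptions.

```python
import re

HEADER = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) Oracle Audit\[(\d+)\]: (.*)$")
FIELD = re.compile(r"([A-Z][A-Z ]*?) ?:\[(\d+)\] '")

# Three lines copied from the log excerpts in section 4 of this page.
SAMPLE = [
    "Apr 21 15:41:54 db Oracle Audit[7156]: LENGTH : '174' ACTION :[21] 'select * from test.t1' "
    "DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' "
    "CLIENT TERMINAL:[5] 'pts/0' STATUS:[1] '0' DBID:[10] '1435632369'",
    "Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '158' ACTION :[7] 'CONNECT' "
    "DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[3] 'l&k' "
    "CLIENT TERMINAL:[5] 'ORAPC' STATUS:[1] '0' DBID:[10] '1435632369'",
    "Apr 21 15:42:52 db Oracle Audit[7268]: LENGTH : '293' ACTION :[138] 'select grantee, name "
    "from sys.plsqldev_authorization where grantee in (user, 'PUBLIC') or grantee in "
    "(select role from sys.session_roles) ' DATABASE USER:[3] 'SYS' PRIVILEGE :[6] 'SYSDBA' "
    "CLIENT USER:[3] 'l&k' CLIENT TERMINAL:[5] 'ORAPC' STATUS:[3] '942' DBID:[10] '1435632369'",
]

def parse(line):
    """Return a dict for one Oracle Audit syslog line, or None for any other line."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"time": m.group(1), "host": m.group(2), "pid": int(m.group(3))}
    body, pos = m.group(4), 0
    while (f := FIELD.search(body, pos)):
        start, n = f.end(), int(f.group(2))
        # Take exactly n characters instead of scanning for the next quote:
        # the SQL text may contain ' itself. Assumes single-byte text, where
        # the prefix equals the character count.
        if body[start + n:start + n + 1] != "'":
            raise ValueError(f"length mismatch in field {f.group(1)!r}")
        rec[f.group(1)] = body[start:start + n]
        pos = start + n + 1
    return rec

def review(lines):
    """Illustrative filter: keep CONNECT events and statements with non-zero STATUS."""
    recs = [r for r in map(parse, lines) if r]
    return [r for r in recs if r["ACTION"] == "CONNECT" or r["STATUS"] != "0"]

if __name__ == "__main__":
    for r in review(SAMPLE):
        print(r["time"], r["CLIENT USER"], r["CLIENT TERMINAL"], r["STATUS"], r["ACTION"])
```
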
5. Notes
Because this setting makes the messages log grow quickly, real-time monitoring of file system usage is recommended.