看一下Oracle的審計功能（包括FGA細粒度審計）能給我們帶來些什麼的強悍效果。
我將通過這個小文兒向您展示一下Oracle很牛的審計功能。Follow me. 
1.使用審計，需要先啟用審計功能
1）檢視系統中預設的與審計相關的引數設定
[email protected]> conn / as sysdba
Connected.
[email protected]> show parameter audit
NAME                  TYPE      VALUE
--------------------- --------- --------------------------------------
audit_file_dest       string    /oracle/app/oracle/admin/ora10g/adump
audit_sys_operations  boolean   FALSE
audit_syslog_level    string
audit_trail           string    NONE
2）對上面所列的引數進行一下解釋
（1）AUDIT_FILE_DEST = 路徑
指示出審計的檔案存放的路徑資訊，我們這裡顯示的是“/oracle/app/oracle/admin/ora10g/adump”
不管開啟還是不開啟審計功能，這個目錄項都會記錄以sysdba身份的每次登入資訊，有興趣的朋友可以到這個目錄中檢視一下。
例如：
$ cat ora_9915.aud
Audit file /oracle/app/oracle/admin/ora10g/adump/ora_9915.aud
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP and Data Mining Scoring Engine options
ORACLE_HOME = /oracle/app/oracle/product/10.2.0/db_1
System name:    Linux
Node name:      testdb183
Release:        2.6.18-128.el5
Version:        #1 SMP Wed Dec 17 11:41:38 EST 2008
Machine:        x86_64
Instance name: ora10g
Redo thread mounted by this instance: 1
Oracle process number: 13
Unix process pid: 9915, image: 

[email protected] (TNS V1-V3)
Wed Aug 26 19:24:11 2009
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/1
STATUS: 0
（2）audit_sys_operations
預設值是FALSE，如果開啟審計功能，這個引數需要修改為TRUE。
（3）audit_syslog_level
       語句：指定審計語句或特定型別的語句組，象審計表的語句 CREATE TABLE, TRUNCATE TABLE, COMMENT ON TABLE, and DELETE [FROM] TABLE
       許可權：使用審計語句指定系統許可權，象AUDIT CREATE ANY TRIGGER
       物件：在指定物件上指定審計語句，象ALTER TABLE on the emp table
（4）AUDIT_TRAIL = NONE|DB|OS
        DB--審計資訊記錄到資料庫中
        OS--審計資訊記錄到作業系統檔案中
        NONE--關閉審計（預設值）
3）修改引數audit_sys_operations為“TRUE”，開啟審計的功能

[email protected]> alter system set audit_sys_operations=TRUE scope=spfile;
System altered.
4）修改引數audit_trail為“db”，審計資訊記錄到資料庫中
[email protected]> alter system set audit_trail=db scope=spfile;
System altered.
5）注意，到這裡如果需要使這些引數生效，必須重新啟動一下資料庫
[email protected]> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.

[email protected]> startup;
ORACLE instance started.
Total System Global Area 1073741824 bytes
Fixed Size                  2078264 bytes
Variable Size             293603784 bytes
Database Buffers          771751936 bytes
Redo Buffers                6307840 bytes
Database mounted.
Database opened.
6）驗證一些引數修改後的結果，這裡顯示已經修改完成
[email protected]> show parameter audit;
NAME                  TYPE     VALUE
--------------------- -------- --------------------------------------
audit_file_dest       string   /oracle/app/oracle/admin/ora10g/adump
audit_sys_operations  boolean  TRUE
audit_syslog_level    string
audit_trail           string   DB
2.開啟了審計功能後，這裡有一個有趣的效果，就是所有sysdba許可權下的操作都會被記錄到這個/oracle/app/oracle/admin/ora10g/adump審計目錄下。這也是為什麼開啟了審計功能後會存在一些開銷和風險。
1）假如我們在sysdba許可權使用者下執行下面三條命令
[email protected]> alter session set nls_date_format='yyyy-mm-dd hh24:mi:ss';
Session altered.
[email protected]> select * From dual;
D
-
X
[email protected]> show parameter spfile
NAME   TYPE   VALUE
------ ------ ------------------------------------------------------------
spfile string /oracle/app/oracle/product/10.2.0/db_1/dbs/spfileora10g.ora
2）使用tail命令可以看到在相應的trace檔案中有如下的詳細記錄資訊，有點意思的發現，可以看到“show parameter spfile”命令背後真正執行了什麼樣的SQL語句
Wed Aug 26 20:04:03 2009
ACTION : 'alter session set nls_date_format='yyyy-mm-dd hh24:mi:ss''
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
Wed Aug 26 20:04:03 2009
ACTION : 'BEGIN DBMS_OUTPUT.GET_LINES(:LINES, :NUMLINES); END;'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
Wed Aug 26 20:04:16 2009
ACTION : 'select * From dual'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
Wed Aug 26 20:04:16 2009
ACTION : 'BEGIN DBMS_OUTPUT.GET_LINES(:LINES, :NUMLINES); END;'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
Wed Aug 26 20:07:21 2009
ACTION : 'SELECT NAME NAME_COL_PLUS_SHOW_PARAM,DECODE(TYPE,1,'boolean',2,'string',3,'integer',4,'file',5,'number',        6,'big integer', 'unknown') TYPE,DISPLAY_VALUE VALUE_COL_PLUS_SHOW_PARAM FROM V$PARAMETER WHERE UPPER(NAME) LIKE UPPER('%spfile%') ORDER BY NAME_COL_PLUS_SHOW_PARAM,ROWNUM'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
3.演示一下對sec使用者的t_audit表delete操作的審計效果
1）表t_audit資訊如下
[email protected]> select * from t_audit order by 1;
         X
----------
         1
         2
         3
         4
         5
         6
6 rows selected.
2）這裡僅僅開啟對錶t_audit的delete操作的審計
[email protected]> audit delete on t_audit;
Audit succeeded.
3）檢視審計設定可以通過查詢dba_obj_audit_opts檢視來完成
[email protected]> select OWNER,OBJECT_NAME,OBJECT_TYPE,DEL,INS,SEL,UPD from dba_obj_audit_opts;
OWNER  OBJECT_NAME  OBJECT_TYPE  DEL       INS       SEL       UPD
------ ------------ ------------ --------- --------- --------- ---------
SEC    T_AUDIT      TABLE        S/S       -/-       -/-       -/-
4）嘗試插入資料
[email protected]> insert into t_audit values (7);
1 row created.
5）因為我們沒有對insert語句進行審計，所以沒有審計資訊可以得到
[email protected]> select count(*) from dba_audit_trail;
  COUNT(*)
----------
         0
6）再嘗試delete操作
[email protected]> delete from t_audit where x=1;
1 row deleted.
7）不出所料，delete操作被資料庫捕獲
這裡可以通過查詢dba_audit_trail檢視或者sys.aud$檢視得到詳細的審計資訊，這種審計方法可以得到操作的時間，操作使用者等較粗的資訊（相對後面介紹的細粒度審計來說）
[email protected]> select count(*) from dba_audit_trail;
  COUNT(*)
----------
         1
select * from dba_audit_trail;
select * from sys.aud$;
4.如想要取消對錶t_audit的全部審計，需要使用手工方式來完成
[email protected]> noaudit all on t_audit;
Noaudit succeeded.
通過查詢dba_obj_audit_opts檢視，確認確實已經取消的審計
[email protected]> select * from dba_obj_audit_opts;
no rows selected
5.【FGA】【細粒度審計】上面得到的審計資訊是較粗的，我們進一步演示一下“細粒度審計FGA”的效果：可以通過FGA得到操作的SQL語句級別的資訊
1）細粒度審計t_audit表上的增刪改查的一切操作
[email protected]> conn / as sysdba
Connected.
[email protected]> exec dbms_fga.add_policy(object_schema=>'SEC', object_name=> 't_audit', policy_name=> 'check_t_audit',statement_types => 'INSERT, UPDATE, DELETE, SELECT');
PL/SQL procedure successfully completed.
2）對t_audit表增刪改查操作一番
[email protected]> conn sec/sec
Connected.
[email protected]> select * from t_audit;
         X
----------
         2
         3
         4
         5
         6
         7
6 rows selected.
[email protected]> delete from t_audit where x=5;
1 row deleted.
[email protected]> update t_audit set x=8 where x=7;
1 row updated.
[email protected]> insert into t_audit values (1);
1 row created.
[email protected]> commit;
Commit complete.
3）OK，檢視dba_fga_audit_trail檢視得到了4條審計記錄
[email protected]> select count(*) from dba_fga_audit_trail;
  COUNT(*)
----------
         4
4）詳細檢視一下對應的SQL操作，FGA還是很強悍的
[email protected]> col DB_USER for a10
[email protected]> col SQL_TEXT for a50
[email protected]> select db_user,sql_text from dba_fga_audit_trail;
DB_USER    SQL_TEXT
---------- --------------------------------------------------
SEC        select * from t_audit
SEC        delete from t_audit where x=5
SEC        update t_audit set x=8 where x=7
SEC        insert into t_audit values (1)
5）最後再看一下這個dba_fga_audit_trail檢視的結構，可以看到這個檢視中記錄了非常詳盡的審計資訊列
[email protected]> desc dba_fga_audit_trail
 Name                Null?    Type
 ------------------- -------- ----------------------------
 SESSION_ID          NOT NULL NUMBER
 TIMESTAMP                    DATE
 DB_USER                      VARCHAR2(30)
 OS_USER                      VARCHAR2(255)
 USERHOST                     VARCHAR2(128)
 CLIENT_ID                    VARCHAR2(64)
 ECONTEXT_ID                  VARCHAR2(64)
 EXT_NAME                     VARCHAR2(4000)
 OBJECT_SCHEMA                VARCHAR2(30)
 OBJECT_NAME                  VARCHAR2(128)
 POLICY_NAME                  VARCHAR2(30)
 SCN                          NUMBER
 SQL_TEXT                     NVARCHAR2(2000)
 SQL_BIND                     NVARCHAR2(2000)
 COMMENT$TEXT                 VARCHAR2(4000)
 STATEMENT_TYPE               VARCHAR2(7)
 EXTENDED_TIMESTAMP           TIMESTAMP(6) WITH TIME ZONE
 PROXY_SESSIONID              NUMBER
 GLOBAL_UID                   VARCHAR2(32)
 INSTANCE_NUMBER              NUMBER
 OS_PROCESS                   VARCHAR2(16)
 TRANSACTIONID                RAW(8)
 STATEMENTID                  NUMBER
 ENTRYID                      NUMBER

6）針對上面新增的審計策略進行調整：disable_policy、enable_policy和drop_policy的方法
使策略失效的方法：
[email protected]> exec dbms_fga.disable_policy(object_schema=>'SEC', object_name=> 't_audit', policy_name=> 'check_t_audit');
使策略生效的方法：
[email protected]> exec dbms_fga.enable_policy(object_schema=>'SEC', object_name=> 't_audit', policy_name=> 'check_t_audit');
徹底刪除策略的方法：
[email protected]> exec dbms_fga.drop_policy(object_schema=>'SEC', object_name=> 't_audit', policy_name=> 'check_t_audit');
PL/SQL procedure successfully completed.
最後列一下dbms_fga提供給我們使用的方法都有哪些
[email protected]> desc dbms_fga
PROCEDURE ADD_POLICY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 OBJECT_SCHEMA                  VARCHAR2                IN     DEFAULT
 OBJECT_NAME                    VARCHAR2                IN
 POLICY_NAME                    VARCHAR2                IN
 AUDIT_CONDITION                VARCHAR2                IN     DEFAULT
 AUDIT_COLUMN                   VARCHAR2                IN     DEFAULT
 HANDLER_SCHEMA                 VARCHAR2                IN     DEFAULT
 HANDLER_MODULE                 VARCHAR2                IN     DEFAULT
 ENABLE                         BOOLEAN                 IN     DEFAULT
 STATEMENT_TYPES                VARCHAR2                IN     DEFAULT
 AUDIT_TRAIL                    BINARY_INTEGER          IN     DEFAULT
 AUDIT_COLUMN_OPTS              BINARY_INTEGER          IN     DEFAULT
PROCEDURE DISABLE_POLICY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 OBJECT_SCHEMA                  VARCHAR2                IN     DEFAULT
 OBJECT_NAME                    VARCHAR2                IN
 POLICY_NAME                    VARCHAR2                IN
PROCEDURE DROP_POLICY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 OBJECT_SCHEMA                  VARCHAR2                IN     DEFAULT
 OBJECT_NAME                    VARCHAR2                IN
 POLICY_NAME                    VARCHAR2                IN
PROCEDURE ENABLE_POLICY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 OBJECT_SCHEMA                  VARCHAR2                IN     DEFAULT
 OBJECT_NAME                    VARCHAR2                IN
 POLICY_NAME                    VARCHAR2                IN
 ENABLE                         BOOLEAN                 IN     DEFAULT
6.小結
以上的實驗展示了Oracle的審計功能，包括Oracle引以為傲的FGA細粒度審計。
警告：這種審計的方法是需要付出一定的代價的，如磁碟的開銷，效能的開銷，以及您的系統是否允許反覆的停啟資料庫例項等等。在生產環境中使用之前需要多方面評估。