12c新特性
12c开始oracle引入了统一审计(unified auditing)的概念,统一审计默认是关闭的。
- 如果保持默认(关闭统一审计),传统的审计方式生效,将audit_trail设为none\os\db\xml,与11g无异
- 如果开启统一审计,传统的审计方式设置的audit_trail无效,审计记录会自动存储在AUDSYS用户下(AUDSYS.AUD$UNIFIED表),SYSAUX表空间中。
参考:AUDIT (Traditional Auditing)
有一段描述如下:
AUDIT (Traditional Auditing)
This section describes the AUDIT statement for traditional auditing, which is the same auditing functionality used in releases earlier than Oracle Database 12c.
Beginning with Oracle Database 12c, Oracle introduces unified auditing, which provides a full set of enhanced auditing features. For backward compatibility, traditional auditing is still supported. However, Oracle recommends that you plan the migration of your existing audit settings to the new unified audit policy syntax. For new audit requirements, Oracle recommends that you use the new unified auditing. Traditional auditing may be desupported in a future major release.
传统审计(默认)
1、确认统一审计为false:
col parameter for a30
col value for a20
select PARAMETER,VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
Unified Auditing为false说明关闭统一审计,开启传统审计
2、检查audit_trail
(1)若为none,因为audit_sys_operations默认为true,只能记录sys登录数据库(默认在$ORACLE_BASE/admin/$ORACLE_SID/adump),其他审计规则无效;
sys登录的内容如下:
如果audit_syslog_level设为非空值,如LOCAL1.INFO,则oracle会将sys的审计日志写到/var/log/messages日志;
如果数据库是asm管理的(非rac),asm实例默认的audit_syslog_level为LOCAL0.INFO,则会将数据库和asm实例的sys登录记录写到/var/log/messages;此时因为数据库实例的audit_syslog_level为空,默认写道audit_file_dest下,asm实例的audit_syslog_level不为空,默认写道/var/log/message下,导致写了双份
(2)若为非none(os,db,xml,extended等),audit_sys_operations默认为true,会记录sys登录和执行的sql,此时若有需要审计,建议将audit_trail设为os,而不是db,os相对较为容易清理(设为db查询较容易)
I、audit_trail=os时审计的sys sql如下:
II、此时还可以进行审计其他对象和行为,如:
audit create table;
审计文件记录如下:
查询所有的权限审计:
select user_name,PRIVILEGE from dba_priv_audit_opts;
取消上述审计:
noaudit create table;
III、类似的,如果某些表安全级别较高,客户希望审计此表相关的所有操作,可以对开启表级审计:
audit all on cc.test2;
审计文件如下:
查看所有审计对象:
col owner for a30
col object_name for a40
col object_type for a40
set lines 400 pages 999 long 9999
select owner,OBJECT_NAME,OBJECT_TYPE from dba_obj_audit_opts order by owner ;
取消上述审计:
noaudit all on cc.test2;
统一审计
1、开启统一审计
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk uniaud_on ioracle
确认开启成功(true):
col parameter for a30
col value for a20
select PARAMETER,VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
关闭统一审计即开启传统审计(make -f ins_rdbms.mk **uniaud_off **ioracle )
2、检查默认enabled的统一审计策略
col policy_name format A18
col audit_option format A40
col ENTITY_NAME for a20
set lines 400 pages 9999 long 9999
select * from audit_unified_enabled_policies;
这两个统一审计策略(ORA_SECURECONFIG和ORA_LOGON_FAILURES)是12c之后默认创建的,分别包含的审计内容如下:
select AUDIT_OPTION from audit_unified_policies where POLICY_NAME='ORA_LOGON_FAILURES' order by AUDIT_OPTION;
AUDIT_OPTION
----------------------------------------
LOGON
select AUDIT_OPTION from audit_unified_policies where POLICY_NAME='ORA_SECURECONFIG' order by AUDIT_OPTION;
AUDIT_OPTION
----------------------------------------
ADMINISTER KEY MANAGEMENT
ALTER ANY PROCEDURE
ALTER ANY SQL TRANSLATION PROFILE
ALTER ANY TABLE
ALTER DATABASE
ALTER DATABASE DICTIONARY
ALTER DATABASE LINK
ALTER PLUGGABLE DATABASE
ALTER PROFILE
ALTER ROLE
ALTER SYSTEM
ALTER USER
AUDIT SYSTEM
BECOME USER
CREATE ANY JOB
CREATE ANY LIBRARY
CREATE ANY PROCEDURE
CREATE ANY SQL TRANSLATION PROFILE
CREATE ANY TABLE
CREATE DATABASE LINK
CREATE DIRECTORY
CREATE EXTERNAL JOB
CREATE PLUGGABLE DATABASE
CREATE PROFILE
CREATE PUBLIC SYNONYM
CREATE ROLE
CREATE SQL TRANSLATION PROFILE
CREATE USER
DROP ANY PROCEDURE
DROP ANY SQL TRANSLATION PROFILE
DROP ANY TABLE
DROP DATABASE LINK
DROP DIRECTORY
DROP PLUGGABLE DATABASE
DROP PROFILE
DROP PUBLIC SYNONYM
DROP ROLE
DROP USER
EXECUTE
EXECUTE
EXEMPT ACCESS POLICY
EXEMPT REDACTION POLICY
GRANT ANY OBJECT PRIVILEGE
GRANT ANY PRIVILEGE
GRANT ANY ROLE
LOGMINING
PURGE DBA_RECYCLEBIN
SET ROLE
TRANSLATE ANY SQL
3、查看统一审计的属性
set pages 9999
set lines 400
col PARAMETER_NAME for a30
col PARAMETER_VALUE for a40
select * from DBA_AUDIT_MGMT_CONFIG_PARAMS;
与统一审计相关的view:
View
Description
DBA_AUDIT_MGMT_CLEAN_EVENTS
Displays the cleanup event history
DBA_AUDIT_MGMT_CLEANUP_JOBS
Displays the currently configured audit trail purge jobs
DBA_AUDIT_MGMT_CONFIG_PARAMS
Displays the currently configured audit trail properties
DBA_AUDIT_MGMT_LAST_ARCH_TS
Displays the last archive timestamps set for the audit trails
4、创建其他的统一审计策略
(1)查看可以统计的标准系统行为:
set pages 9999 lines 400
col name for a60
SELECT name FROM **auditable_system_actions **WHERE component = 'Standard' ORDER BY name;
(2)手动关闭某些审计策略:noaudit policy ORA_SECURECONFIG;
关闭审计策略只会在新连接中关闭生效,已有的连接依旧会审计响应的策略
(3)开启审计策略:audit policy ORA_SECURECONFIG;
同理,开启审计策略只有新连接才能生效,已有的连接仍旧不会审计
注:从上图中可以看出,dml时即使不提交也会有相应的审计记录
(4)创建统计策略:
审计所有标准系统行为:CREATE AUDIT POLICY all_actions_pol ACTIONS ALL;
需要手动显式的将策略开启:audit POLICY all_actions_pol;
并查看是否在audit_unified_enabled_policies中:
col policy_name format A18
col audit_option format A40
col ENTITY_NAME for a20
set lines 400 pages 9999 long 9999
select * from audit_unified_enabled_policies;
(5)查看对应审计策略的审计行为:
select AUDIT_OPTION from audit_unified_policies where POLICY_NAME='ALL_ACTIONS_POL';
(6)审计操作权限例子:
CREATE AUDIT POLICY dml_pol ACTIONS DELETE on cc.test2,INSERT on cc.test2, UPDATE on cc.test2;
AUDIT POLICY dml_pol;
col policy_name format A18
col audit_option format A40
col ENTITY_NAME for a20
set lines 400 pages 9999 long 9999
select * from audit_unified_enabled_policies;
col OBJECT_SCHEMA for a30
col OBJECT_NAME for a30
select AUDIT_OPTION ,OBJECT_SCHEMA,OBJECT_NAME from audit_unified_policies where POLICY_NAME='DML_POL';
5、查看统一审计的记录 -- UNIFIED_AUDIT_TRAIL
select AUDIT_TYPE ,count(*) from UNIFIED_AUDIT_TRAIL group by AUDIT_TYPE order by AUDIT_TYPE;
col UNIFIED_AUDIT_POLICIES for a40
select UNIFIED_AUDIT_POLICIES ,count(*) from UNIFIED_AUDIT_TRAIL group by UNIFIED_AUDIT_POLICIES order by UNIFIED_AUDIT_POLICIES;
UNIFIED_AUDIT_TRAIL视图的基表是AUDSYS.AUD$UNIFIED,此表不允许ddl或dml,所以清理统一审计记录中能通过DBMS_AUDIT_MGMT
select max(EVENT_TIMESTAMP),min(EVENT_TIMESTAMP) from UNIFIED_AUDIT_TRAIL;
查询某个审计策略的审计记录:
select UNIFIED_AUDIT_POLICIES,OBJECT_SCHEMA,object_name,USERHOST,action_name,sql_text from UNIFIED_AUDIT_TRAIL where object_name='TEST2';
6、手动清理统一审计记录
exec DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, LAST_ARCHIVE_TIME => '10-DEC-21 08.35.33.819144 AM');
exec DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL( AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED);
7、设置清理统一审计记录自动任务
(1)创建每天1点刷新LAST_ARCHIVE_TIME的job(保留审计天数:7天)
exec DBMS_SCHEDULER.create_job(job_name =>'audit_last_archive_time',job_type=>'PLSQL_BLOCK',job_action=>'BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,TRUNC(SYSTIMESTAMP)-7);END;',start_date=>SYSTIMESTAMP,repeat_interval => 'freq=daily; byhour=1; byminute=0; bysecond=0;',enabled => TRUE);
查看当前LAST_ARCHIVE_TIME:
select AUDIT_TRAIL,LAST_ARCHIVE_TS from DBA_AUDIT_MGMT_LAST_ARCH_TS;
(2)创建每隔24小时purge审计job:
exec dbms_audit_mgmt.create_purge_job(audit_trail_type=> DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,audit_trail_purge_interval=>24,audit_trail_purge_name=>'audit_trail_pj',use_last_arch_timestamp=>TRUE);
查看创建的清理job的属性(默认创建后是enable)
col job_name for a30
col JOB_FREQUENCY for a40
select JOB_NAME,JOB_STATUS,AUDIT_TRAIL,JOB_FREQUENCY from DBA_AUDIT_MGMT_CLEANUP_JOBS;
8、统一审计记录的落盘策略
(1) immediate-write mode 立即写
立即写是将产生的审计数据马上写入硬盘,这样可以保证不丢失审计数据,但是对系统系统会有些许影响。
(2) queued-write mode 队列写(默认)
队列写是先将审计数据写入 SGA ,而不是直接写入数据文件,根据一定的策略再将审计数据写入数据文件。此种策略提高了审计的性能,一般有两种策略:
- 时间策略:每隔三秒钟,视系统繁忙程度,也可能三秒钟了也没有写入。由隐含参数 _unified_audit_flush_interval 控制。
- 空间策略:存放在 SGA 中的审计数据容量达到 85% 。该区域默认是 1M ,由参数 unified_audit_sga_queue_size 控制,85%的比例由隐含参数 _unified_audit_flush_threshold 控制
细粒度审计
细粒度的审计使用DBMS_FGA包完成配置和管理工作,只有开启传统审计或者统一审计,才能使用细粒度审计。12c以上的细粒度审计记录在unified_audit_trail中而非之前的 fga$。只有在传统审计或者统一审计开启时才能使用细粒度审计。
exec dbms_fga.ADD_POLICY('CRM','ORDER_ITEM','TEST_FGA','PART_ID=10','ORDER_ITEM_ID,ACCT_ID',STATEMENT_TYPES=>'SELECT',AUDIT_COLUMN_OPTS=>DBMS_FGA.ANY_COLUMNS);
COL POLICY_NAME FOR A30
SELECT ENABLED,POLICY_NAME FROM ALL_AUDIT_POLICIES;
测试审计策略是否生效:
SELECT ORDER_ITEM_ID from CRM.order_item where PART_ID=10;
select sql_text from UNIFIED_AUDIT_TRAIL where FGA_POLICY_NAME='TEST_FGA';
总结:
通常,如果客户有审计要求,我们只建议开启os级别的sys审计(传统审计),如客户有特殊要求,需要性能测试评估影响;统一审计影响较大,不建议开启,除非性能测试结果在预期内。
审计规则
建议
若客户要求开启,推荐参数设置
传统审计
关闭
audit_trail=os(只记录sys操作)
统一审计
关闭
不建议开启,如果客户强制要求,可以将自带的**ORA_SECURECONFIG **关闭,audit_trail=none,按照客户要求在性能测试达标的情况下新建审计策略
细粒度审计
关闭
不建议开启
版权归原作者 Joyce.Du 所有, 如有侵权,请联系我们删除。