oracle默认策略,Oracle 11g Database和ASM默认的审计策略和相关操作

2.对SYSDBA和SYSOPER进行审计。

对SYSDBA和SYSOPER的审计具有如下的特点：

1).审计线索必须存储在数据库外部。

2).始终会对以SYSDBA或SYSOPER身份执行的连接进行审计。

3).可使用AUDIT_SYS_OPERATIONS启用对SYSDBA或SYSOPER操作的附加审计。

4).可使用AUDIT_FILE_DEST控制审计线索。

无论是远程或本地SYSDBA、SYSOPER权限用户登录都会在audit_file_dest指定的目的地生成相应审计文件，记录登录信息。Windows平台SYSDBA权限用户的审计记录会被写到事件查看器中。

下面讨论一下AUDIT_SYS_OPERATIONS和AUDIT_TRIAL两个初始化参数的含义：

AUDIT_SYS_OPERATIONS

Property

Description

Parameter type

Boolean

Default value

false

Modifiable

No

Range of values

true | false

Basic

No

AUDIT_SYS_OPERATIONS enables or disables the auditing of top-level operations, which are SQL statements directly issued by users when connecting with SYSDBAor SYSOPER privileges. (SQL statements run from within PL/SQL procedures or functions are not considered top-level.) The audit records are written to the operating system's audit trail. The audit records will be written in XML format if the AUDIT_TRAIL initialization parameter is set to xml or xml, extended.

On UNIX platforms, if the AUDIT_SYSLOG_LEVEL parameter has also been set, then it overrides the AUDIT_TRAIL parameter and SYS audit records are written to the system audit log using the SYSLOG utility.

audit_sys_operations参数为false时，系统只以os文件记录sysdba身份的登录、开关数据库的操作。

audit_sys_operations参数为true时，系统以os文件记录sysdba身份的登录、开关数据库的操作，以及其它辅助的操作。

下面是该参数的例子：

a).audit_sys_operations=false生成的审计记录：Audit file /u01/app/oracle/admin/ractest/adump/ractest2_ora_21523_1.aud

Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production

With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,

Data Mining and Real Application Testing options

ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1

System name:    Linux

Node name:      rhel2.localdomain

Release:        2.6.18-164.el5xen

Version:        #1 SMP Tue Aug 18 15:59:52 EDT 2009

Machine:        x86_64

VM name:        Xen Version: 3.1 (PVM)

Instance name: ractest2

Redo thread mounted by this instance: 2

Oracle process number: 69

Unix process pid: 21523, image: oracle@rhel2.localdomain (TNS V1-V3)

Tue May 21 12:44:08 2013 +08:00

LENGTH : '160'

ACTION :[7] 'CONNECT'

DATABASE USER:[1] '/'

PRIVILEGE :[6] 'SYSDBA'

CLIENT USER:[6] 'oracle'

CLIENT TERMINAL:[5] 'pts/0'

STATUS:[1] '0'

DBID:[10] '3282490722'

Tue May 21 12:44:44 2013 +08:00

LENGTH : '150'

ACTION :[8] 'SHUTDOWN'

DATABASE USER:[1] '/'

PRIVILEGE :[6] 'SYSDBA'

CLIENT USER:[6] 'oracle'

CLIENT TERMINAL:[5] 'pts/0'

STATUS:[1] '0'

DBID:[0] ''

只对SHUTDOWN和STARTUP进行记录。

b).audit_sys_operations=true生成的审计记录：

Audit file /u01/app/oracle/admin/ractest/adump/ractest2_ora_23473_1.aud

Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production

With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,

Data Mining and Real Application Testing options

ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1

System name:    Linux

Node name:      rhel2.localdomain

Release:        2.6.18-164.el5xen

Version:        #1 SMP Tue Aug 18 15:59:52 EDT 2009

Machine:        x86_64

VM name:        Xen Version: 3.1 (PVM)

Instance name: ractest2

Redo thread mounted by this instance: 2

Oracle process number: 86

Unix process pid: 23473, image: oracle@rhel2.localdomain (TNS V1-V3)

Tue May 21 12:58:55 2013 +08:00

LENGTH : '160'

ACTION :[7] 'CONNECT'

DATABASE USER:[1] '/'

PRIVILEGE :[6] 'SYSDBA'

CLIENT USER:[6] 'oracle'

CLIENT TERMINAL:[5] 'pts/1'

STATUS:[1] '0'

DBID:[10] '3282490722'

Tue May 21 12:58:55 2013 +08:00

LENGTH : '159'

ACTION :[6] 'COMMIT'

DATABASE USER:[1] '/'

PRIVILEGE :[6] 'SYSDBA'

CLIENT USER:[6] 'oracle'

CLIENT TERMINAL:[5] 'pts/1'

STATUS:[1] '0'

DBID:[10] '3282490722'

Tue May 21 12:58:55 2013 +08:00

LENGTH : '159'

ACTION :[6] 'COMMIT'

DATABASE USER:[1] '/'

PRIVILEGE :[6] 'SYSDBA'

CLIENT USER:[6] 'oracle'

CLIENT TERMINAL:[5] 'pts/1'

STATUS:[1] '0'

DBID:[10] '3282490722'

Tue May 21 12:59:11 2013 +08:00

LENGTH : '184'

ACTION :[30] 'select count(1) from v$process'

DATABASE USER:[1] '/'

PRIVILEGE :[6] 'SYSDBA'

CLIENT USER:[6] 'oracle'

CLIENT TERMINAL:[5] 'pts/1'

STATUS:[1] '0'

DBID:[10] '3282490722'

对简单的SELECT操作也会记录。

注意：

1).数据库实例的启动过程会产生多个审计文件，频繁的启停会产生大量的审计文件。

2).以上对SYS用户的审计特性在10g的数据库就已经存在。

AUDIT_TRAIL

Property

Description

Parameter type

String

Syntax

AUDIT_TRAIL = { none | os | db [, extended] | xml [, extended] }

Default value

none

Modifiable

No

Basic

No

AUDIT_TRAIL enables or disables database auditing.

Values:

none

Disables standard auditing. This value is the default if the AUDIT_TRAIL parameter was not set in the initialization parameter file or if you created the database using a method other than Database Configuration Assistant. If you created the database using Database Configuration Assistant, then the default is db.

os

Directs all audit records to an operating system file. Oracle recommends that you use the os setting, particularly if you are using an ultra-secure database configuration.

db

Directs audit records to the database audit trail (the SYS.AUD$ table), except for records that are always written to the operating system audit trail. Use this setting for a general database for manageability.

If the database was started in read-only mode with AUDIT_TRAIL set to db, then Oracle Database internally sets AUDIT_TRAIL to os. Check the alert log for details.

db, extended

Performs all actions of AUDIT_TRAIL=db, and also populates the SQL bind and SQL text CLOB-type columns of the SYS.AUD$ table, when available. These two columns are populated only when this parameter is specified.

If the database was started in read-only mode with AUDIT_TRAIL set to db, extended, then Oracle Database internally sets AUDIT_TRAIL to os. Check the alert log for details.

xml

Writes to the operating system audit record file in XML format. Records all elements of the AuditRecord node except Sql_Text and Sql_Bind to the operating system XML audit file.

xml, extended

Performs all actions of AUDIT_TRAIL=xml, and populates the SQL bind and SQL text CLOB-type columns of the SYS.AUD$ table, wherever possible. These columns are populated only when this parameter is specified.

You can use the SQL AUDIT statement to set auditing options regardless of the setting of this parameter.

注意：audit_syslog_level参数只在unix和Linux平台存在。

3.ASM默认的审计策略。

下面是在ASM实例下的操作：

SQL> show parameter audit

NAME                                 TYPE

------------------------------------ ----------------------

VALUE

------------------------------

audit_file_dest                      string

/u01/app/11.2.0/grid/rdbms/aud

it

audit_sys_operations                 boolean

FALSE

audit_syslog_level                   string

可以注意到ASM实例参数中没有包含audit_trail参数，ASM实例的所有审计记录只能被写到audit_file_dest参数指定的目的地。

与Oracle数据库实例相同，以sysasm、sysdba登录到ASM实例都会在audit_file_dest目录下生成相应的审计文件，过于频繁的登录ASM实例将产生大量的审计文件。

4.默认审计功能的管理。

1).关闭Database审计功能。

将数据库实例的audit_trail设置为none，重启数据库实例即可关闭数据库实例对非SYSDBA、SYSOPER权限用户的审计功能；该设置并不能关闭对SYSDBA权限用户的审计，SYSDBA权限用户登录依然会在audit_file_dest指定目录下生成相应的审计文件。

2).关闭ASM审计功能。

同样没法关闭对以SYSASM和SYSDBA、SYSOPER登录用户的审计。

3).迁移AUD$表。

AUD$表默认被存放到SYSTEM表空间下，频繁的登录会导致SYSTEM表空间较快扩大，最终可能影响数据库系统的正常运行。参考如下文章：http://yangtingkun.itpub.net/post/468/496990可完成对AUD$表的迁移。

4).AUD$表记录的清除操作。

AUD$表可以被直接TRUNCATE，也可以参考如下文章：http://yangtingkun.itpub.net/post/468/498990清除部分AUD$表数据。可以创建并调度JOB对AUD$表进行自动化的清理。