(1) Turn on audit logging of key database operations
Alter system set audit_sys_operations=true;
The audit logs are written to the $ORACLE_HOME/rdbms/audit directory. Because they take up a lot of space they are retained only for a short time, for example one week.
Sample file:
Audit file /oracle/app/oracle/product/9.2.0.6/rdbms/audit/ora_10010.aud
Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production
With the Partitioning and Real Application Clusters options
JServer Release 9.2.0.6.0 - Production
ORACLE_HOME = /oracle/app/oracle/product/9.2.0.6
System name: HP-UX
Node name: order_ht1
Release: B.11.23
Version: U
Machine: 9000/800
Instance name: order1
Redo thread mounted by this instance: 1
Oracle process number: 1250
Unix process pid: 10010, image: oracle@order_ht1 (TNS V1-V3)
Mon Feb 13 15:20:21 2006
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/ta
STATUS: 0
Mon Feb 13 15:23:23 2006
ACTION : 'alter system set log_archive_dest_state_2=DEFER scope=spfile'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/ta
STATUS: 0
(2) Log review
Because the log records every operation of the sys user, it may contain a large number of select queries and becomes large; reviewing it purely by hand is slow and laborious, so the review can be done with a script.
Here audconf.txt can be tailored as needed; it lists the actions to be audited, for example the more important operations:
startup
shutdown
alter tablespace
alter database
alter system
drop
truncate
delete
create user
alter user
grant
revoke
The system runs /oracle/audit.sh automatically at 01:00 every day:
0 1 * * * /oracle/audit.sh
The /oracle/audit.sh script is as follows:
#!/bin/sh
# Daily review of the audit_sys_operations trace files for key operations.
. /oracle/.profile
cd $ORACLE_HOME/rdbms/audit || exit 1
# Monthly summary file and monthly directory for the matching detail files.
filename=aud`date +%y%m`.log
filedir=aud`date +%y%m`_detail
if [ ! -f "$filename" ]
then
  >"$filename"
fi
if [ ! -d "$filedir" ]
then
  mkdir "$filedir"
fi
# Collect ACTION lines matching a pattern in audconf.txt (case-insensitive),
# drop the routine 'alter system archive log current', and append the rest to
# the summary. egrep -v exits 1 when it selected nothing: then there is
# nothing to archive and the script ends.
egrep 'ACTION :' *.aud|egrep -if audconf.txt|egrep -v 'alter system archive log current'>>"$filename"
if [ $? -eq 1 ]
then
  exit
fi
# Run the same filter again to obtain the names of the trace files that
# contain key operations (the file name precedes the first ':' of each grep
# hit; grep -l lists each file once) and move them into the detail directory.
egrep 'ACTION :' *.aud|egrep -if audconf.txt|egrep -v 'alter system archive log current'|cut -d : -f 1|xargs grep -l 'ACTION :'|while read file
do
  mv "$file" ./"$filedir"/"$file".sys
done
The script does the following:
A monthly audit summary file $ORACLE_HOME/rdbms/audit/audyymm.log is generated automatically; this summary file can be retained for a longer period, for example one year.
Sample summary file aud0602.log:
ACTION : 'alter system set log_archive_dest_state_2=DEFER scope=spfile'
Every day it automatically searches the log files for key operations; if any are found they are appended to the summary file $ORACLE_HOME/rdbms/audit/audyymm.log, and the detailed log file is backed up (by moving it) into the $ORACLE_HOME/rdbms/audit/audyymm_detail directory.
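As an added example (not part of the original article), the following Python script does what the audit.sh pipeline does, but on parsed records instead of raw grep lines: it reads the record layout shown in the sample above (a timestamp line followed by ACTION, DATABASE USER, PRIVILEGE, CLIENT USER, CLIENT TERMINAL and STATUS), applies the same case-insensitive action list as audconf.txt and the same exclusion of 'alter system archive log current', and keeps the client user, terminal and STATUS beside each flagged action so that a non-zero STATUS (a privileged command that failed) is visible in the summary. The sample .aud content, including the DROP USER record and its status value, is constructed for the example.

```python
"""Added example: parse Oracle audit_sys_operations trace files and flag key
operations. Not from the original article; the sample data is constructed."""
import re

# Constructed sample in the layout of the ora_<pid>.aud file shown above:
# a header block, then records made of a timestamp line followed by
# "FIELD : value" lines. The DROP USER record and its STATUS are invented.
SAMPLE_AUD = """\
Audit file /oracle/app/oracle/product/9.2.0.6/rdbms/audit/ora_10010.aud
Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production
Instance name: order1
Unix process pid: 10010, image: oracle@order_ht1 (TNS V1-V3)
Mon Feb 13 15:20:21 2006
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/ta
STATUS: 0
Mon Feb 13 15:21:02 2006
ACTION : 'alter system archive log current'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/ta
STATUS: 0
Mon Feb 13 15:23:23 2006
ACTION : 'alter system set log_archive_dest_state_2=DEFER scope=spfile'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/ta
STATUS: 0
Mon Feb 13 15:25:40 2006
ACTION : 'DROP USER appuser CASCADE'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/tb
STATUS: 1031
"""

# Same patterns as the article's audconf.txt, matched case-insensitively as
# substrings, exactly like `egrep -if audconf.txt`.
KEY_ACTIONS = ["startup", "shutdown", "alter tablespace", "alter database",
               "alter system", "drop", "truncate", "delete", "create user",
               "alter user", "grant", "revoke"]
# Routine action the article's script filters out as noise.
NOISE = ["alter system archive log current"]

TS_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}$")
# Record fields are upper-case names ("ACTION", "CLIENT USER") followed by ':'.
FIELD_RE = re.compile(r"^([A-Z][A-Z ]*?)\s*:\s*(.*)$")


def parse_records(text):
    """Return one dict per ACTION record. Header lines such as
    'Instance name: order1' are skipped because their names are not upper-case."""
    records, cur, ts = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if TS_RE.match(line):
            ts = line          # a timestamp applies to the records that follow it
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip().strip("'")
        if key == "ACTION":
            cur = {"time": ts, "action": val}
            records.append(cur)
        elif cur is not None:
            cur[key.lower().replace(" ", "_")] = val
    return records


def is_key_operation(action, patterns=KEY_ACTIONS, noise=NOISE):
    """Mirror `egrep -if audconf.txt | egrep -v '<noise>'` on one ACTION value."""
    a = action.lower()
    if any(n in a for n in noise):
        return False
    return any(p in a for p in patterns)


def key_operations(text):
    return [r for r in parse_records(text) if is_key_operation(r["action"])]


def summary_lines(text):
    """One line per flagged record: the ACTION as in the article's aud<yymm>.log,
    plus who ran it, from which terminal, and whether it succeeded (STATUS 0)."""
    return [
        "%s ACTION : '%s' CLIENT USER: %s TERMINAL: %s STATUS: %s"
        % (r["time"], r["action"], r.get("client_user", "?"),
           r.get("client_terminal", "?"), r.get("status", "?"))
        for r in key_operations(text)
    ]


if __name__ == "__main__":
    for line in summary_lines(SAMPLE_AUD):
        print(line)
```

Like the shell pipeline, the match is a plain substring test, so a pattern such as "drop" also fires on any statement that merely contains that word; that is the same trade-off the article's audconf.txt makes, and the STATUS column is what lets a reviewer separate an attempt that was refused from one that succeeded.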