Implementing Oracle Database Auditing 实现Oracle数据库审计
Objectives
After completing this lesson, you should be able to:
• Describe DBA responsibilities for security and auditing
• Enable unified auditing
• Create unified audit policies
• Maintain the audit trail
目标
完成本课程后,您应该能够:
•描述DBA对安全和审计的责任
•启用统一审核
•创建统一的审核策略
•保持审计跟踪
Database Security
A secure system ensures the confidentiality of the data that it contains. There are several aspects of security:
• Restricting access to data and services
• Authenticating users
• Monitoring for suspicious activity
数据库安全
一个安全的系统确保它所包含的数据的机密性。安全有几个方面:
•限制访问数据和服务
•认证用户
•监测可疑活动
Monitoring for Compliance
• Monitoring or auditing must be an integral part of your security procedures.
• Review the following:
– Mandatory auditing
– Standard database auditing
– Value-based auditing
– Fine-grained auditing (FGA)
合规性监测
•监控或审计必须是您安全程序的组成部分。
•审查以下内容:
–强制性审计
–标准数据库审计
–基于价值的审计
–细粒度审计(FGA)
Types of Activities to be Audited
You can audit the following types of activities:
• User accounts, roles, and privileges
• Object actions
• Application context values
• Oracle Data Pump
• Oracle Database Real Application Security
• Oracle Database Vault
• Oracle Label Security
• Oracle Recovery Manager
• Oracle SQL*Loader direct path events
待审计活动的类型
您可以审核以下类型的活动:
•用户帐户、角色和权限
•目标动作
•应用程序上下文值
•Oracle数据泵
•Oracle数据库真实应用程序安全
•Oracle数据库保险库
•Oracle标签安全
•Oracle恢复管理器
•Oracle SQL*加载程序直接路径事件
Mandatorily Audited Activities
The following activities are audited:
• CREATE/ALTER/DROP AUDIT POLICY
• AUDIT/NOAUDIT
• EXECUTE of:
– DBMS_FGA
– DBMS_AUDIT_MGMT
• ALTER TABLE against AUDSYS audit trail table
• Top-level statements by administrative users (SYS,
SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSDG, and SYSKM) until the database opens
强制性审计活动
审计下列活动:
•创建/更改/删除审核策略
•审计/无审计
•执行:
–数据库管理系统
–数据库管理系统审计管理
•根据AUDSYS审计跟踪表修改表
•管理用户的顶级声明(SYS,
SYSDBA、SYSOPER、SYSASM、SYSBACKUP、SYSDG和SYSKM),直到数据库打开
Understanding Auditing Implementation
• Mixed mode auditing is the default when a new Oracle
Database 12c database is created.
• Mixed mode auditing enables the use of:
– Pre–Oracle Database 12c auditing features
– Unified auditing features of Oracle Database 12c
• The recommendation from Oracle is to migrate to unified auditing.
• Query V$OPTION to determine if the database has been migrated to unified auditing:
SELECT value FROM v$option WHERE parameter = 'Unified Auditing' 打开统一审计
了解审计实施
•当新的Oracle
数据库12c数据库已创建。
•混合模式审计允许使用:
–预Oracle数据库12c审计功能
–Oracle数据库12c的统一审计功能
•Oracle的建议是迁移到统一审计。
•查询V$选项以确定数据库是否已迁移到统一审核:
SELECT value FROM v$option
WHERE parameter = 'Unified Auditing'
Administering the Roles Required for Auditing
A user must be granted one of the following roles to perform auditing:
• AUDIT_ADMIN enables the user to:
– Create unified and fine-grained audit policies
– Execute the AUDIT and NOAUDIT SQL statements
– View audit data
– Manage the audit trail (table in the AUDSYS schema)
• AUDIT_VIEWER enables the user to:
– View and analyze audit data
管理审核所需的角色
必须授予用户以下角色之一才能执行审核:
•AUDIT_ADMIN允许用户:
–创建统一的细粒度审计策略
–执行AUDIT和NOAUDIT SQL语句
–查看审核数据
–管理审计跟踪(AUDSYS模式中的表)
•AUDIT_查看器允许用户:
–查看和分析审计数据
Database Auditing: Overview 数据库审核:概述
Understanding the Audit Architecture 了解审计架构
Enabling Unified Auditing
1. In SQL*Plus, shut down the database instance:
SQL> SHUTDOWN IMMEDIATE
2. Shut down the listener:
$ lsnrctl stop
3. At the operating system prompt, enable the unified auditing
executable:
$ cd $ORACLE_HOME/rdbms/lib
$ make –f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME
4. Restart the listener:
$ lsnrctl start
5. In SQL*Plus, restart the database instance:
SQL> STARTUP
启用统一审核
1、在SQL*Plus中,关闭数据库实例:
SQL>立即关闭
2、关闭侦听器:
$lsnrctl停止
3、在操作系统提示下,启用统一审核
可执行文件:
$cd$ORACLE_主页/rdbms/lib
$make-f英寸_关系数据库管理系统.mkuniaud_on ioracle ORACLE_HOME=$ORACLE_HOME
4、重新启动侦听器:
$lsnrctl开始
5个。在SQL*Plus中,重新启动数据库实例:
SQL>启动
Configuring Auditing
Method Description
Unified audit policies Group audit settings into a policy
Default unified audit policies Three default policies:
ORA_SECURECONFIG
ORA_DATABASE_PARAMETER_AUDIT
ORA_ACCOUNT_MGMT_AUDIT
Fine-grained audit policies Define specific conditions that must be met for auditing to take place
配置审核
方法描述
统一审核策略将审核设置分组到策略中
默认统一审核策略三个默认策略:
安全配置
数据库参数审计
账户管理审计
细粒度的审计策略定义了进行审计必须满足的特定条件
Creating a Unified Audit Policy 创建统一的审核策略
• Use the CREATE AUDIT POLICY statement:
CREATE AUDIT POLICY select_emp_pol
ACTIONS select on hr.employees
• Use Enterprise Manager Cloud Control:
•使用创建审核策略声明:
•使用Enterprise Manager云控制:
Creating an Audit Policy:
System-Wide Audit Options
• System privileges:
CREATE AUDIT POLICY audit_syspriv_pol1
PRIVILEGES SELECT ANY TABLE, CREATE LIBRARY
• Actions:
CREATE AUDIT POLICY audit_actions_pol2
ACTIONS AUDIT, ALTER TRIGGER
• Roles:
CREATE AUDIT POLICY audit_role_pol3
ROLES mgr_role
• System privileges, actions, and roles:
CREATE AUDIT POLICY audit_mixed_pol4
PRIVILEGES DROP ANY TABLE
ACTIONS CREATE TABLE, DROP TABLE, TRUNCATE TABLE
ROLES emp_role
创建审核策略:
全系统审计选项
•系统权限:
•行动:
•角色:
•系统特权、操作和角色:
Creating an Audit Policy:
Object-Specific Actions
Create audit policies based on object-specific options.
CREATE AUDIT POLICY audit_objpriv_pol5 ACTIONS SELECT, UPDATE, LOCK ON hr.employees
CREATE AUDIT POLICY audit_objpriv_pol6 ACTIONS ALL 不建议打开所有表的审计功能
CREATE AUDIT POLICY audit_objpriv_pol7 ACTIONS EXECUTE, GRANT ON hr.raise_salary_proc
创建审核策略:
特定于对象的操作
基于特定于对象的选项创建审核策略。
Creating an Audit Policy: Specifying Conditions
• Condition and evaluation PER SESSION
• Condition and evaluation PER STATEMENT
• Condition and evaluation PER INSTANCE
创建审核策略:指定条件
•每节课的条件和评估
•每个报表的条件和评估
•每个实例的条件和评估
CREATE AUDIT POLICY audit_mixed_pol5
ACTIONS RENAME ON hr.employees,ALTER ON hr.jobs,
WHEN 'SYS_CONTEXT (''USERENV'', ''SESSION_USER'')=''JIM'''
EVALUATE PER SESSION
CREATE AUDIT POLICY audit_objpriv_pol6
ACTIONS ALTER ON OE.ORDERS
WHEN 'SYS_CONTEXT(''USERENV'',''CLIENT_IDENTIFIER'')=''OE'''
EVALUATE PER STATEMENT
CREATE AUDIT POLICY audit_objpriv_pol7
ROLES dba
WHEN SYS_CONTEXT(''USERENV'',''INSTANCE_NAME'')=''sales'''
EVALUATE PER INSTANCE
Enabling and Disabling Audit Policies
Enable audit policies:
• Apply to all users.
SQL> AUDIT POLICY audit_syspriv_pol1;
• Apply only to some users.
SQL> AUDIT POLICY audit_pol2 BY scott, oe;
SQL> AUDIT POLICY audit_pol3 BY sys;
• Exclude some users.
SQL> AUDIT POLICY audit_pol4 EXCEPT jim, george;
• Audit the recording based on failed or succeeded actions.
SQL> AUDIT POLICY audit_syspriv_pol1 WHENEVER SUCCESSFUL ;
SQL> AUDIT POLICY audit_objpriv_pol2 WHENEVER NOT SUCCESSFUL ;
SQL> AUDIT POLICY auditpol5 BY joe WHENEVER SUCCESSFUL ;
Disable audit policies by using the NOAUDIT command.
启用和禁用审核策略
启用审核策略:
•适用于所有用户。
•仅适用于部分用户。
•排除一些用户。
•根据失败或成功的操作审核记录。
使用NOAUDIT命令禁用审核策略。
SQL>审计策略审计;
SQL>审计政策审计2,由scott,oe编写;
系统审计策略审计;
除jim,george外的审计政策审计;
SQL>AUDIT POLICY AUDIT_syspriv_pol1只要成功;
SQL>AUDIT POLICY AUDIT_objpriv_pol2,如果不成功;
成功时由joe审核策略auditpol5;
Altering a Unified Audit Policy
• Use the ALTER AUDIT POLICY statement:
ALTER AUDIT POLICY select_emp_pol
ADD ACTIONS select on hr.job_history
• Use Enterprise Manager Cloud Control:
更改统一审核策略
•使用ALTER AUDIT POLICY语句:
更改审核策略选择
添加操作选择打开人力资源工作历史
•使用Enterprise Manager云控制:
Viewing Audit Policy Information
SQL> SELECT policy_name, audit_option, condition_eval_opt
2 FROM audit_unified_policies;
POLICY_NAME AUDIT_OPTION CONDITION_EVAL_OPT
-------------------- ---------------- ----------------
POL1 DELETE INSTANCE
POL2 TRUNCATE TABLE NONE
POL3 RENAME SESSION
POL4 ALL ACTIONS STATEMENT
SQL> SELECT policy_name, enabled_opt, user_name, success, failure
2 FROM audit_unified_enabled_policies;
POLICY_NAME ENABLED_ USER_NAME SUC FAI
-------------------- -------- ---------- --- ---
POL3 BY PM NO YES
POL2 EXCEPT SYSTEM NO YES
POL4 BY SYS YES YES
POL6 BY ALL USERS YES NO
查看审核策略信息
SQL>选择策略名称、审核选项、条件评估选项
2来自审计统一政策;
策略名称审核选项条件评估选项
-------------------- ---------------- ----------------
POL1删除实例
POL2截断表无
POL3重命名会话
POL4所有行动声明
SQL>选择策略名称,启用选项,用户名,成功,失败
(二)来自统一的审计政策;
策略名称已启用用户名称SUC FAI
-------------------- -------- ---------- --- ---
下午POL3否是
POL2系统除外否是
POL4 BY SYS是的
所有用户提供POL6是否
Setting the Write Mode for Audit Trail Records
Actions audited
• select * from hr.employees
• create Database Vault realm
• expdp, impdp, backup, recover
Audit records generated
Read-Only AUDSYS Table
2
4
Audit records in
SGA in-memory queues
Instance
Crash
1
Audit records lost
3
Audit records
immediately
written to disk
No audit records
lost
2
3
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY
设置审核跟踪记录的写入模式
审计的行动
•从*中选择人力资源员工
•创建数据库保险库领域
•expdp、impdp、备份、恢复
生成的审核记录
只读AUDSYS表
2个
4个
审计记录
SGA内存队列
实例
撞车
1个
审计记录丢失
三
审计记录
立即
写入磁盘
无审计记录
迷路的
2个
三
数据库管理系统审计_管理集审计跟踪属性
Value-Based Auditing 价值导向审计
The trigger fires.触发器
Fine-Grained Auditing
• Monitors data access on the basis of content
• Audits SELECT, INSERT, UPDATE, DELETE, and MERGE
• Can be linked to one or more columns in a table or view
• May execute a procedure
• Is administered with the DBMS_FGA package
employees
Policy: AUDIT_EMPS_SALARY
SELECT name, salary
FROM employees
WHERE
department_id = 10;
细粒度审计
•根据内容监控数据访问
•审核选择、插入、更新、删除和合并
•可以链接到表或视图中的一个或多个列
•可以执行程序
•与DBMS_FGA包一起管理
员工
政策:审计薪酬
选择姓名、薪资
来自员工
哪里
部门id=10;
FGA Policy
• Defines:
– Audit criteria
– Audit action
• Is created with
DBMS_FGA
.ADD_POLICY
FGA政策
•定义:
–审计标准
–审计行动
•是用
数据库管理系统
.添加策略
将下图红框中的department_id=10限定命令改成department_id=null 即可对所有部门进行审计
handler_module 可对满足事件的条目进行处理,不如发送邮件等
Audited DML Statement: Considerations
• Records are audited if the FGA predicate is satisfied and
the relevant columns are referenced.
• DELETE statements are audited regardless of columns
specified.
• MERGE statements are audited with the underlying INSERT,
UPDATE, and DELETE generated statements.
UPDATE hr.employees
SET salary = 1000
WHERE commission_pct = .2;
UPDATE hr.employees
SET salary = 1000
WHERE employee_id = 200;
Not audited because none
of the employees are in
department 10
Audited because the
employee is in department
经审计的DML报表:注意事项
•如果满足FGA谓词并
相关列被引用。
•不管列是什么,删除语句都会被审计
明确规定。
•合并报表通过底层插入进行审核,
更新和删除生成的语句。
更新人力资源员工
设定薪资=1000
其中佣金=0.2;
更新人力资源员工
设定薪资=1000
其中雇员id=200;
未审核,因为没有
员工的
部门10
因为
员工在部门
示例
SQL> shit immediate; 关闭数据库
SQL> exit
oracle@yf ~]$ lsnrctl stop 关闭监听
[oracle@yf ~]$ ps -ef|grep smon 查看后台数据库进程
oracle 64265 3426 0 21:49 pts/0 00:00:00 grep --color=auto smon
[oracle@yf ~]$ ps -ef|grep tns 查看监听进程
root 19 2 0 6月21 ? 00:00:00 [netns]
oracle 64350 3426 0 21:49 pts/0 00:00:00 grep --color=auto tns
[oracle@yf ~]$ cd $ORACLE_HOME/rdbms/lib
[oracle@yf lib]$ pwd
/u01/app/oracle/product/18c/rdbms/lib
[oracle@yf lib]$ make -f ins_rdbms.mk uniaud_on ioracle 打开数据库通用审计
[oracle@yf lib]$ lsnrctl start 重启监听
[oracle@yf lib]$ sqlplus / as sysdba
SQL> startup 重启数据库
SQL> SELECT value FROM v$option WHERE parameter = 'Unified Auditing'; 查看统一审计是否打开
VALUE
----------------------------------------------------------------
TRUE 至此说明统一审计已经打开
SQL> create user audmgr identified by oracle_4U default tablespace sysaux temporary tablespace temp; 创建审计超级用户 audmgr 权限identified 密码oracle_4U 默认表空间sysaux 临时表空间temp
User created.
SQL> conn / as sysdba
Connected.
SQL> grant connect to audmgr; 给用户授权
SQL> grant audit_admin to audmgr; 给用户授权
SQL> conn audmgr/oracle_4U 新用户登陆成功
Connected.
SQL> create user audvwr identified by oracle_4U default tablespace sysaux temporary tablespace temp; 创建审计查询用户 audvwr
登陆audmgr用户
SQL> ,object_name from audit_unified_policies;
SQL> l (查看上一条sql命令)
1* select audit_option,audit_option_type,object_schema ,object_name from audit_unified_policies
SQL> create audit policy jobs_audit_upd actions update on hr.jobs; 创建策略名jobs_audit_upd 行为是actions update on hr.jobs 意义:当对hr.jobs表进行修改时存放审计条件
Audit policy created.
SQL> select audit_option,audit_option_type,object_schema ,object_name from audit_unified_policies where policy_name='JOBS_AUDIT_UPD'; 在数据字典audit_unified_policies中查看policy_name的审计条件
AUDIT_OPTION
--------------------------------------------------------------------------------
AUDIT_OPTION_TYPE
------------------
OBJECT_SCHEMA
--------------------------------------------------------------------------------
OBJECT_NAME
--------------------------------------------------------------------------------
UPDATE 设计条件
OBJECT ACTION
HR
JOBS
SQL> audit policy JOBS_AUDIT_UPD; 打开JOBS_AUDIT_UPD审计策略
Audit succeeded.
SQL> select policy_name,enabled_opt,user_name,success,failure from audit_unified_enabled_policies; 查看设计策略是否打开
POLICY_NAME
--------------------------------------------------------------------------------
ENABLED
-------
USER_NAME
--------------------------------------------------------------------------------
SUC FAI
--- ---
ORA_SECURECONFIG
BY
ALL USERS
YES YES
POLICY_NAME
--------------------------------------------------------------------------------
ENABLED
-------
USER_NAME
--------------------------------------------------------------------------------
SUC FAI
--- ---
ORA_LOGON_FAILURES
BY
ALL USERS
NO YES
POLICY_NAME
--------------------------------------------------------------------------------
ENABLED
-------
USER_NAME
--------------------------------------------------------------------------------
SUC FAI
--- ---
JOBS_AUDIT_UPD 新建的策略名
BY
ALL USERS
YES YES
另起窗口登陆hr用户
SQL> desc hr.jobs 查看表结构命令
Name Null? Type
----------------------------------------- -------- ----------------------------
JOB_ID NOT NULL VARCHAR2(10)
JOB_TITLE NOT NULL VARCHAR2(35)
MIN_SALARY NUMBER(6)
MAX_SALARY NUMBER(6)
SQL> select * from hr.jobs where job_title='President';
JOB_ID JOB_TITLE MIN_SALARY MAX_SALARY
---------- ----------------------------------- ---------- ----------
AD_PRES President 20080 40000
SQL> update hr.jobs set max_salary=50000 where job_id='AD_PRES'; 修改了JOB_ID为AD_PRES的最大工资
1 row updated.
用sysdba查看审计记录
SQL> select unified_audit_policies,action_name,object_schema,object_name from unified_audit_trail where dbusername='HR';
UNIFIED_AUDIT_POLICIES
--------------------------------------------------------------------------------
ACTION_NAME
----------------------------------------------------------------
OBJECT_SCHEMA
--------------------------------------------------------------------------------
OBJECT_NAME
--------------------------------------------------------------------------------
JOBS_AUDIT_UPD 上面hr用户做的update记录在这里出现了
UPDATE
HR
JOBS
UNIFIED_AUDIT_POLICIES
--------------------------------------------------------------------------------
ACTION_NAME
----------------------------------------------------------------
OBJECT_SCHEMA
--------------------------------------------------------------------------------
OBJECT_NAME
--------------------------------------------------------------------------------
ORA_LOGON_FAILURES
LOGON
UNIFIED_AUDIT_POLICIES
--------------------------------------------------------------------------------
ACTION_NAME
----------------------------------------------------------------
OBJECT_SCHEMA
--------------------------------------------------------------------------------
OBJECT_NAME
--------------------------------------------------------------------------------
ORA_SECURECONFIG
CREATE DATABASE LINK
HR
DB_LINK2
FGA Guidelines
• To audit all rows, use a null audit condition.
• To audit all columns, use a null audit column.
• Policy names must be unique.
• The audited table or view must already exist when you create the policy.
• If the audit condition syntax is invalid, an ORA-28112 error is raised when the audited object is accessed.
• If the audited column does not exist in the table, no rows are audited.
• If the event handler does not exist, no error is returned and the audit record is still created.
FGA指南
•要审核所有行,请使用空审核条件。
•要审核所有列,请使用空审核列。
•策略名称必须唯一。
•创建策略时,已审核的表或视图必须已存在。
•如果审计条件语法无效,则在访问被审计对象时会引发ORA-28112错误。
•如果表中不存在已审核列,则不审核任何行。
•如果事件处理程序不存在,则不会返回错误,并且仍会创建审核记录。
Archiving and Purging the Audit Trail
• Periodically archive and purge the audit trail to prevent it from growing too large.
• Create an archive by:
– Copying audit trail records to a database table
– Using Oracle Audit Vault
• Purge the audit trail by:
– Creating and scheduling a purge job to run at a specified time by using the DBMS_AUDIT_MGMT.CREATE_PURGE_JOB
PL/SQL procedure
– Manually by using the
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL PL/SQL procedure
存档和清除审核跟踪
•定期存档和清除审计跟踪,以防止其变得过大。
•通过以下方式创建存档:
–将审计跟踪记录复制到数据库表
–使用Oracle Audit Vault
•通过以下方式清除审计跟踪:
–使用DBMS_AUDIT创建并调度要在指定时间运行的清除作业_管理创建清除作业
PL/SQL过程
–使用
数据库管理系统审计_清洁审计跟踪管理PL/SQL过程
Purging Audit Trail Records
• Schedule an automatic purge job:
• Manually purge the audit records:
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED )
DBMS_AUDIT_MGMT.CREATE_PURGE_JOB
(AUDIT_TRAIL_TYPE=> DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
AUDIT_TRAIL_PURGE_INTERVAL => 12,
AUDIT_TRAIL_PURGE_NAME => 'Audit_Trail_PJ',
USE_LAST_ARCH_TIMESTAMP => TRUE,
CONTAINER => DBMS_AUDIT_MGMT.CONTAINER_CURRENT);
清除审核跟踪记录
•安排自动清除作业:
•手动清除审核记录:
数据库管理系统审计_清洁审计跟踪管理(
AUDIT_TRAIL_TYPE=>数据库管理系统审计_统一审计追踪管理)
数据库管理系统审计_管理创建清除作业
(AUDIT_TRAIL_TYPE=>数据库管理系统审计_统一审计追踪管理,
审核跟踪清除间隔=>12,
AUDIT_TRAIL_PURGE_NAME=>“审计跟踪_PJ”,
使用最后一个时间戳=>TRUE,
容器=>数据库管理系统审计_管理容器电流);
Quiz
Top-level statements performed before the database opens by administrative users such as SYS and SYSDBA are mandatorily audited.
测验
SYS和SYSDBA等管理用户在打开数据库之前执行的顶级语句将被强制审核。 对的