This article presents an overview of auditing in Oracle 10g Release 2. Many of the topics presented here have been covered in previous articles, but this serves to bring them all together.
Server Setup
Audit Options
View Audit Trail
Maintenance and Security
Fine Grained Auditing
Related articles.
Fine Grained Auditing (9i)
Fine Grained Auditing Enhancements (10g)
Uniform Audit Trail (10g)
Audit Trail Contents (10g)
Auditing Enhancements (DBMS_AUDIT_MGMT) in Oracle Database 11g Release 2
Server Setup
Auditing is a default feature of the Oracle server. The initialization parameters that influence its behaviour can be displayed using the SHOW PARAMETER SQL*Plus command.
SQL> SHOW PARAMETER AUDIT

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      C:\ORACLE\PRODUCT\10.2.0\ADMIN
                                                 \DB10G\ADUMP
audit_sys_operations                 boolean     FALSE
audit_trail                          string      NONE
SQL>
Auditing is disabled by default, but can be enabled by setting the AUDIT_TRAIL parameter to one of the following allowed values.
none or false - Auditing is disabled.
db or true - Auditing is enabled, with all audit records stored in the database audit trail (SYS.AUD$).
db,extended - As db, but the SQL_BIND and SQL_TEXT columns are also populated.
xml - Auditing is enabled, with all audit records stored as XML format OS files.
xml,extended - As xml, but the SQL_BIND and SQL_TEXT columns are also populated.
os - Auditing is enabled, with all audit records directed to the operating system's audit trail.
Note. In Oracle 10g Release 1, db_extended was used in place of db,extended. The XML options are new to Oracle 10g Release 2.

The AUDIT_SYS_OPERATIONS static parameter enables or disables the auditing of operations issued by users connecting with SYSDBA or SYSOPER privileges, including the SYS user. All audit records are written to the OS audit trail.

The AUDIT_FILE_DEST parameter specifies the OS directory used for the audit trail when the os, xml and xml,extended options are used. It is also the location for all mandatory auditing specified by the AUDIT_SYS_OPERATIONS parameter.

To enable auditing and direct audit records to the database audit trail, we would do the following.
SQL> ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE;

System altered.

SQL> SHUTDOWN
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> STARTUP
ORACLE instance started.

Total System Global Area  289406976 bytes
Fixed Size                  1248600 bytes
Variable Size              71303848 bytes
Database Buffers          213909504 bytes
Redo Buffers                2945024 bytes
Database mounted.
Database opened.
SQL>
Audit Options
One look at the AUDIT command syntax should give you an idea of how flexible Oracle auditing is. There is no point repeating all this information, so instead we will look at a simple example. First we create a new user called AUDIT_TEST.
CONNECT sys/password AS SYSDBA

CREATE USER audit_test IDENTIFIED BY password
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA UNLIMITED ON users;

GRANT connect TO audit_test;
GRANT create table, create procedure TO audit_test;
Next we audit all operations by the AUDIT_TEST user.
AUDIT ALL BY audit_test BY ACCESS;
AUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY audit_test BY ACCESS;
AUDIT EXECUTE PROCEDURE BY audit_test BY ACCESS;
These options audit all DDL and DML, along with some system events.
DDL (CREATE, ALTER & DROP of objects)
DML (INSERT, UPDATE, DELETE, SELECT, EXECUTE).
SYSTEM EVENTS (LOGON, LOGOFF etc.)
CONN audit_test/password

CREATE TABLE test_tab (
  id  NUMBER
);

INSERT INTO test_tab (id) VALUES (1);
UPDATE test_tab SET id = id;
SELECT * FROM test_tab;
DELETE FROM test_tab;

-- The audit trail output shown later also records a DROP TABLE on TEST_TAB.
DROP TABLE test_tab;
SELECT view_name
FROM   dba_views
WHERE  view_name LIKE 'DBA%AUDIT%'
ORDER BY view_name;

VIEW_NAME
------------------------------
DBA_AUDIT_EXISTS
DBA_AUDIT_OBJECT
DBA_AUDIT_POLICIES
DBA_AUDIT_POLICY_COLUMNS
DBA_AUDIT_SESSION
DBA_AUDIT_STATEMENT
DBA_AUDIT_TRAIL
DBA_COMMON_AUDIT_TRAIL
DBA_FGA_AUDIT_TRAIL
DBA_OBJ_AUDIT_OPTS
DBA_PRIV_AUDIT_OPTS
DBA_REPAUDIT_ATTRIBUTE
DBA_REPAUDIT_COLUMN
DBA_STMT_AUDIT_OPTS

14 rows selected.

SQL>
DBA_AUDIT_TRAIL - Standard auditing only (from AUD$).
DBA_FGA_AUDIT_TRAIL - Fine-grained auditing only (from FGA_LOG$).
DBA_COMMON_AUDIT_TRAIL - Both standard and fine-grained auditing.
The most basic view of the database audit trail is provided by the DBA_AUDIT_TRAIL view, which contains a wide variety of information. The following query displays some of the information from the database audit trail.
COLUMN username FORMAT A10
COLUMN owner FORMAT A10
COLUMN obj_name FORMAT A10
COLUMN extended_timestamp FORMAT A35

SELECT username,
       extended_timestamp,
       owner,
       obj_name,
       action_name
FROM   dba_audit_trail
WHERE  owner = 'AUDIT_TEST'
ORDER BY timestamp;

USERNAME   EXTENDED_TIMESTAMP                  OWNER      OBJ_NAME   ACTION_NAME
---------- ----------------------------------- ---------- ---------- ------------
AUDIT_TEST 16-FEB-2006 14:16:55.435000 +00:00  AUDIT_TEST TEST_TAB   CREATE TABLE
AUDIT_TEST 16-FEB-2006 14:16:55.514000 +00:00  AUDIT_TEST TEST_TAB   INSERT
AUDIT_TEST 16-FEB-2006 14:16:55.545000 +00:00  AUDIT_TEST TEST_TAB   UPDATE
AUDIT_TEST 16-FEB-2006 14:16:55.592000 +00:00  AUDIT_TEST TEST_TAB   SELECT
AUDIT_TEST 16-FEB-2006 14:16:55.670000 +00:00  AUDIT_TEST TEST_TAB   DELETE
AUDIT_TEST 16-FEB-2006 14:17:00.045000 +00:00  AUDIT_TEST TEST_TAB   DROP TABLE

6 rows selected.

SQL>
When the audit trail is directed to an XML format OS file, it can be read using a text editor or via the V$XML_AUDIT_TRAIL view, which contains similar information to the DBA_AUDIT_TRAIL view.
COLUMN db_user FORMAT A10
COLUMN object_schema FORMAT A10
COLUMN object_name FORMAT A10
COLUMN extended_timestamp FORMAT A35

SELECT db_user,
       extended_timestamp,
       object_schema,
       object_name,
       action
FROM   v$xml_audit_trail
WHERE  object_schema = 'AUDIT_TEST'
ORDER BY extended_timestamp;

DB_USER    EXTENDED_TIMESTAMP                  OBJECT_SCH OBJECT_NAM     ACTION
---------- ----------------------------------- ---------- ---------- ----------
AUDIT_TEST 16-FEB-2006 14:14:33.417000 +00:00  AUDIT_TEST TEST_TAB            1
AUDIT_TEST 16-FEB-2006 14:14:33.464000 +00:00  AUDIT_TEST TEST_TAB            2
AUDIT_TEST 16-FEB-2006 14:14:33.511000 +00:00  AUDIT_TEST TEST_TAB            6
AUDIT_TEST 16-FEB-2006 14:14:33.542000 +00:00  AUDIT_TEST TEST_TAB            3
AUDIT_TEST 16-FEB-2006 14:14:33.605000 +00:00  AUDIT_TEST TEST_TAB            7
AUDIT_TEST 16-FEB-2006 14:14:34.917000 +00:00  AUDIT_TEST TEST_TAB           12

6 rows selected.

SQL>
Several fields were added to both the standard and fine-grained audit trails in Oracle 10g, including the following.
EXTENDED_TIMESTAMP - A more precise value than the existing TIMESTAMP column.
PROXY_SESSIONID - Proxy session serial number when an enterprise user is logging in via the proxy method.
GLOBAL_UID - Global Universal Identifier for an enterprise user.
INSTANCE_NUMBER - The INSTANCE_NUMBER value from the actioning instance.
OS_PROCESS - Operating system process id for the oracle process.
TRANSACTIONID - Transaction identifier for the audited transaction. This column can be used to join to the XID column on the FLASHBACK_TRANSACTION_QUERY view.
SCN - System change number of the query. This column can be used in flashback queries.
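The TRANSACTIONID and SCN columns can be used as follows. This is an added example, not part of the original article; it assumes the AUDIT_TEST schema and EMP table used elsewhere in this article, a session allowed to query FLASHBACK_TRANSACTION_QUERY, and undo that is still retained for the period in question.

```sql
-- Added example: tie audited statements back to the row changes they made.

COLUMN username FORMAT A10
COLUMN obj_name FORMAT A10
COLUMN action_name FORMAT A12
COLUMN undo_sql FORMAT A60

-- 1. For each audited statement against AUDIT_TEST objects, list the row-level
--    operations of the enclosing transaction and the SQL that would undo each.
SELECT a.username,
       a.extended_timestamp,
       a.action_name,
       a.obj_name,
       a.scn,
       f.operation,
       f.undo_sql
FROM   dba_audit_trail a
       JOIN flashback_transaction_query f
         ON  f.xid         = a.transactionid
         AND f.table_owner = a.owner
         AND f.table_name  = a.obj_name
WHERE  a.owner = 'AUDIT_TEST'
AND    a.transactionid IS NOT NULL
ORDER BY a.extended_timestamp, f.undo_change#;

-- 2. View the table as it stood when an audited statement ran.
--    Capture the SCN of the earliest audited DELETE on EMP in a bind
--    variable, then use it in a flashback query. This assumes at least
--    one such audit record exists; otherwise the bind variable is NULL.
VARIABLE v_scn NUMBER

BEGIN
  SELECT MIN(scn)
  INTO   :v_scn
  FROM   dba_audit_trail
  WHERE  owner       = 'AUDIT_TEST'
  AND    obj_name    = 'EMP'
  AND    action_name = 'DELETE';
END;
/

SELECT * FROM audit_test.emp AS OF SCN :v_scn;
```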
The SQL_BIND and SQL_TEXT columns are only populated when the AUDIT_TRAIL parameter is set to db,extended or xml,extended.
CONN audit_test/password

CREATE TABLE emp (
  empno     NUMBER(4) NOT NULL,
  ename     VARCHAR2(10),
  job       VARCHAR2(9),
  mgr       NUMBER(4),
  hiredate  DATE,
  sal       NUMBER(7,2),
  comm      NUMBER(7,2),
  deptno    NUMBER(2)
);

INSERT INTO emp (empno, ename, sal) VALUES (9999, 'Tim', 1);
INSERT INTO emp (empno, ename, sal) VALUES (9999, 'Larry', 50001);
COMMIT;
The following policy audits any queries of salaries greater than 50,000.
CONN sys/password AS sysdba

BEGIN
  DBMS_FGA.add_policy(
    object_schema   => 'AUDIT_TEST',
    object_name     => 'EMP',
    policy_name     => 'SALARY_CHK_AUDIT',
    audit_condition => 'SAL > 50000',
    audit_column    => 'SAL');
END;
/

CONN audit_test/password
SELECT sal FROM emp WHERE ename = 'Tim';
SELECT sal FROM emp WHERE ename = 'Larry';

CONN sys/password AS SYSDBA
SELECT sql_text FROM dba_fga_audit_trail;

SQL_TEXT

SQL>
Extra processing can be associated with an FGA event by defining a database procedure and associating this to the audit event. The following example assumes the FIRE_CLERK procedure has been defined.
BEGIN
  DBMS_FGA.add_policy(
    object_schema   => 'AUDIT_TEST',
    object_name     => 'EMP',
    policy_name     => 'SALARY_CHK_AUDIT',
    audit_condition => 'SAL > 50000',
    audit_column    => 'SAL',
    handler_schema  => 'AUDIT_TEST',
    handler_module  => 'FIRE_CLERK',
    enable          => TRUE);
END;
/
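One possible FIRE_CLERK handler, as an added example that is not part of the original article: it records each policy hit in a hypothetical FGA_ALERTS table (the table, its columns and the parameter names are assumptions). DBMS_FGA calls the handler with three VARCHAR2 arguments: object schema, object name and policy name.

```sql
-- Added example. FGA_ALERTS and its columns are hypothetical names.
-- The article's policy names AUDIT_TEST as handler_schema; on a real system
-- keep the handler and its table in a schema the audited users cannot alter.
CONN sys/password AS SYSDBA

CREATE TABLE audit_test.fga_alerts (
  alert_time     TIMESTAMP WITH TIME ZONE DEFAULT SYSTIMESTAMP,
  db_user        VARCHAR2(30),
  os_user        VARCHAR2(255),
  object_schema  VARCHAR2(30),
  object_name    VARCHAR2(30),
  policy_name    VARCHAR2(30),
  sql_text       VARCHAR2(4000)
);

CREATE OR REPLACE PROCEDURE audit_test.fire_clerk (
  p_object_schema  IN VARCHAR2,
  p_object_name    IN VARCHAR2,
  p_policy_name    IN VARCHAR2
) AS
  -- Commit the alert row independently of the audited statement's transaction,
  -- so it survives even if the user rolls back.
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO audit_test.fga_alerts
    (db_user, os_user, object_schema, object_name, policy_name, sql_text)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     p_object_schema,
     p_object_name,
     p_policy_name,
     -- CURRENT_SQL is only available inside an FGA handler; the third
     -- argument raises SYS_CONTEXT's default 256-byte return limit.
     SYS_CONTEXT('USERENV', 'CURRENT_SQL', 4000));
  COMMIT;
END;
/

-- After a query matching the policy's condition has run:
SELECT alert_time, db_user, policy_name, sql_text
FROM   audit_test.fga_alerts
ORDER BY alert_time;
```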
In Oracle9i fine grained auditing was limited to queries, but in Oracle 10g it has been extended to include DML statements, as shown by the following example.
-- Clear down the audit trail.
CONN sys/password AS SYSDBA
TRUNCATE TABLE fga_log$;
SELECT sql_text FROM dba_fga_audit_trail;

no rows selected.

-- Apply the policy to the SAL column of the EMP table.
BEGIN
  DBMS_FGA.add_policy(
    object_schema   => 'AUDIT_TEST',
    object_name     => 'EMP',
    policy_name     => 'SAL_AUDIT',
    audit_condition => NULL, -- Equivalent to TRUE
    audit_column    => 'SAL',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE');
END;
/

-- Run the statements as the audited user.
CONN audit_test/password
SELECT * FROM emp WHERE empno = 9998;
INSERT INTO emp (empno, ename, sal) VALUES (9998, 'Bill', 1);
UPDATE emp SET sal = 10 WHERE empno = 9998;
DELETE emp WHERE empno = 9998;
ROLLBACK;

-- Check the audit trail.
CONN sys/password AS SYSDBA
SELECT sql_text FROM dba_fga_audit_trail;

SQL_TEXT
--------------------------------------
SELECT * FROM emp WHERE empno = 9998
INSERT INTO emp (empno, ename, sal) VALUES (9998, 'Bill', 1)
UPDATE emp SET sal = 10 WHERE empno = 9998
DELETE emp WHERE empno = 9998

4 rows selected.

-- Drop the policy.
CONN sys/password AS SYSDBA
BEGIN
  DBMS_FGA.drop_policy(
    object_schema   => 'AUDIT_TEST',
    object_name     => 'EMP',
    policy_name     => 'SAL_AUDIT');
END;
/