看一下Oracle的審計功能（包括FGA細粒度審計）能給我們帶來些什么的強悍效果。
我將通過這個小文兒向您展示一下Oracle很牛的審計功能。Follow me.?
1.使用審計，需要先激活審計功能
1）查看系統中默認的與審計相關的參數設置
sys@ora10g> conn / as sysdba
Connected.
sys@ora10g> show parameter audit
NAME????????????????? TYPE????? VALUE
--------------------- --------- --------------------------------------
audit_file_dest?????? string??? /oracle/app/oracle/admin/ora10g/adump
audit_sys_operations? boolean?? FALSE
audit_syslog_level??? string
audit_trail?????????? string??? NONE
2）對上面所列的參數進行一下解釋
（1）AUDIT_FILE_DEST = 路徑
指示出審計的文件存放的路徑信息，我們這里顯示的是“/oracle/app/oracle/admin/ora10g/adump”
不管打開還是不打開審計功能，這個目錄項都會記錄以sysdba身份的每次登錄信息，有興趣的朋友可以到這個目錄中查看一下。
例如：
$ cat ora_9915.aud
Audit file /oracle/app/oracle/admin/ora10g/adump/ora_9915.aud
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP and Data Mining Scoring Engine options
ORACLE_HOME = /oracle/app/oracle/product/10.2.0/db_1
System name:??? Linux
Node name:????? testdb183
Release:??????? 2.6.18-128.el5
Version:??????? #1 SMP Wed Dec 17 11:41:38 EST 2008
Machine:??????? x86_64
Instance name: ora10g
Redo thread mounted by this instance: 1
Oracle process number: 13
Unix process pid: 9915, image:?oracle@testdb183?(TNS V1-V3)
Wed Aug 26 19:24:11 2009
ACTION : 'CONNECT'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/1
STATUS: 0
（2）audit_sys_operations
默認值是FALSE，如果開啟審計功能，這個參數需要修改為TRUE。
（3）audit_syslog_level
?????? 語句：指定審計語句或特定類型的語句組，象審計表的語句 CREATE TABLE, TRUNCATE TABLE, COMMENT ON TABLE, and DELETE [FROM] TABLE
?????? 權限：使用審計語句指定系統權限，象AUDIT CREATE ANY TRIGGER
?????? 對象：在指定對象上指定審計語句，象ALTER TABLE on the emp table
（4）AUDIT_TRAIL = NONE|DB|OS
??????? DB--審計信息記錄到數據庫中
??????? OS--審計信息記錄到操作系統文件中
??????? NONE--關閉審計（默認值）
3）修改參數audit_sys_operations為“TRUE”，開啟審計的功能
sys@ora10g> alter system set audit_sys_operations=TRUE scope=spfile;
System altered.
4）修改參數audit_trail為“db”，審計信息記錄到數據庫中
sys@ora10g> alter system set audit_trail=db scope=spfile;
System altered.
5）注意，到這里如果需要使這些參數生效，必須重新啟動一下數據庫
sys@ora10g> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
sys@ora10g> startup;
ORACLE instance started.
Total System Global Area 1073741824 bytes
Fixed Size????????????????? 2078264 bytes
Variable Size???????????? 293603784 bytes
Database Buffers????????? 771751936 bytes
Redo Buffers??????????????? 6307840 bytes
Database mounted.
Database opened.
6）驗證一些參數修改后的結果，這里顯示已經修改完成
sys@ora10g> show parameter audit;
NAME????????????????? TYPE???? VALUE
--------------------- -------- --------------------------------------
audit_file_dest?????? string?? /oracle/app/oracle/admin/ora10g/adump
audit_sys_operations? boolean? TRUE
audit_syslog_level??? string
audit_trail?????????? string?? DB
2.開啟了審計功能后，這里有一個有趣的效果，就是所有sysdba權限下的操作都會被記錄到這個/oracle/app/oracle/admin/ora10g/adump審計目錄下。這也是為什么開啟了審計功能后會存在一些開銷和風險。
1）假如我們在sysdba權限用戶下執行下面三條命令
sys@ora10g> alter session set nls_date_format='yyyy-mm-dd hh24:mi:ss';
Session altered.
sys@ora10g> select * From dual;
D
-
X
sys@ora10g> show parameter spfile
NAME?? TYPE?? VALUE
------ ------ ------------------------------------------------------------
spfile string /oracle/app/oracle/product/10.2.0/db_1/dbs/spfileora10g.ora
2）使用tail命令可以看到在相應的trace文件中有如下的詳細記錄信息，有點意思的發現，可以看到“show parameter spfile”命令背后真正執行了什么樣的SQL語句
Wed Aug 26 20:04:03 2009
ACTION : 'alter session set nls_date_format='yyyy-mm-dd hh24:mi:ss''
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
Wed Aug 26 20:04:03 2009
ACTION : 'BEGIN DBMS_OUTPUT.GET_LINES(:LINES, :NUMLINES); END;'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
Wed Aug 26 20:04:16 2009
ACTION : 'select * From dual'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
Wed Aug 26 20:04:16 2009
ACTION : 'BEGIN DBMS_OUTPUT.GET_LINES(:LINES, :NUMLINES); END;'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
Wed Aug 26 20:07:21 2009
ACTION : 'SELECT NAME NAME_COL_PLUS_SHOW_PARAM,DECODE(TYPE,1,'boolean',2,'string',3,'integer',4,'file',5,'number',??????? 6,'big integer', 'unknown') TYPE,DISPLAY_VALUE VALUE_COL_PLUS_SHOW_PARAM FROM V$PARAMETER WHERE UPPER(NAME) LIKE UPPER('%spfile%') ORDER BY NAME_COL_PLUS_SHOW_PARAM,ROWNUM'
DATABASE USER: '/'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
CLIENT TERMINAL: pts/2
STATUS: 0
3.演示一下對sec用戶的t_audit表delete操作的審計效果
1）表t_audit信息如下
sec@ora10g> select * from t_audit order by 1;
???????? X
----------
???????? 1
???????? 2
???????? 3
???????? 4
???????? 5
???????? 6
6 rows selected.
2）這里僅僅開啟對表t_audit的delete操作的審計
sec@ora10> audit delete on t_audit;
Audit succeeded.
3）查看審計設置可以通過查詢dba_obj_audit_opts視圖來完成
sec@ora10g> select OWNER,OBJECT_NAME,OBJECT_TYPE,DEL,INS,SEL,UPD from dba_obj_audit_opts;
OWNER? OBJECT_NAME? OBJECT_TYPE? DEL?????? INS?????? SEL?????? UPD
------ ------------ ------------ --------- --------- --------- ---------
SEC??? T_AUDIT????? TABLE??????? S/S?????? -/-?????? -/-?????? -/-
4）嘗試插入數據
sec@ora10g> insert into t_audit values (7);
1 row created.
5）因為我們沒有對insert語句進行審計，所以沒有審計信息可以得到
sec@ora10g> select count(*) from dba_audit_trail;
? COUNT(*)
----------
???????? 0
6）再嘗試delete操作
sec@ora10g> delete from t_audit where x=1;
1 row deleted.
7）不出所料，delete操作被數據庫捕獲
這里可以通過查詢dba_audit_trail視圖或者sys.aud$視圖得到詳細的審計信息，這種審計方法可以得到操作的時間，操作用戶等較粗的信息（相對后面介紹的細粒度審計來說）
sec@ora10g> select count(*) from dba_audit_trail;
? COUNT(*)
----------
???????? 1
select * from dba_audit_trail;
select * from sys.aud$;
4.如想要取消對表t_audit的全部審計，需要使用手工方式來完成
sec@ora10> noaudit all on t_audit;
Noaudit succeeded.
通過查詢dba_obj_audit_opts視圖，確認確實已經取消的審計
sec@ora10g> select * from dba_obj_audit_opts;
no rows selected
5.【FGA】【細粒度審計】上面得到的審計信息是較粗的，我們進一步演示一下“細粒度審計FGA”的效果：可以通過FGA得到操作的SQL語句級別的信息
1）細粒度審計t_audit表上的增刪改查的一切操作
sec@ora10g> conn / as sysdba
Connected.
sys@ora10g> exec dbms_fga.add_policy(object_schema=>'SEC', object_name=> 't_audit', policy_name=> 'check_t_audit',statement_types => 'INSERT, UPDATE, DELETE, SELECT');
PL/SQL procedure successfully completed.
2）對t_audit表增刪改查操作一番
sys@ora10g> conn sec/sec
Connected.
sec@ora10g> select * from t_audit;
???????? X
----------
???????? 2
???????? 3
???????? 4
???????? 5
???????? 6
???????? 7
6 rows selected.
sec@ora10g> delete from t_audit where x=5;
1 row deleted.
sec@ora10g> update t_audit set x=8 where x=7;
1 row updated.
sec@ora10g> insert into t_audit values (1);
1 row created.
sec@ora10g> commit;
Commit complete.
3）OK，查看dba_fga_audit_trail視圖得到了4條審計記錄
sec@ora10g> select count(*) from dba_fga_audit_trail;
? COUNT(*)
----------
???????? 4
4）詳細查看一下對應的SQL操作，FGA還是很強悍的
sec@ora10g> col DB_USER for a10
sec@ora10g> col SQL_TEXT for a50
sec@ora10g> select db_user,sql_text from dba_fga_audit_trail;
DB_USER??? SQL_TEXT
---------- --------------------------------------------------
SEC??????? select * from t_audit
SEC??????? delete from t_audit where x=5
SEC??????? update t_audit set x=8 where x=7
SEC??????? insert into t_audit values (1)
5）最后再看一下這個dba_fga_audit_trail視圖的結構，可以看到這個視圖中記錄了非常詳盡的審計信息列
sec@ora10g> desc dba_fga_audit_trail
?Name??????????????? Null???? Type
?------------------- -------- ----------------------------
?SESSION_ID????????? NOT NULL NUMBER
?TIMESTAMP??????????????????? DATE
?DB_USER????????????????????? VARCHAR2(30)
?OS_USER????????????????????? VARCHAR2(255)
?USERHOST???????????????????? VARCHAR2(128)
?CLIENT_ID??????????????????? VARCHAR2(64)
?ECONTEXT_ID????????????????? VARCHAR2(64)
?EXT_NAME???????????????????? VARCHAR2(4000)
?OBJECT_SCHEMA??????????????? VARCHAR2(30)
?OBJECT_NAME????????????????? VARCHAR2(128)
?POLICY_NAME????????????????? VARCHAR2(30)
?SCN????????????????????????? NUMBER
?SQL_TEXT???????????????????? NVARCHAR2(2000)
?SQL_BIND???????????????????? NVARCHAR2(2000)
?COMMENT$TEXT???????????????? VARCHAR2(4000)
?STATEMENT_TYPE?????????????? VARCHAR2(7)
?EXTENDED_TIMESTAMP?????????? TIMESTAMP(6) WITH TIME ZONE
?PROXY_SESSIONID????????????? NUMBER
?GLOBAL_UID?????????????????? VARCHAR2(32)
?INSTANCE_NUMBER????????????? NUMBER
?OS_PROCESS?????????????????? VARCHAR2(16)
?TRANSACTIONID??????????????? RAW(8)
?STATEMENTID????????????????? NUMBER
?ENTRYID????????????????????? NUMBER

6）針對上面添加的審計策略進行調整：disable_policy、enable_policy和drop_policy的方法
使策略失效的方法：
sys@ora10g> exec dbms_fga.disable_policy(object_schema=>'SEC', object_name=> 't_audit', policy_name=> 'check_t_audit');
使策略生效的方法：
sys@ora10g> exec dbms_fga.enable_policy(object_schema=>'SEC', object_name=> 't_audit', policy_name=> 'check_t_audit');
徹底刪除策略的方法：
sec@ora10g> exec dbms_fga.drop_policy(object_schema=>'SEC', object_name=> 't_audit', policy_name=> 'check_t_audit');
PL/SQL procedure successfully completed.
最后列一下dbms_fga提供給我們使用的方法都有哪些
sec@ora10g> desc dbms_fga
PROCEDURE ADD_POLICY
?Argument Name????????????????? Type??????????????????? In/Out Default?
?------------------------------ ----------------------- ------ --------
?OBJECT_SCHEMA????????????????? VARCHAR2??????????????? IN???? DEFAULT
?OBJECT_NAME??????????????????? VARCHAR2??????????????? IN
?POLICY_NAME??????????????????? VARCHAR2??????????????? IN
?AUDIT_CONDITION??????????????? VARCHAR2??????????????? IN???? DEFAULT
?AUDIT_COLUMN?????????????????? VARCHAR2??????????????? IN???? DEFAULT
?HANDLER_SCHEMA???????????????? VARCHAR2??????????????? IN???? DEFAULT
?HANDLER_MODULE???????????????? VARCHAR2??????????????? IN???? DEFAULT
?ENABLE???????????????????????? BOOLEAN???????????????? IN???? DEFAULT
?STATEMENT_TYPES??????????????? VARCHAR2??????????????? IN???? DEFAULT
?AUDIT_TRAIL??????????????????? BINARY_INTEGER????????? IN???? DEFAULT
?AUDIT_COLUMN_OPTS????????????? BINARY_INTEGER????????? IN???? DEFAULT
PROCEDURE DISABLE_POLICY
?Argument Name????????????????? Type??????????????????? In/Out Default?
?------------------------------ ----------------------- ------ --------
?OBJECT_SCHEMA????????????????? VARCHAR2??????????????? IN???? DEFAULT
?OBJECT_NAME??????????????????? VARCHAR2??????????????? IN
?POLICY_NAME??????????????????? VARCHAR2??????????????? IN
PROCEDURE DROP_POLICY
?Argument Name????????????????? Type??????????????????? In/Out Default?
?------------------------------ ----------------------- ------ --------
?OBJECT_SCHEMA????????????????? VARCHAR2??????????????? IN???? DEFAULT
?OBJECT_NAME??????????????????? VARCHAR2??????????????? IN
?POLICY_NAME??????????????????? VARCHAR2??????????????? IN
PROCEDURE ENABLE_POLICY
?Argument Name????????????????? Type??????????????????? In/Out Default?
?------------------------------ ----------------------- ------ --------
?OBJECT_SCHEMA????????????????? VARCHAR2??????????????? IN???? DEFAULT
?OBJECT_NAME??????????????????? VARCHAR2??????????????? IN
?POLICY_NAME??????????????????? VARCHAR2??????????????? IN
?ENABLE???????????????????????? BOOLEAN???????????????? IN???? DEFAULT
6.小結
以上的實驗展示了Oracle的審計功能，包括Oracle引以為傲的FGA細粒度審計。
警告：這種審計的方法是需要付出一定的代價的，如磁盤的開銷，性能的開銷，以及您的系統是否允許反復的停啟數據庫實例等等。在生產環境中使用之前需要多方面評估。?

總結

以上是生活随笔為你收集整理的使用Oracle的审计功能监控数据库中的可疑操作的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。