数据库审计

参数：audit_trail
SQL> show parameter audit
 
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /data/admin/oral/adump
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string     
audit_trail                          string      NONE

参数查询：
可看是否静态参数v$system_parameter
查看audit_trail可设置的值：v$parameter_valid_values
 
 
配置审计需要重启实例，配置之前，需要备份好spfile;
create pfile='/oracle/app/product/10.2/dbs/pfile826.ora' from spfile;
alter system set AUDIT_TRAIL =DB_EXTENDED scope=spfile;
alter system set audit_sys_operations=true scope=spfile;
shutdown immediate
startup

如需关闭审计
alter system set audit_trail=none scope=spfile;
重启数据库

如果审计表aud$不存在,需要手工创建
SQL> conn / as sysdba
 SQL> @?/rdbms/admin/cataudit.sql

将审计记录表移动到新的表空间
select * from aud$ ;
create tablespace aud datafile '/data/oradata/oral/aud01.dbf' size 10m autoextend on;
alter table aud$ move tablespace aud;
alter table aud$ move lob(sqlbind) store as (tablespace aud);
alter table aud$ move lob(sqltext) store as (tablespace aud);
alter index I_AUD1 rebuild tablespace aud;

如需删除审计记录，则将sys.aud$表中记录删除，将释放表空间；

开通的审计策略
如何检测潜在的登录攻击
audit create session by access whenever not successful;
audit connect by access whenever not successful;

对用户的所有行为进行审计
audit all by scott;

可查看到审计策略；
select * from dba_stmt_audit_opts ;--语句审计：statement
select * from dba_priv_audit_opts ; ---系统权限审计状态
select * from dba_obj_audit_opts ;--对象权限审计状态，中S:SESSION, A:ACCESS；按成功次数进行审计：audit select on t by access；SESSION 意思就是只记录一次成功；是默认值；

查询审计结果：
select * from dba_audit_trail ;   ---审计结果存放的表
select * from dba_fga_audit_trail;
select * from dba_common_audit_trail;

DBA_AUDIT_EXISTS;列出audit not exists和audit exists产生的审计跟踪,我们默认的都是audit exists.
DBA_AUDIT_OBJECT;可以查询所有对象跟踪信息.(例如,对grant,revoke等记录),信息完全包含于dba_audit_trail
DBA_AUDIT_SESSION;所得到的数据都是有关logon或者logoff的信息.
DBA_AUDIT_STATEMENT;列出grant ,revoke ,audit ,noaudit ,alter system语句的审计跟踪信息.
ALL_DEF_AUDIT_OPTS

查看审计内容，主要字段：os_username, userhost, timestamp, owner，sql_bind, sql_text
SQL> select * from dba_audit_trail where  owner = 'AUDIT_TEST' order by timestamp;
注意：owner的值必须大写，例如 owner = 'AUDIT_TEST'

辅助视图
1.SYS.AUD$
审计功能的底层视图,如果需要对数据进行删除,只需要对aud$视图进行删除既可,其他视图里的数据都是由aud$所得.
select * from sys.audit_actions;---审计的可用命令动作，可以查询出在aud$等视图中actions列的含义
select * from SYSTEM_PRIVILEGE_MAP;--可以查询出aud$等视图中priv$used列的含义(注意前面加'-')

审计策略示例：
对某用户某动作开启审计：audit create session by a;
停止审计：noaudit create session;
对表开启查询审计：audit select on t whenever successful;
对用户a执行的语句中有table的进行审计： audit table by a;
audit CREATE TABLE by scott;
 audit CREATE TABLE, CREATE VIEW, ALTER USER;
 audit INDEX;  --包括CREATE INDEX, DROP INDEX, ALTER INDEX and ANALYZE INDEX
 audit INDEX by scott;
 audit ALL whenever SUCCESSFUL;
 AUDIT DELETE ANY TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;
 audit select any table;
 audit select any table, delete any table by scott, system;
 audit select on SCOTT.EMP whenever successful;
 audit delete on SCOTT.EMP by access;
 audit ALL on SCOTT.EMP;
 audit select on DEFAULT;
 AUDIT NETWORK;
 AUDIT ROLE WHENEVER NOT SUCCESSFUL;
 AUDIT CREATE ANY DIRECTORY;
 

审计速查
Quick Reference to Auditing Information

 Database Audit mode
 ~~~~~~~~~~~~~~~~~~~
 show parameter audit

 AUDIT_TRAIL   --> DB, DB_EXTENDED, OS, XML, XML_EXTENDED, FALSE or NONE
 AUDIT_FILE_DEST --> Audit File location
 AUDIT_SYS_OPERATIONS --> Controls whether the activities of SYSDBA are audited or not.
 AUDIT_SYSLOG_LEVEL    --> specifies a SYSLOG facility that will receive the audit information

 What Statements are being audited ?
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 To set audit:

 AUDIT [option] [BY user|SESSION|ACCESS] [WHENEVER {NOT} SUCCESSFUL]

 select * from dba_stmt_audit_opts where USER_NAME='...';

 Columns are:
 AUDIT_OPTION from STMT_AUDIT_OPTION_MAP
 SUCCESS 'BY SESSION', 'BY ACCESS' or 'NOT SET'
 FAILURE ""

 What Privileges are being audited ?
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 To set audit:
 AUDIT [option] [BY user|SESSION|ACCESS] [WHENEVER {NOT} SUCCESSFUL]

 select * from dba_priv_audit_opts where USER_NAME='...';

 Columns are:
 PRIVILEGE from SYSTEM_PRIVILEGE_MAP
 SUCCESS 'BY SESSION', 'BY ACCESS' or 'NOT SET'
 FAILURE ""

 What Objects are being audited ?
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 To set Auditing:
 AUDIT [object_option] ON [schema].object|DEFAULT [BY SESSION|ACCESS]
 [WHENEVER {NOT} SUCCESSFUL]

 select * from dba_obj_audit_opts where owner='..' and OBJECT_NAME='...';
 select * from all_def_audit_opts;

 Columns are:
 ALT AUD COM DEL GRA IND INS LOC REN SEL UPD REF EXE FBK REA

 X/Y - is no option set
 X is when successful
 Y is when Unsuccessful
 S set by session
 A set by access

 Audit results
 ~~~~~~~~~~~~~
 Raw results can go to various places depending on the value of parameter AUDIT_TRAIL:

 - when audit_trail is DB or DB_EXTENDED the audit data will go to AUD$ (DBA_AUDIT_TRAIL is a view on top of this table ).
 Main where columns are: USERNAME, TIMESTAMP, OWNER
 - when audit_trail is OS or XML or XML_EXTENDED the audit data will be written to files located in the AUDIT_FILE_DEST directory
 - when AUDIT_SYSLOG_LEVEL is defined and audit_trail is set to OS the audit data will be sent to SYSLOG

 For underlying results see:

 Select STATEMENT, TIMESTAMP, ACTION, USERID from AUD$;

 Auditing administrative connections
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 The administrative user connections (CONNECT / AS SYSDBA or CONNECT / AS SYSOPER) are always logged regardless of audit setting.
 On UNIX platforms these are logged to *.aud files in $ORACLE_HOME/rdbms/audit when the instance is stopped and to AUDIT_FILE_DEST
 when the instance is started regardless of any init.ora parameter settings. See Note 103964.1 for more details.
 ---------------------------------------------------