[Oracle] database security-audit

[Oracle] database security-audit Oracle audit is an afterthought task. After a database security problem occurs, you can trace the source of the problem to locate and discover it. Oracle audit mainly includes the following three parts: Trigger-based Auditing (Trigger) Auditing the sys User-(SYS User audit) Standard Auditing (Standard audit) the following is an example of trigger audit. Once the sal field value of the emp table increases by more than 1.1 times, this operation is recorded in the audit table emp_sal_audit. [SQL] CREATE TRIGGER trg_a_idu_r_emp_sal AFTER INSERT OR DELETE OR UPDATE OF sal ON emp FOR EACH ROW BEGIN IF (: NEW. sal>: OLD. sal * 1.10) then insert into emp_sal_audit VALUES (: OLD. empno,: OLD. sal,: NEW. sal, user, sysdate); end if; END;/SYS user's audit is special for SYS users because SYS users have too many permissions, its audit information cannot be stored in the database; otherwise, SYS can modify the audit information at will. Therefore, sys user audit logs are written to operating system logs. The following is an example: 1) first, start the audit of SYS users [SQL] SQL> alter system set audit_sys_operations = true scope = spfile; the system has changed. 2) The SYS user inserts a piece of data into the test table [SQL] SQL> show USER user is "SYS" SQL> insert into test. t (object_id) values (1); 1 row has been created. SQL> commit; submitted completely. 3) the following information is displayed in the Operating System Log: [plain] Audit trail: LENGTH: '000000' ACTION: [7] 'connection' database user: [1] '/'privilege: [6] 'sysdb' client user: [12] 'corp \ xianzhu' client terminal: [14] 'l-SHC-00436132 'STATUS: [1] '0' DBID: [10] '123 '. the standard audit can be divided into the following four parts based on different objects: Audit Session Audit Object audit operation audit authorization the following uses the Audit object as an example: 1) first, enable standard audit [SQL] SQL> ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE; the SYSTEM has changed. SQL> audit select, insert, update, delete on test. t; audit successful. 2) perform DML operations on the table [SQL] SQL> delete from test. t; delete 72768 rows. SQL> insert into t (object_id) values (1); 1 row has been created. SQL> commit; submitted completely. 3) view the corresponding audit information in the audit table [SQL] SQL> col userid for a10 SQL> col obj $ name for a10 SQL> col sqltext for a40 SQL> select userid, obj $ name, sqltext from sys. aud $ where userid = 'test' and obj $ name = 'T'; userid obj $ name sqltext ---------- ------------------------------------------ test t delete from TEST. t test t insert into t (object_id) values (1)