Oracle Database Security Audit Audit

Oracle Audit is an afterthought, that is, after the database security problems, in order to locate, find the root cause of the problem, can be traced back through the audit. The Oracle audit consists of the following 3 sections:

trigger-based Auditing (trigger)

Auditing the SYS user-(SYS user audit)

Standard Auditing (Standard audit)

Trigger auditing

The following is an example of a trigger audit, where the value of the Sal field in the EMP table increases more than 1.1 times times, and the operation is recorded in the audit table Emp_sal_audit.

CREATE TRIGGER trg_a_idu_r_emp_sal after  
INSERT or DELETE or UPDATE of the SAL on EMP for each  
ROW  
BEGIN
IF (: New.sal >: Old.sal * 1.10)  
THEN INSERT into Emp_sal_audit VALUES (: Old.empno,  
: Old.sal  
,:  
new.sal, User
, sysdate);  
End IF;  
End;  
/

The audit of the SYS user

An audit of the SYS user is special because the SYS user has too much permissions and its audit information cannot be stored in the database, otherwise SYS can modify the audit information at will, so the SYS user audit log is written to the operating system log.

Here is an example:

1 Start the audit of the SYS user first

Sql> alter system Set Audit_sys_operations = true scope = SPFile;

The system has changed.

2 The SYS user inserts a data into the test table

Sql> Show user
user is "SYS"
      
sql> insert INTO test.t (object_id) values (1);  
      
1 lines have been created.  
      
sql> commit;  
      
Submit completed.

3 The following information can be seen in the operating system log:

Audit trail:length: ' 176 ' ACTION: [7] ' CONNECT ' DATABASE user:[1] '/' privilege: [6] ' SYSDBA ' CLIENT user:[12] ' Corp\xia Nzhu ' CLIENT terminal:[14] ' l-shc-00436132 ' status:[1] ' 0 ' dbid:[10] ' 1327298419 '.
Standard Audit

Depending on the object, the standard audit can be divided into the following 4 sections:

Audit session Audit object Audit Operation Audit authorization