Oracle 11g 預設審計選項說明

最後更新：2018-12-06 來源：互聯網

上載者：User

創建阿里雲帳戶，並獲得超過 40 款產品的免費試用版；而企業帳戶則可以享有總值 $1200 的免費試用版。立即註冊！

一. Oracle 11g 預設審計說明

之前整理的一篇有關審計的說明：

Oracle Audit 審計說明

http://blog.csdn.net/tianlesoftware/article/details/4712932

在Maclean 的blog上看到了2篇介紹Oracle 11g 預設審計的文章，原文連結如下：

11g預設審計選項

http://www.oracledatabase12g.com/archives/11g%E9%BB%98%E8%AE%A4%E5%AE%A1%E8%AE%A1%E9%80%89%E9%A1%B9.html

Find password cracker in 11g

http://www.oracledatabase12g.com/archives/script-find-password-cracker.html

根據這2篇文章重新整理一下。

在Oracle 11g中預設啟用審計選項，AUDIT_TRAIL參數的預設值為DB，而在Oracle 10g中該參數預設值為none，即不啟用審計。關於這些參數的說明，可以參考我之前整理的審計的文章。

審計資料預設存放SYSTEM 資料表空間下的AUD$審計字典基表上。Oracle官方宣稱預設啟用的審計日誌不會對絕大多數產品資料庫的效能帶來過大的負面影響，同時Oracle公司還推薦使用基於OS檔案的審計日誌記錄方式(OS audit trail files)。

注意在Oracle11g中CREATE SESSION將被作為受審計的許可權來被記錄，因此當SYSTEM資料表空間因磁碟空間而無法擴充時將導致這部分審計記錄無法產生，這將最終導致普通使用者的新會話將無法正常建立，普通使用者將無法登陸資料庫。在這種情境中仍可以使用SYSDBA身份的使用者建立會話，在將審計資料合適備份後刪除一部分記錄，或者乾脆TRUNCATE AUD$都可以解決上述問題。

當AUDIT_TRAIL設定為OS時，審計記錄檔案將在AUDIT_FILE_DEST參數所指定的目錄中產生。全部這些檔案均可以隨時被刪除或複製。

注意在預設情況下會以AUTOEXTEND ON自動擴充選項建立SYSTEM資料表空間，因此系統資料表空間在必要情況下還是會自動成長的，我們所需注意的是磁碟上的剩餘空間是否能夠滿足其增長需求，以及資料檔案擴充的上限，對於普通的8k smallfile資料表空間而言單個資料檔案的最大尺寸是32G。

SQL> select * from v$version whererownum=1;

BANNER

--------------------------------------------------------------------------------

Oracle Database 11g Enterprise EditionRelease 11.2.0.1.0 - Production

以下許可權將對所有使用者審計:

DBA_PRIV_AUDIT_OPTS describescurrent system privileges being audited across the system and by user.

http://download.oracle.com/docs/cd/E11882_01/server.112/e17110/statviews_4183.htm#REFRN23167

SQL> select privilege,success,failurefrom dba_priv_audit_opts;

PRIVILEGE SUCCESS FAILURE

-------------------------------------------------- ----------

CREATE EXTERNAL JOB BY ACCESS BY ACCESS

CREATE ANY JOB BY ACCESS BY ACCESS

GRANT ANY OBJECT PRIVILEGE BY ACCESS BY ACCESS

EXEMPT ACCESS POLICY BY ACCESS BY ACCESS

CREATE ANY LIBRARY BY ACCESS BY ACCESS

GRANT ANY PRIVILEGE BY ACCESS BY ACCESS

DROP PROFILE BY ACCESS BY ACCESS

ALTER PROFILE BY ACCESS BY ACCESS

DROP ANY PROCEDURE BY ACCESS BY ACCESS

ALTER ANY PROCEDURE BY ACCESS BY ACCESS

CREATE ANY PROCEDURE BY ACCESS BY ACCESS

PRIVILEGE SUCCESS FAILURE

-------------------------------------------------- ----------

ALTER DATABASE BY ACCESS BY ACCESS

GRANT ANY ROLE BY ACCESS BY ACCESS

CREATE PUBLIC DATABASE LINK BY ACCESS BY ACCESS

DROP ANY TABLE BY ACCESS BY ACCESS

ALTER ANY TABLE BY ACCESS BY ACCESS

CREATE ANY TABLE BY ACCESS BY ACCESS

DROP USER BY ACCESS BY ACCESS

ALTER USER BY ACCESS BY ACCESS

CREATE USER BY ACCESS BY ACCESS

CREATE SESSION BY ACCESS BY ACCESS

AUDIT SYSTEM BY ACCESS BY ACCESS

PRIVILEGE SUCCESS FAILURE

-------------------------------------------------- ----------

ALTER SYSTEM BY ACCESS BY ACCESS

23 rows selected.

SQL>

以下語句也將對所有使用者審計:

DBA_STMT_AUDIT_OPTS describescurrent system auditing options across the system and by user.

http://download.oracle.com/docs/cd/E11882_01/server.112/e17110/statviews_4292.htm#REFRN23255

SQL> select audit_option,success,failurefrom dba_stmt_audit_opts;

AUDIT_OPTION SUCCESS FAILURE

-------------------------------------------------- ----------

ALTER SYSTEM BY ACCESS BY ACCESS

SYSTEM AUDIT BY ACCESS BY ACCESS

CREATE SESSION BY ACCESS BY ACCESS

CREATE USER BY ACCESS BY ACCESS

ALTER USER BY ACCESS BY ACCESS

DROP USER BY ACCESS BY ACCESS

PUBLIC SYNONYM BY ACCESS BY ACCESS

DATABASE LINK BY ACCESS BY ACCESS

ROLE BYACCESS BY ACCESS

PROFILE BYACCESS BY ACCESS

CREATE ANY TABLE BY ACCESS BY ACCESS

AUDIT_OPTION SUCCESS FAILURE

-------------------------------------------------- ----------

ALTER ANY TABLE BY ACCESS BY ACCESS

DROP ANY TABLE BY ACCESS BY ACCESS

CREATE PUBLIC DATABASE LINK BY ACCESS BY ACCESS

GRANT ANY ROLE BY ACCESS BY ACCESS

SYSTEM GRANT BY ACCESS BY ACCESS

ALTER DATABASE BY ACCESS BY ACCESS

CREATE ANY PROCEDURE BY ACCESS BY ACCESS

ALTER ANY PROCEDURE BY ACCESS BY ACCESS

DROP ANY PROCEDURE BY ACCESS BY ACCESS

ALTER PROFILE BY ACCESS BY ACCESS

DROP PROFILE BY ACCESS BY ACCESS

AUDIT_OPTION SUCCESS FAILURE

-------------------------------------------------- ----------

GRANT ANY PRIVILEGE BY ACCESS BY ACCESS

CREATE ANY LIBRARY BY ACCESS BY ACCESS

EXEMPT ACCESS POLICY BY ACCESS BY ACCESS

GRANT ANY OBJECT PRIVILEGE BY ACCESS BY ACCESS

CREATE ANY JOB BY ACCESS BY ACCESS

CREATE EXTERNAL JOB BY ACCESS BY ACCESS

28 rows selected.

查詢當前資料庫中的現有的審計記錄:

DBA_AUDIT_TRAIL displaysall standard audit trail entries.

http://download.oracle.com/docs/cd/E11882_01/server.112/e17110/statviews_3081.htm#REFRN23023

SQL> select action_name,count(*) from dba_audit_trail group by action_name;

ACTION_NAME COUNT(*)

---------------------------- ----------

SYSTEM REVOKE 1

LOGON 90

DROP DATABASE LINK 5

LOGOFF 59

ALTER SYSTEM 5

CREATE PUBLIC SYNONYM 2

ALTER DATABASE 3

DROP PUBLIC SYNONYM 2

CREATE DATABASE LINK 5

9 rows selected.

二. 審計應用一例

在使用者的profile 屬性裡面有一個屬性：FAILED_LOGIN_ATTEMPTS, 該參數預設值是10. 即當我們使用者連續10次輸入錯誤密碼，這個使用者就會被鎖住。使用者連詞失敗次數是在表USER$ 中的lcount欄位記錄的。該值預設為0. 當失敗一次，該值加1. 成功登入，該值清零。

一般在生產環境下，會根據具體情況設定這個參數，如果防止使用者被鎖，則將這個參數設定為UNLIMITED。這個是注意的地方。當然設定成無限也有它的弊端，比如不能防止暴力破解資料庫密碼。

有關profile 的更多內容參考：

Oracle 使用者 profile 屬性

http://blog.csdn.net/tianlesoftware/article/details/6238279

在11g中預設啟用了對登入登出操作LOGON/LOGOFF的審計，那麼如果我們發現使用者被鎖，那麼可以應用11g的審計功能來查看從哪台機器上發來的連結失敗導致使用者被鎖，可以協助我們定位問題。

指令碼如下：

SQL> selectos_username,userhost,terminal,username,count(*)

2 from dba_audit_trail

3 where returncode = 1017

4 group byos_username,userhost,username,terminal;

OS_USERNAME USERHOST TERMINAL USERNAME COUNT(*)

------------------------------------------------------------ ------------ ------------ ----------

DavidDai\Administrator WORKGROUP\DAVIDDAI DAVIDDAI ICD 7

DavidDai\Administrator WORKGROUP\DAVIDDAI DAVIDDAI SYSTEM 9

DavidDai\Administrator WORKGROUP\DAVIDDAI DAVIDDAI SYS 3

DavidDai\Administrator WORKGROUP\DAVIDDAI DAVIDDAI EXIT 1

注意對於LOGON PER SECOND很高的資料庫，如果應用程式設定檔中的資料庫使用者密碼不正確，同時應用在短期內發起大量會話登入資料庫的話可能引發頻繁的dc_users字典緩衝鎖，使用者登入無法成功，乃至整個執行個體hang住。這個問題直接參考Maclean的blog：

Row Cache lock Problem

http://www.oracledatabase12g.com/archives/row-cache-lock-problem.html

-------------------------------------------------------------------------------------------------------

Blog： http://blog.csdn.net/tianlesoftware

Weibo: http://weibo.com/tianlesoftware

Email: dvd.dba@gmail.com

DBA1 群：62697716(滿); DBA2 群：62697977(滿) DBA3 群：62697850(滿)

DBA 超級群：63306533(滿); DBA4 群： 83829929(滿) DBA5群： 142216823(滿)

DBA6 群：158654907(滿) 聊天群：40132017(滿) 聊天2群：69087192(滿)

--加群需要在備忘說明Oracle資料表空間和資料檔案的關係，否則拒絕申請

本文章原先以中文撰寫並發佈於 aliyun.com，亦設英文版本，僅作資訊用途。本網站不對文章的準確性，完整性或可靠性或其任何翻譯作出任何明示或暗示的陳述或保證。如對該文章有任何疑慮或投訴，請傳送電郵至 info-contact@alibabacloud.com 並提供相關疑慮或投訴的詳細說明。職員會於 5 個工作天內與您聯絡，一經驗證之後，即會刪除該侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More