Oracle 10g安全加固(审计、监听密码)

环境: Linux 6.4 + Oracle 10.2.0.4

1. Oracle 10g 审计功能

Oracle 10g审计功能默认是关闭的。
需要注意开启审计功能必然会额外消耗一部分数据库性能,开启审计需要重启数据库生效。
具体的审计策略则需要根据项目实际要求自行配置。
## 1.1 查看audit相关参数 ##
```
--查看audit相关参数
set linesize 200
show parameter audit
--结果如下
NAME TYPE VALUE
------------------------------------ -------------------------------- ------------------------------
audit_file_dest string /opt/app/oracle/admin/vas/adum
p
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string NONE
```
## 1.2 开启审计 ##
```
--开启审计
alter system set audit_sys_operations=TRUE scope=spfile;
alter system set audit_trail=db,extended scope=spfile;
--重启库生效
shutdown immediate
startup
--最后再次查看确定审计已开启
SQL> show parameter audit

NAME TYPE VALUE


audit_file_dest string /opt/app/oracle/admin/vas/adum

p

audit_sys_operations boolean TRUE

audit_syslog_level string

audit_trail string DB, EXTENDED

## 1.3 配置审计策略 ##

--查看审计策略

select * from DBA_STMT_AUDIT_OPTS;

--配置审计策略(参考11g默认开启的审计选项设置如下基本审计内容)

AUDIT ALTER ANY PROCEDURE ;

AUDIT ALTER ANY TABLE ;

AUDIT ALTER DATABASE ;

AUDIT ALTER PROFILE ;

AUDIT ALTER SYSTEM ;

AUDIT ALTER USER ;

AUDIT CREATE ANY JOB ;

AUDIT CREATE ANY LIBRARY ;

AUDIT CREATE ANY PROCEDURE ;

AUDIT CREATE ANY TABLE ;

AUDIT CREATE EXTERNAL JOB ;

AUDIT CREATE PUBLIC DATABASE LINK ;

AUDIT CREATE SESSION ;

AUDIT CREATE USER ;

AUDIT DATABASE LINK ;

AUDIT DIRECTORY ;

AUDIT DROP ANY PROCEDURE ;

AUDIT DROP ANY TABLE ;

AUDIT DROP PROFILE ;

AUDIT DROP USER ;

AUDIT EXEMPT ACCESS POLICY ;

AUDIT GRANT ANY OBJECT PRIVILEGE ;

AUDIT GRANT ANY PRIVILEGE ;

AUDIT GRANT ANY ROLE ;

AUDIT PROFILE ;

AUDIT PUBLIC SYNONYM ;

AUDIT ROLE ;

AUDIT SYSTEM AUDIT ;

AUDIT SYSTEM GRANT ;

--其他特殊需求的审计策略

----审计对业务用户JINGYU下的核心表T1数据的删除,更新和插入操作

AUDIT DELETE,UPDATE,INSERT ON JINGYU.T1;

----审计核心表T2(包括查询)

AUDIT ALL ON JINGYU.T2;

----审计核心表T2,每一次都生成一行审计记录

AUDIT ALL ON JINGYU.T2 BY ACCESS;

----取消特殊需求的审计策略

NOAUDIT DELETE,UPDATE,INSERT ON JINGYU.T1;

NOAUDIT ALL ON JINGYU.T2;

--取消审计策略

NOAUDIT ALTER ANY PROCEDURE ;

NOAUDIT ALTER ANY TABLE ;

NOAUDIT ALTER DATABASE ;

NOAUDIT ALTER PROFILE ;

NOAUDIT ALTER SYSTEM ;

NOAUDIT ALTER USER ;

NOAUDIT CREATE ANY JOB ;

NOAUDIT CREATE ANY LIBRARY ;

NOAUDIT CREATE ANY PROCEDURE ;

NOAUDIT CREATE ANY TABLE ;

NOAUDIT CREATE EXTERNAL JOB ;

NOAUDIT CREATE PUBLIC DATABASE LINK ;

NOAUDIT CREATE SESSION ;

NOAUDIT CREATE USER ;

NOAUDIT DATABASE LINK ;

NOAUDIT DIRECTORY ;

NOAUDIT DROP ANY PROCEDURE ;

NOAUDIT DROP ANY TABLE ;

NOAUDIT DROP PROFILE ;

NOAUDIT DROP USER ;

NOAUDIT EXEMPT ACCESS POLICY ;

NOAUDIT GRANT ANY OBJECT PRIVILEGE ;

NOAUDIT GRANT ANY PRIVILEGE ;

NOAUDIT GRANT ANY ROLE ;

NOAUDIT PROFILE ;

NOAUDIT PUBLIC SYNONYM ;

NOAUDIT ROLE ;

NOAUDIT SYSTEM AUDIT ;

NOAUDIT SYSTEM GRANT ;

--再次查看审计策略

select * from DBA_STMT_AUDIT_OPTS;

## 1.4 查看审计日志 ##

--查看审计日志

select * from DBA_AUDIT_TRAIL;

## 1.5 关闭审计 ##

--关闭审计

alter system set audit_trail=none scope=spfile;

alter system set audit_sys_operations=false scope=spfile;

--重启库生效

shutdown immediate

startup

--最后确定审计已关闭

SQL> show parameter audit

NAME TYPE VALUE


audit_file_dest string /opt/app/oracle/admin/vas/adum

p

audit_sys_operations boolean FALSE

audit_syslog_level string

audit_trail string NONE

<h1 id="2">2. 对数据库监听器的关闭和启动设置密码</h1>
可参考转载文章:[【转载】oracle 9i、10g、11g数据库设置listener密码的方法](http://www.cnblogs.com/jyzhao/articles/4860790.html)
上一篇:Codeforces Round #196 (Div. 2) B. Routine Problem


下一篇:ORACLE 10g下载地址