- 对于权限审计和大部分语句,by session无效,无论指定by session/by access还是不指定,审计都自动为by access。
- 审计的语句级可以指定ALL,但是ALL只包括大部分语句,它不包括下面这些语句。
ALTER SEQUENCE, ALTER TABLE, COMMENT TABLE, DELETE TABLE, EXECUTE PROCEDURE, GRANT DIRECTORY, GRANT PROCEDURE, GRANT SEQUENCE, GRANT TABLE, GRANT TYPE, INSERT TABLE, LOCK TABLE, SELECT SEQUENCE, SELECT TABLE, UPDATE TABLE
- 对于语句和权限审计,生效从执行语句后下一个登陆用户开始,当前的所有session不受影响。而对象的审计,则从审计语句开始后对当前所有的用户生效。
- 可以使用NOAUDIT ALL、NOAUDIT ALL PRIVILEGE取消所有的语句、权限的审计,但是如果在审计的时候指定了用户,则NOAUDIT ALL或NOAUDIT ALL PRIVILEGE的时候,不会取消这些明确用户的审计,必须在NOAUDIT的时候也明确的指出相应的用户。
例1.只有少数语句审计可以设置BY SESSION,其他的语句审计和所有权限审计都只能设置为BY ACCESS。
SQL> audit create table;
审计已成功。
SQL> audit create any table by session;
审计已成功。
SQL> audit create view by access;
审计已成功。
SQL> select user_name, privilege, success, failure from dba_priv_audit_opts;
USER_NAME PRIVILEGE SUCCESS FAILURE
-------------------- ---------------------------- ---------- --------
CREATE TABLE BY ACCESS BY ACCESS
CREATE ANY TABLE BY ACCESS BY ACCESS
CREATE VIEW BY ACCESS BY ACCESS
SQL> NOAUDIT ALL PRIVILEGE;
审计未成功。
SQL> AUDIT TABLE;
审计已成功。
SQL> AUDIT VIEW BY SESSION;
审计已成功。
SQL> AUDIT TRIGGER BY ACCESS;
审计已成功。
SQL> SELECT USER_NAME, AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS;
USER_NAME AUDIT_OPTION SUCCESS FAILURE
----------------------- ----------------------- ---------- ----------
TRIGGER BY ACCESS BY ACCESS
TABLE BY ACCESS BY ACCESS
VIEW BY ACCESS BY ACCESS
SQL> AUDIT LOCK TABLE BY SESSION;
审计已成功。
SQL> SELECT USER_NAME, AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS;
USER_NAME AUDIT_OPTION SUCCESS FAILURE
----------------------- ----------------------- ---------- ----------
TRIGGER BY ACCESS BY ACCESS
TABLE BY ACCESS BY ACCESS
VIEW BY ACCESS BY ACCESS
LOCK TABLE BY SESSION BY SESSION
通过测试,我们发现对于大部分的语句和权限,只能设置为BY ACCESS。
例2.接着上面的例子
我们取消对所有语句的审计,但是发现对于LOCK TABLE无效
SQL> NOAUDIT ALL;
审计未成功。
SQL> SELECT USER_NAME, AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS;
USER_NAME AUDIT_OPTION SUCCESS FAILURE
---------------------- ---------------------- ---------- -------
LOCK TABLE BY SESSION BY SESSION
SQL> NOAUDIT LOCK TABLE;
审计未成功。
SQL> SELECT USER_NAME, AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS;
未选定行
例3.
SQL> SELECT USER_NAME, AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS;
未选定行
SQL> SELECT USERID, ACTION#, OBJ$NAME, PRIV$USED FROM SYS.AUD$;
未选定行
SQL> AUDIT TABLE;
审计已成功。
SQL> AUDIT CREATE ANY TABLE;
审计已成功。
SQL> AUDIT SELECT ON TEST;
审计已成功。
SQL> CREATE TABLE TEST_AUDIT (ID NUMBER);
表已创建。
SQL> CREATE TABLE TEST.TEST_AUDIT (ID NUMBER);
表已创建。
SQL> SELECT COUNT(*) FROM TEST;
COUNT(*)
----------
18651
SQL> SELECT USERID, ACTION#, OBJ$NAME, PRIV$USED FROM SYS.AUD$;
USERID ACTION# OBJ$NAME PRIV$USED
----------------------- ---------- ----------------------- ----------
YANGTK 103 TEST
SQL> DROP TABLE TEST_AUDIT;
表已丢弃。
SQL> DROP TABLE TEST.TEST_AUDIT;
表已丢弃。
SQL> SELECT USERID, ACTION#, OBJ$NAME, PRIV$USED FROM SYS.AUD$;
USERID ACTION# OBJ$NAME PRIV$USED
----------------------- ---------- ----------------------- ----------
YANGTK 103 TEST
我们发现只有对象审计生效了,要使语句级审计和权限级审计生效,必须重新登陆。
SQL> CONN YANGTK/YANGTK@TEST
已连接。
SQL> CREATE TABLE TEST_AUDIT (ID NUMBER);
表已创建。
SQL> CREATE TABLE TEST.TEST_AUDIT (ID NUMBER);
表已创建。
SQL> SELECT COUNT(*) FROM TEST;
COUNT(*)
----------
18651
SQL> SELECT USERID, ACTION#, OBJ$NAME, PRIV$USED FROM SYS.AUD$;
USERID ACTION# OBJ$NAME PRIV$USED
----------------------- ---------- ----------------------- ----------
YANGTK 1 TEST_AUDIT 41
YANGTK 103 TEST
YANGTK 103 TEST
YANGTK 1 TEST_AUDIT 40
例4.
SQL> NOAUDIT ALL;
审计未成功。
SQL> NOAUDIT ALL PRIVILEGE;
审计未成功。
SQL> NOAUDIT SELECT ON TEST;
审计未成功。
SQL> AUDIT TABLE;
审计已成功。
SQL> AUDIT VIEW BY YANGTK;
审计已成功。
SQL> AUDIT TABLE BY TEST;
审计已成功。
SQL> SELECT USER_NAME, AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS;
USER_NAME AUDIT_OPTION SUCCESS FAILURE
----------------------- ----------------------- ---------- -------
TABLE BY ACCESS BY ACCESS
TEST TABLE BY ACCESS BY ACCESS
YANGTK VIEW BY ACCESS BY ACCESS
SQL> NOAUDIT ALL;
审计未成功。
SQL> SELECT USER_NAME, AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS;
USER_NAME AUDIT_OPTION SUCCESS FAILURE
----------------------- ---------------------- ---------- --------
TEST TABLE BY ACCESS BY ACCESS
YANGTK VIEW BY ACCESS BY ACCESS
SQL> NOAUDIT TABLE BY TEST;
审计未成功。
SQL> NOAUDIT VIEW BY YANGTK;
审计未成功。
SQL> SELECT USER_NAME, AUDIT_OPTION, SUCCESS, FAILURE FROM DBA_STMT_AUDIT_OPTS;
未选定行
审计从审计表中不成功的删除
Audit delete on sys.aud$ whenever not successful;
利用下列sql语句来审计从所有表中不成功的删除
Audit not exists;
利用下列语句来审计有system用户所执行的过程上的所有授权和取消授权语句
Audit grant procedure by system;