Database-Level Auditing

Time: 2023-09-14 09:13:28

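Auditing: tracking suspicious operations in the database

Auditing the superuser

Three superuser operations are always audited:

  • Connections made by the superuser
  • Database startup
  • Database shutdown

Enable additional auditing for the superuser (scope=spfile, so the change takes effect at the next instance restart):

alter system set audit_sys_operations=true scope=spfile;

Where are the superuser audit trace files written?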

show parameter audit_file_dest


SQL> show parameter audit_file_dest

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/cdb1/adu
                                                 mp
SQL>

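Auditing ordinary users:

Where is the audit trail for ordinary users recorded?

audit_trail=DB --> audit records are written to the data dictionary table aud$

audit_trail=OS --> audit files are saved in the directory that audit_file_dest points to

Enable statement auditing:

  • audit delete table; --> by session, both success and failure are audited
  • audit delete table whenever successful; --> by session, success only
  • audit delete table whenever not successful; --> by session, failure only
  • audit delete table by access; --> by access, both success and failure are audited
  • audit delete table by access whenever successful; --> by access, success only
  • audit delete table by access whenever not successful; --> by access, failure only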
audit delete table by scott;

audit delete table by scott whenever successful;

audit delete table by scott whenever not successful;

audit delete table by scott by access;

audit delete table by scott by access whenever successful;

audit delete table by scott by access whenever not successful;

See which statements have auditing enabled:

SQL> 
SQL> select audit_option,success,failure from dba_stmt_audit_opts where user_name='SCOTT';

no rows selected

SQL>

View the audit trail (the session below first deletes the existing rows from aud$):

SQL> delete aud$;

1 row deleted.

SQL> commit;

Commit complete.

SQL> select * from aud$;

no rows selected

Look up the operation name that corresponds to an action code:

select name from audit_actions where action=1;

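Disable statement auditing:

noaudit delete table by scott;
exec print_table('select * from aud$ where userid=''SCOTT''');

Privilege auditing: auditing that has just been enabled has no effect on connections that are already open!!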

audit create any table by scott;

View privilege auditing:

select PRIVILEGE,SUCCESS,FAILURE from dba_priv_audit_opts where user_name='SCOTT';

Object auditing: audit options enabled on one specific object

audit delete on scott.emp;
audit insert on scott.emp by access whenever not successful;
SQL> 
SQL> select audit_option,success,failure from dba_stmt_audit_opts;

no rows selected

SQL>
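
The checks above pulled together into one review script, as an added example that is not part of the original page. It assumes audit_trail=DB and a DBA session; SCOTT and SCOTT.EMP are the user and table used on the page.

```sql
-- Added example, not from the original page.
-- Assumes audit_trail=DB and a DBA session.

-- 1. Statement and privilege audit options currently enabled for SCOTT.
select 'STATEMENT' as kind, audit_option as item, success, failure
from   dba_stmt_audit_opts
where  user_name = 'SCOTT'
union all
select 'PRIVILEGE', privilege, success, failure
from   dba_priv_audit_opts
where  user_name = 'SCOTT';

-- 2. Object audit options live in a separate view, one row per object.
--    DEL and INS hold success/failure flags such as A/A (by access),
--    S/S (by session) or -/- (not audited).
select owner, object_name, del, ins
from   dba_obj_audit_opts
where  owner = 'SCOTT'
and    object_name = 'EMP';

-- 3. Read the trail with action names instead of numeric codes by joining
--    aud$ to audit_actions. returncode 0 means the statement succeeded;
--    any other value is the ORA- error number of the failure.
select a.userid,
       a.userhost,
       a.ntimestamp#                      as utc_time,
       n.name                             as action_name,
       a.obj$creator || '.' || a.obj$name as object_name,
       a.returncode
from   sys.aud$ a
join   audit_actions n on n.action = a.action#
where  a.userid = 'SCOTT'
order  by a.ntimestamp#;

-- 4. Audit the audit trail itself, so that a "delete aud$" like the one
--    shown on the page leaves a record when a non-SYS account runs it.
--    SYS sessions are covered by audit_sys_operations instead.
audit delete, update on sys.aud$ by access;
```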