oracle 11gR2启用对sys用户操作行为的审计
在oracle 11gR2中,缺省在audit_file_dest目录会记录sys用户的登录审计信息,但并不会审计操作内容。
启用对sys用户操作行为的审计
SQL> alter system set audit_sys_operations=TRUE scope=spfile;
System altered.
因为是audit_sys_operations是静态参数,需要重新数据库
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup;
SQL> show parameter audit;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /u01/app/oracle/admin/orcl/adu
mp
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string DB
接着删除一个测试用户
SQL> drop user lineqi cascade;
User dropped.
[oracle@orcl adump]$ more orcl_ora_32424_20150418163852720955143795.aud
Audit file /u01/app/oracle/admin/orcl/adump/orcl_ora_32424_20150418163852720955143795.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/11.2.0/dbhome_1
System name: Linux
Node name: orcl
Release: 2.6.32-358.el6.x86_64
Version: #1 SMP Tue Jan 29 11:47:41 EST 2013
Machine: x86_64
VM name: VMWare Version: 6
Instance name: orcl
Redo thread mounted by this instance: 1
Oracle process number: 19
Unix process pid: 32424, p_w_picpath: oracle@orcl (TNS V1-V3)
注意:sys登陆的记录
Sat Apr 18 16:38:52 2015 +08:00
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'
DBID:[10] '1405073182'
Sat Apr 18 16:38:57 2015 +08:00
LENGTH : '173'
ACTION :[19] 'ALTER DATABASE OPEN'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'
DBID:[10] '1405073182'
Sat Apr 18 16:39:08 2015 +08:00
LENGTH : '216'
ACTION :[60] 'BEGIN dbms_cmp_int.drop_cmp_by_cmpid(:sb1, :sb2, :sb3); END;'
DATABASE USER:[3] 'SYS'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'
DBID:[10] '1405073182'
注意:sys操作的记录
Sat Apr 18 16:39:15 2015 +08:00
LENGTH : '178'
ACTION :[24] 'drop user lineqi cascade'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'
DBID:[10] '1405073182'
Sat Apr 18 16:39:25 2015 +08:00
LENGTH : '197'
ACTION :[43] 'select tablespace_name from dbA_tablespaces'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'
DBID:[10] '1405073182'