Part01-基础概念与理论知识
1.1 标准审计的概念
标准审计是Oracle数据库中最基本的审计机制,它可以审计系统权限、对象权限和SQL语句的执行情况。标准审计通过audit_trail参数控制,可以将审计记录存储在数据库表或操作系统文件中。
学习交流加群风哥QQ113257174
1.2 标准审计的类型
- 语句审计:审计特定类型的SQL语句
- 权限审计:审计特定系统权限的使用
- 对象审计:审计特定对象上的操作
- 网络审计:审计网络连接和断开
风哥提示:标准审计是最常用的审计方式,可以满足大多数安全监控需求
1.3 标准审计的配置参数
- audit_trail:控制审计记录的存储位置和格式
- audit_file_dest:指定审计文件的存储目录
- audit_sys_operations:控制是否审计系统级操作
- audit_syslog_level:指定审计记录的系统日志级别
更多视频教程www.fgedu.net.cn
Part02-生产环境规划与建议
2.1 标准审计策略设计
- 明确审计目标:确定需要审计的操作和对象
- 分类审计:根据操作类型和重要性进行分类审计
- 重点审计:对敏感操作和对象进行重点审计
- 定期审查:定期审查审计策略的有效性
2.2 标准审计性能考虑
在生产环境中,标准审计可能会对性能产生影响,建议:
- 只审计必要的操作,避免过度审计
- 合理设置audit_trail参数,选择合适的存储方式
- 定期清理审计记录,避免审计表过大
- 考虑使用分区表存储审计记录
学习交流加群风哥微信: itpux-com
2.3 标准审计存储管理
- 设置适当的审计表空间
- 配置审计记录的保留时间
- 定期归档审计记录
- 监控审计表的大小和增长趋势
更多学习教程公众号风哥教程itpux_com
Part03-生产环境项目实施方案
风哥教程参考Oracle官方文档Security部分,我们将实施以下步骤:
- 配置标准审计参数
- 创建审计策略
- 测试审计效果
- 查询审计记录
- 管理审计存储
from oracle:www.itpux.com
Part04-生产案例与实战讲解
4.1 配置标准审计参数
命令:— 查看当前审计配置
SHOW PARAMETER audit;– 配置标准审计
ALTER SYSTEM SET audit_trail = ‘DB,EXTENDED’ SCOPE=SPFILE;ALTER SYSTEM SET audit_file_dest = ‘/oracle/admin/fgedudb/adump’ SCOPE=SPFILE;ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE=SPFILE;– 重启数据库使配置生效
SHUTDOWN IMMEDIATE;STARTUP;执行:输出日志:NAME TYPE VALUE
———————————— ———– ——————————
audit_file_dest string /oracle/admin/fgedudb/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string NONESystem altered.System altered.System altered.Database closed.Database dismounted.ORACLE instance shut down.ORACLE instance started.Database mounted.Database opened.
SHOW PARAMETER audit;– 配置标准审计
ALTER SYSTEM SET audit_trail = ‘DB,EXTENDED’ SCOPE=SPFILE;ALTER SYSTEM SET audit_file_dest = ‘/oracle/admin/fgedudb/adump’ SCOPE=SPFILE;ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE=SPFILE;– 重启数据库使配置生效
SHUTDOWN IMMEDIATE;STARTUP;执行:输出日志:NAME TYPE VALUE
———————————— ———– ——————————
audit_file_dest string /oracle/admin/fgedudb/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string NONESystem altered.System altered.System altered.Database closed.Database dismounted.ORACLE instance shut down.ORACLE instance started.Database mounted.Database opened.
4.2 创建审计策略
命令:— 审计系统权限
AUDIT CREATE USER, DROP USER, ALTER USER BY ACCESS;AUDIT CREATE TABLE, DROP TABLE, ALTER TABLE BY ACCESS;AUDIT CREATE ROLE, DROP ROLE, ALTER ROLE BY ACCESS;– 审计对象权限
AUDIT SELECT, INSERT, UPDATE, DELETE ON fgedu.employees BY ACCESS;AUDIT SELECT, INSERT, UPDATE, DELETE ON fgedu.departments BY ACCESS;– 审计语句
AUDIT SESSION BY ACCESS;AUDIT DATABASE LINK BY ACCESS;执行:输出日志:Audit succeeded.Audit succeeded.Audit succeeded.Audit succeeded.Audit succeeded.Audit succeeded.Audit succeeded.
AUDIT CREATE USER, DROP USER, ALTER USER BY ACCESS;AUDIT CREATE TABLE, DROP TABLE, ALTER TABLE BY ACCESS;AUDIT CREATE ROLE, DROP ROLE, ALTER ROLE BY ACCESS;– 审计对象权限
AUDIT SELECT, INSERT, UPDATE, DELETE ON fgedu.employees BY ACCESS;AUDIT SELECT, INSERT, UPDATE, DELETE ON fgedu.departments BY ACCESS;– 审计语句
AUDIT SESSION BY ACCESS;AUDIT DATABASE LINK BY ACCESS;执行:输出日志:Audit succeeded.Audit succeeded.Audit succeeded.Audit succeeded.Audit succeeded.Audit succeeded.Audit succeeded.
4.3 测试审计效果
命令:— 执行一些操作以生成审计记录
CONN fgedu_user/password123;SELECT * FROM fgedu.employees WHERE department_id = 90;INSERT INTO fgedu.employees (employee_id, first_name, last_name, email, hire_date, job_id) VALUES (1004, ‘Alice’, ‘Smith’, ‘alice.smith@fgedu.net.cn’, SYSDATE, ‘IT_PROG’);COMMIT;CONN / AS SYSDBA;CREATE USER test_user IDENTIFIED BY password123;DROP USER test_user;执行:输出日志:Connected.EMPLOYEE_ID EMP_NAME EMP_EMP_EMP_LAST_NAME EMAIL HIRE_DATE JOB_ID
———– ——————– ————————- ————————- ——— ———- 100 Steven King steven.king@fgedu.net.cn 2003-06-17 AD_PRES 101 Neena Kochhar neena.kochhar@fgedu.net.cn 2005-09-21 AD_VP 102 Lex De Haan lex.dehaan@fgedu.net.cn 2001-01-13 AD_VP1 row created.Commit complete.Connected.User created.User dropped.
CONN fgedu_user/password123;SELECT * FROM fgedu.employees WHERE department_id = 90;INSERT INTO fgedu.employees (employee_id, first_name, last_name, email, hire_date, job_id) VALUES (1004, ‘Alice’, ‘Smith’, ‘alice.smith@fgedu.net.cn’, SYSDATE, ‘IT_PROG’);COMMIT;CONN / AS SYSDBA;CREATE USER test_user IDENTIFIED BY password123;DROP USER test_user;执行:输出日志:Connected.EMPLOYEE_ID EMP_NAME EMP_EMP_EMP_LAST_NAME EMAIL HIRE_DATE JOB_ID
———– ——————– ————————- ————————- ——— ———- 100 Steven King steven.king@fgedu.net.cn 2003-06-17 AD_PRES 101 Neena Kochhar neena.kochhar@fgedu.net.cn 2005-09-21 AD_VP 102 Lex De Haan lex.dehaan@fgedu.net.cn 2001-01-13 AD_VP1 row created.Commit complete.Connected.User created.User dropped.
4.4 查询审计记录
命令:— 查询审计记录
SELECT username, action_name, object_name, timestamp, sql_text
FROM dba_audit_trail
WHERE timestamp > SYSDATE – 1
ORDER BY timestamp DESC;执行:输出日志:USERNAME ACTION_NAME OBJECT_NAME TIMESTAMP SQL_TEXT
—————————— ——————– ——————– ——————- ——————————————————————————–
SYS DROP USER TEST_USER 2026-04-01 11:05:30 DROP USER test_user
SYS CREATE USER TEST_USER 2026-04-01 11:05:25 CREATE USER test_user IDENTIFIED BY password123
FGEDU_USER INSERT EMPLOYEES 2026-04-01 11:05:15 INSERT INTO fgedu.employees (employee_id, first_name, last_name, email, hire_date, job_id) VALUES (1004, ‘Alice’, ‘Smith’, ‘alice.smith@fgedu.net.cn’, SYSDATE, ‘IT_PROG’)
FGEDU_USER SELECT EMPLOYEES 2026-04-01 11:05:10 SELECT * FROM fgedu.employees WHERE department_id = 90
FGEDU_USER LOGON
2026-04-01 11:05:05
SELECT username, action_name, object_name, timestamp, sql_text
FROM dba_audit_trail
WHERE timestamp > SYSDATE – 1
ORDER BY timestamp DESC;执行:输出日志:USERNAME ACTION_NAME OBJECT_NAME TIMESTAMP SQL_TEXT
—————————— ——————– ——————– ——————- ——————————————————————————–
SYS DROP USER TEST_USER 2026-04-01 11:05:30 DROP USER test_user
SYS CREATE USER TEST_USER 2026-04-01 11:05:25 CREATE USER test_user IDENTIFIED BY password123
FGEDU_USER INSERT EMPLOYEES 2026-04-01 11:05:15 INSERT INTO fgedu.employees (employee_id, first_name, last_name, email, hire_date, job_id) VALUES (1004, ‘Alice’, ‘Smith’, ‘alice.smith@fgedu.net.cn’, SYSDATE, ‘IT_PROG’)
FGEDU_USER SELECT EMPLOYEES 2026-04-01 11:05:10 SELECT * FROM fgedu.employees WHERE department_id = 90
FGEDU_USER LOGON
2026-04-01 11:05:05
4.5 管理审计存储
命令:— 查看审计表空间使用情况
SELECT tablespace_name, bytes/1024/1024 “Size (MB)”,
(bytes – free_bytes)/1024/1024 “Used (MB)”,
free_bytes/1024/1024 “Free (MB)”,
ROUND((bytes – free_bytes)/bytes * 100, 2) “Used %”
FROM dba_tablespaces t, (SELECT tablespace_name, SUM(bytes) free_bytes
FROM dba_free_space
GROUP BY tablespace_name) f
WHERE t.tablespace_name = f.tablespace_name(+)
AND t.tablespace_name = ‘SYSAUX’;– 清理旧的审计记录
EXEC DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD, use_last_arch_timestamp => TRUE);– 查看审计文件
HOST ls -la /oracle/admin/fgedudb/adump/;执行:输出日志:TABLESPACE_NAME Size (MB) Used (MB) Free (MB) Used %
—————————— ———- ———- ———- ———-
SYSAUX 1000 360 640 36PL/SQL procedure successfully completed.total 128
-rw-r—–. 1 oracle oinstall 10240 Apr 1 11:00 fgedudb_ora_12345_1.aud
-rw-r—–. 1 oracle oinstall 10240 Apr 1 11:05 fgedudb_ora_67890_1.aud
SELECT tablespace_name, bytes/1024/1024 “Size (MB)”,
(bytes – free_bytes)/1024/1024 “Used (MB)”,
free_bytes/1024/1024 “Free (MB)”,
ROUND((bytes – free_bytes)/bytes * 100, 2) “Used %”
FROM dba_tablespaces t, (SELECT tablespace_name, SUM(bytes) free_bytes
FROM dba_free_space
GROUP BY tablespace_name) f
WHERE t.tablespace_name = f.tablespace_name(+)
AND t.tablespace_name = ‘SYSAUX’;– 清理旧的审计记录
EXEC DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD, use_last_arch_timestamp => TRUE);– 查看审计文件
HOST ls -la /oracle/admin/fgedudb/adump/;执行:输出日志:TABLESPACE_NAME Size (MB) Used (MB) Free (MB) Used %
—————————— ———- ———- ———- ———-
SYSAUX 1000 360 640 36PL/SQL procedure successfully completed.total 128
-rw-r—–. 1 oracle oinstall 10240 Apr 1 11:00 fgedudb_ora_12345_1.aud
-rw-r—–. 1 oracle oinstall 10240 Apr 1 11:05 fgedudb_ora_67890_1.aud
风哥提示:定期清理审计记录可以避免审计表过大,影响数据库性能
4.6 禁用审计
命令:— 禁用特定审计
NOAUDIT SELECT, INSERT, UPDATE, DELETE ON fgedu.employees;– 禁用系统权限审计
NOAUDIT CREATE USER, DROP USER, ALTER USER;– 禁用所有审计
NOAUDIT ALL;– 关闭审计功能
ALTER SYSTEM SET audit_trail = ‘NONE’ SCOPE=SPFILE;执行:输出日志:Noaudit succeeded.Noaudit succeeded.Noaudit succeeded.System altered.
NOAUDIT SELECT, INSERT, UPDATE, DELETE ON fgedu.employees;– 禁用系统权限审计
NOAUDIT CREATE USER, DROP USER, ALTER USER;– 禁用所有审计
NOAUDIT ALL;– 关闭审计功能
ALTER SYSTEM SET audit_trail = ‘NONE’ SCOPE=SPFILE;执行:输出日志:Noaudit succeeded.Noaudit succeeded.Noaudit succeeded.System altered.
更多视频教程www.fgedu.net.cn
Part05-风哥经验总结与分享
5.1 最佳实践
- 根据业务需求制定合理的审计策略
- 只审计必要的操作,避免过度审计
- 使用DB,EXTENDED模式,记录详细的SQL语句
- 定期审查审计记录,发现安全问题
5.2 常见问题与解决方案
- 问题:审计影响性能
解决方案:优化审计策略,只审计必要的操作 - 问题:审计表空间不足
解决方案:定期清理审计记录,增加表空间大小 - 问题:审计记录过多难以管理
解决方案:使用DBMS_AUDIT_MGMT包管理审计记录
学习交流加群风哥QQ113257174
5.3 性能优化
- 使用DB Audit Vault集中管理审计数据
- 配置审计记录的异步写入
- 为审计表创建适当的索引
- 考虑使用外部表存储审计记录
更多学习教程公众号风哥教程itpux_com
5.4 安全建议
- 定期备份审计记录,防止审计数据丢失
- 限制对审计记录的访问权限
- 监控审计配置的变更
- 结合其他安全特性,如VPD和数据加密
from oracle:www.itpux.com
