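Today is 2013-12-15. I spent all of last week dealing with WAS problems; today I am continuing to study Oracle and writing down some study notes.
Oracle auditing is controlled by the following parameters: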
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /opt/app/oracle/admin/RHYS/adu
mp
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB
SQL>
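Here audit_file_dest is the path where the audit logs are written. By default only simple login information is recorded; to audit the sys user in detail, set audit_sys_operations to true.
For example: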
SQL> select p.addr,p.spid,s.sid from v$process p join v$session s on p.addr=s.paddr and s.sid=(select distinct(sid) from v$mystat);
ADDR SPID SID
---------------- ------------------------ ----------
0000000084CCB190 2661 58
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /opt/app/oracle/admin/RHYS/adu
mp
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB
SQL> !more /opt/app/oracle/admin/RHYS/adump/*2661*
Audit file /opt/app/oracle/admin/RHYS/adump/RHYS_ora_2661_20131215081951980023143795.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, Automatic Storage Management, OLAP, Data Mining
and Real Application Testing options
ORACLE_HOME = /opt/app/oracle/product/11.2.0/dbhome_1
System name: Linux
Node name: oracle-one
Release: 2.6.39-400.17.1.el6uek.x86_64
Version: #1 SMP Fri Feb 22 18:16:18 PST 2013
Machine: x86_64
Instance name: RHYS
Redo thread mounted by this instance: 1
Oracle process number: 37
Unix process pid: 2661, image: oracle@oracle-one (TNS V1-V3)
Sun Dec 15 08:19:52 2013 +08:00
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'
DBID:[10] '2745484551'
SQL>
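The records in the .aud file above can be parsed for review. The following is an added example, not part of the original notes: it assumes the number in brackets is the length of the quoted value (consistent with the records shown above), and the second sample record, a SYS statement as audit_sys_operations=true would log it, is constructed.

```python
import re

# Constructed sample modeled on the record shown above. The second record
# (statement text containing quotes, and its LENGTH value) is made up.
SAMPLE = """Sun Dec 15 08:19:52 2013 +08:00
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'
DBID:[10] '2745484551'

Sun Dec 15 08:21:10 2013 +08:00
LENGTH : '190'
ACTION :[43] 'select ename from scott.emp where job='DBA''
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
STATUS:[1] '0'
"""

TS = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} [+-]\d\d:\d\d$", re.M)
FIELD = re.compile(r"^([A-Z][A-Z ]*?) *:\[(\d+)\] '", re.M)

def parse_records(text):
    """Split on timestamp lines, then read each field by its declared length."""
    records, marks = [], list(TS.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        body = text[m.end():end]
        rec = {"TIMESTAMP": m.group(0)}
        pos = 0
        while (f := FIELD.search(body, pos)):
            n = int(f.group(2))
            rec[f.group(1).strip()] = body[f.end():f.end() + n]
            pos = f.end() + n  # skip the value: quotes inside it are data
        records.append(rec)
    return records

def sys_activity(records):
    """Return (timestamp, OS user, terminal, action) for privileged records."""
    return [(r["TIMESTAMP"], r.get("CLIENT USER"), r.get("CLIENT TERMINAL"), r.get("ACTION"))
            for r in records if r.get("PRIVILEGE") in ("SYSDBA", "SYSOPER")]

if __name__ == "__main__":
    for row in sys_activity(parse_records(SAMPLE)):
        print(row)
```

Reading each value by its declared length keeps statement text that itself contains single quotes intact, which a quote-to-quote match would truncate.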
Auditing the sys user's operations:
SQL> alter system set audit_sys_operations=true scope=spfile;
System altered.
SQL> startup force
ORACLE instance started.
Total System Global Area 626327552 bytes
Fixed Size 2255832 bytes
Variable Size 440402984 bytes
Database Buffers 180355072 bytes
Redo Buffers 3313664 bytes
Database mounted.
Database opened.
SQL>
SQL>
SQL>
SQL> set linesize 200
SQL> select * from scott.emp ;
no rows selected
SQL> select p.addr,p.spid,s.sid from v$process p join v$session s on p.addr=s.paddr and s.sid=(select distinct(sid) from v$mystat);
ADDR SPID SID
---------------- ------------------------ ----------
0000000084CBB6C8 2803 1
SQL> !more /opt/app/oracle/admin/RHYS/adump/*2803*
::::::::::::::
/opt/app/oracle/admin/RHYS/adump/RHYS_ora_2803_20131203104828030790143795.aud
::::::::::::::
Audit file /opt/app/oracle/admin/RHYS/adump/RHYS_ora_2803_20131203104828030790143795.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /opt/app/oracle/product/11.2.0/dbhome_1
System name: Linux
Node name: oracle-one
Release: 2.6.39-400.17.1.el6uek.x86_64
Version: #1 SMP Fri Feb 22 18:16:18 PST 2013
Machine: x86_64
Instance name: RHYS
Redo thread mounted by this instance: 0
Oracle process number: 23
Unix process pid: 2803, image: oracle@oracle-one (TNS V1-V3)
Tue Dec 3 10:48:28 2013 +08:00
LENGTH : '142'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[4] 'grid'
CLIENT TERMINAL:[0] ''
STATUS:[1] '0'
DB