oracle 11gR2啟用對sys用戶操作行為的審計

在oracle 11gR2中，缺省在audit_file_dest目錄會記錄sys用戶的登錄審計信息，但并不會審計操作內(nèi)容。

啟用對sys用戶操作行為的審計

SQL> alter system set audit_sys_operations=TRUE scope=spfile;

System altered.

因為是audit_sys_operations是靜態(tài)參數(shù)，需要重新數(shù)據(jù)庫

SQL> shutdown immediate;

Database closed.

Database dismounted.

ORACLE instance shut down.

SQL> startup;

SQL> show parameter audit;

NAME                                 TYPE        VALUE

------------------------------------ ----------- ------------------------------

audit_file_dest                      string      /u01/app/oracle/admin/orcl/adu

                                                 mp

audit_sys_operations                 boolean     TRUE

audit_syslog_level                   string

audit_trail                          string      DB

接著刪除一個測試用戶

SQL> drop user lineqi cascade;

User dropped.

[oracle@orcl adump]$ more orcl_ora_32424_20150418163852720955143795.aud

Audit file /u01/app/oracle/admin/orcl/adump/orcl_ora_32424_20150418163852720955143795.aud

Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options

ORACLE_HOME = /u01/app/oracle/product/11.2.0/dbhome_1

System name:    Linux

Node name:      orcl

Release:        2.6.32-358.el6.x86_64

Version:        #1 SMP Tue Jan 29 11:47:41 EST 2013

Machine:        x86_64

VM name:        VMWare Version: 6

Instance name: orcl

Redo thread mounted by this instance: 1

Oracle process number: 19

Unix process pid: 32424, p_w_picpath: oracle@orcl (TNS V1-V3)

注意：sys登陸的記錄

Sat Apr 18 16:38:52 2015 +08:00

LENGTH : '160'

ACTION :[7] 'CONNECT'

DATABASE USER:[1] '/'

PRIVILEGE :[6] 'SYSDBA'

CLIENT USER:[6] 'oracle'

CLIENT TERMINAL:[5] 'pts/0'

STATUS:[1] '0'

DBID:[10] '1405073182'

Sat Apr 18 16:38:57 2015 +08:00

LENGTH : '173'

ACTION :[19] 'ALTER DATABASE OPEN'

DATABASE USER:[1] '/'

PRIVILEGE :[6] 'SYSDBA'

CLIENT USER:[6] 'oracle'

CLIENT TERMINAL:[5] 'pts/0'

STATUS:[1] '0'

DBID:[10] '1405073182'

Sat Apr 18 16:39:08 2015 +08:00

LENGTH : '216'

ACTION :[60] 'BEGIN dbms_cmp_int.drop_cmp_by_cmpid(:sb1, :sb2, :sb3); END;'

DATABASE USER:[3] 'SYS'

PRIVILEGE :[6] 'SYSDBA'

CLIENT USER:[6] 'oracle'

CLIENT TERMINAL:[5] 'pts/0'

STATUS:[1] '0'

DBID:[10] '1405073182'

注意：sys操作的記錄

Sat Apr 18 16:39:15 2015 +08:00

LENGTH : '178'

ACTION :[24] 'drop user lineqi cascade'

DATABASE USER:[1] '/'

PRIVILEGE :[6] 'SYSDBA'

CLIENT USER:[6] 'oracle'

CLIENT TERMINAL:[5] 'pts/0'

STATUS:[1] '0'

DBID:[10] '1405073182'

Sat Apr 18 16:39:25 2015 +08:00

LENGTH : '197'

ACTION :[43] 'select tablespace_name from dbA_tablespaces'

DATABASE USER:[1] '/'

PRIVILEGE :[6] 'SYSDBA'

CLIENT USER:[6] 'oracle'

CLIENT TERMINAL:[5] 'pts/0'

STATUS:[1] '0'

DBID:[10] '1405073182'