Oracle Database Security: 11g Default Audit Options
Oracle Database Security: 11g Default Audit Options
by Maclean Liu
liu.maclean@gmail.com
www.oracledatabase12g.com

About Me
  • Email: liu.maclean@gmail.com
  • Blog: www.oracledatabase12g.com
  • Oracle Certified Database Administrator Master 10g and 11g
  • Over 6 years experience with Oracle DBA technology
  • Over 7 years experience with Linux technology
  • Member, Independent Oracle Users Group
  • Member, All China Users Group
  • Presents on advanced Oracle topics: RAC, DataGuard, Performance Tuning and Oracle Internals

11g enables a strong set of audit options by default. The default value of the AUDIT_TRAIL parameter is DB, which means audit records are written to the AUD$ dictionary base table inside the database. Oracle states that the default audit settings do not noticeably degrade the performance of the vast majority of production databases, and at the same time recommends the OS-file-based audit trail (OS audit trail files).

Note that in 11g CREATE SESSION is one of the audited privileges, so every logon has to write a row to AUD$. AUD$ lives in the SYSTEM tablespace by default; if SYSTEM can no longer extend because the disk is full, that audit row cannot be written, the logon fails (the client sees ORA-00604 with ORA-01653 "unable to extend table SYS.AUD$"), and ordinary users are locked out of the database. In that situation a SYSDBA connection still works, because SYSDBA logons are recorded in the OS audit files rather than in AUD$. Once connected, back up the audit data properly, then delete part of the records, or simply TRUNCATE AUD$; either resolves the lockout.

When AUDIT_TRAIL is set to OS, the audit files are written to the directory named by the AUDIT_FILE_DEST parameter. All of these files can be deleted or copied at any time.

Note that SYSTEM is created with AUTOEXTEND ON by default, so the tablespace does grow automatically when it has to. What needs watching is whether the free space on disk can satisfy that growth, and the upper limit on datafile size: for an ordinary 8k-block smallfile tablespace a single datafile cannot exceed 32G.

The database used below:

SQL> select * from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
PL/SQL Release 11.2.0.2.0 - Production
CORE    11.2.0.2.0      Production
TNS for Linux: Version 11.2.0.2.0 - Production
NLSRTL Version 11.2.0.2.0 - Production

SQL> select * from global_name;

GLOBAL_NAME
--------------------------------------------------------------------------------
www.oracledatabase12g.com

The following privileges are audited for all users:

SQL> select privilege,success,failure from dba_priv_audit_opts;

PRIVILEGE                                SUCCESS    FAILURE
---------------------------------------- ---------- ----------
CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS
CREATE ANY JOB                           BY ACCESS  BY ACCESS
GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS
EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS
CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS
GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS
DROP PROFILE                             BY ACCESS  BY ACCESS
ALTER PROFILE                            BY ACCESS  BY ACCESS
DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS
ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS
CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS
ALTER DATABASE                           BY ACCESS  BY ACCESS
GRANT ANY ROLE                           BY ACCESS  BY ACCESS
CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS
DROP ANY TABLE                           BY ACCESS  BY ACCESS
ALTER ANY TABLE                          BY ACCESS  BY ACCESS
CREATE ANY TABLE                         BY ACCESS  BY ACCESS
DROP USER                                BY ACCESS  BY ACCESS
ALTER USER                               BY ACCESS  BY ACCESS
CREATE USER                              BY ACCESS  BY ACCESS
CREATE SESSION                           BY ACCESS  BY ACCESS
AUDIT SYSTEM                             BY ACCESS  BY ACCESS
ALTER SYSTEM                             BY ACCESS  BY ACCESS

23 rows selected.

The following statements are also audited for all users:

SQL> select audit_option,success,failure from dba_stmt_audit_opts;

AUDIT_OPTION                             SUCCESS    FAILURE
---------------------------------------- ---------- ----------
ALTER SYSTEM                             BY ACCESS  BY ACCESS
SYSTEM AUDIT                             BY ACCESS  BY ACCESS
CREATE SESSION                           BY ACCESS  BY ACCESS
CREATE USER                              BY ACCESS  BY ACCESS
ALTER USER                               BY ACCESS  BY ACCESS
DROP USER                                BY ACCESS  BY ACCESS
PUBLIC SYNONYM                           BY ACCESS  BY ACCESS
DATABASE LINK                            BY ACCESS  BY ACCESS
ROLE                                     BY ACCESS  BY ACCESS
PROFILE                                  BY ACCESS  BY ACCESS
CREATE ANY TABLE                         BY ACCESS  BY ACCESS
ALTER ANY TABLE                          BY ACCESS  BY ACCESS
DROP ANY TABLE                           BY ACCESS  BY ACCESS
CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS
GRANT ANY ROLE                           BY ACCESS  BY ACCESS
SYSTEM GRANT                             BY ACCESS  BY ACCESS
ALTER DATABASE                           BY ACCESS  BY ACCESS
CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS
ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS
DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS
ALTER PROFILE                            BY ACCESS  BY ACCESS
DROP PROFILE                             BY ACCESS  BY ACCESS
GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS
CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS
EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS
GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS
CREATE ANY JOB                           BY ACCESS  BY ACCESS
CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS

28 rows selected.

The audit records currently present in this database:

SQL> select action_name,count(*) from dba_audit_trail group by action_name;

ACTION_NAME                    COUNT(*)
---------------------------- ----------
LOGOFF BY CLEANUP                    40
LOGON                               460
LOGOFF                              377
ALTER USER                            2
SYSTEM GRANT                         12
ALTER SYSTEM                         10
CREATE PUBLIC SYNONYM                 5
ALTER DATABASE                        2
CREATE DATABASE LINK                  1
DROP PUBLIC SYNONYM                   5

10 rows selected.

Because 11g audits LOGON/LOGOFF by default (see <11g Default Audit Options>), the audit trail is a convenient place to find anyone brute-forcing database passwords. A failed logon is recorded with the ORA-01017 error number in the RETURNCODE column, as the following demonstration shows:

C:\Users\Maclean Liu>sqlplus system/try_password@G11R2

SQL*Plus: Release 11.2.0.1.0 Production on Mon Jul 4 21:37:44 2011

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

ERROR:
ORA-01017: invalid username/password; logon denied

select username,userhost,terminal,timestamp,action_name,os_process
  from dba_audit_trail
 where returncode = 1017
 order by timestamp desc;

USERNAME   USERHOST                  TERMINAL        TIMESTAMP  ACTION_NAME  OS_PROCESS
---------- ------------------------- --------------- ---------- ------------ ------------
SYSTEM     WORKGROUP\MACLEANLIU-PC   MACLEANLIU-PC   04-JUL-11  LOGON        4240:2700

Script:

set linesize 140 pagesize 1400
col os_username for a30
col userhost for a30
col terminal for a30
select os_username,userhost,terminal,username,count(*)
  from dba_audit_trail
 where returncode = 1017
 group by os_username,userhost,username,terminal
having count(*)>10
/

Note that on a database with a high logon rate (many logons per second), a wrong database password in an application's configuration file, combined with the application opening a large number of sessions in a short time, can cause repeated contention on the dc_users row cache lock: logons stop succeeding and in the worst case the whole instance hangs. See <Row Cache lock Problem> for the details. On 11g the script above lets you find the database user that is failing to log in because of a bad password in seconds, which shortens the diagnosis considerably.

© 2011, www.oracledatabase12g.com. All rights reserved. Articles may be reposted, but the source must be credited with a link; otherwise legal action will be pursued.
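The slide on AUD$ growth stops at "back up, delete or TRUNCATE". The script below is an added example, not part of the original deck, of how a DBA on 11.2 would size the problem and then handle it with the supported DBMS_AUDIT_MGMT API instead of a bare TRUNCATE: measure AUD$ against the SYSTEM datafile ceiling, keep a copy of the old rows, move the trail out of SYSTEM so audit growth can never again block CREATE SESSION, and purge by timestamp. The 90-day retention, the archive table name AUD_ARCHIVE_2011 and the USERS tablespace are assumptions for the demo; run it as SYSDBA.

```sql
-- Added example (not from the original deck). Oracle 11.2, run as SYSDBA.

-- 1. How big is AUD$, and how far can SYSTEM still autoextend?
SELECT s.segment_name, s.tablespace_name, ROUND(s.bytes / 1024 / 1024) AS mb
FROM   dba_segments s
WHERE  s.owner = 'SYS'
AND    s.segment_name IN ('AUD$', 'FGA_LOG$');

-- For an 8k smallfile datafile MAXBYTES caps out at 32G even with AUTOEXTEND ON.
SELECT f.file_name,
       ROUND(f.bytes / 1024 / 1024)                         AS allocated_mb,
       f.autoextensible,
       ROUND(CASE WHEN f.autoextensible = 'YES'
                  THEN f.maxbytes ELSE f.bytes END / 1024 / 1024) AS ceiling_mb
FROM   dba_data_files f
WHERE  f.tablespace_name = 'SYSTEM';

-- 2. Keep the old rows before deleting anything (assumed name / tablespace).
--    NTIMESTAMP# is the UTC timestamp column of SYS.AUD$ in 11g.
CREATE TABLE aud_archive_2011 TABLESPACE users AS
SELECT * FROM sys.aud$
WHERE  ntimestamp# < SYSTIMESTAMP - INTERVAL '90' DAY;

-- 3. Move the standard audit trail out of SYSTEM into SYSAUX.
--    (INIT_CLEANUP below does this too if the trail is still in SYSTEM.)
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_location_value => 'SYSAUX');
END;
/

-- 4. Purge everything older than the archive cut-off through the API,
--    so the delete is batched and the last-archive timestamp is recorded.
BEGIN
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(
           DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
      default_cleanup_interval => 24);   -- hours
  END IF;

  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);

  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    use_last_arch_timestamp => TRUE);
END;
/

-- 5. Confirm the trail now lives in SYSAUX and only recent rows remain.
SELECT tablespace_name FROM dba_segments WHERE owner = 'SYS' AND segment_name = 'AUD$';
SELECT MIN(ntimestamp#) AS oldest_row, COUNT(*) AS rows_left FROM sys.aud$;
```

Step 2 is the cheap demo of "back up first"; for anything you may need in an investigation, export the archive table (or AUD$ itself) with expdp to a location outside the database before step 4 runs. Once the trail is in SYSAUX, a full SYSTEM tablespace can no longer turn an audit write into a lockout of every non-SYSDBA user, which is the failure mode the slide describes.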
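The deck's script counts ORA-01017 rows per source. As an added example that is not part of the original deck, the queries below go a step further over the same DBA_AUDIT_TRAIL data: they bound the search to a time window, separate guessing from lockouts (ORA-28000), flag one host trying many different account names (password spraying), and surface the case that actually matters, a successful logon from a host that had just failed repeatedly. The 24-hour window and the thresholds (more than 10 failures, 5 or more distinct accounts) are assumptions to tune per site.

```sql
-- Added example (not from the original deck). Oracle 11g, any user with
-- SELECT on DBA_AUDIT_TRAIL. RETURNCODE holds the ORA- error number:
--   1017  = invalid username/password (Oracle does not tell you which)
--   28000 = account locked, i.e. the guessing already tripped the profile limit
SET LINESIZE 160 PAGESIZE 100
COLUMN os_username FORMAT A20
COLUMN userhost    FORMAT A30
COLUMN username    FORMAT A20

-- 1. Failed-logon bursts in the last 24 hours, with rate, per source and target account.
WITH failed AS (
  SELECT os_username, userhost, username, timestamp, returncode
  FROM   dba_audit_trail
  WHERE  action_name = 'LOGON'
  AND    returncode IN (1017, 28000)
  AND    timestamp   > SYSDATE - 1           -- assumed window
)
SELECT os_username, userhost, username,
       COUNT(*)                                           AS failures,
       COUNT(CASE WHEN returncode = 28000 THEN 1 END)     AS locked_hits,
       MIN(timestamp)                                     AS first_seen,
       MAX(timestamp)                                     AS last_seen,
       -- failures per minute; DATE arithmetic is in days, so *1440
       ROUND(COUNT(*) / GREATEST((MAX(timestamp) - MIN(timestamp)) * 1440, 1), 1)
                                                          AS per_minute
FROM   failed
GROUP  BY os_username, userhost, username
HAVING COUNT(*) > 10                                      -- assumed threshold
ORDER  BY failures DESC;

-- 2. Password spraying: one host, many different account names.
SELECT userhost,
       COUNT(DISTINCT username) AS accounts_tried,
       COUNT(*)                 AS failures,
       MIN(timestamp)           AS first_seen,
       MAX(timestamp)           AS last_seen
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode  = 1017
AND    timestamp   > SYSDATE - 1
GROUP  BY userhost
HAVING COUNT(DISTINCT username) >= 5                      -- assumed threshold
ORDER  BY accounts_tried DESC;

-- 3. A successful logon (RETURNCODE = 0) that follows a burst of failures
--    from the same host against the same account: treat as a compromised password.
SELECT t.userhost, t.username, t.os_username, t.timestamp AS success_at,
       f.failures_before, f.last_fail
FROM   dba_audit_trail t
JOIN  (SELECT userhost, username,
              COUNT(*)       AS failures_before,
              MAX(timestamp) AS last_fail
       FROM   dba_audit_trail
       WHERE  action_name = 'LOGON'
       AND    returncode  = 1017
       AND    timestamp   > SYSDATE - 1
       GROUP  BY userhost, username
       HAVING COUNT(*) > 10) f
  ON   f.userhost = t.userhost
  AND  f.username = t.username
WHERE  t.action_name = 'LOGON'
AND    t.returncode  = 0
AND    t.timestamp   > f.last_fail
ORDER  BY t.timestamp DESC;
```

Query 1 is the one to schedule; the per_minute column separates the misconfigured application the slide warns about (a steady, machine-speed rate from one OS_USERNAME and TERMINAL) from a human or tool working through a wordlist. Query 3 should normally return no rows; when it does, the first action is to lock or re-password that account, then read every row for that session from the trail.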