[20111230]11Gr2审计.txt

[20111230]11Gr2审计.txt

昨天查看v$open_cursor视图,无意中发现如下语句:
INSERT INTO SYS.aud$
            (sessionid, entryid, STATEMENT, ntimestamp#, userid, userhost, terminal, action#, returncode, obj$creator,
             obj$name, auth$privileges, auth$grantee, new$owner, new$name, ses$actions, ses$tid, logoff$pread, logoff$lwrite,
             logoff$dead, comment$text, spare1, spare2, priv$used, clientid, sessioncpu, proxy$sid, user$guid, instance#,
             process#, xid, SCN, auditid, sqlbind, sqltext, obj$edition, dbid
            )
     VALUES (:1, :2, :3, SYS_EXTRACT_UTC (SYSTIMESTAMP), :4, :5, :6, :7, :8, :9,
             :10, :11, :12, :13, :14, :15, :16, :17, :18,
             :19, :20, :21, :22, :23, :24, :25, :26, :27, :28,
             :29, :30, :31, :32, :33, :34, :35, :36
            )

感觉很奇怪,难道11GR2缺省是打开审计功能吗?

SQL> show parameter audit

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/test/adump
audit_sys_operations                 boolean     FALSE
audit_syslog_level                   string
audit_trail                          string      DB

使用toad自带sqlmonitor跟踪,看看关联哪些视图:

SELECT owner, object_type, object_name, object_id, status
  FROM SYS.dba_objects
 WHERE object_id IN (SELECT     object_id
                           FROM public_dependency
                     CONNECT BY PRIOR object_id = referenced_object_id
                     START WITH referenced_object_id = (SELECT object_id
                                                          FROM SYS.dba_objects
                                                         WHERE wner = :owner AND object_name = :NAME AND object_type = :TYPE))
   AND wner = 'SYS'

:OWNER = 'SYS'
:NAME = 'AUD$'
:TYPE = 'TABLE'

OWNER,OBJECT_TYPE,OBJECT_NAME,OBJECT_ID,STATUS
=============================================
SYS,VIEW,DBA_AUDIT_TRAIL,3466,VALID
SYS,VIEW,USER_AUDIT_TRAIL,3468,VALID
SYS,VIEW,DBA_AUDIT_SESSION,3470,VALID
SYS,VIEW,USER_AUDIT_SESSION,3472,VALID
SYS,VIEW,DBA_AUDIT_STATEMENT,3474,VALID
SYS,VIEW,USER_AUDIT_STATEMENT,3476,VALID
SYS,VIEW,DBA_AUDIT_OBJECT,3478,VALID
SYS,VIEW,USER_AUDIT_OBJECT,3480,VALID
SYS,VIEW,DBA_AUDIT_EXISTS,3482,VALID
SYS,VIEW,DBA_COMMON_AUDIT_TRAIL,5348,VALID

我记忆11GR1版本并没有启动审计,而11GR2 AUDIT_TRAIL参数的缺省值为DB,如果对于生产系统如果设计不好,会对基表sys.aud$产生大量的操作,
而且sys.aud$位于system表空间,会导致system表空间占用太大,最好将它移动到单独的表空间,便于维护与管理。

SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
PL/SQL Release 11.2.0.1.0 - Production
CORE    11.2.0.1.0      Production
TNS for Linux: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production

看看做一些什么审计(我的是测试环境,如果是生产系统logon,logoff会很多):

SQL> select action_name,count(*) from dba_audit_trail group by action_name order by 2 desc;
ACTION_NAME                    COUNT(*)
----------------------------          ----------
LOGON                                        1403
LOGOFF                                      1116
ALTER SYSTEM                          110
CREATE PUBLIC SYNONYM      26
ALTER USER                                 16
EXPLAIN                                          13
SYSTEM GRANT                            10
DROP PUBLIC SYNONYM             6
CREATE PROCEDURE                  6
ALTER DATABASE                           4
GRANT ROLE                                   4
CREATE ROLE                                 3
DROP TABLE                                    3
DROP PROCEDURE                      3
CREATE USER                                2
ALTER TABLE                                  2
ALTER PROCEDURE                    2
GRANT OBJECT                             2
CREATE TABLE                              2
DROP USER                                   1
ALTER PUBLIC SYNONYM          1
ASSOCIATE STATISTICS              1
SYSTEM REVOKE                          1
REVOKE ROLE                               1

24 rows selected.

我们知道如果登录密码错误,返回错误是ORA-01017,如下:

ERROR:
ORA-01017: invalid username/password; logon denied

$oerr ora 1017
$ oerr ora 1017
01017, 00000, "invalid username/password; logon denied"
// *Cause:
// *Action:

查询如下,可以知道哪些用户longon失败:
select *  from dba_audit_trail  where returncode = 1017 and trunc(timestamp)>=trunc(sysdate)  order by timestamp desc;

时间: 2024-10-01 15:58:38

[20111230]11Gr2审计.txt的相关文章

[20111230]11Gr2 result cache[1].txt

11G的result cache是一个很吸引人的特性,可以大幅减少逻辑读取,特别对于一些经常执行的语句,而结果不是经常变化的,效果不错,我的测试遇到一个小问题. SQL> select * from v$version; BANNER--------------------------------------------------------------------------------Oracle Database 11g Enterprise Edition Release 11.2.0

052011GR2 _optimizer_null_aware_antijoin

[20150520]11GR2 _optimizer_null_aware_antijoin.txt --好久没写sql 优化的帖子: http://www.killdb.com/2015/04/19/_optimizer_null_aware_antijoin%E5%BC%95%E5%8F%91%E7%9A%84sql%E6%80%A7%E8%83%BD%E9%97%AE%E9%A2%98.html --参考这个链接自己重复测试看看在11G下的情况: 1.建立测试环境: SCOTT@test>

[20170207]11G审计日志清除.txt

[20170207]11G审计日志清除.txt --//11G缺省打开了许多审计,比如登录审计(我个人建议仅仅审计不成功的登录,特别对登录密集的系统),如果系统上线时没有关闭或者取 --//消一些审计,sys.aud$在system表空间,会导致空间异常增加,而且占用system表空间不是很合理.必须建立良好的监测清理机制. 1.环境: SCOTT@book> @ &r/ver1 PORT_STRING                    VERSION        BANNER ---

[20171116]11GR2控制文件自动备份.txt

20171116]11GR2控制文件自动备份.txt SYS@book> @ &r/ver1 PORT_STRING                    VERSION        BANNER ------------------------------ -------------- -------------------------------------------------------------------------------- x86_64/Linux 2.4.xx  

[20170518]11G审计日志清除3.txt

[20170518]11G审计日志清除3.txt --//以前写的链接:http://blog.itpub.net/267265/viewspace-2133145/ --//我当时写存在许多问题,仅仅清除sys.aud$内容,参数audit_file_dest目录的文件不清除,而这里参数大量的aud文件,重新测试看看. 1.环境: SYS@book> @ &r/ver1 PORT_STRING                    VERSION        BANNER -------

[20151212]审计统计分析.txt

[20151212]审计统计分析.txt --昨天看了一个帖子,连接如下: http://www.itpub.net/thread-2048266-1-1.html --对方在脚本有如下语句:    EXECUTE IMMEDIATE          'begin dbms_stats.set_index_stats(ownname  => '''       || SOWNER       || ''',indname  => '''       || SIDXNAME       ||

[20130217]11GR2 adrci的学习.txt

[20130217]11GR2 adrci的学习.txt 春节放假,学习一下adrci的使用.adrci (Automatic Diagnostic Repository Command Interpreter). ADRCI: Release 11.2.0.1.0 - Production on Tue Aug 21 16:35:06 2012Copyright (c) 1982, 2009, Oracle and/or its affiliates.  All rights reserved

[20130305]Cardinality Feedback on 11gR2.txt

[20130305]Cardinality Feedback on 11gR2.txt http://blogs.oracle.com/optimizer/entry/cardinality_feedback Cardinality Feedback是11G的新特性,它可以自动调整执行计划.但是具体如何实现的呢?按照上面的链接的例子做一些测试看看. 1.测试环境以及问题提出: SQL> select * from v$version where rownum BANNER -----------

[20120420]11GR2新特性ACS的使用问题.txt

[20120420]11GR2新特性ACS的使用问题.txt 11GR2中采用Adaptive Cursor Sharing一定程度解决了bind peeking的问题.在我的测试中遇到一些问题,自己写一个例子测试如下: 1.建立测试环境: SQL> select * from v$version ; BANNER -------------------------------------------------------------------------------- Oracle Dat