12C的审计模式

郑全

1.Mixed Auditing Policy

混合审计模式支持新的审计引擎和老的审计引擎一起工作
数据库升级后，已有的审计设置不会受到影响。但是官方建议迁移到统一审计模式。数据库创建后，默认是使用混合模式。
在决定使用unified auditing模式之前，可以使用混合模式创建审计策略然后开启该策略。
也可以使用已经创建的策略：ora_secureconfig、ora_account_mgmt、ora_database_parameter开启混合模式。

数据库创建后，默认是使用ora_secureconfig策略开启混合模式。

2.Unified Auditing Policy
要开启统一审计模式，需要relink。缺省情况下，统一审计模式将审计数据放在sysaux表空间中。

也可以创建新的表空间用来存放这些只读的审计表，属主是audsys，该用户默认是被锁定的。
一旦开启统一审计模式之后，老的审计参数就不在有效了。比如：audit_trail、audit_file_dest、audit_sys_operations、audit_syslog_level。

3.开启Unified Auditing Policy
3.1.关闭所有的进程和数据库实例
3.2.开启

1 2	$ cd $ORACLE_HOME/rdbms/lib $ make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME

1 2 3 4 5 6 7 8 9 10 11 12 13

$ cd $ORACLE_HOME/rdbms/lib $ make -f ins_rdbms.mk uniaud_on ioracle ORACLE_HOME=$ORACLE_HOME /usr/bin/ar d /u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/libknlopt.a kzanang.o /usr/bin/ar cr /u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/libknlopt.a /u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/kzaiang.o chmod 755 /u12/app/oracle/product/12.1.0/dbhome_1/bin - Linking Oracle rm -f /u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/oracle /u12/app/oracle/product/12.1.0/dbhome_1/bin/orald  -o /u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/oracle -m64 -z noexecstack -Wl,--disable-new-dtags -L/u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/ -L/u12/app/oracle/product/12.1.0/dbhome_1/lib/ -L/u12/app/oracle/product/12.1.0/dbhome_1/lib/stubs/   -Wl,-E /u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/opimai.o /u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/ssoraed.o /u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/ttcsoi.o -Wl,--whole-archive -lperfsrv12 -Wl,--no-whole-archive /u12/app/oracle/product/12.1.0/dbhome_1/lib/nautab.o /u12/app/oracle/product/12.1.0/dbhome_1/lib/naeet.o /u12/app/oracle/product/12.1.0/dbhome_1/lib/naect.o /u12/app/oracle/product/12.1.0/dbhome_1/lib/naedhs.o /u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/config.o  -lserver12 -lodm12 -lcell12 -lnnet12 -lskgxp12 -lsnls12 -lnls12  -lcore12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lxml12 -lcore12 -lunls12 -lsnls12 -lnls12 -lcore12 -lnls12 -lclient12  -lvsn12 -lcommon12 -lgeneric12 -lknlopt `if /usr/bin/ar tv /u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/libknlopt.a | grep xsyeolap.o > /dev/null 2>&1 ; then echo "-loraolap12" ; fi` -lskjcx12 -lslax12 -lpls12  -lrt -lplp12 -lserver12 -lclient12  -lvsn12 -lcommon12 -lgeneric12 `if [ -f /u12/app/oracle/product/12.1.0/dbhome_1/lib/libavserver12.a ] ; then echo "-lavserver12" ; else echo "-lavstub12"; fi` `if [ -f /u12/app/oracle/product/12.1.0/dbhome_1/lib/libavclient12.a ] ; then echo "-lavclient12" ; fi` -lknlopt -lslax12 -lpls12  -lrt -lplp12 -ljavavm12 -lserver12  -lwwg  `cat /u12/app/oracle/product/12.1.0/dbhome_1/lib/ldflags`    -lncrypt12 -lnsgr12 -lnzjs12 -ln12 -lnl12 -lnro12 `cat /u12/app/oracle/product/12.1.0/dbhome_1/lib/ldflags`    -lncrypt12 -lnsgr12 -lnzjs12 -ln12 -lnl12 -lnnzst12 -lzt12 -lztkg12 -lmm -lsnls12 -lnls12  -lcore12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lxml12 -lcore12 -lunls12 -lsnls12 -lnls12 -lcore12 -lnls12 -lztkg12 `cat /u12/app/oracle/product/12.1.0/dbhome_1/lib/ldflags`    -lncrypt12 -lnsgr12 -lnzjs12 -ln12 -lnl12 -lnro12 `cat /u12/app/oracle/product/12.1.0/dbhome_1/lib/ldflags`    -lncrypt12 -lnsgr12 -lnzjs12 -ln12 -lnl12 -lnnzst12 -lzt12 -lztkg12   -lsnls12 -lnls12  -lcore12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lxml12 -lcore12 -lunls12 -lsnls12 -lnls12 -lcore12 -lnls12 `if /usr/bin/ar tv /u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/libknlopt.a | grep "kxmnsd.o" > /dev/null 2>&1 ; then echo " " ; else echo "-lordsdo12 -lserver12"; fi` -L/u12/app/oracle/product/12.1.0/dbhome_1/ctx/lib/ -lctxc12 -lctx12 -lzx12 -lgx12 -lctx12 -lzx12 -lgx12 -lordimt12 -lclsra12 -ldbcfg12 -lhasgen12 -lskgxn2 -lnnzst12 -lzt12 -lxml12 -locr12 -locrb12 -locrutl12 -lhasgen12 -lskgxn2 -lnnzst12 -lzt12 -lxml12  -lgeneric12 -loraz -llzopro -lorabz2 -lipp_z -lipp_bz2 -lippdcemerged -lippsemerged -lippdcmerged  -lippsmerged -lippcore  -lippcpemerged -lippcpmerged  -lsnls12 -lnls12  -lcore12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lxml12 -lcore12 -lunls12 -lsnls12 -lnls12 -lcore12 -lnls12 -lsnls12 -lunls12  -lsnls12 -lnls12  -lcore12 -lsnls12 -lnls12 -lcore12 -lsnls12 -lnls12 -lxml12 -lcore12 -lunls12 -lsnls12 -lnls12 -lcore12 -lnls12 -lasmclnt12 -lcommon12 -lcore12  -laio -lons    `cat /u12/app/oracle/product/12.1.0/dbhome_1/lib/sysliblist` -Wl,-rpath,/u12/app/oracle/product/12.1.0/dbhome_1/lib -lm    `cat /u12/app/oracle/product/12.1.0/dbhome_1/lib/sysliblist` -ldl -lm   -L/u12/app/oracle/product/12.1.0/dbhome_1/lib test ! -f /u12/app/oracle/product/12.1.0/dbhome_1/bin/oracle ||\            mv -f /u12/app/oracle/product/12.1.0/dbhome_1/bin/oracle /u12/app/oracle/product/12.1.0/dbhome_1/bin/oracleO mv /u12/app/oracle/product/12.1.0/dbhome_1/rdbms/lib/oracle /u12/app/oracle/product/12.1.0/dbhome_1/bin/oracle chmod 6751 /u12/app/oracle/product/12.1.0/dbhome_1/bin/oracle

4.关闭Unified Auditing Policy

1 2	SQL> noaudit policy ORA_SECURECONFIG; SQL> noaudit policy ORA_LOGON_FAILURES;

郑全

要关闭审计功能

SQL> conn /as sysdba
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT

$ lsnrctl stop listener_name
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk uniaud_off ioracle
$ lsnrctl start listener_name

SQL> conn /as sysdba
SQL> STARTUP

郑全

郑全 发表于 2019-8-3 09:40
要关闭审计功能

SQL> conn /as sysdba

Auditing Oracle Recovery Manager Events

You can use the CREATE AUDIT POLICY statement to audit Oracle Recovery Manager events.

Topics:

• About Auditing Oracle Recovery Manager Events
• Oracle Recovery Manager Unified Audit Trail Events
• How Oracle Recovery Manager Audited Events Appear in the Audit Trail
  
  

See Also:

Oracle Database Backup and Recovery User's Guide

About Auditing Oracle Recovery Manager Events

The UNIFIED_AUDIT_TRAIL data dictionary view automatically stores Oracle Recovery Manager audit events in the RMAN_column.

Unlike other Oracle Database components, you do not create a unified audit policy for Oracle Recovery Manager events.

However, you must have the AUDIT_ADMIN or AUDIT_VIEWER role in order to query the UNIFIED_AUDIT_TRAIL view to see these events. If you have the SYSBACKUP or the SYSDBA administrative privilege, then you can find additional information about Recovery Manager jobs by querying views such as V$RMAN_STATUS or V$RMAN_BACKUP_JOB_DETAILS.

See Also:

Oracle Database Backup and Recovery User's Guide

Oracle Recovery Manager Unified Audit Trail Events

The unified audit trail can capture Oracle Recovery Manager events.

Table 22-8 describes these events.

Table 22-8 Oracle Recovery Manager Columns in UNIFIED_AUDIT_TRAIL View

[tr=rgb(63, 63, 63)][td][td]

Recovery Manager Column

Description                      [/td]
RMAN_SESSION_RECID	Recovery Manager session identifier. Together with the RMAN_SESSION_STAMP column, this column uniquely identifies the Recovery Manager job. The Recovery Manager session ID is a a RECID value in the control file that identifies the Recovery Manager job. (Note that the Recovery Manager session ID is not the same as a user session ID.)
RMAN_SESSION_STAMP	Timestamp for the session. Together with the RMAN_SESSION_RECID column, this column identifies Recovery Manager jobs.
RMAN_OPERATION	The Recovery Manager operation executed by the job. One row is added for each distinct operation within a Recovery Manager session. For example, a backup job contains BACKUP as the RMAN_OPERATION value.
RMAN_OBJECT_TYPE	Type of objects involved in a Recovery Manager session. It contains one of the following values. If the Recovery Manager session does not satisfy more than one of them, then preference is given in the following order, from top to bottom of the list. DB FULL (Database Full) refers to a full backup of the database RECVR AREA refers to the Fast Recovery area DB INCR (Database Incremental) refers to incremental backups of the database DATAFILE FULL refers to a full backup of the data files DATAFILE INCR refers to incremental backups of the data files ARCHIVELOG refers to archived redo log files CONTROLFILE refers to control files SPFILE refers to the server parameter file BACKUPSET refers to backup files
RMAN_DEVICE_TYPE	Device associated with a Recovery Manager session. This column can be DISK, SBT (system backup tape), or * (asterisk). An asterisk indicates more than one device. In most cases, the value will be DISK and SBT.

How Oracle Recovery Manager Audited Events Appear in the Audit Trail

The UNIFIED_AUDIT_TRAIL data dictionary view lists Oracle Recovery Manager audit events.

If necessary, you should run the DBMS_AUDIT_MGMT.FLUSH_UNIFIIED_AUDIT_TRAIL procedure to write the audit records to disk.

EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

See Manually Flushing Audit Records to the Audit Trail in Queued-Write Mode for more information.

Table 22-8 lists the columns in the UNIFIED_AUDIT_TRAIL data dictionary view that you can query to find Oracle Recovery Manager-specific audit data.

For example:

SELECT RMAN_OPERATION FROM UNIFIED_AUDIT_TRAIL WHERE RMAN_OBJECT_TYPE = 'DB FULL';
RMAN_OPERATION
---------------
BACKUP

郑全

12c 12.1.0.2的官方文档：Database Security Guide/22 Configuring Audit Policies
https://docs.oracle.com/database ... onfig.htm#DBSEG1025