Published: 2023/12/19

[20191128] Oracle audit file management 2.txt

--//Earlier test: http://blog.itpub.net/267265/viewspace-2646161/ => [20190530] Oracle audit file management.txt

--//Today I checked and found that the ASM instance on the Exadata is configured as follows:

SQL> show parameter audit
NAME                 TYPE        VALUE
-------------------- ----------- ------------------------------
audit_file_dest      string      /u01/app/11.2.0.4/grid/rdbms/audit
audit_sys_operations boolean     FALSE
audit_syslog_level   string      LOCAL0.INFO

--//The Oracle implementers of the Exadata set the parameter audit_syslog_level to LOCAL0.INFO, but audit_sys_operations=false.
--//Moreover, the implementers did not define LOCAL0.INFO in the /etc/syslog.conf file (some systems use rsyslog instead of syslog).

# grep -i local0 /etc/syslog.conf
# grep -i 'local0.info' /etc/rsyslog.conf
--//Neither command shows anything. Incidentally, we use the rsyslog service.

# service syslog status
syslogd is stopped
klogd is stopped
#  service rsyslog status
rsyslogd (pid  116746) is running...

--//This is a bit embarrassing for the Oracle implementers; they did not pay attention to the details.
--//Additional tests follow: whether changing these parameters requires a database restart, plus some other details.

1. Environment:

SYS@book> @ ver1
PORT_STRING                    VERSION        BANNER
------------------------------ -------------- ----------------------------------------------------------------------------
x86_64/Linux 2.4.xx            11.2.0.4.0     Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

2. Test 1:

--//Does changing the parameters require a restart?

SYS@book> show parameter audit
NAME                 TYPE    VALUE
-------------------- ------- --------------------------------
audit_file_dest      string  /u01/app/oracle/admin/book/adump
audit_sys_operations boolean TRUE
audit_syslog_level   string  LOCAL0.INFO
audit_trail          string  DB, EXTENDED

# grep "local0" /etc/syslog.conf
local0.info                     /var/log/oracleaudit.log

SYS@book> alter system set audit_sys_operations=false ;
alter system set audit_sys_operations=false
*
ERROR at line 1:
ORA-02095: specified initialization parameter cannot be modified

SYS@book> alter system set audit_syslog_level=LOCAL1.INFO;
alter system set audit_syslog_level=LOCAL1.INFO
*
ERROR at line 1:
ORA-02095: specified initialization parameter cannot be modified

--//Not allowed!!
--//Neither audit_sys_operations nor audit_syslog_level can be modified online.

3. Test 2:

--//What happens if audit_sys_operations=false and audit_syslog_level=LOCAL0.INFO?

SYS@book> alter system set audit_sys_operations=false scope=spfile;
System altered.

--//Restart the database.
--//Login auditing is still recorded in /var/log/oracleaudit.log, but the commands that are executed are not recorded in /var/log/oracleaudit.log.

# tail -f  /var/log/oracleaudit.log
--//Running the following produces no output from tail -f.

SYS@book> show sga
Total System Global Area  643084288 bytes
Fixed Size                  2255872 bytes
Variable Size             205521920 bytes
Database Buffers          427819008 bytes
Redo Buffers                7487488 bytes

4. Test 3:

SYS@book> alter system set audit_sys_operations=true scope=spfile;
System altered.

SYS@book> shutdown immediate ;
Database closed.
Database dismounted.
ORACLE instance shut down.

SYS@book> startup
ORACLE instance started.
Total System Global Area  643084288 bytes
Fixed Size                  2255872 bytes
Variable Size             205521920 bytes
Database Buffers          427819008 bytes
Redo Buffers                7487488 bytes
Database mounted.
Database opened.

--//Also note that, whatever the mode, a record is written to the directory /u01/app/oracle/admin/book/adump at startup, so something is still recorded in this
--//directory. It will not be much, unless you restart the ASM instance frequently.

$ ls -ltr | grep 2019-11-28
-rw-r----- 1 oracle oinstall 770 2019-11-28 15:22:15 book_ora_28379_20191128152215303883143795.aud
-rw-r----- 1 oracle oinstall 770 2019-11-28 15:28:26 book_ora_28615_20191128152826802446143795.aud
-rw-r----- 1 oracle oinstall 770 2019-11-28 15:34:17 book_ora_28726_20191128153417006021143795.aud

SYS@book> select sysdate from dual ;
SYSDATE
-------------------
2019-11-28 15:35:32

# tail -f  /var/log/oracleaudit.log
Nov 28 15:34:23 xxxxxxxx Oracle Audit[28777]: LENGTH : '160' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[6] 'pts/11' STATUS:[1] '0' DBID:[10] '1337401710'
Nov 28 15:34:25 xxxxxxxx Oracle Audit[28777]: LENGTH : '173' ACTION :[19] 'ALTER DATABASE OPEN' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[6] 'pts/11' STATUS:[1] '0' DBID:[10] '1337401710'
Nov 28 15:35:32 xxxxxxxx Oracle Audit[28777]: LENGTH : '179' ACTION :[25] 'select sysdate from dual ' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[6] 'pts/11' STATUS:[1] '0' DBID:[10] '1337401710'

--//The last record logs the execution of the select sysdate from dual command.
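
--//Added example (not part of the original notes): a parser for the "Oracle Audit" syslog records shown above, reading each value by its [n] length prefix so that SQL text containing single quotes is still split correctly. The function names are hypothetical; the first two sample lines are the records from this test and the third is constructed.

```python
import re

HEADER = re.compile(r"Oracle Audit\[(\d+)\]: LENGTH : '(\d+)'")
FIELD = re.compile(r"\s*([A-Z][A-Z ]*?)\s*:\[(\d+)\] '")

def parse_audit_record(line):
    """Parse one 'Oracle Audit[pid]' syslog line into a dict of its fields."""
    head = HEADER.search(line)
    if not head:
        raise ValueError("not an Oracle Audit syslog record")
    rec = {"PID": int(head.group(1)), "LENGTH": int(head.group(2))}
    pos = head.end()
    while True:
        field = FIELD.match(line, pos)
        if not field:
            return rec
        size, start = int(field.group(2)), field.end()
        # Trust the [n] length prefix, not the quotes: SQL text may contain "'".
        if line[start + size:start + size + 1] != "'":
            raise ValueError("truncated or malformed field " + field.group(1))
        rec[field.group(1)] = line[start:start + size]
        pos = start + size + 1

def sys_statements(lines):
    """Return (client user, action) for SYSDBA/SYSOPER records other than CONNECT."""
    out = []
    for line in lines:
        try:
            rec = parse_audit_record(line)
        except ValueError:
            continue  # other syslog traffic or a damaged record
        if rec.get("PRIVILEGE") in ("SYSDBA", "SYSOPER") and rec.get("ACTION") != "CONNECT":
            out.append((rec.get("CLIENT USER"), rec.get("ACTION")))
    return out

TAIL = (" DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle'"
        " CLIENT TERMINAL:[6] 'pts/11' STATUS:[1] '0' DBID:[10] '1337401710'")
SAMPLE = [
    "Nov 28 15:34:23 xxxxxxxx Oracle Audit[28777]: LENGTH : '160' ACTION :[7] 'CONNECT'" + TAIL,
    "Nov 28 15:35:32 xxxxxxxx Oracle Audit[28777]: LENGTH : '179' ACTION :[25] 'select sysdate from dual '" + TAIL,
    # Constructed record: statement text that itself contains single quotes.
    "Nov 28 15:36:00 xxxxxxxx Oracle Audit[28777]: LENGTH : '174' ACTION :[20] 'select 'x' from dual'" + TAIL,
]

if __name__ == "__main__":
    for user, action in sys_statements(SAMPLE):
        print(user, repr(action))
```

--//If sys_statements() returns only an empty list over a period in which SYS was active, the instance is in the state of test 2: logins are logged, statements are not.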

5. Test 4:

--//Comment out the entry as shown below, which is the situation found on the Exadata:

# grep "local0" /etc/syslog.conf
#local0.info                     /var/log/oracleaudit.log

--//Restart the syslog service.

# service syslog restart
Shutting down kernel logger:  [  OK  ]
Shutting down system logger:  [  OK  ]
Starting system logger:       [  OK  ]
Starting kernel logger:       [  OK  ]

SYS@book> select sysdate from dual ;
SYSDATE
-------------------
2019-11-28 15:39:48

# tail -f  /var/log/oracleaudit.log
--//No output. In this situation only login auditing is recorded.

--//Check after logging in as the sys user:

$ ls -ltr | grep 2019-11-28
-rw-r----- 1 oracle oinstall 770 2019-11-28 15:22:15 book_ora_28379_20191128152215303883143795.aud
-rw-r----- 1 oracle oinstall 770 2019-11-28 15:28:26 book_ora_28615_20191128152826802446143795.aud
-rw-r----- 1 oracle oinstall 770 2019-11-28 15:34:17 book_ora_28726_20191128153417006021143795.aud

--//No audit file is produced in the /u01/app/oracle/admin/book/adump directory.
--//In other words, in this situation audit records are lost!!!
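
--//Added example (not part of the original notes): a check of whether any active syslog rule receives the facility.priority named in audit_syslog_level. It goes beyond grepping for the literal string: it compares case-insensitively, skips commented-out entries, and also recognises wildcard selectors such as *.info and ".none" exclusions. Assumptions: legacy selector syntax only (no "!" negation, no RainerScript); the function names and sample configuration lines are constructed.

```python
import re

# syslog severities, most severe first; a plain "facility.prio" selector
# matches that priority and everything more severe.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SELECTOR = re.compile(r"^([a-z0-9*,]+)\.(=?)([a-z*]+)$")

def selector_covers(selector, facility, priority):
    """True/False for a match, or None if the selector excludes the facility."""
    m = SELECTOR.match(selector.lower())
    if not m:
        return False                      # not a legacy selector (e.g. a directive)
    facs, exact, prio = m.groups()
    if facs != "*" and facility not in facs.split(","):
        return False
    if prio == "none":
        return None                       # "local0.none" drops the facility from the rule
    if prio == "*":
        return True
    if prio not in SEVERITY:
        return False
    want, have = SEVERITY.index(priority), SEVERITY.index(prio)
    return want == have if exact else want <= have

def rules_for(conf_text, audit_syslog_level):
    """List the (selectors, action) rules that receive audit_syslog_level."""
    facility, priority = audit_syslog_level.lower().split(".")
    hits = []
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith(("#", "$")):
            continue                      # blank, commented-out, or rsyslog directive
        results = [selector_covers(s, facility, priority) for s in parts[0].split(";")]
        if any(r is True for r in results) and None not in results:
            hits.append((parts[0], parts[1].strip()))
    return hits

# Constructed sample configuration lines (not copied from the systems on this page).
COMMENTED = "#local0.info                     /var/log/oracleaudit.log\n"
DEDICATED = "local0.infO                     /var/log/oracleaudit.log\n"
WILDCARD = "*.info;mail.none;authpriv.none;cron.none   /var/log/messages\n"

if __name__ == "__main__":
    for name, conf in [("commented", COMMENTED), ("dedicated", DEDICATED), ("wildcard", WILDCARD)]:
        print(name, rules_for(conf, "LOCAL0.INFO") or "no rule receives LOCAL0.INFO")
```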

6. Test 5:

--//What happens if the audit_syslog_level parameter is entered in mixed case?

SYS@book> alter system set audit_syslog_level='Local0.info' scope=spfile ;
System altered.

SYS@book> show spparameter audit
SID      NAME                 TYPE    VALUE
-------- -------------------- ------- --------------------------------
*        audit_file_dest      string  /u01/app/oracle/admin/book/adump
*        audit_sys_operations boolean TRUE
*        audit_syslog_level   string  Local0.info
*        audit_trail          string  DB
*        audit_trail          string  EXTENDED

--//Uncomment the entry; note that I typed the trailing O in upper case.

# grep "local0" /etc/syslog.conf
local0.infO                     /var/log/oracleaudit.log

--//Restart the syslog service.

# service syslog restart
Shutting down kernel logger:  [  OK  ]
Shutting down system logger:  [  OK  ]
Starting system logger:       [  OK  ]
Starting kernel logger:       [  OK  ]

--//Restart the database:

SYS@book> show spparameter audit
SID      NAME                 TYPE     VALUE
-------- -------------------- -------- --------------------------------
*        audit_file_dest      string   /u01/app/oracle/admin/book/adump
*        audit_sys_operations boolean  TRUE
*        audit_syslog_level   string   Local0.info
*        audit_trail          string   DB
*        audit_trail          string   EXTENDED

SYS@book> show parameter audit
NAME                 TYPE    VALUE
-------------------- ------- --------------------------------
audit_file_dest      string  /u01/app/oracle/admin/book/adump
audit_sys_operations boolean TRUE
audit_syslog_level   string  LOCAL0.INFO
audit_trail          string  DB, EXTENDED

--//In fact, after startup the audit_syslog_level value is shown in upper case.

SYS@book> show sga
Total System Global Area  643084288 bytes
Fixed Size                  2255872 bytes
Variable Size             205521920 bytes
Database Buffers          427819008 bytes
Redo Buffers                7487488 bytes

SYS@book> select Sysdate from dual;
SYSDATE
-------------------
2019-11-28 15:54:19

# tail -f  /var/log/oracleaudit.log
Nov 28 15:54:19 gxqyydg4 Oracle Audit[29236]: LENGTH : '178' ACTION :[24] 'select Sysdate from dual' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[6] 'pts/11' STATUS:[1] '0' DBID:[10] '1337401710'
