1.1、传统审计 vs 统一审计
|----------|---------------------|---------------------|
| 特性 | **传统审计(AUD)** | **统一审计(12c+)** |
| **接口** | AUDIT / NOAUDIT 语句 | CREATE AUDIT POLICY |
| **存储** | SYS.AUD 表 | UNIFIED_AUDIT_TRAIL |
| 性能 | 每条审计一条 INSERT | 批量写入,性能更好 |
| 灵活性 | 有限 | 支持条件、列、行级审计 |
| 管理 | 直接操作 AUD 表 | DBMS_AUDIT_MGMT 包 |
| 默认启用 | 需要设置 audit_trail 参数 | 12c 默认启用(混合模式) |
1.2、统一审计策略管理
-- 审计所有 DDL 操作
CREATE AUDIT POLICY ddl_audit_policy
ACTIONS CREATE TABLE, ALTER TABLE, DROP TABLE,
CREATE INDEX, DROP INDEX,
CREATE VIEW, DROP VIEW,
CREATE USER, ALTER USER, DROP USER;
-- 审计特定表的 DML
CREATE AUDIT POLICY dml_hr_policy
ACTIONS SELECT ON hr.employees,
INSERT ON hr.employees,
UPDATE ON hr.employees,
DELETE ON hr.employees;
-- 审计登录行为
CREATE AUDIT POLICY login_policy
ACTIONS LOGON, LOGOFF;
-- 审计权限使用
CREATE AUDIT POLICY priv_policy
SYSTEM PRIVILEGES SELECT ANY TABLE, DROP ANY TABLE, ALTER SYSTEM, GRANT ANY ROLE;
-- 审计角色使用
CREATE AUDIT POLICY role_policy ROLES DBA, IMP_FULL_DATABASE;
-- 带条件的审计
CREATE AUDIT POLICY after_hours_policy
ACTIONS LOGON
WHEN 'TO_NUMBER(TO_CHAR(SYSDATE,''HH24'')) NOT BETWEEN 8 AND 18'
EVALUATE PER SESSION;
-- 审计 SYSDBA/SYSOPER 操作
CREATE AUDIT POLICY sysdba_policy PRIVILEGES SYSDBA, SYSOPER;
-- 启用审计策略
AUDIT POLICY ddl_audit_policy;
AUDIT POLICY login_policy;
AUDIT POLICY dml_hr_policy BY hr_admin;
AUDIT POLICY sysdba_policy;
-- 查看已启用的审计策略
SELECT * FROM AUDIT_UNIFIED_ENABLED_POLICIES;
-- 查看所有审计策略
SELECT POLICY_NAME, AUDIT_CONDITION, AUDIT_OPTION FROM AUDIT_UNIFIED_POLICIES;
-- 禁用审计策略
NOAUDIT POLICY ddl_audit_policy;
-- 删除审计策略
DROP AUDIT POLICY ddl_audit_policy;
1.3、细粒度审计(FGA)
-- 创建 FGA 策略:审计查询 salary 列
BEGIN
DBMS_FGA.ADD_POLICY(
object_schema => 'HR',
object_name => 'EMPLOYEES',
policy_name => 'AUDIT_SALARY',
audit_column => 'SALARY',
audit_condition => 'SALARY > 10000',
statement_types => 'SELECT,UPDATE',
audit_trail => DBMS_FGA.DB + DBMS_FGA.EXTENDED
);
END;
-- 查看 FGA 审计记录
SELECT TIMESTAMP, DB_USER, OBJECT_NAME, SQL_TEXT, SCN
FROM DBA_FGA_AUDIT_TRAIL
WHERE POLICY_NAME = 'AUDIT_SALARY'
ORDER BY TIMESTAMP DESC;
-- 禁用 FGA 策略
BEGIN
DBMS_FGA.DISABLE_POLICY('HR', 'EMPLOYEES', 'AUDIT_SALARY');
END;
-- 删除 FGA 策略
BEGIN
DBMS_FGA.DROP_POLICY('HR', 'EMPLOYEES', 'AUDIT_SALARY');
END;
1.4、SYSDBA/SYSOPER 审计
-- 确保 SYSDBA 审计已启用
**--**在 init.ora 或 spfile 中 AUDIT_SYS_OPERATIONS = TRUE
-- 查看 SYSDBA 操作的审计记录
SELECT USERNAME, TIMESTAMP, ACTION_NAME, SQL_TEXT
FROM UNIFIED_AUDIT_TRAIL
WHERE PRIVILEGED = 'YES'
ORDER BY TIMESTAMP DESC;
-- 传统方式查看 SYS 审计(OS 文件)
-- SYS 审计记录默认写入 OS 文件
-- $ADR_HOME/audit/ 目录下
1.5、审计记录管理与归档
-- 初始化审计清理
BEGIN
DBMS_AUDIT_MGMT.INIT_CLEANUP(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
default_cleanup_interval => 24
);
END;
-- 设置归档时间戳
BEGIN
DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
last_archive_time => SYSTIMESTAMP - 180
);
END;
-- 执行清理
BEGIN
DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
use_last_arch_time => TRUE
);
END;
-- 查看审计记录统计
SELECT COUNT(*) AS total,
MIN(EVENT_TIMESTAMP) AS earliest,
MAX(EVENT_TIMESTAMP) AS latest
FROM UNIFIED_AUDIT_TRAIL;
-- 按操作类型统计
SELECT ACTION_NAME, COUNT(*) AS cnt
FROM UNIFIED_AUDIT_TRAIL
GROUP BY ACTION_NAME ORDER BY cnt DESC;
实例:等保审计------全量 DDL/DML 审计
**S --- Situation(场景):**某军工企业要求:所有 DDL 操作必须审计、核心表 DML 审计、所有登录行为审计,审计记录保留 180 天。
**T --- Task(任务):**设计并实施完整的统一审计方案。
A --- Action(行动):
1、创建 3 个审计策略(DDL/DML/LOGIN);
2、启用策略并验证审计记录;
3、配置自动归档保留 180 天;
4、创建审计报表视图。
**R --- Result(结果):**方案上线后覆盖所有关键操作。一次安全演练中,10 分钟内还原完整操作链路,获得测评机构高度评价。