[20190530] Oracle audit file management.txt
--//Yesterday I attended a lecture on some Oracle security topics. The speaker mentioned audit file management and suggested routing it into the OS audit (syslog), so that only root can read the audit information.
--//This certainly improves security, and the speaker also noted that the original directory then contains no records at all. I tested it myself.
--//On our production system this directory grows explosively; some monitoring software I don't even know about seems to log in as sys every 15 seconds.
--//Reference link: https://www.cnblogs.com/lfree/p/10475829.html
--//Testing in my own test environment.
1. Environment:
SYS@book> @ ver1
PORT_STRING VERSION BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx 11.2.0.4.0 Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
SYS@book> alter system set AUDIT_SYS_OPERATIONS=TRUE scope=spfile sid='*';
System altered.
SYS@book> alter system set AUDIT_SYSLOG_LEVEL='local0.info' scope=spfile sid='*';
System altered.
--//Modify /etc/syslog.conf and add the following. Note that if you use rsyslog, modify /etc/rsyslog.conf instead.
# vi /etc/syslog.conf
local0.info /var/log/oracleaudit.log
--//Restart the syslog service.
# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
SYS@book> shutdown immediate ;
Database closed.
Database dismounted.
ORACLE instance shut down.
SYS@book> startup
ORACLE instance started.
Total System Global Area 643084288 bytes
Fixed Size 2255872 bytes
Variable Size 205521920 bytes
Database Buffers 427819008 bytes
Redo Buffers 7487488 bytes
Database mounted.
Database opened.
2. Verification:
SYS@book> show parameter audit_file_dest
NAME TYPE VALUE
--------------- ------ --------------------------------
audit_file_dest string /u01/app/oracle/admin/book/adump
$ rm -f /u01/app/oracle/admin/book/adump/*.aud
$ ls -l /u01/app/oracle/admin/book/adump
total 0
--//Log in as the sys user and check again:
$ ls -l /u01/app/oracle/admin/book/adump
total 0
--//As you can see, after this change no files are created at all in the /u01/app/oracle/admin/book/adump directory.
$ ls -l /var/log/oracleaudit.log
-rw------- 1 root root 6894 2019-05-30 10:40:11 /var/log/oracleaudit.log
--//The created /var/log/oracleaudit.log can only be read by the root user.
SYS@book> show sga
Total System Global Area 643084288 bytes
Fixed Size 2255872 bytes
Variable Size 205521920 bytes
Database Buffers 427819008 bytes
Redo Buffers 7487488 bytes
--//View the /var/log/oracleaudit.log file:
May 30 10:42:38 xxx Oracle Audit[38014]: LENGTH : '435' ACTION :[281] 'SELECT DECODE(null,'','Total System Global Area','') NAME_COL_PLUS_SHOW_SGA, SUM(VALUE), DECODE (null,'', 'bytes','') units_col_plus_show_sga FROM V$SGA UNION ALL SELECT NAME NAME_COL_PLUS_SHOW_SGA , VALUE, DECODE (null,'', 'bytes','') units_col_plus_show_sga FROM V$SGA' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/7' STATUS:[1] '0' DBID:[10] '1337401710'
--//The executed SQL statements are recorded as well. I just remembered that I did a similar test before.
--//Reference link: http://blog.itpub.net/267265/viewspace-740683/ => [20120810] Auditing the database with syslog on Linux.txt
# tail -1 /var/log/oracleaudit.log | sed -e "s/' /'\n/g"
May 30 10:42:38 xxxx Oracle Audit[38014]: LENGTH : '435'
ACTION :[281] 'SELECT DECODE(null,'','Total System Global Area','') NAME_COL_PLUS_SHOW_SGA, SUM(VALUE), DECODE (null,'', 'bytes','') units_col_plus_show_sga FROM V$SGA UNION ALL SELECT NAME NAME_COL_PLUS_SHOW_SGA , VALUE, DECODE (null,'', 'bytes','') units_col_plus_show_sga FROM V$SGA'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/7'
STATUS:[1] '0'
DBID:[10] '1337401710'
--//The statement, formatted:
SELECT DECODE(null,'','Total System Global Area','') NAME_COL_PLUS_SHOW_SGA,
       SUM(VALUE),
       DECODE (null,'', 'bytes','') units_col_plus_show_sga
FROM V$SGA
UNION ALL
SELECT NAME NAME_COL_PLUS_SHOW_SGA, VALUE, DECODE (null,'', 'bytes','') units_col_plus_show_sga
FROM V$SGA
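As an added example (not from the original post), this Python parser reads the syslog audit records shown above by their `[n]` length prefixes instead of splitting on `' ` as the sed one-liner does, and tallies SYSDBA actions per client OS user and terminal, which is the view you need when something logs in as sys every 15 seconds. The host name, the sample SQL and treating LENGTH as the size of the field text are assumptions.

```python
import re
from collections import Counter
# syslog prefix plus Oracle's own LENGTH field, as in the record shown above.
PREFIX = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"Oracle Audit\[(?P<pid>\d+)\]: LENGTH : '(?P<length>\d+)' ")
# Each field is NAME[ ]:[n] 'value'; n is the exact length of value, so quotes
# or "' " sequences inside the SQL text cannot confuse the parser.
FIELD_HEAD = re.compile(r" ?([A-Z][A-Z ]*?) ?:\[(\d+)\] '")

def parse_audit_record(line):
    """Return the record's fields as a dict keyed by the names Oracle writes."""
    line = line.rstrip("\n")
    m = PREFIX.match(line)
    if not m:
        raise ValueError("not an Oracle syslog audit record")
    rec = {"timestamp": m["ts"], "host": m["host"], "pid": int(m["pid"])}
    pos = m.end()
    while pos < len(line):
        h = FIELD_HEAD.match(line, pos)
        if not h:
            raise ValueError(f"malformed field header at offset {pos}")
        name, n = h.group(1), int(h.group(2))
        value = line[h.end():h.end() + n]          # take exactly n characters
        if len(value) != n or line[h.end() + n:h.end() + n + 1] != "'":
            raise ValueError(f"length prefix does not match field {name!r}")
        rec[name] = value
        pos = h.end() + n + 1                      # skip the closing quote
    return rec

def build_record(fields, ts="May 30 10:42:38", host="dbhost", pid=38014):
    """Constructed sample in the same layout (LENGTH = size of field text: an assumption)."""
    body = " ".join(f"{k}:[{len(v)}] '{v}'" for k, v in fields)
    return f"{ts} {host} Oracle Audit[{pid}]: LENGTH : '{len(body)}' {body}"

def sysdba_actions_by_client(lines):
    """Count SYSDBA-privileged records per (client OS user, terminal)."""
    counts = Counter()
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("PRIVILEGE") == "SYSDBA":
            counts[(rec["CLIENT USER"], rec["CLIENT TERMINAL"])] += 1
    return counts

# Constructed sample (host and SQL are made up); the SQL contains a "' "
# sequence that a naive split on "' " would cut in the wrong place.
SAMPLE = build_record([("ACTION", "SELECT 'a' , 'b' FROM DUAL"), ("DATABASE USER", "/"),
                       ("PRIVILEGE", "SYSDBA"), ("CLIENT USER", "oracle"),
                       ("CLIENT TERMINAL", "pts/7"), ("STATUS", "0"), ("DBID", "1337401710")])
```

Feeding the real /var/log/oracleaudit.log to `sysdba_actions_by_client` line by line gives the per-client counts that show which host user and terminal the frequent sys logins come from.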
3. Configure logrotate to manage the syslog log file
--//This turns the many generated files into a single file. On our production system I expect it will still grow quickly, so it must be cleaned up on a schedule to control its size. Add the following:
# cat /etc/logrotate.d/oracle
/var/log/oracleaudit.log {
weekly
rotate 4
compress
copytruncate
delaycompress
notifempty
}
--//My personal suggestion is to change it as follows:
/var/log/oracleaudit.log {
size=40M
rotate 4
copytruncate
delaycompress
notifempty
}
--//Adjust the size according to the workload; I recommend retaining at least one year of data.
--//I find it strange that during the Classified Protection (等保) assessment the assessor did not make such a good suggestion; the changes they supplied were all template edits copied from documents, many of which do not meet real operational needs...
--//It seems this should become a key step when installing and configuring Oracle databases from now on, just like configuring hugepages. The same goes for auditing the ASM instance.