Oracle 12C -- Unified Auditing Policy

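1. An audit policy is a named group of audit options used to audit database users.

2. Creating an audit policy requires the AUDIT_ADMIN role (create audit policy ...).

3. Audit policies can be created at the CDB level or the PDB level.

4. An audit policy takes effect only after it has been enabled. Standard (non-policy) auditing is not affected by enabling or disabling policies.

5. When creating an audit policy you must specify system-level or object-level audit options.

  - System level:

    The privilege audit option audits all events that use the specified system privilege; the action audit option audits the database operations that need to be audited, such as ALTER TRIGGER; the role audit option audits the privileges granted directly to a role such as mgr_role.

    Privilege, action, and role options can be combined in the same policy. The available system-level audit options are listed in the sys.auditable_system_actions table.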

SQL> create audit policy audit_mixed_po01 privileges drop any table roles emp_role; 
SQL> select * from sys.auditable_system_actions;

      TYPE COMPONENT                          ACTION NAME
---------- ------------------------------ ---------- ----------------------------------------------------------------
         4 Standard                                1 CREATE TABLE
         4 Standard                                2 INSERT
         4 Standard                                3 SELECT
         4 Standard                                4 CREATE CLUSTER
         4 Standard                                5 ALTER CLUSTER
         4 Standard                                6 UPDATE
         4 Standard                                7 DELETE
         4 Standard                                8 DROP CLUSTER
         4 Standard                                9 CREATE INDEX
         4 Standard                               10 DROP INDEX
         4 Standard                               11 ALTER INDEX
         4 Standard                               12 DROP TABLE
         4 Standard                               13 CREATE SEQUENCE
         4 Standard                               14 ALTER SEQUENCE
         4 Standard                               15 ALTER TABLE
         4 Standard                               16 DROP SEQUENCE
         4 Standard                               19 CREATE SYNONYM
         4 Standard                               20 DROP SYNONYM
         4 Standard                               21 CREATE VIEW
         4 Standard                               22 DROP VIEW
         4 Standard                               23 VALIDATE INDEX
         4 Standard                               24 CREATE PROCEDURE
         4 Standard                               25 ALTER PROCEDURE
         4 Standard                               26 LOCK TABLE
         4 Standard                               28 RENAME
         4 Standard                               29 COMMENT
         4 Standard                               32 CREATE DATABASE LINK
         4 Standard                               33 DROP DATABASE LINK
         4 Standard                               35 ALTER DATABASE
         4 Standard                               36 CREATE ROLLBACK SEGMENT
         4 Standard                               37 ALTER ROLLBACK SEGMENT
         4 Standard                               38 DROP ROLLBACK SEGMENT
         4 Standard                               39 CREATE TABLESPACE
         4 Standard                               40 ALTER TABLESPACE
         4 Standard                               41 DROP TABLESPACE
         4 Standard                               42 ALTER SESSION
         4 Standard                               43 ALTER USER
         4 Standard                               44 COMMIT
         4 Standard                               45 ROLLBACK
         4 Standard                               46 SAVEPOINT
         4 Standard                               48 SET TRANSACTION
         4 Standard                               49 ALTER SYSTEM
         4 Standard                               50 EXPLAIN
         4 Standard                               51 CREATE USER
         4 Standard                               52 CREATE ROLE
         4 Standard                               53 DROP USER
         4 Standard                               54 DROP ROLE
         4 Standard                               55 SET ROLE
         4 Standard                               56 CREATE SCHEMA
         4 Standard                               58 ALTER TRACING
         4 Standard                               59 CREATE TRIGGER
         4 Standard                               60 ALTER TRIGGER
         4 Standard                               61 DROP TRIGGER
         4 Standard                               62 ANALYZE TABLE
         4 Standard                               63 ANALYZE INDEX
         4 Standard                               64 ANALYZE CLUSTER
         4 Standard                               65 CREATE PROFILE
         4 Standard                               66 DROP PROFILE
         4 Standard                               67 ALTER PROFILE
         4 Standard                               68 DROP PROCEDURE
         4 Standard                               70 ALTER RESOURCE COST
         4 Standard                               71 CREATE MATERIALIZED VIEW LOG
         4 Standard                               72 ALTER MATERIALIZED VIEW LOG
         4 Standard                               73 DROP MATERIALIZED VIEW  LOG
         4 Standard                               74 CREATE MATERIALIZED VIEW
         4 Standard                               75 ALTER MATERIALIZED VIEW
         4 Standard                               76 DROP MATERIALIZED VIEW
         4 Standard                               77 CREATE TYPE
         4 Standard                               78 DROP TYPE
         4 Standard                               79 ALTER ROLE
         4 Standard                               80 ALTER TYPE
         4 Standard                               81 CREATE TYPE BODY
         4 Standard                               82 ALTER TYPE BODY
         4 Standard                               83 DROP TYPE BODY
         4 Standard                               84 DROP LIBRARY
         4 Standard                               85 TRUNCATE TABLE
         4 Standard                               86 TRUNCATE CLUSTER
         4 Standard                               88 ALTER VIEW
         4 Standard                               90 SET CONSTRAINTS
         4 Standard                               91 CREATE FUNCTION
         4 Standard                               92 ALTER FUNCTION
         4 Standard                               93 DROP FUNCTION
         4 Standard                               94 CREATE PACKAGE
         4 Standard                               95 ALTER PACKAGE
         4 Standard                               96 DROP PACKAGE
         4 Standard                               97 CREATE PACKAGE BODY
         4 Standard                               98 ALTER PACKAGE BODY
         4 Standard                               99 DROP PACKAGE BODY
         4 Standard                              157 CREATE DIRECTORY
         4 Standard                              158 DROP DIRECTORY
         4 Standard                              159 CREATE LIBRARY
         4 Standard                              160 CREATE JAVA
         4 Standard                              161 ALTER JAVA
         4 Standard                              162 DROP JAVA
         4 Standard                              163 CREATE OPERATOR
         4 Standard                              164 CREATE INDEXTYPE
         4 Standard                              165 DROP INDEXTYPE
         4 Standard                              166 ALTER INDEXTYPE
         4 Standard                              167 DROP OPERATOR
         4 Standard                              168 ASSOCIATE STATISTICS
         4 Standard                              169 DISASSOCIATE STATISTICS
         4 Standard                              170 CALL METHOD
         4 Standard                              171 CREATE SUMMARY
         4 Standard                              172 ALTER SUMMARY
         4 Standard                              173 DROP SUMMARY
         4 Standard                              174 CREATE DIMENSION
         4 Standard                              175 ALTER DIMENSION
         4 Standard                              176 DROP DIMENSION
         4 Standard                              177 CREATE CONTEXT
         4 Standard                              178 DROP CONTEXT
         4 Standard                              179 ALTER OUTLINE
         4 Standard                              180 CREATE OUTLINE
         4 Standard                              181 DROP OUTLINE
         4 Standard                              182 UPDATE INDEXES
         4 Standard                              183 ALTER OPERATOR
         4 Standard                              184 Do not use 184
         4 Standard                              185 Do not use 185
         4 Standard                              186 Do not use 186
         4 Standard                              187 CREATE SPFILE
         4 Standard                              188 CREATE PFILE
         4 Standard                              190 CHANGE PASSWORD
         4 Standard                              191 UPDATE JOIN INDEX
         4 Standard                              192 ALTER SYNONYM
         4 Standard                              193 ALTER DISK GROUP
         4 Standard                              194 CREATE DISK GROUP
         4 Standard                              195 DROP DISK GROUP
         4 Standard                              196 ALTER LIBRARY
         4 Standard                              197 PURGE USER RECYCLEBIN
         4 Standard                              198 PURGE DBA RECYCLEBIN
         4 Standard                              199 PURGE TABLESPACE
         4 Standard                              200 PURGE TABLE
         4 Standard                              201 PURGE INDEX
         4 Standard                              202 UNDROP OBJECT
         4 Standard                              205 FLASHBACK TABLE
         4 Standard                              206 CREATE RESTORE POINT
         4 Standard                              207 DROP RESTORE POINT
         4 Standard                              212 CREATE EDITION
         4 Standard                              214 DROP EDITION
         4 Standard                              215 DROP ASSEMBLY
         4 Standard                              216 CREATE ASSEMBLY
         4 Standard                              217 ALTER ASSEMBLY
         4 Standard                              218 CREATE FLASHBACK ARCHIVE
         4 Standard                              219 ALTER FLASHBACK ARCHIVE
         4 Standard                              220 DROP FLASHBACK ARCHIVE
         4 Standard                              222 CREATE SCHEMA SYNONYM
         4 Standard                              224 DROP SCHEMA SYNONYM
         4 Standard                              225 ALTER DATABASE LINK
         4 Standard                              226 CREATE PLUGGABLE DATABASE
         4 Standard                              227 ALTER PLUGGABLE DATABASE
         4 Standard                              228 DROP PLUGGABLE DATABASE
         4 Standard                              229 CREATE AUDIT POLICY
         4 Standard                              230 ALTER AUDIT POLICY
         4 Standard                              231 DROP AUDIT POLICY
         4 Standard                              238 ADMINISTER KEY MANAGEMENT
         4 Standard                              239 CREATE MATERIALIZED ZONEMAP
         4 Standard                              240 ALTER MATERIALIZED ZONEMAP
         4 Standard                              241 DROP MATERIALIZED ZONEMAP
         4 Standard                               17 GRANT
         4 Standard                               18 REVOKE
         4 Standard                               30 AUDIT
         4 Standard                               31 NOAUDIT
         4 Standard                              100 LOGON
         4 Standard                              101 LOGOFF
         4 Standard                               47 EXECUTE
         4 Standard                              189 MERGE
         4 Standard                              242 ALL
         8 Label Security                          1 APPLY POLICY
         8 Label Security                          2 REMOVE POLICY
         8 Label Security                          3 SET AUTHORIZATION
         8 Label Security                          4 PRIVILEGED ACTION
         8 Label Security                          5 ENABLE POLICY
         8 Label Security                          6 DISABLE POLICY
         8 Label Security                          7 SUBSCRIBE OID
         8 Label Security                          8 UNSUBSCRIBE OID
         8 Label Security                          9 CREATE DATA LABEL
         8 Label Security                         10 ALTER DATA LABEL
         8 Label Security                         11 DROP DATA LABEL
         8 Label Security                         12 CREATE POLICY
         8 Label Security                         13 ALTER POLICY
         8 Label Security                         14 DROP POLICY
         8 Label Security                         15 CREATE LABEL COMPONENTS
         8 Label Security                         16 ALTER LABEL COMPONENTS
         8 Label Security                         17 DROP LABEL COMPONENTS
         8 Label Security                         18 ALL
         6 XS                                      1 CREATE USER
         6 XS                                      2 UPDATE USER
         6 XS                                      3 DELETE USER
         6 XS                                      4 CREATE ROLE
         6 XS                                      5 UPDATE ROLE
         6 XS                                      6 DELETE ROLE
         6 XS                                      7 GRANT ROLE
         6 XS                                      8 REVOKE ROLE
         6 XS                                      9 ADD PROXY
         6 XS                                     10 REMOVE PROXY
         6 XS                                     11 SET USER PASSWORD
         6 XS                                     12 SET USER VERIFIER
         6 XS                                     13 CREATE ROLESET
         6 XS                                     14 UPDATE ROLESET
         6 XS                                     15 DELETE ROLESET
         6 XS                                     16 CREATE SECURITY CLASS
         6 XS                                     17 UPDATE SECURITY CLASS
         6 XS                                     18 DELETE SECURITY CLASS
         6 XS                                     19 CREATE NAMESPACE TEMPLATE
         6 XS                                     20 UPDATE NAMESPACE TEMPLATE
         6 XS                                     21 DELETE NAMESPACE TEMPLATE
         6 XS                                     22 CREATE ACL
         6 XS                                     23 UPDATE ACL
         6 XS                                     24 DELETE ACL
         6 XS                                     25 CREATE DATA SECURITY
         6 XS                                     26 UPDATE DATA SECURITY
         6 XS                                     27 DELETE DATA SECURITY
         6 XS                                     28 ENABLE DATA SECURITY
         6 XS                                     29 DISABLE DATA SECURITY
         6 XS                                     30 ADD GLOBAL CALLBACK
         6 XS                                     31 DELETE GLOBAL CALLBACK
         6 XS                                     32 ENABLE GLOBAL CALLBACK
         6 XS                                     33 ENABLE ROLE
         6 XS                                     34 DISABLE ROLE
         6 XS                                     35 SET COOKIE
         6 XS                                     36 SET INACTIVE TIMEOUT
         6 XS                                     37 CREATE SESSION
         6 XS                                     38 DESTROY SESSION
         6 XS                                     39 SWITCH USER
         6 XS                                     40 ASSIGN USER
         6 XS                                     41 CREATE SESSION NAMESPACE
         6 XS                                     42 DELETE SESSION NAMESPACE
         6 XS                                     43 CREATE NAMESPACE ATTRIBUTE
         6 XS                                     44 GET NAMESPACE ATTRIBUTE
         6 XS                                     45 SET NAMESPACE ATTRIBUTE
         6 XS                                     46 DELETE NAMESPACE ATTRIBUTE
         6 XS                                     47 SET USER PROFILE
         6 XS                                     48 ALL
        10 Datapump                                1 EXPORT
        10 Datapump                                2 IMPORT
        10 Datapump                                3 ALL
         7 Database Vault                          1 REALM VIOLATION
         7 Database Vault                          2 REALM SUCCESS
         7 Database Vault                          3 REALM ACCESS
         7 Database Vault                          4 RULE SET FAILURE
         7 Database Vault                          5 RULE SET SUCCESS
         7 Database Vault                          6 RULE SET EVAL
         7 Database Vault                          7 FACTOR ERROR
         7 Database Vault                          8 FACTOR NULL
         7 Database Vault                          9 FACTOR VALIDATE ERROR
         7 Database Vault                         10 FACTOR VALIDATE FALSE
         7 Database Vault                         11 FACTOR TRUST LEVEL NULL
         7 Database Vault                         12 FACTOR TRUST LEVEL NEG
         7 Database Vault                         13 FACTOR ALL
        11 Direct path API                         1 LOAD
        11 Direct path API                         2 ALL

  - Object level: these options are dynamic. Changes take effect for both current users and subsequent users.

SQL> create audit policy audit_objpriv_po02 actions execute,grant on hr.raise_salary_proc;  

   - Condition and evaluation:

SQL> create audit policy audit_mixed_po03 actions rename on hr.employees, alter on hr.jobs when 'SYS_CONTEXT(''USERENV'',''SESSION_USER'')=''JIM''' evaluate per session;

6. Enabling audit policies

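SQL> -- Applies to all users
SQL> audit policy audit_syspriv_po01;
SQL> -- Applies only to users scott and hr
SQL> audit policy audit_po02 by scott,hr;
SQL> -- Applies only to user sys
SQL> audit policy audit_po03 by sys;
SQL> -- Applies to all users except jim and scott
SQL> audit policy audit_po04 except jim,scott;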
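
The steps above, run end to end as a SQL*Plus script with a verification query after each one. This is an added example, not part of the original article; it assumes the AUDIT_ADMIN role and the HR sample schema, and the policy name demo_hr_ddl_pol is hypothetical.

```sql
-- Added example (not from the original article). Assumes the AUDIT_ADMIN role,
-- the HR sample schema, and a hypothetical policy name demo_hr_ddl_pol.

-- 0. TRUE = pure unified auditing; FALSE = mixed mode (policies still work).
SELECT value FROM v$option WHERE parameter = 'Unified Auditing';

-- 1. Create. No comma before WHEN; the condition is a single quoted string,
--    so inner quotes are doubled. USERENV is the SYS_CONTEXT namespace.
CREATE AUDIT POLICY demo_hr_ddl_pol
  ACTIONS RENAME ON hr.employees,
          ALTER  ON hr.jobs
  WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''JIM'''
  EVALUATE PER SESSION;

-- 2. The policy is now defined, but it records nothing until it is enabled.
SELECT policy_name, audit_option, object_schema, object_name,
       audit_condition, condition_eval_opt
FROM   audit_unified_policies
WHERE  policy_name = 'DEMO_HR_DDL_POL';

-- 3. Enable for all users. Enabling with BY <users> instead would have to
--    include JIM, otherwise the WHEN condition never matches an audited user.
AUDIT POLICY demo_hr_ddl_pol;

-- 4. Check what is enabled, for whom, and for success/failure outcomes.
SELECT user_name, policy_name, enabled_opt, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'DEMO_HR_DDL_POL';

-- 5. After JIM alters hr.jobs or renames hr.employees: in queued-write mode
--    records may still be in memory, so flush before reading the trail.
EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;

SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, return_code, unified_audit_policies
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%DEMO_HR_DDL_POL%'
ORDER  BY event_timestamp DESC;

-- 6. Clean up. An enabled policy cannot be dropped, so disable it first.
NOAUDIT POLICY demo_hr_ddl_pol;
DROP AUDIT POLICY demo_hr_ddl_pol;
```

A return_code of 0 in the trail marks a successful statement; non-zero values are the ORA- error number of a failed attempt, which is often the more interesting record to review.
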
Original article: https://www.cnblogs.com/abclife/p/5026159.html