1. An audit policy is a named group of audit options used to audit database users.
2. Creating an audit policy requires the audit_admin role (create audit policy ...).
3. Audit policies can be created at the CDB level or at the PDB level.
4. An audit policy only takes effect after it has been enabled. Standard (non-policy) auditing is not affected by enable/disable.
5. When creating an audit policy you must specify system-level or object-level audit options:
- System level:
The privilege audit option audits all events that use the listed system privileges; the action audit option audits the database operations that need to be audited, for example alter trigger; the role audit option audits the privileges directly granted to mgr_role.
The privilege, action and role options can be combined in the same policy. The system-level audit options can be looked up in the sys.auditable_system_actions table.
SQL> create audit policy audit_mixed_po01 privileges drop any table roles emp_role;
SQL> select * from sys.auditable_system_actions;
(output: one row per auditable action with the columns TYPE, COMPONENT, ACTION and NAME, grouped by component: Standard, Label Security, XS, Datapump, Database Vault and Direct path API; the full listing is omitted here)
- Object level: object-level options are dynamic; a change takes effect for current users as well as future ones.
SQL> create audit policy audit_objpriv_po02 actions execute,grant on hr.raise_salary_proc;
- Condition and evaluation:
SQL> create audit policy audit_mixed_po03 actions rename on hr.employees, alter on hr.jobs when 'SYS_CONTEXT(''USERENV'',''SESSION_USER'')=''JIM''' evaluate per session;
6. Enabling an audit policy
SQL> audit policy audit_syspriv_po01;              -- applies to all users
SQL> audit policy audit_po02 by scott,hr;          -- applies only to users scott and hr
SQL> audit policy audit_po03 by sys;               -- applies only to user sys
SQL> audit policy audit_po04 except jim,scott;     -- applies to everyone except jim and scott
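The whole procedure from steps 1 to 6 carried through as one script, followed by the checks a DBA would run to confirm the policy is defined, enabled and actually producing audit records. This is an added example, not part of the original note; the policy, role, object and user names (audit_hr_sensitive, emp_role, hr.employees, hr.raise_salary_proc, jim, scott) are assumptions, and the session is assumed to hold the audit_admin role.

```sql
-- Assumptions: connected as a user with the AUDIT_ADMIN role; schema HR,
-- role EMP_ROLE and users JIM/SCOTT exist. All names are example values.

-- Step 5: one policy mixing system-level options (privilege + role) with
-- object-level actions, guarded by a condition evaluated once per session.
CREATE AUDIT POLICY audit_hr_sensitive
  PRIVILEGES DROP ANY TABLE
  ROLES      emp_role
  ACTIONS    RENAME  ON hr.employees,
             EXECUTE ON hr.raise_salary_proc
  WHEN 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR'''
  EVALUATE PER SESSION;

-- Step 6: nothing is recorded until the policy is enabled; scope it to
-- the two users of interest instead of every session.
AUDIT POLICY audit_hr_sensitive BY jim, scott;

-- Check 1: what the policy contains (options, objects, condition).
SELECT policy_name, audit_option, audit_option_type,
       object_schema, object_name, audit_condition, condition_eval_opt
  FROM audit_unified_policies
 WHERE policy_name = 'AUDIT_HR_SENSITIVE';

-- Check 2: the policy is enabled and for whom (column names for the
-- user/option fields differ between 12.1 and 12.2+, hence SELECT *).
SELECT *
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'AUDIT_HR_SENSITIVE';

-- Check 3: events captured by this policy. In queued-write mode (12.1)
-- flush first so recent records are visible:
-- EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, return_code, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%AUDIT_HR_SENSITIVE%'
 ORDER BY event_timestamp DESC;

-- To stop collecting without losing the definition, disable rather than drop:
NOAUDIT POLICY audit_hr_sensitive BY jim, scott;
```

A non-zero return_code in check 3 marks a failed attempt, which is usually the row worth alerting on.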