Oracle审计篇 —— 审计数据表空间迁移及定期数据清理设置

编号

需求项

需求细节内容

准备工作

1

检查是否打开审计

show parameter audit

2

检查审计表现在所在表空间

SELECT table_name, tablespace_name FROM dba_tables

WHERE table_name IN ('AUD$', 'FGA_LOG$') ORDER BY table_name;

3

检查审计相关表数据量

select segment_name,bytes/1024/1024 size_in_megabytes from dba_segments where segment_name in ('AUD$','FGA_LOG$');

4

创建新审计表空间

create tablespace TBAUDIT datafile size 1g autoextend on next 100m maxsize 30g;

5

检查当前数据库的失效对象

select OWNER,OBJECT_NAME,OBJECT_TYPE,status,TIMESTAMP,LAST_DDL_TIME from dba_objects where  STATUS ='INVALID';

迁移审计表

6

迁移AUD$表

BEGIN

DBMS_AUDIT_MGMT.set_audit_trail_location(

audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,

audit_trail_location_value => 'TBAUDIT');

END;

/

7

迁移FGA_LOG$表

BEGIN

DBMS_AUDIT_MGMT.set_audit_trail_location(

audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,

audit_trail_location_value => 'TBAUDIT');

END;

/

8

检查迁移结果

SELECT table_name, tablespace_name FROM dba_tables WHERE table_name IN ('AUD$','FGA_LOG$') ORDER BY table_name;

初始化清理对象和间隔（168h）

9

AUD$表

BEGIN

  DBMS_AUDIT_MGMT.init_cleanup(

    audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,

    default_cleanup_interval => 168 );

END;

/

10

FGA_LOG$表

BEGIN

  DBMS_AUDIT_MGMT.init_cleanup(

    audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,

    default_cleanup_interval => 168 );

END;

/

验证审计日志清除是否已开启

11

验证审计日志清除是否已开启

SET SERVEROUTPUT ON

BEGIN

  IF DBMS_AUDIT_MGMT.is_cleanup_initialized(DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD) THEN

    DBMS_OUTPUT.put_line('YES');

  ELSE

    DBMS_OUTPUT.put_line('NO');

  END IF;

END;

/

设置审计信息保留时间（90天）

12

AUD$表

BEGIN

DBMS_AUDIT_MGMT.set_last_archive_timestamp(

audit_trail_type  => dbms_audit_mgmt.audit_trail_aud_std,

last_archive_time => SYSTIMESTAMP-90);

END;

/

13

FGA_LOG$表

BEGIN

DBMS_AUDIT_MGMT.set_last_archive_timestamp(

audit_trail_type  => dbms_audit_mgmt.audit_trail_fga_std,

last_archive_time => SYSTIMESTAMP-90);

END;

/

查看审计数据最后归档时间

14

查看审计数据最后归档时间

SELECT * FROM dba_audit_mgmt_last_arch_ts;

schedule及job设置

15

创建清理的schedule

BEGIN

DBMS_AUDIT_MGMT.create_purge_job(

audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,

audit_trail_purge_interval => 168 /* hours */,

audit_trail_purge_name     => 'PURGE_STD_AUDIT_TRAILS',

use_last_arch_timestamp    => TRUE);

END;

/

16

修改清理job运行时间

BEGIN

SYS.DBMS_SCHEDULER.SET_ATTRIBUTE

    ( name      => 'AUDSYS.PURGE_STD_AUDIT_TRAILS'

     ,attribute => 'START_DATE'

     ,value     => TO_TIMESTAMP_TZ('2019/11/28 02:05:00.000000 +08:00','yyyy/mm/dd hh24:mi:ss.ff tzr')

     );

SYS.DBMS_SCHEDULER.SET_ATTRIBUTE

    ( name      => 'AUDSYS.PURGE_STD_AUDIT_TRAILS'

     ,attribute => 'REPEAT_INTERVAL'

     ,value     => 'FREQ=WEEKLY; BYDAY=SAT'

     );

END;

/

17

创建schedule每天设置保留时间为90天前

BEGIN

  SYS.DBMS_SCHEDULER.CREATE_JOB

    (

       job_name        => 'SYS.MOVE_LAST_TIMESTAMP_FORWARD'

      ,start_date      => TO_TIMESTAMP_TZ('2018/12/19 01:05:00.000000 +08:00','yyyy/mm/dd hh24:mi:ss.ff tzr')

      ,repeat_interval => 'FREQ=WEEKLY; BYDAY=SAT'

      ,end_date        => NULL

      ,job_class       => 'DEFAULT_JOB_CLASS'

      ,job_type        => 'PLSQL_BLOCK'

      ,job_action      => 'BEGIN

  DBMS_AUDIT_MGMT.set_last_archive_timestamp(

   audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,

   last_archive_time => SYSTIMESTAMP-90);

  DBMS_AUDIT_MGMT.set_last_archive_timestamp(

   audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,

   last_archive_time => SYSTIMESTAMP-90);

END;'

      ,comments        => NULL

    );

  SYS.DBMS_SCHEDULER.SET_ATTRIBUTE

    ( name      => 'SYS.MOVE_LAST_TIMESTAMP_FORWARD'

     ,attribute => 'RESTARTABLE'

     ,value     => FALSE);

  SYS.DBMS_SCHEDULER.SET_ATTRIBUTE

    ( name      => 'SYS.MOVE_LAST_TIMESTAMP_FORWARD'

     ,attribute => 'LOGGING_LEVEL'

     ,value     => SYS.DBMS_SCHEDULER.LOGGING_OFF);

  SYS.DBMS_SCHEDULER.SET_ATTRIBUTE_NULL

    ( name      => 'SYS.MOVE_LAST_TIMESTAMP_FORWARD'

     ,attribute => 'MAX_FAILURES');

  SYS.DBMS_SCHEDULER.SET_ATTRIBUTE_NULL

    ( name      => 'SYS.MOVE_LAST_TIMESTAMP_FORWARD'

     ,attribute => 'MAX_RUNS');

  BEGIN

    SYS.DBMS_SCHEDULER.SET_ATTRIBUTE

      ( name      => 'SYS.MOVE_LAST_TIMESTAMP_FORWARD'

       ,attribute => 'STOP_ON_WINDOW_CLOSE'

       ,value     => FALSE);

  EXCEPTION

    -- could fail if program is of type EXECUTABLE...

    WHEN OTHERS THEN

      NULL;

  END;

  SYS.DBMS_SCHEDULER.SET_ATTRIBUTE

    ( name      => 'SYS.MOVE_LAST_TIMESTAMP_FORWARD'

     ,attribute => 'JOB_PRIORITY'

     ,value     => 3);

  SYS.DBMS_SCHEDULER.SET_ATTRIBUTE_NULL

    ( name      => 'SYS.MOVE_LAST_TIMESTAMP_FORWARD'

     ,attribute => 'SCHEDULE_LIMIT');

  SYS.DBMS_SCHEDULER.SET_ATTRIBUTE

    ( name      => 'SYS.MOVE_LAST_TIMESTAMP_FORWARD'

     ,attribute => 'AUTO_DROP'

     ,value     => TRUE);

  SYS.DBMS_SCHEDULER.ENABLE

    (name                  => 'SYS.MOVE_LAST_TIMESTAMP_FORWARD');

END;

/

18

检查2个schedule是否设置

SELECT owner,job_name,run_count,next_run_date FROM DBA_SCHEDULER_JOBS WHERE job_name IN ('PURGE_STD_AUDIT_TRAILS','MOVE_LAST_TIMESTAMP_FORWARD');

检查是否有新增的审计相关失效对象

19

如果跟AUDIT相关的，需重编译一下

COLUMN OBJECT_NAME FORMAT A30

COLUMN OBJECT_TYPE FORMAT A20

COLUMN status FORMAT A20

COLUMN TIMESTAMP FORMAT A26

COLUMN LAST_DDL_TIME FORMAT A26

select OWNER,OBJECT_NAME,OBJECT_TYPE,status,TIMESTAMP,LAST_DDL_TIME from dba_objects where  STATUS ='INVALID';

1

反向初始化方法

exec sys.DBMS_AUDIT_MGMT.deinit_cleanup(audit_trail_type=> DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD);

2

exec sys.DBMS_AUDIT_MGMT.deinit_cleanup(audit_trail_type=> DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD);

3

删除清理schedule

exec sys.DBMS_AUDIT_MGMT.drop_purge_job('PURGE_STD_AUDIT_TRAILS');