Decode360's Blog

業(yè)精于勤而荒于嬉 QQ:150355677 MSN:decode360@hotmail.com

BlogJava :: 首頁(yè) :: 新隨筆 :: 聯(lián)系 :: :: 管理 ::

397 隨筆 :: 33 文章 :: 29 評(píng)論 :: 0 Trackbacks

DBMS_FGA包使用介紹

??? 從Oracle9i開(kāi)始，就可以使用DBMS_FGA對(duì)指定的表的SELECT語(yǔ)句進(jìn)行審計(jì)，但是在9i中只能對(duì)select語(yǔ)句進(jìn)行審計(jì)，在10g中可以實(shí)現(xiàn)對(duì)DML的審計(jì)功能。簡(jiǎn)單得看看這個(gè)包的使用方法：

??? 首先按照慣例列出Oracle自帶說(shuō)明：

******************************************************************************

CREATE OR REPLACE PACKAGE SYS.dbms_fga AS

? -- ------------------------------------------------------------------------

? -- CONSTANTS

? --

? EXTENDED??? CONSTANT PLS_INTEGER := 1 ;

? DB????????? CONSTANT PLS_INTEGER := 2 ;

? DB_EXTENDED CONSTANT PLS_INTEGER := 3 ;???????????? -- (default)

? XML???????? CONSTANT PLS_INTEGER := 4 ;

? ALL_COLUMNS CONSTANT BINARY_INTEGER := 1 ;

? ANY_COLUMNS CONSTANT BINARY_INTEGER := 0 ;????????? -- (default)

? -- add_policy -? add a fine grained auditing policy to a table or view

? --

? -- INPUT PARAMETERS

? --?? object_schema?? - schema owning the table/view, current user if NULL

? --?? object_name???? - name of table or view

? --?? policy_name???? - name of policy to be added

? --?? audit_column??? - column to be audited

? --?? audit_condition - predicates for this policy

? --?? handler_schema? - schema where the event handler procedure is

? --?? handler_module? - name of the event handler

? --?? enable????????? - policy is enabled by DEFAULT

? --?? statement_type? - statement type a policy applies to (default SELECT)

? --?? audit_trail???? - Write sqltext and sqlbind into audit trail by default (DB_EXTENDED)

? --?? audit_column_options - option of using 'Any' or 'All' on audit columns for the policy

? PROCEDURE add_policy(object_schema?? IN VARCHAR2 := NULL ,

?????????????????????? object_name???? IN VARCHAR2 ,

?????????????????????? policy_name???? IN VARCHAR2 ,

?????????????????????? audit_condition IN VARCHAR2 := NULL ,

?????????????????????? audit_column??? IN VARCHAR2 := NULL ,

?????????????????????? handler_schema? IN VARCHAR2 := NULL ,

?????????????????????? handler_module? IN VARCHAR2 := NULL ,

?????????????????????? enable????????? IN BOOLEAN ? := TRUE ,

??????????????? ???????statement_types IN VARCHAR2 := 'SELECT' ,

?????????????????????? audit_trail???? IN PLS_INTEGER ? := 3 ,

?????????????????????? audit_column_opts IN BINARY_INTEGER DEFAULT 0 );

? -- drop_policy - drop a fine grained auditing policy from a table or view

? --

? -- INPUT PARAMETERS

? --?? object_schema?? - schema owning the table/view, current user if NULL

? --?? object_name???? - name of table or view

? --?? policy_name???? - name of policy to be dropped

? PROCEDURE drop_policy(object_schema IN VARCHAR2 := NULL ,

??????????????????????? object_name?? IN VARCHAR2 ,

??????????????????????? policy_name?? IN VARCHAR2 );

? -- enable_policy - enable a security policy for a table or view

? --

? -- INPUT PARAMETERS

? --?? object_schema?? - schema owning the table/view, current user if NULL

? --?? object_name???? - name of table or view

? --?? policy_name???? - name of policy to be enabled or disabled

? PROCEDURE enable_policy(object_schema IN VARCHAR2 := NULL ,

?????? ???????????????????object_name?? IN VARCHAR2 ,

????????????????????????? policy_name?? IN VARCHAR2 ,

????????????????????????? enable??????? IN BOOLEAN := TRUE );

? -- disable_policy - disable a security policy for a table or view

? --

? -- INPUT PARAMETERS

? --?? object_schema?? - schema owning the table/view, current user if NULL

? --?? object_name???? - name of table or view

? --?? policy_name???? - name of policy to be enabled or disabled

? PROCEDURE disable_policy(object_schema IN VARCHAR2 := NULL ,

?????????????????????????? object_name?? IN VARCHAR2 ,

?????????????????????????? policy_name?? IN VARCHAR2 );

END dbms_fga;

******************************************************************************

??? 基本上每個(gè)部分的功能上面就已經(jīng)說(shuō)了，簡(jiǎn)單得介紹一下需要注意的幾個(gè)地方：

??? 1、在審計(jì)策略生效之前，必須對(duì)表進(jìn)行分析，因?yàn)橹挥性贑BO模式，DBMS_FGA才能正確的工作

??? 2、指定audit_condition可以設(shè)定監(jiān)控條件(例如select某部分記錄)

??? 3、可以指定audit_column來(lái)審計(jì)專(zhuān)門(mén)的字段

??? 4、statement_types包括“SELECT,UPDATE,INSERT.DELETE”四種，如需多種以','分開(kāi)

舉例：

begin

dbms_fga.add_policy(object_schema => 'wangxiaoqi',? --schema名(默認(rèn)當(dāng)前操作用戶(hù))

??????????????????? object_name => 't_check',?????? --被操作object對(duì)象

??????????????????? policy_name => 't_check_audit', --policy名(唯一)

??????????????????? audit_condition => NULL,

??????????????????? audit_column => 'tno,type,modifydate', --監(jiān)視的字段(默認(rèn)為全部)

??????????????????? handler_schema => NULL,

??????????????????? handler_module => NULL,

??????????????????? enable => TRUE,

??????????????????? statement_types => 'insert,update,delete', --受影響的操作?

??????????????????? audit_trail => dbms_fga.DB_EXTENDED,?????? --默認(rèn)值

??????????????????? audit_column_opts => dbms_fga.ANY_COLUMNS);--默認(rèn)值

end;

??? 當(dāng)然也可以不用 => 來(lái)指定每個(gè)參數(shù)，只需要列出前幾個(gè)就可以了，有默認(rèn)值的參數(shù)如果不需要改變默認(rèn)值，可以不給出。但是必須要按照定義的順序來(lái)指定。例如：

begin

dbms_fga.add_policy('wangxiaoqi','T1','T1_AUDIT','B>=20','B');

end;

??? 最后看一下，如何查看審計(jì)的結(jié)果：

??? select * from dba_audit_policies; --所有policy的列表
?
??? select db_user,timestamp,sql_text,sql_bind from dba_fga_audit_trail; --審計(jì)結(jié)果

??? SELECT text FROM dba_Views where view_name=upper('DBA_FGA_AUDIT_TRAIL'); --查看記錄來(lái)源

??? 注：如果指定了XML類(lèi)型的審計(jì)，則在V$XML_AUDIT_TRAIL試圖中查看信息.

最后給一個(gè)對(duì)DBMS_FGA的詳細(xì)介紹文章：

***************************************

《現(xiàn)實(shí)中的細(xì)粒度審計(jì)》第一部分

《現(xiàn)實(shí)中的細(xì)粒度審計(jì)》第二部分

《現(xiàn)實(shí)中的細(xì)粒度審計(jì)》第三部分

***************************************

posted on 2008-08-10 21:17 decode360 閱讀(1140) 評(píng)論(0) 編輯收藏所屬分類(lèi): 06.PLSQL

新用戶(hù)注冊(cè) 刷新評(píng)論列表


只有注冊(cè)用戶(hù)登錄后才能發(fā)表評(píng)論。




網(wǎng)站導(dǎo)航: 博客園 IT新聞 Chat2DB C++博客博問(wèn) 管理
相關(guān)文章: DBMS_CRYPTO包對(duì)Oracle加密使用UTL_SMTP包發(fā)送郵件 DBMS_TRACE包來(lái)追蹤PLSQL運(yùn)行 DBMS_XPLAN包以及執(zhí)行計(jì)劃 DBMS_ROWID包查詢(xún)r(jià)owid資料 DBMS_OUTPUT包學(xué)習(xí) 最小源代碼擂臺(tái)[ITPub] utl_file包介紹使用DBMS_MONITOR包單獨(dú)TRACE SQL AnyData Type 的使用

Decode360's Blog

公告

常用鏈接

留言簿(13)

隨筆分類(lèi)(397)

隨筆檔案(397)

文章分類(lèi)(33)

新聞分類(lèi)(15)

收藏夾(74)

Blog_List

IT_Web

My_Link

最新隨筆

最新評(píng)論