How to stop Oracle 12c from auditing actions executed inside a SYS-owned database trigger?

Time: 2018-06-17 20:59:33

Tags: oracle oracle12c database-trigger

I have the following problem on Oracle 12c Release 2.

I have a database trigger on the After Logon system event, created and owned by SYS. It inserts a custom audit logon record for the database connection into a table named AUDIT_LOGON (not owned by SYS). If the user connecting to the database is under standard (traditional) auditing for INSERT TABLE, a new record is created in the SYS.AUD$ table related to the insert made by the database trigger, but on behalf of the connecting user - field USERID = connecting user.

As mentioned above, the after-logon database trigger is owned (and created) by SYS. All actions executed inside it should not generate any audit trail in the standard audit trail table SYS.AUD$, because they are executed under SYS privileges, which standard (traditional) auditing is not able to audit. Up to Oracle 11g R2 everything worked properly: no records were created in SYS.AUD$ for the INSERT (table) actions executed inside the DB trigger invoked by the connecting user, while that user was under INSERT TABLE auditing.

In 12c (verified on R2) I get a record in SYS.AUD$ for every insert into the AUDIT_LOGON table, and (again) the connecting user is under INSERT TABLE auditing.

This is not the expected behaviour, because actions executed inside the body of a SYS-owned trigger should not generate anything in SYS.AUD$!

Notes:

  1. The illustration with the audited INSERT TABLE is just one case. The same happens if more system privileges are audited for the user[s] and the DB trigger executes them. In real life some connecting users are under full auditing (all audit options) and the trigger is more complex. So having dozens (if not more) records in AUD$ for actions inside the DB trigger that have a single row in the custom logon audit table is not acceptable. This is exactly the reason the DB trigger was created (and owned) by SYS - to avoid the additional trigger-internal logs in AUD$. And it worked properly this way up to 11g R2.

  2. The new (12c) field CURRENT_USER shows SYS in the use case above.

  3. How can the 11g behaviour be obtained for the above?

I am available to provide further details at any time. Best regards,

Altun

USE-CASE-CODE:

    -- = = = = = = = = = = = = = = SETUP = = = = = = = = = = = = = = 
    
    -- Create the audit repository schema user 
    create user TESTREPO identified by manager
      default tablespace USERS
      temporary tablespace TEMP
      profile DEFAULT
      password expire
      quota unlimited on USERS;
    
    
    -- Create the audit repository table
    create table TESTREPO.AUDIT_LOGON
    (
      logon_date DATE,
      username   VARCHAR2(100),
      hostname   VARCHAR2(200)
    )
    tablespace USERS
      pctfree 10
      initrans 1
      maxtrans 255
      storage
      (
        initial 64K
        next 1M
        minextents 1
        maxextents unlimited
      );
    
    
    -- Create the testing user 
    create user TESTUSER identified by manager
      default tablespace USERS
      temporary tablespace TEMP
      profile DEFAULT
      password expire;
    -- Grant/Revoke system privileges 
    grant create session to TESTUSER;
    
    
    -- Create Database After Logon Trigger as SYS (owned by SYS!)
    CREATE OR REPLACE TRIGGER "LOGON_TRIGGER"
    AFTER LOGON ON DATABASE
    BEGIN
      -- one custom audit row per logon, written under SYS privileges
      insert into TESTREPO.AUDIT_LOGON
      values (sysdate, USER, SYS_CONTEXT('userenv', 'host'));
    END;
    /
    
    -- = = = = = = = = = = = = = = SETUP = = = = = = = = = = = = = = 
    
    
    -- = = = = = = = = = = = = = = TEST PREREQUISITES = = = = = = = = = = = = = = 
    
    -- Audit the TESTUSER for System Privilege INSERT TABLE
    audit insert table by testuser by access;
    
    -- = = = = = = = = = = = = = = TEST PREREQUISITES = = = = = = = = = = = = = = 
    
    
    -- = = = = = = = = = = = = = = TEST = = = = = = = = = = = = = = 
    
    1. Logon as TESTUSER 
    
    2. Query the TESTREPO.AUDIT_LOGON table. A new record is created by TESTUSER - expected behaviour
    
    3. Query the SYS.AUD$ table.  
    Oracle 11g R2 and below:    NO standard audit record created by TESTUSER - expected behaviour 
    Oracle 12c R1 and above:    Standard audit record IS created by TESTUSER - unexpected (!) behaviour
    
    -- = = = = = = = = = = = = = = TEST = = = = = = = = = = = = = = 
    
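Added diagnostic query (not part of the original question): it isolates the traditional-audit rows that 12c writes for the INSERT performed inside the SYS-owned LOGON_TRIGGER and sets them against the custom AUDIT_LOGON rows, so a DBA can measure the surplus audit volume the question describes before changing any audit policy. It assumes the 12c DBA_AUDIT_TRAIL view exposes the CURRENT_USER column mentioned above and is run by an account with SELECT on that view and on TESTREPO.AUDIT_LOGON.

```sql
-- Audit-trail rows attributed to the connecting user but executed as SYS
-- (CURRENT_USER = 'SYS') against the custom audit table: these are the
-- trigger-internal inserts that 11g R2 did not record in AUD$.
SELECT a.sessionid,
       a.username      AS connecting_user,
       a.current_user  AS executing_user,   -- 12c column, assumed present
       a.action_name,
       COUNT(*)        AS audit_rows
  FROM dba_audit_trail a
 WHERE a.owner        = 'TESTREPO'
   AND a.obj_name     = 'AUDIT_LOGON'
   AND a.username     = 'TESTUSER'
   AND a.current_user = 'SYS'
 GROUP BY a.sessionid, a.username, a.current_user, a.action_name
 ORDER BY a.sessionid;

-- Expected custom-audit volume: exactly one AUDIT_LOGON row per TESTUSER
-- logon. Any non-zero count from the query above is extra AUD$ noise
-- generated per logon on top of this single row.
SELECT COUNT(*) AS custom_logon_rows
  FROM testrepo.audit_logon
 WHERE username = 'TESTUSER';
```

Comparing the two counts per logon gives the ratio of AUD$ rows to custom audit rows that the question calls unacceptable for fully audited users.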

0 answers:

No answers