I am running into the following problem in Oracle 12c Release 2.
I have a database trigger on the After Logon system event, created and owned by SYS. It inserts a custom audit logon record for the database connection into a table named AUDIT_LOGON (not owned by SYS). If the user connecting to the database is under standard (traditional) auditing of INSERT TABLE, a new record is created in the SYS.AUD$ table that relates to the insert done by the database trigger, but under the connecting user - field USERID = connecting user.
As stated above, the after-logon database trigger is owned (and created) by SYS. Everything executed inside it should not generate any audit trail in the standard audit trail table SYS.AUD$, because it is executed under SYS privileges and therefore standard (traditional) auditing does not apply. Up to Oracle 11g R2 everything worked fine: no record was created in SYS.AUD$ for the INSERT (TABLE) operation executed inside the DB trigger invoked by the connecting user, while that user was audited for INSERT TABLE.
In 12c (verified with R2) I get a record in SYS.AUD$ for every insert into the AUDIT_LOGON table, and (again) the connecting user is under INSERT TABLE auditing.
This is not the expected behaviour, since operations executed inside the body of a SYS-owned trigger should not generate anything in SYS.AUD$!
Note:
The illustration with the audited INSERT TABLE is just one case. The same happens if more system privileges are audited for the user[s] and the DB trigger executes them. In real life, some connecting users are under full auditing (all audit options) and the trigger is more complex. So having dozens (if not more) records in AUD$ for operations inside the DB trigger that produce a single row in the custom logon audit table is not acceptable. This is exactly why the DB trigger is created (and owned) by SYS - to avoid the additional trigger-internal logging in AUD$. And it worked correctly this way until 11g R2.
The new (12c) field CURRENT_USER shows SYS in the use case above.
How can I get the 11g behaviour in the scenario above?
I can provide further details on request. Best regards,
阿尔通
USE-CASE CODE:
-- = = = = = = = = = = = = = = SETUP = = = = = = = = = = = = = =
-- Create the audit repository schema user
create user TESTREPO identified by manager
default tablespace USERS
temporary tablespace TEMP
profile DEFAULT
password expire
quota unlimited on USERS;
-- Create the audit repository table
create table TESTREPO.AUDIT_LOGON
(
logon_date DATE,
username VARCHAR2(100),
hostname VARCHAR2(200)
)
tablespace USERS
pctfree 10
initrans 1
maxtrans 255
storage
(
initial 64K
next 1M
minextents 1
maxextents unlimited
);
-- Create the testing user
create user TESTUSER identified by manager
default tablespace USERS
temporary tablespace TEMP
profile DEFAULT
password expire;
-- Grant/Revoke system privileges
grant create session to TESTUSER;
-- Create Database After Logon Trigger as SYS (owned by SYS!)
CREATE OR REPLACE TRIGGER "LOGON_TRIGGER"
AFTER LOGON ON DATABASE
BEGIN
insert into TESTREPO.AUDIT_LOGON
values (sysdate, USER, SYS_CONTEXT('userenv', 'host'));
END;
/
-- = = = = = = = = = = = = = = SETUP = = = = = = = = = = = = = =
-- = = = = = = = = = = = = = = TEST PREREQUISITES = = = = = = = = = = = = = =
-- Audit the TESTUSER for System Privilege INSERT TABLE
audit insert table by testuser by access;
-- = = = = = = = = = = = = = = TEST PREREQUISITES = = = = = = = = = = = = = =
-- = = = = = = = = = = = = = = TEST = = = = = = = = = = = = = =
1. Logon as TESTUSER
2. Query the TESTREPO.AUDIT_LOGON table. A new record is created by TESTUSER - expected behaviour
3. Query the SYS.AUD$ table.
Oracle 11g R2 and below: NO standard audit record created by TESTUSER - expected behaviour
Oracle 12c R1 and above: Standard audit record IS created by TESTUSER - unexpected (!) behaviour
-- = = = = = = = = = = = = = = TEST = = = = = = = = = = = = = =
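As an added example (not part of the original post), the following queries verify the observation described above by separating the trigger-generated audit records from TESTUSER's own statements. They assume the setup script above has been run, that the session has SELECT on DBA_AUDIT_TRAIL, and that DBA_AUDIT_TRAIL exposes the 12c CURRENT_USER column the post mentions (the first query will not parse on 11g, where that column does not exist).

```sql
-- Added example, not from the original post. Run as SYS or another user with
-- SELECT on DBA_AUDIT_TRAIL after logging on as TESTUSER at least once.

-- 1. Audit rows attributed to TESTUSER whose effective user was SYS: these are
--    the unexpected entries written for the INSERT done inside the SYS-owned
--    LOGON_TRIGGER (CURRENT_USER is the 12c column named in the post).
SELECT timestamp, username, current_user, priv_used,
       action_name, owner, obj_name
  FROM dba_audit_trail
 WHERE username     = 'TESTUSER'
   AND current_user = 'SYS'
   AND action_name  = 'INSERT'
   AND owner        = 'TESTREPO'
   AND obj_name     = 'AUDIT_LOGON'
 ORDER BY timestamp;

-- 2. Compare one row per logon in the custom table with the AUD$ rows created
--    for the same inserts. Per the post, the second count is 0 on 11g R2 and
--    equals the first count on 12c.
SELECT (SELECT COUNT(*)
          FROM testrepo.audit_logon
         WHERE username = 'TESTUSER')                       AS custom_logon_rows,
       (SELECT COUNT(*)
          FROM dba_audit_trail
         WHERE username    = 'TESTUSER'
           AND action_name = 'INSERT'
           AND owner       = 'TESTREPO'
           AND obj_name    = 'AUDIT_LOGON')                 AS aud_rows_from_trigger
  FROM dual;
```

Any non-zero difference between the two counts points to TESTUSER INSERT statements outside the trigger, which should not exist since TESTUSER has only CREATE SESSION.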