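Oracle 11gR2 AUDIT Purge Enhancements (Part 4)
Audit records can be stored either in the database or on the operating system; the AUDIT_TRAIL initialization parameter decides which: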
SQL> show parameter audit_trail
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_trail string DB
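Even when AUDIT_TRAIL is set to DB, some audit records are still written to the operating system, for example logins that use operating system authentication. The database may not even be started when operating system authentication takes place, so this information must be stored on the operating system.
Whether the trail is configured to be stored on the OS or the records come from operating system authentication, these audit files previously could only be deleted manually.
Starting with 11gR2, audit records on the operating system can be deleted from inside the database: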
[oracle@bjtest adump]$ cd $ORACLE_BASE/admin/test112/adump
[oracle@bjtest adump]$ ls
test112_ora_10207_1.aud test112_ora_15316_1.aud test112_ora_27301_1.aud test112_ora_32614_1.aud test112_ora_6250_1.aud
test112_ora_10226_1.aud test112_ora_15317_1.aud test112_ora_27318_1.aud test112_ora_32626_1.aud test112_ora_6312_1.aud
test112_ora_10243_1.aud test112_ora_15318_1.aud test112_ora_27423_1.aud test112_ora_32753_1.aud test112_ora_6312_2.aud
test112_ora_10256_1.aud test112_ora_15321_1.aud test112_ora_27482_1.aud test112_ora_3524_1.aud test112_ora_6408_1.aud
.
.
.
test112_ora_15288_1.aud test112_ora_26780_1.aud test112_ora_32356_1.aud test112_ora_6016_2.aud
test112_ora_15311_1.aud test112_ora_26848_1.aud test112_ora_32386_1.aud test112_ora_6057_1.aud
test112_ora_15312_1.aud test112_ora_27210_1.aud test112_ora_32520_1.aud test112_ora_6110_1.aud
test112_ora_15315_1.aud test112_ora_27210_2.aud test112_ora_32520_2.aud test112_ora_6122_1.aud
[oracle@bjtest adump]$ ls |grep aud -c
266
[oracle@bjtest adump]$ more test112_ora_9649_1.aud
Audit file /data/oracle/admin/test112/adump/test112_ora_9649_1.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /data/oracle/product/11.2
System name: Linux
Node name: bjtest
Release: 2.6.18-8.el5xen
Version: #1 SMP Tue Jun 5 23:53:34 EDT 2007
Machine: x86_64
Instance name: test112
Redo thread mounted by this instance: 1
Oracle process number: 22
Unix process pid: 9649, image: oracle@bjtest (TNS V1-V3)
Tue May 4 18:55:27 2010 +08:00
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/2'
STATUS:[1] '0'
DBID:[10] '4284478783'
In the database, call the CLEAN_AUDIT_TRAIL procedure of the DBMS_AUDIT_MGMT package and specify the AUDIT_TRAIL_OS type:
[oracle@bjtest ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.1.0 Production on 星期五 9月 3 23:41:23 2010
Copyright (c) 1982, 2009, Oracle. All rights reserved.
连接到:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
PL/SQL Release 11.2.0.1.0 - Production
CORE 11.2.0.1.0 Production
TNS for Linux: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production
SQL> BEGIN
2 DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
3 DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
4 FALSE);
5 END;
6 /
PL/SQL 过程已成功完成。
Check the audit files in the directory again:
[oracle@bjtest adump]$ ls
test112_ora_14431_1.aud test112_ora_15213_1.aud test112_ora_15215_1.aud test112_ora_15217_1.aud
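The vast majority of the audit records have been removed. However, Oracle still seems to have a small bug when purging operating-system-level audit records: four files were left behind, and judging from their contents there is nothing special about them.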
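The CLEAN_AUDIT_TRAIL call above passes FALSE for use_last_arch_timestamp, so the .aud files are removed whether or not they were archived. The following added example (not part of the original post) parses the record layout shown earlier so that privileged connects can be reviewed and copied off-host before the purge. The function names, the second sample record and its STATUS value are constructed for illustration, and only single-line field values are handled.

```python
import re
from datetime import datetime

# A record starts at a timestamp line such as "Tue May 4 18:55:27 2010 +08:00".
TS = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} [+-]\d\d:\d\d$")
# Field lines look like  NAME:[n] 'value'  (LENGTH carries no [n]).
FIELD = re.compile(r"^([A-Z][A-Z ]*?)\s*:(?:\[(\d+)\])?\s*'(.*)'$")

def parse_aud(text):
    """Return one dict per audit record (single-line field values only)."""
    records, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if TS.match(line):
            cur = {"TIMESTAMP": datetime.strptime(line, "%a %b %d %H:%M:%S %Y %z"),
                   "LENGTH_MISMATCH": []}
            records.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            name, declared, value = m.groups()
            cur[name] = value
            # Assumption from the page's sample: [n] equals len(value).
            if declared is not None and int(declared) != len(value):
                cur["LENGTH_MISMATCH"].append(name)
    return records

def review_before_purge(records):
    """Privileged connects that failed or look altered: keep a copy off-host."""
    return [r for r in records
            if r.get("PRIVILEGE") in ("SYSDBA", "SYSOPER")
            and (r.get("STATUS") != "0" or r["LENGTH_MISMATCH"])]

# First record: abridged from the file shown above. Second: constructed sample.
SAMPLE = """\
Tue May 4 18:55:27 2010 +08:00
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
STATUS:[1] '0'
Tue May 4 19:02:11 2010 +08:00
ACTION :[7] 'CONNECT'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
STATUS:[4] '1017'
"""

if __name__ == "__main__":
    for r in review_before_purge(parse_aud(SAMPLE)):
        print(r["TIMESTAMP"].isoformat(), r["CLIENT USER"], r["STATUS"])
```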
