随着近年来勒索病毒的爆发,各企业对数据安全的要求越来越高。常见的办法有开启数据库审计、加装数据库防火墙、做网络访问限制等;但细粒度审计会消耗大量系统资源,第三方数据库防火墙一般需要收费。这里介绍我个人常用的四个数据库级(DB level)trigger,用于记录部分关键信息,可以满足一部分审计需求。
- logon 成功信息
在 session 登录(logon)成功后触发,记录该 session 的 IP、machine、program、username、logon time 等关键信息。
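PS:负载很高的 DB 请谨慎使用这个 trigger:记录的数据量可能很大,也可能影响登录耗时。另外,logon trigger 如果抛出未处理的异常,没有 ADMINISTER DATABASE TRIGGER 权限的用户将无法登录,因此上线前要确认 trigger 编译有效,并保证审计表能正常写入。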
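-- Create table
-- One row per successful logon, written by the AFTER LOGON trigger
-- a_db_successful_login_trg defined below.
--
-- The columns that the trigger fills from SYS_CONTEXT('USERENV', ...) are
-- sized at 256 bytes, the default maximum length SYS_CONTEXT returns. The
-- trigger declares its variables with %TYPE against these columns, so a
-- narrower column makes the assignment fail for long values (a full IPv6
-- address is 39 characters, user names can reach 128 bytes on 12.2+). An
-- unhandled error in a logon trigger rejects the logon for accounts without
-- ADMINISTER DATABASE TRIGGER; a swallowed one silently loses the audit row.
--
-- NOTE(review): the table is created in SYS, while the trigger is created in
-- SYSTEM and names the table without a schema prefix; confirm a synonym and
-- grant make it resolvable, and consider a dedicated audit schema over SYS.
-- NOTE(review): audited accounts should not hold UPDATE/DELETE on this table,
-- otherwise the log cannot be trusted as evidence.
create table SYS.A_DB_SUCCESSFUL_LOGINS
(
    inst_id    NUMBER,         -- USERENV INSTANCE
    username   VARCHAR2(256),  -- USERENV SESSION_USER
    osuser     VARCHAR2(256),  -- USERENV OS_USER (client-supplied value)
    machine    VARCHAR2(256),  -- USERENV HOST, chr(0) stripped by the trigger
    terminal   VARCHAR2(256),  -- USERENV TERMINAL
    ipaddr     VARCHAR2(256),  -- USERENV IP_ADDRESS
    program    VARCHAR2(48),   -- filled outside the visible part of the trigger; TODO confirm width against its source
    module     VARCHAR2(48),   -- filled outside the visible part of the trigger; TODO confirm width against its source
    isdba      VARCHAR2(256),  -- USERENV ISDBA
    logon_time DATE            -- presumably the logon timestamp; verify against the trigger's INSERT
);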
---CREATE TRIGGER
CREATE OR REPLACE TRIGGER SYSTEM.a_db_successful_login_trg
AFTER logon ON DATABASE
DECLARE
v_inst_id a_db_successful_logins.inst_id%TYPE;
v_ipaddr a_db_successful_logins.ipaddr%TYPE;
v_logon_user a_db_successful_logins.username%TYPE;
v_machine a_db_successful_logins.machine%TYPE;
v_terminal a_db_successful_logins.terminal%TYPE;
v_osuser a_db_successful_logins.osuser%TYPE;
v_program a_db_successful_logins.program%TYPE;
v_module a_db_successful_logins.module%TYPE;
v_isdba a_db_successful_logins.isdba%TYPE;
/************************************************************************
name: a_db_successful_login_trg
purpose: log and check the database LOGON action.
revisions:
ver DATE author description
1.0 2012 xiaoxiangqin record logon info
--------- ---------- --------------- ---------------------------------
************************************************************************/
BEGIN
-- read the context
v_inst_id := sys_context('USERENV','INSTANCE');
v_osuser := sys_context('USERENV','OS_USER');
v_machine := sys_context('USERENV','HOST');
v_terminal := sys_context('USERENV','TERMINAL');
v_ipaddr := sys_context('USERENV','IP_ADDRESS');
v_logon_user := sys_context('USERENV','SESSION_USER');
v_isdba := sys_context('USERENV','ISDBA');
--cut strange char for windows server.
v_machine := REPLACE(v_machine,chr(0),'');
IF v_machine <> sys_context('USERENV','SERVER_HOST