|
Oracle 数据库审计功能非常强大,通常包括标准审计(包括用户级审计和系统级审计)和细粒度审计。尽管如此,一不小心就容易造成性能问题。同时会把系统表空间给撑爆。下面的内容描述的是如何将审计从系统表空间剥离以及清理Oracle审计记录,供大家参考。
一、审计的相关配置
--环境
SQL> select * from v$version where rownum=1;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest string /home/oraprod/app/product/11.2
.0/dbhome_1/rdbms/audit
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB --此值为当前Oracle 11gR2缺省配置
--从下面的查询中可以看出,当前的审计位于system表空间
SQL> col segment_name FOR a10
SQL> SELECT owner,segment_name,tablespace_name FROM dba_segments WHERE segment_name ='AUD$';
OWNER SEGMENT_NA TABLESPACE_NAME
------------------------------ ---------- ------------------------------
SYS AUD$ SYSTEM
二、修改审计存储表空间
新增一个表空间用于存储审计日志
SQL> CREATE tablespace audit_data datafile '/home/oracle/app/oradata/orcl/audit01.dbf'
2 SIZE 100M autoextend ON NEXT 50M;
SQL> @tbs_free.sql
TABLESPACE_NAME USED (MB FREE (MB TOTAL (M PER_FR
------------------------------ -------- -------- -------- ------
AUDIT_DATA 1 1,199 1,200 100 %
SYSAUX 1,133 77 1,210 6 %
SYSTEM 1,875 15 1,890 1 %
-- 设定审计数据存放表空间
SQL> BEGIN
2 DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
3 AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
4 AUDIT_TRAIL_LOCATION_VALUE => 'AUDIT_DATA'
5 );
6 END;
7 /
BEGIN
*
ERROR at line 1:
ORA-46267: Insufficient space in 'AUDIT_DATA' tablespace, cannot complete
operation
ORA-06512: at "SYS.DBMS_AUDIT_MGMT", line 1576
ORA-06512: at line 2
-- 错误提示,尽管我们使用了自动扩展表空间,依旧提示空间不够
-- 查看当前审计数据大小,如下为1152MB
SQL> select segment_name,bytes/1024/1024 from dba_segments where segment_name='AUD$';
SEGMENT_NAME BYTES/1024/1024
------------------------- ---------------
AUD$ 1152
-- 下面调整数据文件大小
SQL> alter database datafile '/home/oracle/app/oradata/orcl/audit01.dbf' resize 1200m;
Database altered.
-- 再次设定审计数据存放表空间OK
SQL> BEGIN
2 DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
3 AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
4 AUDIT_TRAIL_LOCATION_VALUE => 'AUDIT_DATA'
5 );
6 END;
7 /
PL/SQL procedure successfully completed.
Elapsed: 00:02:23.10
--整个过程花费了2m23s,主要是期间进行了数据搬迁
SQL> SELECT owner,segment_name,tablespace_name FROM dba_segments WHERE segment_name ='AUD$';
OWNER SEGMENT_NAME TABLESPACE_NAME
------------------------------ ------------------------------ ------------------------------
SYS AUD$ AUDIT_DATA
SQL> @tbs_free.sql
TABLESPACE_NAME USED (MB FREE (MB TOTAL (M PER_FR
------------------------------ -------- -------- -------- ------
AUDIT_DATA 1,153 47 1,200 4 %
SYSAUX 1,143 67 1,210 6 %
SYSTEM 724 1,166 1,890 62 %
-- 从上面的这个查询可以看出,原来位于system表空间的AUD$被迁移到了AUDIT_DATA
-- 相应地AUDIT_DATA表空间已使用增加,而SYSTEM表空间使用率下降
-- 查看审计数据字典配置信息
SQL> col PARAMETER_NAME FOR a30
SQL> col PARAMETER_VALUE FOR a15
SQL> col AUDIT_TRAIL FOR a20
SQL> SELECT PARAMETER_NAME, PARAMETER_VALUE, AUDIT_TRAIL
2 FROM DBA_AUDIT_MGMT_CONFIG_PARAMS
3 WHERE audit_trail = 'STANDARD AUDIT TRAIL';
PARAMETER_NAME PARAMETER_VALUE AUDIT_TRAIL
------------------------------ --------------- --------------------
DB AUDIT TABLESPACE AUDIT_DATA STANDARD AUDIT TRAIL
DB AUDIT CLEAN BATCH SIZE 10000 STANDARD AUDIT TRAIL
三、清除审计记录
通过这个过程设定清除间隔
SQL> BEGIN
2 DBMS_AUDIT_MGMT.init_cleanup(
3 audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
4 default_cleanup_interval => 120 /* hours */);
5 END;
6 /
PL/SQL procedure successfully completed.
-- 下面严验证审计日志清除是否已开启
SQL> SET SERVEROUTPUT ON
SQL> BEGIN
2 IF DBMS_AUDIT_MGMT.is_cleanup_initialized(DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
3 DBMS_OUTPUT.put_line('YES');
4 ELSE
5 DBMS_OUTPUT.put_line('NO');
6 END IF;
7 END;
8 /
YES
PL/SQL procedure successfully completed.
SQL> select segment_name,bytes/1024/1024 from dba_segments where segment_name='AUD$';
SEGMENT_NAME BYTES/1024/1024
------------------- ---------------
AUD$ 1152
SQL> select 'Leshami' As author,'http://blog.csdn.net/leshami' as Blog from dual;
AUTHOR BLOG
------- ----------------------------
Leshami http://blog.csdn.net/leshami
SQL> select count(*) from AUD$;
COUNT(*)
----------
5908086
SQL> select min(ntimestamp#) from aud$;
MIN(NTIMESTAMP#)
---------------------------------------------------------------------------
20-AUG-14 06.11.09.901253 AM
-- 设定归档间隔
SQL> BEGIN
2 DBMS_AUDIT_MGMT.set_last_archive_timestamp(
3 audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
4 last_archive_time => SYSTIMESTAMP-10);
5 END;
6 /
PL/SQL procedure successfully completed
--查看设定的归档间隔
SQL> SELECT * FROM dba_audit_mgmt_last_arch_ts;
AUDIT_TRAIL RAC_INSTANCE LAST_ARCHIVE_TS
-------------------- ------------ ---------------------------------------------------------------------------
STANDARD AUDIT TRAIL 0 09-OCT-15 01.27.17.000000 PM +00:00
--通过调用DBMS_AUDIT_MGMT.clean_audit_trail进行手动清理审计日志
BEGIN
DBMS_AUDIT_MGMT.clean_audit_trail(
audit_trail_type => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
use_last_arch_timestamp => TRUE);
END;
/
DBMS_AUDIT_MGMT.clean_audit_trail
This procedure deletes audit trail records. The CLEAN_AUDIT_TRAIL procedure is usually called after the
SET_LAST_ARCHIVE_TIMESTAMP Procedure has been used to set the last archived timestamp for the audit records.
--也可以通过创建一个purge Job来进行清理已归档的历史审计记录
SQL> BEGIN
2 DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
3 AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
4 AUDIT_TRAIL_PURGE_INTERVAL => 24 /* hours */,
5 AUDIT_TRAIL_PURGE_NAME => 'Daily_Audit_Purge_Job',
6 USE_LAST_ARCH_TIMESTAMP => TRUE
7 );
8 END;
9 /
PL/SQL procedure successfully completed.
-- 本次测试使用了job进行清理,注,上面的purge job 并非使用DBMS_SCHEDULER.CREATE_JOB创建
-- 执行job用于清理归档,通过观察,由于redo log size为50MB,切换较为频繁,花费了19分钟
-- 同时伴随有Checkpoint not complete等待事件,可见redo size过小
SQL> exec DBMS_SCHEDULER.RUN_JOB(job_name => 'SYS.DAILY_AUDIT_PURGE_JOB');
PL/SQL procedure successfully completed.
Elapsed: 00:19:26.38
SQL> select count(*) from AUD$;
COUNT(*)
----------
12
--经查看,清理后空间并没有释放
SQL> select segment_name,bytes/1024/1024 from dba_segments where segment_name='AUD$';
SEGMENT_NAME BYTES/1024/1024
------------------------------ ---------------
AUD$ 1152
SQL> alter table sys.aud$ shrink space cascade;
alter table sys.aud$ shrink space cascade
*
ERROR at line 1:
ORA-10636: ROW MOVEMENT is not enabled
SQL> alter table sys.aud$ enable row movement;
Table altered.
SQL> alter table sys.aud$ shrink space cascade;
Table altered.
SQL> alter table sys.aud$ disable row movement;
Table altered.
-- 下面的查询可以看到,空间已经被释放
SQL> select segment_name,bytes/1024/1024 from dba_segments where segment_name='AUD$';
SEGMENT_NAME BYTES/1024/1024
-------------------- ---------------
AUD$ .0625
四、小结
a、对于Oracle 11g,审计功能默认被开启,因此如果在必须启用的情况下应考虑性能影响; b、开启审计的情况下,建议将审计从system或sysaux表空间剥离,使用单独的表空间; c、对于历史审计日志的清除,应考虑清除期间所带来的性能影响; d、调用DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION这个过程已经开始了搬迁过程,如果审计日志很庞大,应考虑IO影响; e、审计日志的清除需要先设定归档,已归档的审计日志会被清理; f、也可以通过trunate table aud$ reuse storage以及deallocate非常规方式来处理。
|