Welcome 微信登录

首页 / 数据库 / MySQL / 使用触发器和自治事务做了个DDL审计

目的:禁止对ZFPT用户的表执行ALTER TABLE的操作,并审计操作行为。--创建ZFPTADM用户用于管理触发器CREATE USER ZFPTADM IDENTIFIED BY ZFPTADMDEFAULT TABLESPACE ZFPT_CDATA TEMPORARY TABLESPACE ZFPT_TEMP;--授予ZFPTADM用户创建会话、触发器、表、查询字典视图以及不限制空间的权限GRANT CREATE SESSION,CREATE TRIGGER,CREATETABLE,UNLIMITED TABLESPACE,SELECT ANY DICTIONARY TO ZFPTADM;--创建审计日志表DROP TABLE ZFPTADM.ZFPT_DDL_LOGS PURGE;CREATE TABLE ZFPTADM.ZFPT_DDL_LOGS (TIMESTAMP VARCHAR2(32),USERNAME VARCHAR2(32),OSUSER VARCHAR2(32),LOGONTIME VARCHAR2(32),MACHINE VARCHAR2(64),PROGRAM VARCHAR2(64),ERRMSG VARCHAR2(4000)); COMMENT ON COLUMNZFPTADM.ZFPT_DDL_LOGS.TIMESTAMP IS "操作时间";COMMENT ON COLUMNZFPTADM.ZFPT_DDL_LOGS.USERNAME IS "使用的DB用户";COMMENT ON COLUMN ZFPTADM.ZFPT_DDL_LOGS.OSUSERIS "使用的OS用户";COMMENT ON COLUMNZFPTADM.ZFPT_DDL_LOGS.LOGONTIME IS "回话登陆时间";COMMENT ON COLUMNZFPTADM.ZFPT_DDL_LOGS.MACHINE IS "客户端";COMMENT ON COLUMNZFPTADM.ZFPT_DDL_LOGS.PROGRAM IS "使用的工具";COMMENT ON COLUMNZFPTADM.ZFPT_DDL_LOGS.ERRMSG IS "组装信息";--创建触发器CREATE OR REPLACE TRIGGERZFPTADM.ZFPTDDLMONITORBEFORE ALTER ON ZFPT.SCHEMADECLAREPRAGMA AUTONOMOUS_TRANSACTION;V_TIMESTAMP VARCHAR2(32);V_USERNAME VARCHAR2(32);V_OSUSER VARCHAR2(32);V_LOGONTIME VARCHAR2(32);V_MACHINE VARCHAR2(64);V_PROGRAM VARCHAR2(64);V_ERRMSG VARCHAR2(4000); BEGIN         --判断所操作的对象类型是否为TABLE类型,只有TABLE类型才需要审计和禁止,其他类型以来方行         IF(ORA_DICT_OBJ_TYPE="TABLE")          THEN                   SELECTUSERNAME,MACHINE,OSUSER,PROGRAM,TO_CHAR(LOGON_TIME,"YYYY-MM-DD HH24:MI:SS"),TO_CHAR(SYSTIMESTAMP,"YYYY-MM-DD HH24:MI:SS")                   INTOV_USERNAME,V_MACHINE,V_OSUSER,V_PROGRAM,V_LOGONTIME ,V_TIMESTAMP                   FROMV$SESSION WHERE SID=(SELECT USERENV("SID") FROM DUAL);                   V_ERRMSG:= "来自客户端【"||V_MACHINE||"】的OS用户【"||V_OSUSER||"】使用【"||V_PROGRAM||"】程序以DB用户【"||V_USERNAME||"】连接,对【"||ORA_DICT_OBJ_OWNER|| "." || ORA_DICT_OBJ_NAME || " 】对象执行了【"||ORA_SYSEVENT||"】操作!";                   INSERTINTO  ZFPTADM.ZFPT_DDL_LOGS(TIMESTAMP,USERNAME,OSUSER,LOGONTIME,MACHINE,PROGRAM,ERRMSG)                   VALUES(V_TIMESTAMP,V_USERNAME,V_OSUSER,V_LOGONTIME,V_MACHINE,V_PROGRAM,V_ERRMSG);                   COMMIT;                   RAISE_APPLICATION_ERROR(-20001,"注意:客户端【"||V_MACHINE||"】,OS用户为【"||V_OSUSER||"】,DB用户为【"||V_USERNAME||"】,你无权对【"||ORA_DICT_OBJ_OWNER || "." || ORA_DICT_OBJ_NAME || " 】对象执行【"||ORA_SYSEVENT||"】操作,已记录你的违规操作行为!");         ENDIF;END ;/--启用触发器就会继续审计,不能执行ALTER操作ALTER TRIGGER ZFPTADM.ZFPTDDLMONITORENABLE;--禁用触发器就会停止审计,可以执行ALERT操作ALTER TRIGGER ZFPTADM.ZFPTDDLMONITORDISABLE;Oracle 11.2.0.3在非Exadata环境禁掉了diskmon服务应用出现ORA-24550: signal received: [si_signo=6] [si_errno=0] [si_code=9] [si_addr=0]的错误相关资讯      DDL  DDL审计 
  • MySQL在线大表DDL操作  (今 09:43)
  • MySQL的DDL维护技巧  (07/25/2012 09:12:45)
  • MySQL5.6在线DDL更改表测试  (今 09:03)
本文评论 查看全部评论 (0)
表情: 姓名: 字数