How To Audit GRANT ANY PRIVILEGE Or GRANT ANY ROLE (Doc ID 222807.1)

Oracle  Author: rongshiyuan  Date: 2014-04-08 09:00:00

Fact(s)
~~~~~~~~
You are attempting to audit grants of the GRANT ANY PRIVILEGE and/or the
GRANT ANY ROLE privilege, but no audit records are produced for these two
audited activities.

Symptom(s)
~~~~~~~~~~
You have turned on auditing properly.
You used the following steps to audit the granting of GRANT ANY PRIVILEGE
and/or GRANT ANY ROLE to other users:

   SQL> GRANT grant any privilege TO usr1;
   Grant succeeded.

   SQL> AUDIT grant any privilege BY usr1;
   Audit succeeded.

   SQL> SELECT * FROM sys.DBA_PRIV_AUDIT_OPTS;

   USER_NAME  PROXY_NAME PRIVILEGE           SUCCESS   FAILURE
   ---------- ---------- ------------------- --------- ---------
   USR1                  GRANT ANY PRIVILEGE BY ACCESS BY ACCESS

   SQL> CONNECT usr1/
   Connected.

   SQL> GRANT grant any privilege TO user2;
   Grant succeeded.

   SQL> select  USERNAME, ACTION, ACTION_NAME, SYS_PRIVILEGE,
                GRANTEE,AUDIT_OPTION, PRIV_USED
        from dba_audit_trail WHERE USERNAME='USR1';
   no rows selected


Fix
~~~~
1.  As a DBA, issue the command:

    SQL> AUDIT system grant by usr1;

2.  As the user being audited, grant the GRANT ANY PRIVILEGE or GRANT ANY ROLE
    privilege to another user:

    SQL> connect usr1/
    SQL> GRANT grant any privilege TO user2;
    SQL> GRANT grant any role      TO user2;


3.  As a DBA:

    SQL> select  USERNAME, ACTION, ACTION_NAME, SYS_PRIVILEGE,
                 GRANTEE,AUDIT_OPTION, PRIV_USED
         from dba_audit_trail WHERE USERNAME='USR1';

    USERNAME ACTION ACTION_NAME  SYS_PRIVILEGE       GRANTEE PRIV_USED
    -------- ------ ------------ ------------------- ------- -------------------
    USR1        108 SYSTEM GRANT GRANT ANY ROLE      USER2   GRANT ANY PRIVILEGE
    USR1        108 SYSTEM GRANT GRANT ANY PRIVILEGE USER2   GRANT ANY PRIVILEGE
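
The fix above can be verified end to end with the following script. It is an added example, not part of the original note; it assumes traditional auditing with records written to the database audit trail, and reuses the user USR1 from the note.

```sql
-- Added example (not from the original note). Run as a DBA.
-- Assumption: traditional auditing, audit records stored in the database.

-- 1. Confirm auditing is enabled for the instance (value must not be NONE).
SELECT name, value
FROM   v$parameter
WHERE  name = 'audit_trail';

-- 2. Enable the statement audit option that covers grants of
--    system privileges and roles.
AUDIT SYSTEM GRANT BY usr1;

-- 3. SYSTEM GRANT is a statement audit option, so it is listed in
--    DBA_STMT_AUDIT_OPTS rather than in DBA_PRIV_AUDIT_OPTS (the view
--    queried in the Symptom section).
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts
WHERE  user_name    = 'USR1'
AND    audit_option = 'SYSTEM GRANT';

-- 4. Statement audit options apply to sessions started after the AUDIT
--    statement, so USR1 has to reconnect before issuing the grants
--    (step 2 of the fix does this with CONNECT).

-- 5. Report only the grants of the two privileges of interest, including
--    failed attempts (RETURNCODE <> 0) and who received the privilege.
SELECT username,
       extended_timestamp,
       action_name,
       sys_privilege,
       grantee,
       priv_used,
       returncode
FROM   dba_audit_trail
WHERE  username      = 'USR1'
AND    action_name   = 'SYSTEM GRANT'
AND    sys_privilege IN ('GRANT ANY PRIVILEGE', 'GRANT ANY ROLE')
ORDER  BY extended_timestamp;
```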


Cause
~~~~~~~
The appropriate auditable statement option was not specified: SYSTEM GRANT.




From "ITPUB Blog", link: http://blog.itpub.net/17252115/viewspace-1137499/. If you repost this, please credit the source; otherwise legal liability will be pursued.
