
Oracle Security 101

This is a document I put together in 2007. The file I shared earlier can no longer be found, so I am uploading it again.

The content has been abridged; also, keep in mind how dated some of it is when you use it.

Published in: Technology, News & Politics


  1. Oracle Security: A Practical Introduction. 冯大辉 (Fenng)
  2. About me
     - Blog: http://www.dbanotes.net
     - Oracle ACE
     - DBA @ Alipay.com
     - IM/Mail: dbanotes@gmail.com
     - Books
  3. Agenda
     - Security problems around us
     - Discovering, collecting and detecting problems
     - Hardening (the three basic steps): 1) OS hardening, 2) Oracle network hardening, 3) RDBMS hardening, N) ...
     - Other, more advanced Oracle security options
     - Demo
  4. Database security problems around us
     - e.g. an insider breaks into the database through a backdoor and steals user account data
     - e.g. an application bug exposes database configuration details
     - e.g. a database administrator abuses their own access to steal customer data
  5. Discovering and collecting problems (1)
     - Track the Oracle CPU (Critical Patch Update) and Oracle Security Alerts. The first CPU was released on 15 March 2005. Note that Oracle "provides no specific information beyond what is in the CPU or Security Alert advisory, pre-installation notes, readme and FAQ", and does not "develop or publish exploit code (or 'proof of concept' code) for vulnerabilities in its products".
     - Metalink hacking / Google hacking / Yahoo hacking, e.g. http://www.red-database-security.com/wp/oracle_metalink_hacking_us.pdf
  6. Discovering and collecting problems (2)
     - Internal security audits and scans, e.g. Nessus. The best way to approach a new system: scan it ...
     - Security mailing lists
  7. Detection: Nessus in brief
     - No. 1 in the Top 100 Network Security Tools
     - http://www.nessus.org/
     - Cross-platform
     - Not GPL-licensed (a free edition is available for personal use)
     - Sample scan report: next page
  8. Hardening
     - Strategy: balance performance, availability and security
     - Incremental improvement: it cannot be done in one go
     - Log, log, log: operation logs and software logs, so that there is a record to fall back on
  9. OS hardening
     - Shut down unnecessary ports and services, e.g. snmp
     - File integrity checking: Tripwire, AIDE, Integrit, AIX Security Expert
     - Related tools: nmap, lsof, netstat ...
         # nmap -sTU localhost
         # find / -path /proc -prune -o -type f -perm +6000 -ls
 10. Oracle network hardening
     - Top 1 problem: set a listener password (demo later)
     - Oracle 10g adds local OS authentication for the listener
     - Log settings and auditing
     - Firewall
 11. RDBMS hardening
     - Principle of least privilege: grant resource to scott; NO, NO, NO!
     - Revoke unnecessary privileges: resource, unlimited tablespace ... create session
     - Privilege audit, e.g. who has the DBA role?
 12. Privilege escalation through overflows in package calls
     - UTL_SMTP, UTL_TCP, UTL_HTTP, DBMS_FLASHBACK, DBMS_OBFUSCATION_TOOLKIT, DBMS_METADATA, DBMS_JOB, DBMS_RANDOM
     - More ... follow the Oracle CPUs
 13. Avoiding bad habits (1)
     - Passwords on the command line: $ sqlplus scott/tiger is visible to anyone who runs $ ps -ef | grep sqlplus
     - The good habit:
         sqlplus "/nolog"
         connect scott
         Enter password: *****
 14. Avoiding bad habits (2)
     - Cleartext passwords in shell scripts. Alternatives: 1) OS-authenticated users; 2) Oracle Password Repository (OPR), http://sourceforge.net/projects/opr:
         sqlplus -s /NOLOG <<EOF
         connect system/`opr -r foodb system`@foo
     - No password policy, or a policy that is not followed
     - Over-granting: grant resource to scott; NO!
 15. More advanced Oracle security options
     - Oracle Audit
     - Fine-Grained Access Control
     - Oracle Database Vault
     - Secure Backup
     - Encryption and Transparent Data Encryption
     - Again: balance availability, security and performance
 16. Comparison of perspectives (diagram)
 17. What Oracle Database Vault is for (diagram)
 18. Security policy
     - Establishing a security policy: the hard part is enforcing it
     - Balance between security and availability/performance: analyze each case on its own merits
 19. Oracle listener password demo (1)
        LSNRCTL> change_password
        Old password:
        New password:
        Reenter new password:
        Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
        Password changed for listener
        The command completed successfully
        LSNRCTL> set password
        Password:
        The command completed successfully
        LSNRCTL> save_config
        Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
        Saved LISTENER configuration parameters.
        Listener Parameter File /opt/oracle/products/9.2.0/network/admin/listener.ora
        Old Parameter File /opt/oracle/products/9.2.0/network/admin/listener.bak
        The command completed successfully
        LSNRCTL> exit
 20. Oracle listener password demo (2)
        $ lsnrctl status
        LSNRCTL for IBM/AIX RISC System/6000: Version 9.2.0.6.0 - Production on 07-SEP-2007 18:18:01
        Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
        Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
        TNS-01169: The listener has not recognized the password

        $ cat /opt/oracle/products/9.2.0/network/admin/listener.ora
        #----ADDED BY TNSLSNR 07-SEP-2007 18:17:54---
        PASSWORDS_LISTENER = A072C8903DA55A33
        #--------------------------------------------
 21. Snooping listener information
        $ ./tnscmd status -h 10.0.0.94 -p 1521 --indent
        sending (CONNECT_DATA=(COMMAND=status)) to 10.0.0.94:1521
        writing 89 bytes
        reading
        . .......6.........u. ....................
        DESCRIPTION=
        (output omitted)
        ALIAS=LISTENER
        SECURITY=OFF
        VERSION=TNSLSNR for IBM/AIX RISC System/6000: Version 9.2.0.6.0 - Production
        START_DATE=25-JUN-2007 13:02:37
        SIDNUM=1
        LOGFILE=/opt/oracle/products/9.2.0/network/log/listener.log
        PRMFILE=/opt/oracle/products/9.2.0/network/admin/listener.ora
        TRACING=off
        UPTIME=443684410
        SNMP=OFF
        PID=221398
        (output omitted)
        SERVICE=
        SERVICE_NAME=test
        INSTANCE=
        INSTANCE_NAME=test
        NUM=1
        INSTANCE_STATUS=UNKNOWN
        NUMREL=1
 22. Resources
     - tnscmd: http://www.jammed.com/~jwa/hacks/security/tnscmd/
     - Metalink Note 92602.1, "How to Password Protect the Listener"
     - Oracle Database Listener Security Guide: http://www.integrigy.com/security-resources/whitepapers/Integrigy_Oracle_Listener_TNS_Security.pdf
 23. Q&A: subscribe to the RSS feed at http://www.dbanotes.net for updates
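Slides 11 and 12 ask who holds the DBA role, who still carries the privileges that come with a blanket RESOURCE grant, and who can execute the packages listed as escalation targets. The following privilege audit and clean-up is an added example, not part of the original slides or Fenng's own scripts; the views, roles and packages are Oracle's own, while SCOTT, the USERS tablespace and MAIL_APP are illustrative names.

```sql
-- Added example, not from the original slides. Run as a DBA account (e.g. SYSTEM).
-- Views, roles and packages are Oracle's; SCOTT, USERS and MAIL_APP are illustrative.

-- Slide 11: who holds the DBA role, and who can pass it on (ADMIN_OPTION)?
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- Slide 11: who can write without limit into every tablespace?
-- In 9i/10g, GRANT RESOURCE silently grants UNLIMITED TABLESPACE as well.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'UNLIMITED TABLESPACE'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee;

-- Slide 12: which grantees (PUBLIC included) can execute the listed packages?
-- A PUBLIC grant means every account with CREATE SESSION can call them.
SELECT table_name AS package_name, grantee, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'DBMS_FLASHBACK',
                      'DBMS_OBFUSCATION_TOOLKIT', 'DBMS_METADATA',
                      'DBMS_JOB', 'DBMS_RANDOM')
 ORDER BY table_name, grantee;

-- Remediation for an application account that was given RESOURCE:
-- replace the blanket role with the exact privileges it needs plus a quota.
REVOKE RESOURCE FROM scott;
REVOKE UNLIMITED TABLESPACE FROM scott;   -- revoke explicitly; do not rely on REVOKE RESOURCE
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE TO scott;
ALTER USER scott QUOTA 100M ON users;

-- Take a network package away from PUBLIC and grant it only to the one
-- account that needs it. Then look for objects left INVALID, because
-- Oracle-supplied code may have depended on the PUBLIC grant.
REVOKE EXECUTE ON sys.utl_tcp FROM PUBLIC;
GRANT EXECUTE ON sys.utl_tcp TO mail_app;
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
 ORDER BY owner, object_name;
```

Run the three SELECTs first and keep their output as the baseline; re-run them after the REVOKEs so the change in privilege assignments is recorded, as slide 8 asks.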
