Essential Oracle Security Internal For DBA

  • Demo for slide 8: with O7_DICTIONARY_ACCESSIBILITY at its default of FALSE, SELECT ANY TABLE does not reach SYS-owned tables; setting it to TRUE (and restarting) does.
    SQL> create user maclean_priv identified by oracle;
    User created.
    SQL> grant connect, select any table to maclean_priv;
    Grant succeeded.
    SQL> conn maclean_priv/oracle
    Connected.
    SQL> select count(*) from sys.obj$;
    select count(*) from sys.obj$
                             *
    ERROR at line 1:
    ORA-00942: table or view does not exist
    SQL> alter system set O7_DICTIONARY_ACCESSIBILITY=TRUE scope=spfile;
    System altered.
    -- restart the instance (the parameter is static)
    SQL> conn maclean_priv/oracle
    Connected.
    SQL> select count(*) from sys.obj$;
      COUNT(*)
    ----------
         52140
  • Demo for slides 12-13: a 10046 trace of the RLS-protected query shows the policy function being called, and the 10053 trace shows the predicate it returned already applied to the rewritten statement.
    SQL> alter session set events '10046 trace name context forever, level 8';
    Session altered.
    SQL> alter system flush shared_pool;
    System altered.
    SQL> /
    System altered.
    SQL> select * from t1;
            C1
    ----------
            10
            10

    10046 trace:
      select * from t1
      begin :con := FUNC1(:sn, :on); end;

    10053 trace:
      sql_id=cvta8kmh9uc3z.
      Current SQL statement for this session:
      select * from scott.t1
      ============
      Plan Table
      ============
      -------------------------------------+-----------------------------------+
      | Id  | Operation          | Name   | Rows  | Bytes | Cost  | Time      |
      -------------------------------------+-----------------------------------+
      | 0   | SELECT STATEMENT   |        |       |       |     3 |           |
      | 1   |  TABLE ACCESS FULL | T1     |     1 |     2 |     3 |  00:00:01 |
      -------------------------------------+-----------------------------------+
      Predicate Information:
      ----------------------
      1 - filter("C1"=10)
  • Related to slide 14 (an Oracle support note excerpt: the same kzrtppg() parent-table check, here with an OLS policy instead of VPD):
    Symptoms:
      o Errors in the alert.log file: ORA-07445: exception encountered: core dump [] [] [] [] [] []
      o INSERT or UPDATE statements use Foreign Key/Primary Key enforcement.
      o The FK / PK enforcement is protected by OLS policies.
      o kzrtppg appears in the call stack printed in the trace file, indicating that a Foreign Key table is accessing a Parent table with an OLS policy on it. A call stack example is:
        kzrtppg kglsscn kqlsscn kkmfcblo kkmpfcbk qcsprfro qcspafq qcspqb kkmdrv opiSem opiprs kksald
    Cause: the Foreign Key/Primary Key enforcement is protected by an OLS policy on the Primary Key column that prevents the Foreign Key column from reading the Primary Key column. It can be caused by bug 4620832.
    Solution (one of the following):
      1. Configure OLS so that the FK check can select from the primary key.
      2. Do not use OLS.
      3. Look for a fix for bug 4620832. A workaround for this bug is to pin the INSERT or UPDATE cursor using dbms_shared_pool.keep.
  • Mandatory audit record for a SYSDBA connection (see slide 18). DATABASE USER '/' means the connection was OS-authenticated, so the only identity in the record is the CLIENT USER and terminal:
    [oracle@vrh8 adump]$ cat g10r25_ora_3630_1.aud
    Audit file /s01/admin/G10R25/adump/g10r25_ora_3630_1.aud
    Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    ORACLE_HOME = /s01/oracle/product/10.2.0.5/db_1
    System name:    Linux
    Node name:      vrh8.oracle.com
    Release:        2.6.32-200.13.1.el5uek
    Version:        #1 SMP Wed Jul 27 21:02:33 EDT 2011
    Machine:        x86_64
    Instance name: G10R25
    Redo thread mounted by this instance: 1
    Oracle process number: 18
    Unix process pid: 3630, image: oracle@vrh8.oracle.com (TNS V1-V3)

    Sat Jul  7 02:26:52 2012
    LENGTH : '160'
    ACTION :[7] 'CONNECT'
    DATABASE USER:[1] '/'
    PRIVILEGE :[6] 'SYSDBA'
    CLIENT USER:[6] 'oracle'
    CLIENT TERMINAL:[5] 'pts/0'
    STATUS:[1] '0'
    DBID:[10] '2652277393'
  •   Audit cleanup is implicit in audsucc, but audsucc is never called.
  • Sending the audit trail to syslog (see slides 19 and 24). Operations performed in the database by SYS or other administrative users can be audited and written to a system-level log owned by root. This stops someone holding Oracle's OS account from editing the ordinary audit trail to remove the records of what they did. Writing the trail to the Oracle audit directory (AUDIT_TRAIL=OS) or into the database (AUDIT_TRAIL=DB) is not adequate on its own, since a DBA can always modify both. Auditing through the UNIX system logging facility is effective against outside intruders and insiders alike.
    Recording audit records through the UNIX SYSLOG facility is a feature new in Oracle 10g. The facility consists of a daemon called syslogd (see man syslogd) that accepts log messages sent by applications through the syslog() C library call. The syslogd configuration file is normally /etc/syslog.conf, and messages are written under /var/log or /var/adm depending on the UNIX variant. The destination file is selected by facility and priority (level): each entry in /etc/syslog.conf assigns a file to a particular facility and priority. Add the entry
      user.notice    /var/log/oracle_dbms
    to that file, restart syslogd, then set the Oracle parameter AUDIT_SYSLOG_LEVEL=user.notice; the audit records will then appear in /var/log/oracle_dbms. For this to be worth anything, the file must be owned by root and not writable by the oracle OS user; forwarding syslog to a separate log host additionally removes local root from the set of people who can rewrite it.
    On UNIX, CONNECT, STARTUP and SHUTDOWN performed with SYSDBA or SYSOPER privilege are always recorded, unconditionally, in $ORACLE_HOME/rdbms/audit or in the directory given by AUDIT_FILE_DEST, in files with the .aud extension. From Oracle 9i on, setting AUDIT_SYS_OPERATIONS=TRUE records the operations performed as SYSDBA or SYSOPER beyond CONNECT, STARTUP and SHUTDOWN.

    1. Essential Oracle Security Internal For DBA (V1.0)
       刘相兵 (Maclean Liu), liu.maclean@gmail.com, www.oracledatabase12g.com
    2. Introduction
       Allowing or denying the actions of users in an Oracle DB, including on the objects inside it, is implemented through:
       - login authentication (authentication): who may connect to the database
       - access control over schema objects and data (access control)
       - auditing: recording what users do (audit)
    3. Basic authentication
       Database administrators (connecting as SYSDBA/SYSOPER) are authenticated outside the DB, by either:
       - operating system authentication, or
       - password file authentication.
       For example, logging in with sqlplus "/ as sysdba": on Unix the OS user must belong to the OSDBA group (usually named dba), on Windows to the ORA_DBA group.
       Ordinary database users can only be authenticated and logged in once the database is open (alter database open). They can also use OS authentication, e.g.: create user maclean identified externally
       Such an account is matched to the OS user through OS_AUTHENT_PREFIX ("OPS$" by default), so the database user has to be named OPS$<os user> unless the prefix is set to the empty string; keep REMOTE_OS_AUTHENT=FALSE, otherwise a client machine can present any OS user name it likes.
    4. Basic authentication
       Database authentication, for example: create user maclean identified by oracle;
       User information can be inspected through the data dictionary views:
       - DBA_USERS describes all users of the database.
       - ALL_USERS lists users visible to the current user, but does not describe them.
       - USER_TS_QUOTAS describes tablespace quotas for users.
       - V$SESSION lists session information for each current session, including the user name.
       - PROXY_USERS describes users who can assume the identity of other users.
       - V$PWFILE_USERS lists users granted SYSDBA and SYSOPER privileges as derived from the password file.
    5. Access control
       Object-level security (principle of least privilege):
       - through object privileges
       - through roles
       Data-level security (fine-grained access control):
       - through RLS (Row Level Security)
    6. Object-level security controls
       A user explicitly grants privileges on the objects it owns to other users, including the right to query and modify the data. For example:
         CONN MACLEAN/ORACLE
         GRANT SELECT ON wallet TO hanna;
       Roles are named groups of privileges that can be granted directly to users or to other roles. For example:
         CREATE ROLE developer;
         GRANT SELECT ON wallet1 TO developer;
         GRANT INSERT ON wallet1 TO developer;
         GRANT developer TO hanna;
    7. Object-level security controls
       The kernel function kzpchkbu() does the work of checking, for a given user, the privilege on a given object. It is reached through several call paths whenever a required object privilege has to be verified. The algorithm is roughly:
         If the user being checked is the owner of the object, return success (no privilege check is needed)
         Else if the object privilege has been granted to PUBLIC, return success
         Else if the user has been explicitly granted the object privilege, directly or through a role, return success
         Else if the user has been granted the corresponding system privilege (e.g. SELECT ANY TABLE), return success
         Otherwise raise an error: ORA-01031 (insufficient privileges) or ORA-00942 (table or view does not exist)
       The role branch only sees roles enabled in the session: inside definer's-rights PL/SQL units, and when the owner of a view is checked, roles are disabled, so those cases need direct grants.
    8. Object-level security controls
       Can an ordinary user access objects in the SYS schema? (It keeps getting harder!)
       Since 9i the 'ANY' privileges cannot reach SYS-owned objects: the default is O7_DICTIONARY_ACCESSIBILITY=FALSE. Setting it to TRUE lets the 'ANY' privileges (SELECT ANY TABLE and friends) access SYS objects again.
       Otherwise an ordinary user must hold explicit privileges on the SYS object (or SELECT ANY DICTIONARY for read access to the dictionary). Leave the parameter at FALSE: with TRUE, SELECT ANY TABLE reads SYS.USER$ (password hashes) and UPDATE/DELETE ANY TABLE reaches SYS.AUD$ (the audit trail).
    9. Object-level security controls
       Common data dictionary views for object and system privilege information:
       - DBA_SYS_PRIVS describes system privileges granted to users and roles (USER_SYS_PRIVS for the connected user).
       - SESSION_PRIVS lists the privileges that are currently available to the user.
       - SESSION_ROLES lists the roles that are currently enabled for the user.
       - DBA_TAB_PRIVS describes all object grants in the database (USER_TAB_PRIVS for the connected user).
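The following SQL*Plus script is an added example and not part of the original slides: it puts the views of slides 4 and 9 to work as a privilege review for the model of slides 3 to 8 (password-file and OS-authenticated accounts, the parameters that decide how far they are trusted, one user's effective privileges with nested roles expanded, and the ANY privileges that the last branch of kzpchkbu() accepts in place of an object grant). The account name MACLEAN is a placeholder; the views and parameters used exist on 10g and 11g, which is why roles are expanded with CONNECT BY rather than a recursive WITH clause.

```sql
-- Added example (not from the original slides). Run as a DBA in SQL*Plus.
-- MACLEAN is a placeholder for the account under review.
set linesize 160 pagesize 200 verify off
define u = 'MACLEAN'

-- 1. Accounts that can connect AS SYSDBA/SYSOPER via the password file
--    (slide 3). They are authenticated outside the database and are seen
--    only by mandatory/SYS auditing, never by standard auditing.
select username, sysdba, sysoper from v$pwfile_users;

-- 2. Externally (OS) authenticated accounts: create user ... identified
--    externally. On 10g/11g the PASSWORD column holds the literal 'EXTERNAL'.
select username, account_status, created
  from dba_users
 where password = 'EXTERNAL';

-- 3. Parameters that decide how much those two groups are trusted.
--    Expected: remote_os_authent FALSE, o7_dictionary_accessibility FALSE,
--    remote_login_passwordfile EXCLUSIVE (or NONE if SYSDBA is OS-only).
select name, value
  from v$parameter
 where name in ('remote_os_authent', 'os_authent_prefix',
                'remote_login_passwordfile', 'o7_dictionary_accessibility');

-- 4. Every role &u holds, directly or through another role. Roles nest,
--    so DBA_ROLE_PRIVS is walked with CONNECT BY; NOCYCLE guards against
--    a malformed grant tree.
select distinct granted_role
  from dba_role_privs
 start with grantee = '&u'
connect by nocycle prior granted_role = grantee
 order by granted_role;

-- 5. Effective system privileges of &u: direct grants, PUBLIC, and grants
--    to any role found in step 4. This is the set kzpchkbu() falls back to
--    when no object grant matches (slide 7).
select privilege, grantee as granted_to, admin_option
  from dba_sys_privs
 where grantee in ('&u', 'PUBLIC')
    or grantee in (select granted_role
                     from dba_role_privs
                    start with grantee = '&u'
                  connect by nocycle prior granted_role = grantee)
 order by privilege, grantee;

-- 6. Database-wide: who holds an ANY privilege or one of the system
--    privileges that amount to full control (slides 8-9). Which grantees
--    are expected here is a site decision; SYS and DBA are excluded only
--    to keep the list readable.
select grantee, privilege, admin_option
  from dba_sys_privs
 where (privilege like '%ANY%'
        or privilege in ('BECOME USER', 'AUDIT SYSTEM', 'ALTER SYSTEM',
                         'ALTER USER', 'EXEMPT ACCESS POLICY'))
   and grantee not in ('SYS', 'DBA')
 order by grantee, privilege;

-- 7. Object grants on the audit trail base tables: anyone other than SYS
--    who can DELETE or UPDATE here can erase their own history.
select grantee, privilege, table_name
  from dba_tab_privs
 where owner = 'SYS' and table_name in ('AUD$', 'FGA_LOG$')
 order by grantee, table_name;
```

Step 5 is the one worth keeping around: a user who appears to have nothing in USER_SYS_PRIVS can still hold SELECT ANY TABLE three roles deep, and that is exactly the grant the O7_DICTIONARY_ACCESSIBILITY demo above turns into read access to the data dictionary.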
    10. Data-level security (RLS/VPD)
        Virtual Private Database (VPD), also called Fine Grained Access Control (FGAC) or Row Level Security (RLS), was introduced in Oracle 8i. It is called RLS because the decision is based on the actual data content rather than on database objects.
        RLS only takes effect once discretionary access control (DAC) is satisfied: if user1 accesses a table owned by user2 that carries an RLS policy, user1 first needs SELECT privilege on user2's table.
        Internally it works by transparently rewriting the SQL statement into a temporary view built from the predefined criteria. At run time the predicate is appended to the original query so that it filters the rows the query can see.
    11. Data-level security (RLS/VPD)
        Tables, views and synonyms are associated with a policy through the procedures of the Oracle-supplied DBMS_RLS package.
        An RLS policy contains a PL/SQL function that returns a predicate string; the predicate is added to the query conditions before the statement executes. For example:
          CONNECT scott/tiger
          create table t1 (c1 int);
          insert into t1 values (10);
          insert into t1 values (10);
          insert into t1 values (20);
          insert into t1 values (30);
          commit;
    12. Data-level security (RLS/VPD)
          CREATE OR REPLACE FUNCTION func1 (schema_name VARCHAR2, table_name VARCHAR2)
            RETURN VARCHAR2 IS
          BEGIN
            RETURN 'c1 = 10';   -- the predicate string appended to every query against t1
          END;
          /
          -- positional arguments: object_schema, object_name, policy_name,
          -- function_schema, policy_function; the caller needs EXECUTE on DBMS_RLS
          SQL> EXEC DBMS_RLS.ADD_POLICY ('scott', 't1', 'pol1', 'scott', 'func1');
          PL/SQL procedure successfully completed.
          SQL> select * from t1;
                  C1
          ----------
                  10
                  10
    13. Data-level security (RLS/VPD)
        The kernel function kzrtevw() creates the temporary view for a table/view/synonym that has an RLS policy. It is called from the data dictionary layer, kkmfcblo(), during the semantic analysis phase.
        A query "select * from maclean" is transformed during semantic analysis into
          select * from (select * from maclean where t1=10);
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  temporary view
        The temporary view generated by kzrtevw() is then hard parsed again.
    14. Data-level security (RLS/VPD)
        When referential integrity constraints are involved, for example a foreign key on a child table that has an RLS policy enabled, the RLS mechanism checks whether the related parent table carries an RLS policy as well, to decide whether the parent can really be read in order to validate the constraint. This is done by the kernel function kzrtppg(); if the parent row cannot be read, ORA-28117 is raised.
          [oracle@vrh8 ~]$ oerr ora 28117
          28117, 00000, "integrity constraint violated - parent record not found"
          // *Cause: try to update/insert a child record with new foreign key
          //         values, but the corresponding parent row is not visible
          //         because of fine-grained security in the parent.
          // *Action: make sure that the updated foreign key values must also be
          //          visible in the parent
    15. Data-level security (RLS/VPD)
        SYS is exempt from every row-level security (RLS) policy.
        The system privilege EXEMPT ACCESS POLICY makes an ordinary user exempt from RLS policies as well. Treat grants of it like grants of SYSDBA: the holder sees every row of every policy-protected table.
        Useful dictionary views for RLS policies:
        - ALL_POLICIES describes the security policies on the synonyms, tables, and views accessible to the current user.
        - DBA_POLICIES describes all security policies in the database.
        - USER_POLICIES describes the security policies on the synonyms, tables, and views owned by the current user.
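The slides' own example uses a constant predicate. The script below is an added example, not from the original deck, that goes one step further: a policy whose predicate depends on the session user, the same function attached to a parent and a child table so that the ORA-28117 path of slide 14 can be triggered on purpose, and the exemption checks of slide 15. The schemas SCOTT and HANNA, the tables DEPT_V and EMP_V, the function OWNER_PRED and the policy names are all assumptions; "conn / as sysdba" assumes OS authentication is available.

```sql
-- Added example (not from the original slides). Run in SQL*Plus.
-- SCOTT/HANNA, DEPT_V/EMP_V, OWNER_PRED and the policy names are assumptions.
conn / as sysdba
create user hanna identified by oracle;
grant create session to hanna;

-- Parent and child table, each with an owner column the policy filters on.
create table scott.dept_v (deptno     number primary key,
                           dept_owner varchar2(30) not null);
create table scott.emp_v  (empno     number primary key,
                           deptno    number not null references scott.dept_v,
                           emp_owner varchar2(30) not null);
insert into scott.dept_v values (10, 'SCOTT');
insert into scott.dept_v values (20, 'HANNA');
commit;

-- Policy function. The returned string is identical for every session, so
-- the rewritten cursor stays shareable; SYS_CONTEXT is evaluated at run time
-- inside the temporary view kzrtevw() builds. SESSION_USER is the
-- authenticated name and is not changed by ALTER SESSION SET CURRENT_SCHEMA.
create or replace function scott.owner_pred(p_schema varchar2, p_object varchar2)
  return varchar2 as
begin
  if p_object = 'DEPT_V' then
    return 'dept_owner = sys_context(''userenv'', ''session_user'')';
  else
    return 'emp_owner = sys_context(''userenv'', ''session_user'')';
  end if;
end;
/
-- Attach the function to both tables. update_check => true makes an
-- INSERT/UPDATE that would produce a row the session cannot read fail
-- (ORA-28115) instead of silently creating data the writer can never see.
begin
  dbms_rls.add_policy(object_schema => 'SCOTT', object_name => 'DEPT_V',
                      policy_name => 'DEPT_OWNER_POL', function_schema => 'SCOTT',
                      policy_function => 'OWNER_PRED',
                      statement_types => 'SELECT,INSERT,UPDATE,DELETE',
                      update_check => true);
  dbms_rls.add_policy(object_schema => 'SCOTT', object_name => 'EMP_V',
                      policy_name => 'EMP_OWNER_POL', function_schema => 'SCOTT',
                      policy_function => 'OWNER_PRED',
                      statement_types => 'SELECT,INSERT,UPDATE,DELETE',
                      update_check => true);
end;
/
-- DAC first (slide 10): without these object grants HANNA gets ORA-00942
-- before any policy is consulted.
grant select, insert on scott.dept_v to hanna;
grant select, insert on scott.emp_v  to hanna;

conn hanna/oracle
select * from scott.dept_v;                        -- returns only deptno 20
insert into scott.emp_v values (1, 20, 'HANNA');   -- parent visible: succeeds
insert into scott.emp_v values (2, 10, 'HANNA');   -- parent row exists but is hidden
                                                   -- by DEPT_V's policy: ORA-28117
insert into scott.emp_v values (3, 20, 'SCOTT');   -- row would be invisible to
                                                   -- HANNA herself: ORA-28115
commit;

conn / as sysdba
select * from scott.dept_v;                        -- SYS is exempt: both rows
-- Everyone else who bypasses every policy in the database (slide 15).
select grantee from dba_sys_privs where privilege = 'EXEMPT ACCESS POLICY';
-- The policies in force and the function each one calls.
select object_name, policy_name, pf_owner, function,
       sel, ins, upd, del, chk_option, enable
  from dba_policies
 where object_owner = 'SCOTT';
```

The second INSERT is the kzrtppg() case from slide 14: the foreign key is valid as far as the data goes, but the parent row is filtered by DEPT_V's policy for this session, so the constraint check reports ORA-28117 rather than silently succeeding. Whether a hidden parent and a truly missing parent are reported with different error numbers is something to verify on the release in use before relying on it as a non-leaking channel.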
    16. Audit: recording user actions
        Even after security measures are deployed, malicious database activity remains possible.
        Auditing and recording user actions lets you detect suspicious or disguised malicious behaviour, and helps to strengthen the security measures further.
    17. Audit: recording user actions
        Kinds of auditing:
        - Mandatory auditing: an audit record is written to an OS file for every instance startup and shutdown and for every privileged (SYSDBA/SYSOPER) logon. The records are kept under $ORACLE_HOME/rdbms/audit (or the AUDIT_FILE_DEST directory, slide 24). Remember to clean that directory up periodically!
        - SYS auditing: records the operations of users connected with SYSDBA/SYSOPER privilege; the records go to OS files or to SYSLOG.
        - Standard auditing: records user actions at the object, statement and privilege level. Records can be stored in OS files, XML files or in the database (the AUD$ base table):
          • object-level auditing
          • privilege-level auditing
          • statement-level auditing
        - Fine-grained auditing: records user actions based on the data they access. Records are stored in the database (FGA_LOG$) or in XML files.
    18. Audit: recording user actions
        Example audit file:
          Audit file /s01/admin/G10R25/adump/g10r25_ora_3724_1.aud
          Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bit Production
          With the Partitioning, OLAP, Data Mining and Real Application Testing options
          ORACLE_HOME = /s01/oracle/product/10.2.0.5/db_1
          System name:    Linux
          Node name:      vrh8.oracle.com
          Release:        2.6.32-200.13.1.el5uek
          Version:        #1 SMP Wed Jul 27 21:02:33 EDT 2011
          Machine:        x86_64
          Instance name: G10R25
          Redo thread mounted by this instance: 1
          Oracle process number: 15
          Unix process pid: 3724, image: oracle@vrh8.oracle.com (TNS V1-V3)

          Sat Jul  7 02:29:41 2012
          LENGTH : '160'
          ACTION :[7] 'CONNECT'
          DATABASE USER:[1] '/'
          PRIVILEGE :[6] 'SYSDBA'
          CLIENT USER:[6] 'oracle'
          CLIENT TERMINAL:[5] 'pts/0'
          STATUS:[1] '0'
          DBID:[10] '2652277393'

          Sat Jul  7 02:29:42 2012
          LENGTH : '173'
          ACTION :[19] 'ALTER DATABASE OPEN'
          DATABASE USER:[1] '/'
          PRIVILEGE :[6] 'SYSDBA'
          CLIENT USER:[6] 'oracle'
          CLIENT TERMINAL:[5] 'pts/0'
          STATUS:[1] '0'
          DBID:[10] '2652277393'

          Sat Jul  7 02:29:46 2012
          LENGTH : '172'
          ACTION :[18] 'select * from dual'
          DATABASE USER:[1] '/'
          PRIVILEGE :[6] 'SYSDBA'
          CLIENT USER:[6] 'oracle'
          CLIENT TERMINAL:[5] 'pts/0'
          STATUS:[1] '0'
          DBID:[10] '2652277393'
        The third record (an ordinary SELECT) is only there because AUDIT_SYS_OPERATIONS is TRUE; with the default FALSE, only CONNECT, STARTUP and SHUTDOWN would appear.
    19. Audit: recording user actions
        The kernel function kzasydmp() writes the mandatory SYSDBA/SYSOPER audit records to an OS file, to SYSLOG or to an XML file.
        On Windows it writes the audit record to the Event Log (DB_User, OS_Privilege, Client_User, Client_Terminal, Status, SQL_Text).
        On Unix, if AUDIT_SYSLOG_LEVEL is set the record is sent to the syslog daemon; otherwise an audit file named <program_code>_<OS_processid>.aud is generated.
    20. Audit: recording user actions
        Object-level auditing, e.g.: AUDIT SELECT ON MACLEAN.TEST;
        Statement-level auditing, e.g.: AUDIT CREATE TABLE BY MACLEAN;
        Privilege-level auditing, e.g.: AUDIT SELECT ANY TABLE BY MACLEAN;
    21. Audit: recording user actions
        Some standard auditing options:
        - AUDIT ... BY SESSION: one record per user and session, e.g. AUDIT SELECT ON MACLEAN.TAB BY SESSION;
        - AUDIT ... BY ACCESS: one record per auditable operation, e.g. AUDIT SELECT ON MACLEAN.TAB BY ACCESS;
        - AUDIT ... WHENEVER SUCCESSFUL: audit only operations that succeed, e.g. AUDIT CONNECT WHENEVER SUCCESSFUL;
        - AUDIT ... WHENEVER NOT SUCCESSFUL: audit only operations that fail, e.g. AUDIT CONNECT WHENEVER NOT SUCCESSFUL;
    22. Audit: recording user actions
        Fine Grained Auditing (FGA)
        FGA policies are associated with tables/views/synonyms through the DBMS_FGA package. For example:
          begin
            DBMS_FGA.ADD_POLICY(object_schema     => 'scott',
                                object_name       => 'emp',
                                policy_name       => 'mypolicy1',
                                audit_condition   => 'sal < 100',
                                audit_column      => 'comm,sal',
                                handler_schema    => NULL,
                                handler_module    => NULL,
                                enable            => TRUE,
                                statement_types   => 'INSERT, UPDATE',
                                audit_trail       => DBMS_FGA.XML + DBMS_FGA.EXTENDED,
                                audit_column_opts => DBMS_FGA.ANY_COLUMNS);
          end;
          /
    23. Audit: recording user actions
        Standard auditing internals: audsucc()/audfail() are the main entry points for auditing successful/unsuccessful operations; both go on to call auddft().
        For example, a successfully audited operation on table test in schema maclean:
          ... -> opiexe() -> audsucc() -> auddft() -> audsel() -> audfro() ...
        auddft() looks at the action code to choose the appropriate audit path.
        audsel() calls audfro(), which records the information on the audit chain.
        audfro() first records the object privilege that was used, then checks the audit options of the object, e.g. whether the object is audited BY ACCESS or BY SESSION: BY ACCESS calls audins(), BY SESSION calls audses().
    24. Audit: recording user actions
        Init.ora instance parameters needed to enable auditing:
        - AUDIT_TRAIL = { none | os | db | db,extended | xml | xml,extended }
        - AUDIT_SYS_OPERATIONS: from Oracle 9i on, setting this parameter to TRUE records the operations performed as SYSDBA or SYSOPER beyond CONNECT, STARTUP and SHUTDOWN.
        - AUDIT_FILE_DEST specifies the audit directory (default $ORACLE_BASE/admin/$SID/adump).
        Some useful dictionary views:
        - DBA_AUDIT_POLICIES lists FGA policies in the database.
        - DBA_AUDIT_TRAIL lists all audit trail entries.
        - DBA_AUDIT_OBJECT lists audit trail records for all objects in the database.
        - DBA_FGA_AUDIT_TRAIL lists all audit records for fine-grained auditing.
        - DBA_COMMON_AUDIT_TRAIL lists all standard and fine-grained audit trail entries, plus mandatory and SYS audit records written in XML format.
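As an added example that is not part of the original deck, the script below pulls slides 19 to 24 and the syslog note above together: the parameter settings with the weak default written beside the corrected value, the AUDIT statements a DBA would actually issue, and the review queries over DBA_AUDIT_TRAIL that turn the trail into something readable. It is meant for SYSDBA in SQL*Plus on 10g/11g; MACLEAN.TEST is the placeholder table from slide 20, the syslog file name is the one used in the note above, and the thresholds in the queries are arbitrary.

```sql
-- Added example (not from the original slides). Run as SYSDBA in SQL*Plus
-- on 10g/11g. MACLEAN.TEST is the placeholder table from slide 20.

-- Weak (10g defaults):                 Corrected:
--   audit_trail = NONE                   DB,EXTENDED (keeps SQL text and binds)
--   audit_sys_operations = FALSE         TRUE        (slide 24)
--   audit_syslog_level unset             user.notice (slide 19, syslog note)
alter system set audit_trail = db, extended scope=spfile;
alter system set audit_sys_operations = true scope=spfile;
-- Only after /etc/syslog.conf contains a line such as
--     user.notice    /var/log/oracle_dbms
-- and syslogd has been restarted. The file must be owned by root and not
-- writable by the oracle OS user, or nothing is gained over .aud files.
alter system set audit_syslog_level = user.notice scope=spfile;
-- All three are static parameters: shutdown immediate / startup before
-- continuing.

-- What to audit (slides 20-21). Logons are recorded once per attempt; the
-- privilege audits fire whenever the system privilege, not an object grant,
-- is what let the statement through (the last branch of kzpchkbu()).
audit create session;
audit select any table, update any table, delete any table,
      grant any privilege, grant any role, alter system, alter user;
audit user, role, system grant;   -- CREATE/ALTER/DROP USER and ROLE, GRANT/REVOKE of system privileges
audit select, insert, update, delete on maclean.test by access;

-- Review queries over DBA_AUDIT_TRAIL (AUDIT_TRAIL=DB). RETURNCODE holds
-- the ORA- number: 1017 is a wrong password, 28000 a locked account.
-- Five or more failures from one source in a day is the threshold here.
select os_username, userhost, username, count(*) as failures,
       min(timestamp) as first_seen, max(timestamp) as last_seen
  from dba_audit_trail
 where action_name = 'LOGON'
   and returncode in (1017, 28000)
   and timestamp > sysdate - 1
 group by os_username, userhost, username
having count(*) >= 5
 order by failures desc;

-- Reads of the sensitive table, and any statement that needed an ANY
-- privilege to succeed. PRIV_USED is filled in only when a system privilege
-- satisfied the check, so a hit there is an access the object owner never
-- granted.
select timestamp, username, os_username, priv_used, owner, obj_name,
       returncode, sql_text
  from dba_audit_trail
 where (owner = 'MACLEAN' and obj_name = 'TEST')
    or priv_used like '%ANY%'
 order by timestamp desc;

-- Privilege and role grants and revokes as they happen, with the statement.
select timestamp, username, action_name, grantee, sql_text
  from dba_audit_trail
 where action_name in ('SYSTEM GRANT', 'GRANT ROLE', 'GRANT OBJECT',
                       'SYSTEM REVOKE', 'REVOKE ROLE', 'REVOKE OBJECT')
 order by timestamp desc;

-- The DB trail lives in SYS.AUD$ and can be deleted by anyone holding
-- DELETE on it; the SYS records in /var/log/oracle_dbms cannot. Gaps in
-- AUD$ that syslog still shows are the signal that the trail was edited.
select count(*) as db_trail_rows, min(timestamp) as oldest
  from dba_audit_trail;
```

The last query exists only to be compared with the syslog file: if the oldest row in AUD$ is younger than the oldest SYSDBA CONNECT record in /var/log/oracle_dbms and nobody purged the trail on purpose, someone with DELETE on SYS.AUD$ did it for them, which is exactly the grant step 7 of the privilege review above lists.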
