oracle10g ocp認(rèn)證周老師中文與真題精解

1、管理 Oracle 數(shù)據(jù)庫(kù)安全講師:n 1數(shù)據(jù)目標(biāo)課程目標(biāo):描述作為DBA的職責(zé)通過應(yīng)用最小權(quán)限原則實(shí)現(xiàn)數(shù)據(jù)庫(kù)安全管理默認(rèn)用戶賬號(hào)實(shí)現(xiàn)標(biāo)準(zhǔn)安全特點(diǎn)描述數(shù)據(jù)庫(kù)審計(jì)描述 VPDn 2數(shù)據(jù)工業(yè)安全需要.法律:Sarbanes-Oxley Act (SOX)Health Information Portability and Accountability Act (HIPAA)California Breach LawUK Data Protection Act審計(jì)n 3數(shù)據(jù)Requirements Least Privilege AuditingValue-based FGADBASec. Upda

2、tes職責(zé)分離DBA用戶必須是賴的DBA的職責(zé)必須共享賬號(hào)不能共用DBA和系統(tǒng)管理員必須屬于不同的人分離操作員和DBA的職責(zé)n 5數(shù)據(jù)數(shù)據(jù)庫(kù)安全一個(gè)安全的系統(tǒng)保證了數(shù)據(jù)庫(kù)中數(shù)據(jù)的個(gè)方面：性，安全機(jī)制包括以下幾限制驗(yàn)證用戶監(jiān)視可疑行為n 6數(shù)據(jù)最小權(quán)限原則.在機(jī)器里面只安裝必須的只激活必須的服務(wù)的用戶提供對(duì)OS和數(shù)據(jù)庫(kù)僅給需要root或者管理員賬號(hào)SYSDBA 和 SYSOPER 賬號(hào)數(shù)據(jù)庫(kù)對(duì)象必須做這些事務(wù)限制限制限制用戶n 8數(shù)據(jù)RequirementsLeast Privilege AuditingValue-based FGADBASec. Updates應(yīng)用最小權(quán)限原則保護(hù)數(shù)據(jù)字典:從

3、PUBLIC中撤回不必要的權(quán)限:通過用戶限制目錄限制用戶擁有管理權(quán)限限制數(shù)據(jù)庫(kù)驗(yàn)證:n 9數(shù)據(jù)REMOTE_OS_AUTHENT=FALSEREVOKE EXECUTE ON UTL_SMTP, UTL_TCP, UTL_HTTP, UTL_FILE FROM PUBLIC;O7_DICTIONARY_ACSIBILITY=FALSE監(jiān)視可疑行為監(jiān)視和審計(jì)是安全程序的主要部分：強(qiáng)制審計(jì)標(biāo)準(zhǔn)的數(shù)據(jù)庫(kù)審計(jì)基于值的審計(jì)FGADBA審計(jì)n 16數(shù)據(jù)Requirements Least PrivilegeAuditing Value-based FGADBASec. Updates標(biāo)準(zhǔn)的數(shù)據(jù)庫(kù)審計(jì)啟用數(shù)

4、據(jù)庫(kù)審計(jì)參數(shù)文件User執(zhí)行命令DBA(2) 指定審計(jì)選項(xiàng).產(chǎn)生審計(jì)回顧審計(jì)信息.審計(jì)OS 或 XML審計(jì)n 17數(shù)據(jù)服務(wù)器進(jìn)程數(shù)據(jù)庫(kù)審計(jì)選項(xiàng)審計(jì)啟動(dòng)審計(jì)修改初始化參數(shù)后需要重起數(shù)據(jù)庫(kù).n 18數(shù)據(jù)ALTER SYSTEM SET audit_trail=“XML” SCOPE=SPFILE;審計(jì)軌跡用啟動(dòng)數(shù)據(jù)庫(kù)審計(jì)AUDIT_TRAILEXTENDED_TIMEST, GLOBAL_UID,PROXY_SESID,INSTANCE_NUMBER,OS_PROS,TRANIONID,SCN,SQL_BIND,SQL_TEXTn 19數(shù)據(jù)MON_AUDIT_TRAILDBA_FGA_AUDIT_

5、TRAILDBA_AUDIT_TRAILAUDIT_TRAIL=DB,EXTENDEDS ENEMENTID, RYIDTEntrise Manager 審計(jì)頁(yè)n 20數(shù)據(jù)指定審計(jì)選項(xiàng)SQL 語(yǔ)句設(shè)計(jì):系統(tǒng)權(quán)限審計(jì) (nonfocused and focused):對(duì)象權(quán)限審計(jì) (nonfocused and focused):n 21數(shù)據(jù)AUDIT ALL on hr.employees;AUDIT UPDATE,DELETE on hr.employees BY ACS;AUDIT select any table, create any trigger;AUDIT select any

6、tabY hr BY SES;AUDIT table;使用和審計(jì)信息如果不用可以禁用審計(jì)選項(xiàng)n 22數(shù)據(jù)基于值的審計(jì)用戶開始一個(gè)進(jìn)程觸發(fā)器文件通過觸發(fā)器創(chuàng)建審計(jì)文件被改變.到一個(gè)審計(jì)表中.n 23數(shù)據(jù)Requirements Least Privilege AuditingValue-based FGADBASec. Updates增強(qiáng)企業(yè)用戶審計(jì)n 25數(shù)據(jù)共享模式FGADB_USER GLOBAL_UID標(biāo)準(zhǔn)審計(jì)USERNAME GLOBAL_UID單一模式FGADB_USER標(biāo)準(zhǔn)審計(jì)USERNAMEFGA可以監(jiān)視基于目錄的數(shù)據(jù)存取可以審計(jì) SELECT, INSERT, UPDATE,

7、DELETE, 和可以連接到表或者視圖是一個(gè)安全保證程序用DBMS_FGA包管理FGAMERGE成員n 26數(shù)據(jù)Policy: AUDIT_EMPS_SALARYSELECT name, salary FROM employees WHEREdepartment_id = 10;Requirements Least Privilege AuditingValue-basedFGA DBASec. UpdatesFGA 策略定義:審計(jì)標(biāo)準(zhǔn)審計(jì)行為由DBMS_FGA.ADD_POLICY創(chuàng)建成員n 27數(shù)據(jù)SECURE.LOG_ EMPS_SALARYSELECT name, salary FRO

8、M employees WHEREdepartment_id = 10;SELECT name, job_id FROM employees;dbms_fga.add_policy ( object_schema = HR, object_name= EMPLOYEES,policy_name = audit_emps_salary, audit_condition= department_id=10, audit_column= SALARY, handler_schema = secure, handler_module = log_emps_salary, enable= TRUE,se

9、ment_types = SELECT );DML審計(jì): 考慮事項(xiàng)如果FGA判斷是滿意的并且有關(guān)字段被,則被審計(jì).DELETE語(yǔ)句對(duì)于任何字段是會(huì)被無(wú)條件審計(jì)的或 UPDATE語(yǔ)句審計(jì).MERGE語(yǔ)句用下面INSERTn 29數(shù)據(jù)UPDATE hr.employees SET salary = 10WHERE employee_id = 111;UPDATE hr.employees SET salary = 10WHERE commis_pct = 90;FGA 指導(dǎo)審計(jì)全部語(yǔ)句，使用null條件.策略名必須唯一.創(chuàng)建審計(jì)粗略時(shí)審計(jì)表或視圖必須存在Y.如果審計(jì)條件語(yǔ)法錯(cuò)誤,會(huì)發(fā)生.審計(jì)對(duì)象發(fā)

10、生時(shí)ORA-28112被審計(jì).如果審計(jì)的標(biāo)中字段不存在，沒有仍然會(huì)創(chuàng)建.如果事件處理者不存在，沒有錯(cuò)誤返回，同時(shí)審計(jì)n 30數(shù)據(jù)DBA 審計(jì)當(dāng)數(shù)據(jù)庫(kù)處在關(guān)閉狀態(tài)的時(shí)候用戶可以用連接:SYSDBA 或 SYSOPER在數(shù)據(jù)庫(kù)外面.審計(jì)線索必須被用SYSDBA 或 SYSOPER登陸的用戶會(huì)一直被審計(jì)用用audit_sys_operations啟動(dòng)SYSDBAaudit_file_dest控制審計(jì)軌跡或的額外審計(jì)SYSOPERn 31數(shù)據(jù)Requirements Least Privilege AuditingValue-based FGADBASec. Updates審計(jì)軌跡系統(tǒng)將被保持.最好對(duì)

11、照練習(xí)指南:和儲(chǔ)藏老問題檢查預(yù)防避免丟失n 32數(shù)據(jù)審計(jì)？符合下列說明, “A” 到 “審計(jì)？”, 和“T” 到 “審計(jì)軌跡”.A1: 數(shù)據(jù)通過DML語(yǔ)句被改變A2: SQL 語(yǔ)句 (insert, update, delete, select, and merge)使用包括對(duì)象A3:T1: 固定的數(shù)據(jù)包括SQL語(yǔ)句T2: 固定的一套數(shù)據(jù)T3: N/An 33數(shù)據(jù)審計(jì)類型什么被審計(jì)？審計(jì)軌跡?標(biāo)準(zhǔn)的數(shù)據(jù)庫(kù)審計(jì)基于值的審計(jì)FGA安全更新Oracle公司安全警報(bào)技術(shù):htt數(shù)據(jù)庫(kù)管理員和開發(fā)/technology/deploy/security/alerts.htm可以通過點(diǎn)擊“訂閱警報(bào)”用電子郵

12、件訂閱安全警報(bào)通知.有關(guān)的n 34數(shù)據(jù)Requirements Least Privilege AuditingValue-based FGADBASec. Updates應(yīng)用安全補(bǔ)丁使用關(guān)鍵性補(bǔ)丁更新進(jìn)程.適用于所有的安全補(bǔ)丁和工作和工作區(qū).聯(lián)絡(luò)Oracle安全產(chǎn)品的團(tuán)隊(duì).n 35數(shù)據(jù)虛擬私有數(shù)據(jù)庫(kù): 概覽虛擬私有數(shù)據(jù)庫(kù)(VPD) 由下列項(xiàng)組成:精密審計(jì)控制安全應(yīng)用VPD使用政策，以添加條件到SQL語(yǔ)句，保護(hù)敏感數(shù)據(jù).VPD提供行級(jí)的控制在一個(gè)應(yīng)用背景下通過精細(xì)審計(jì)策略應(yīng)用屬性定義.n 36數(shù)據(jù)VPD 例子業(yè)務(wù)規(guī)則: 雇員以外的人力資源部門只可看到自己的雇員進(jìn)入以下查詢:. 銷售員SELEC

13、T * FROM EMPLOYEES;功能實(shí)施安全政策的回應(yīng)，employee_id= my_emp_id 和數(shù)據(jù)庫(kù)重寫查詢并執(zhí)行:SELECT * FROM EMPLOYEESWHEREemployee_id=my_emp_id;n 37數(shù)據(jù)創(chuàng)建一個(gè)字段級(jí)別策略n 38數(shù)據(jù)BEGINdbms_rls.add_policy(object_schema = hr, object_name = employees,policy_name = hr_policy, function_schema =hr, policy_function = hrsec,sement_types =select,insert, sec_relevant_cols=mis_pct);END;/字段標(biāo)準(zhǔn) VPD:例如語(yǔ)句并不總是被改寫.設(shè)想一個(gè)策略來保護(hù)EMPLOYEES表的SALARY段.FGA控制:和COMMIS_PCT字不執(zhí)行此查詢 :執(zhí)行此查詢 :n 39數(shù)據(jù)SQL SELECT * FROM employees;SQL SELECT last_name, salary2 FROM employees;SQL SELECT last_name FROM employees;總結(jié)在本節(jié)課里，你學(xué)會(huì)如何:描述DBA的安全責(zé)任確定最少權(quán)限原則 啟動(dòng)標(biāo)準(zhǔn)數(shù)據(jù)庫(kù)審計(jì)確定審計(jì)選項(xiàng)核對(duì)審計(jì)信息審計(jì)軌跡n