




版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進行舉報或認領(lǐng)
文檔簡介
1、Implementing Oracle Database Security,Objectives,After completing this lesson, you should be able to do the following: Describe your DBA responsibilities for security Implement security by applying the principle of least privilege Manage default user accounts Implement standard password security fea
2、tures Describe database auditing Describe Virtual Private Database (VPD),Industry Security Requirements,Legal: Sarbanes-Oxley Act (SOX) Health Information Portability and Accountability Act (HIPAA) California Breach Law UK Data Protection Act Auditing,Security RequirementsFull Notes Page,Separation
3、of Responsibilities,Users with DBA privileges must be trusted. Consider: Abuse of trust Audit trails protect the trusted position. DBA responsibilities must be shared. Accounts must never be shared. The DBA and the system administrator must be different people. Separate operator and DBA responsibili
4、ties.,Database Security,A secure system ensures the confidentiality of the data that it contains. There are several aspects of security: Restricting access to data and services Authenticating users Monitoring for suspicious activity,Database SecurityFull Notes Page,Principle of Least Privilege,Insta
5、ll only required software on the machine. Activate only required services on the machine. Give OS and database access to only those users that require access. Limit access to the root or administrator account. Limit access to the SYSDBA and SYSOPER accounts. Limit users access to only the database o
6、bjects required to do their jobs.,REVOKE EXECUTE ON UTL_SMTP, UTL_TCP, UTL_HTTP,UTL_FILE FROM PUBLIC;,O7_DICTIONARY_ACCESSIBILITY=FALSE,REMOTE_OS_AUTHENT=FALSE,Applying the Principle of Least Privilege,Protect the data dictionary: Revoke unnecessary privileges from PUBLIC: Restrict the directories a
7、ccessible by users. Limit users with administrative privileges. Restrict remote database authentication:,Apply the Principle of Least Privilege Full Notes Page,Managing Default User Accounts,DBCA expires and locks all accounts, except: SYS SYSTEM SYSMAN DBSNMP For a manually created database, lock a
8、nd expire any unused accounts.,User,Password aging and expiration,Password complexity verification,Setting up profiles,Implementing Standard Password Security Features,Password history,Account locking,Password SecurityFull Notes Page,Supplied Password Verification Function: VERIFY_FUNCTION,The suppl
9、ied password verification function enforces these password restrictions: The minimum length is four characters. The password cannot be the same as the username. The password must have at least one alphabetic, one numeric, and one special character. The password must differ from the previous password
10、 by at least three letters. Tip: Use this function as a template to createyour own customized password verification.,Creating a Password Profile,Assigning Users to a Password Profile,Select Administration Schema Users ,FGA Policy,dbms_fga.add_policy ( object_schema= HR, object_name= EMPLOYEES, polic
11、y_name= audit_emps_salary, audit_condition=department_id=10, audit_column = SALARY, handler_schema= secure, handler_module= log_emps_salary, enable= TRUE, statement_types =SELECT );,SELECT name, job_id FROM employees;,SELECT name, salary FROM employees WHERE department_id = 10;,SECURE.LOG_ EMPS_SALA
12、RY,employees,Defines: Audit criteria Audit action Is created with DBMS_FGA .ADD_POLICY,FGA PolicyFull Notes Page,Audited DML Statement: Considerations,Records are audited if FGA predicate is satisfied and relevant columns are referenced. DELETE statements are audited regardless of any specified colu
13、mns. MERGE statements are audited with the underlying INSERT or UPDATE generated statements.,UPDATE hr.employees SET salary = 10 WHERE commission_pct = 90;,UPDATE hr.employees SET salary = 10 WHERE employee_id = 111;,FGA Guidelines,To audit all statements, use a null condition. Policy names must be
14、unique. The audited table or view must already exist when you create the policy. If the audit condition syntax is invalid, an ORA-28112 error is raised when the audited object is accessed. If the audited column does not exist in the table, no rows are audited. If the event handler does not exist, no
15、 error is returned and the audit record is still created.,DBA Auditing,Users with the SYSDBA or SYSOPER privileges can connect when the database is closed: Audit trail must be stored outside the database. Connecting as SYSDBA or SYSOPER is always audited. Enable additional auditing of SYSDBA or SYSO
16、PER actions with audit_sys_operations. Control audit trail with audit_file_dest.,Maintaining the Audit Trail,The audit trail should be maintained. Follow best practice guidelines: Review and store old records Prevent storage problems Avoid loss of records,Quiz: What Is Audited?,Match the following t
17、ext, “A” to “What is Audited?”, and “T” to “What is in the Audit Trail?”. A1: Data changed by DML statements A2: SQL statements (insert, update, delete, select, and merge) based on content) A3: Privilege use including object access T1: Fixed set of data including the SQL statement T2: Fixed set of d
18、ata T3: N/A,Where We Are,Comparing security aspects Applying the principle of least privilege Managing default user accounts Implementing standard password security features Describing auditing: Mandatory auditing Standard database auditing Value-based auditing Fine-grained auditing DBA auditing Vir
19、tual Private Database (VPD),Virtual Private Database: Overview,Virtual Private Database (VPD) consists of: Fine-grained access control Secure application context VPD uses policies to add conditions to SQL statements that protect sensitive data. VPD provides row-level access control. Application attr
20、ibutes defined inside an application context are used by fine-grained access policies.,VPD Example,Business rule: Employees outside the HR department are only allowed to see their own EMPLOYEES record. A salesman enters the following query: SELECT * FROM EMPLOYEES; The function implementing the secu
21、rity policy returns the predicate employee_id=my_emp_id and the database rewrites the query and executes the following: SELECT * FROM EMPLOYEES WHERE employee_id=my_emp_id;,Creating a Column-Level Policy,BEGIN dbms_rls.add_policy(object_schema = hr, object_name = employees, policy_name = hr_policy,
22、function_schema =hr, policy_function = hrsec, statement_types =select,insert, sec_relevant_cols=salary,commission_pct); END; /,Column-Level VPD: Example,Statements are not always rewritten. Consider a policy protecting the SALARY and COMMISSION_PCT columns of the EMPLOYEES table. The fine-grained ac
23、cess control is: Not enforced for this query: Enforced for these queries:,SQL SELECT last_name, salary 2 FROM employees;,SQL SELECT last_name FROM employees;,SQL SELECT * FROM employees;,Security Updates,Oracle posts security alerts on the Oracle Technology Network Web site at: Oracle database administrators and developers can also subscribe to be notified about critical security alerts via e-mail by clicking the “Subscribe to Securi
溫馨提示
- 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
- 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
- 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預覽,若沒有圖紙預覽就沒有圖紙。
- 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
- 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負責。
- 6. 下載文件中如有侵權(quán)或不適當內(nèi)容,請與我們聯(lián)系,我們立即糾正。
- 7. 本站不保證下載資源的準確性、安全性和完整性, 同時也不承擔用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。
最新文檔
- 用電安全懲罰管理辦法
- 福州餐飲住宿管理辦法
- 工程企業(yè)合同管理辦法
- 育肥豬養(yǎng)殖技術(shù)課件
- 肯德基公司介紹
- 肩周炎健康知識課件
- 醫(yī)院醫(yī)廢培訓課件
- 高三第一章數(shù)學試卷
- 設備計劃管理培訓課件
- 房山八上期末數(shù)學試卷
- eps泡沫廠工藝流程
- 枕式換熱器行業(yè)分析
- 干部履歷表(中共中央組織部2015年制)
- JCT1041-2007 混凝土裂縫用環(huán)氧樹脂灌漿材料
- SPA水療管理手冊
- 充電樁工程施工方案解決方案
- 7、煤礦安全管理二級質(zhì)量標準化驗收標準
- USSF-美國太空部隊數(shù)字服務遠景(英文)-2021.5-17正式版
- 靜配中心應急預案處理流程
- 江蘇省射陽中等專業(yè)學校工作人員招聘考試真題2022
評論
0/150
提交評論