Scribd Logo
Upload

Welcome to Scribd!

  • Oracle Security 101 (Chinese Version)

    Uploaded by

    Fenng
    194 views24 pages
    http://www.dbanotes.net

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    http://www.dbanotes.net

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    194 views24 pages

    Oracle Security 101 (Chinese Version)

    Uploaded by

    Fenng
    http://www.dbanotes.net

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 24

    Oracle 安全之实践入门篇

    Fenng
    个人介绍

     Blog:http://www.dbanotes.net
     Oracle ACE
     DBA@ 支付宝 (Alipay.com)
     IM/Mail: dbanotes@gmail.com
     Books
    议程

     我们身边的安全问题
     发现、收集、侦测
     安全加固 ( 三板斧 )
    1 ) OS 安全加固
    2 ) Oracle 网络加固
    3 ) RDBMS 安全加固
    N ) ...
     其他、更多 Oracle 安全功能选件
     演示
    我们身边的数据库安全问题

     eg:
    内部人员通过后门入侵数据库,盗取用户
    账户信息。

     eg: 应用程序错误,暴露数据库配置信息。

     eg: 数据库管理员监守自盗,盗取客户资料
    发现、收集问题 ( 1 )

     Oracle CPU ( Critical Patch Update)


    跟踪
    Oracle Security Alert
    首次发布 CPU : 2005 年 3 月 15 日
    要注意 :“ 不提供除 CPU 或安全警报通告、安装前说明、自述文件和
    常见问题解答中所提供信息外的其他具体信息 ” ,也没有“ ... 对产品中
    的漏洞开发或发布可利用的入侵代码(或“验证性代码”)”
     Metalink
    Hacking /Google hacking/
    Yahoo Hacking
    eg: http://www.red-database-
    security.com/wp/oracle_metalink_hacking_us.pdf
    发现、收集问题 ( 2 )

    内部安全审计、扫描
    eg: Nessus
    面对一个新系统的最好办法 : scan ...
    安全邮件列表
    侦测: Nessus 简介

     Top 100 Network Security Tools No.1


     http://www.nessus.org/
     跨平台
     非 GPL 版权 (个人用户有免费版本可用)
     扫描报告示例
    next page
    安全加固

     策略
    性能、可用性与安全之间的平衡

     递进式改进
    一蹴而就是不可能的

     Log,
    Log, Log
    操作 Log 、软件 Log ,有记录可依
    OS 安全加固

     关闭不必要的端口与服务
    eg: snmp
     文件完整性检验

    Tripwire, AIDE, Integrit , AIX Security


    Expert
     相关工具: nmap lsof netstat ......

    # nmap -sTU localhost


    # find / -path /proc -prune -o -type f
    -perm +6000 –ls
    Oracle 网络安全加固

     Top
    1 Problem: Listener 密码设定
    演示在后面

     Oracle 10g 新增本地操作系统验证功能

     Log 设定与审计

     防火墙
    RDBMS 安全加固

     最小授权原则
    grant resouce to scott ; NO, NO, NO!
     取消不必要的权限
    resouce, unlimited tablespace...create
    session
     权限审计
    eg: who has dba role ?
    Package 调用溢出权限提升

     UTL_SMTP
     UTL_TCP
     UTL_HTTP
     DBMS_FLASHBACK
     DBMS_OBFUSCATION_TOOLKIT
     DBMS_METADATA
     DBMS_JOB
     DBMS_RANDOM
     更多 ...... 关注 Oracle CPU
    避免坏习惯 ( 1 )

     命令行中的密码: $sqlplus scott/tiger


    $ ps –ef |grep sqlplus
    好的习惯 :
    sqlplus “/ nolog”
    @>connect scott
    Enter password: *****
    避免坏习惯 ( 2 )
     Shell 脚本中存在密码明文
    1) 操作系统验证用户
    2) Oracle Password Repository ( OPR)
    http://sourceforge.net/projects/opr
    sqlplus -s /NOLOG << EOF
    connect system/`opr -r foodb system`@foo

     没有或者不遵守密码策略
     过度授权
    grant resource to scott; NO!
    更为深入的 Oracle 安全 件

     Oracle Audit
     Fine-Grained Access Control
     Oracle Database Vault
     Secure Backup
     加密与透明数据加密

    Again: 可用性、安全、性能之间的平衡
    出发角度对比
    Oracle Database Vault 的意义
    安全策略

     安全策略的建立
    难点在于执行

     安全与可用性、性能之间的平衡
    具体情况具体分析
    Oracle Listener 密码设定演示
    (1)

     LSNRCTL> change_password
     Old password:
     New password:
     Reenter new password:
     Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
     Password changed for listener
     The command completed successfully
     LSNRCTL> set password
     Password:
     The command completed successfully
     LSNRCTL> save_config
     Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
     Saved LISTENER configuration parameters.
     Listener Parameter File /opt/oracle/products/9.2.0/network/admin/listener.ora
     Old Parameter File /opt/oracle/products/9.2.0/network/admin/listener.bak
     The command completed successfully
     LSNRCTL> exit
    Oracle Listener 密码设定演示
    (2)
     $ lsnrctl status

    LSNRCTL for IBM/AIX RISC System/6000: Version 9.2.0.6.0 - Production on 07-


    SEP-2007 18:18:01
    Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
    TNS-01169: The listener has not recognized the password

    $ cat /opt/oracle/products/9.2.0/network/admin/listener.ora

    #----ADDED BY TNSLSNR 07-SEP-2007 18:17:54---


    PASSWORDS_LISTENER = A072C8903DA55A33
    #--------------------------------------------
    Listener 信息窥探

    $ ./tnscmd status -h 10.0.0.94 -p 1521 --indent
     sending (CONNECT_DATA=(COMMAND=status)) to 10.0.0.94:1521
     writing 89 bytes
     reading
     . .......6.........u. ....................
     DESCRIPTION=
     ( 内容略 )
     ALIAS=LISTENER
     SECURITY=OFF
     VERSION=TNSLSNR for IBM/AIX RISC System/6000: Version 9.2.0.6.0 - Production
     START_DATE=25-JUN-2007 13:02:37
     SIDNUM=1
     LOGFILE=/opt/oracle/products/9.2.0/network/log/listener.log
     PRMFILE=/opt/oracle/products/9.2.0/network/admin/listener.ora
     TRACING=off
     UPTIME=443684410
     SNMP=OFF
     PID=221398
     ( 内容略 )
     SERVICE=
     SERVICE_NAME=test
     INSTANCE=
     INSTANCE_NAME=test
     NUM=1
     INSTANCE_STATUS=UNKNOWN
     NUMREL=1
    资源

     tnscmd
    http://www.jammed.com/~jwa/hacks/security/tnscmd/
     Metalink Note: 92602.1
    “How to Password Protect the Listener”
     Oracle Database Listener Security Guide
    http://www.integrigy.com/security-resources/w
    Q&A

     http://www.dbanotes.net 订阅 RSS ,获
    取动态

    You might also like