Oracle Security 02: Administering User Security (slide deck uploaded by zhaoyang-wang)
云和恩墨 (Enmotech), 成就所托 ("achieving what is entrusted to us"), by 王朝阳 (Wang Zhaoyang), 18516271611, [email protected]
Objectives
After completing this lesson, you should be able to:
• Create and manage database user accounts:
  – Authenticate users
  – Assign default storage areas (tablespaces)
• Grant and revoke privileges
• Create and manage roles
• Create and manage profiles:
  – Implement standard password security features
  – Control resource usage by users
Database User Accounts
Each database user account has:
• A unique username
• An authentication method
• A default tablespace
• A temporary tablespace
• A user profile
• An initial consumer group
• An account status
A schema:
• Is a collection of database objects that are owned by a database user
• Has the same name as the user account
Predefined Administrative Accounts
• SYS account:
  – Is granted the DBA role, as well as several other roles
  – Has all privileges with ADMIN OPTION
  – Is required for startup, shutdown, and some maintenance commands
  – Owns the data dictionary and the Automatic Workload Repository (AWR)
• SYSTEM account is granted the DBA, MGMT_USER, and AQ_ADMINISTRATOR_ROLE roles.
• DBSNMP account is granted the OEM_MONITOR role.
• SYSMAN account is granted the MGMT_USER, RESOURCE, and SELECT_CATALOG_ROLE roles.
• These accounts are not used for routine operations.
Creating a User
Select Server > Users, and then click the Create button.
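The same account created in SQL*Plus instead of Enterprise Manager, as an added example that is not part of the original slides. It covers every attribute listed on the "Database User Accounts" slide and finishes with the dictionary queries that confirm them. The user name app_reader, its password, the tablespaces users and temp, and the 50 MB quota are assumptions for the example.

```sql
-- Added example, not from the original slides. Run as a DBA.
-- User name, password, tablespaces (users, temp) and quota are assumptions.
CREATE USER app_reader
  IDENTIFIED BY "Str0ng_Passw0rd"     -- quoted, so the password keeps its case (11g default)
  DEFAULT TABLESPACE users            -- where the user's objects go unless stated otherwise
  TEMPORARY TABLESPACE temp           -- sort/hash work area; never the SYSTEM tablespace
  QUOTA 50M ON users                  -- a bounded quota instead of UNLIMITED TABLESPACE
  PROFILE DEFAULT                     -- password and resource limits come from the profile
  PASSWORD EXPIRE                     -- force a password change at first logon
  ACCOUNT UNLOCK;

-- Least privilege: the only system privilege an ordinary user needs in order
-- to log on. Object privileges come later, preferably through roles.
GRANT CREATE SESSION TO app_reader;

-- Confirm the account attributes listed on the slide.
SELECT username, account_status, default_tablespace,
       temporary_tablespace, profile, initial_rsrc_consumer_group
  FROM dba_users
 WHERE username = 'APP_READER';

-- Confirm the quota (max_bytes = -1 would mean an unlimited quota).
SELECT tablespace_name, max_bytes / 1024 / 1024 AS quota_mb
  FROM dba_ts_quotas
 WHERE username = 'APP_READER';
```

Usernames are stored in upper case unless quoted, which is why the dictionary queries compare against 'APP_READER' while the CREATE USER statement used lower case.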
Fixed Database Links
• Create a public fixed database link:
CREATE PUBLIC DATABASE LINK dblk_orcl10g_hr CONNECT TO hr IDENTIFIED BY oracle USING 'ORCL10g';
• Use a public database link:
SELECT * FROM employees@dblk_orcl10g_hr;
(Diagram: the link always connects to the remote instance ORCL10g as hr/oracle, whichever local user runs the query.)
Viewing Database Link Passwords
• A privileged user (SYS, or anyone with SELECT ANY DICTIONARY) may view database link passwords.
• The passwords for fixed links are stored in clear text in 10g, so a fixed link is an embedded credential:
SELECT userid, password
  FROM sys.link$
 WHERE password IS NOT NULL;

USERID     PASSWORD
---------- ----------
SYSTEM     ORACLE
SCOTT      TIGER
Database Links Without Credentials
• Creating a connected user database link (the link connects as whichever user is using it, so that user must have an account on the remote database):
CREATE DATABASE LINK sales.division3.acme.com USING 'sales';
• Creating a current user database link (the link connects as the current user, for example the owner of a definer's-rights procedure; this requires global users):
CREATE DATABASE LINK sales CONNECT TO CURRENT_USER USING 'sales';
Audit Database Links
(Diagram: jane connects to the local database as jane/doe and is audited there as jane. The fixed link to the remote database FINANCE connects as scott/tiger, so the remote database audits scott, not jane.)
Administrator Authentication
Operating system security:
• DBAs must have the OS privileges to create and delete files.
• Typical database users should not have the OS privileges to create or delete database files.
Administrator security:
• For SYSDBA, SYSOPER, and SYSASM connections:
  – The DBA user is audited by name for password file and strong authentication methods
  – The OS account name is audited for OS authentication
  – OS authentication takes precedence over password file authentication for privileged users
  – The password file uses case-sensitive passwords
Locking and Expiring Default User Accounts
• The Database Configuration Assistant (DBCA) expires and locks all accounts, except:
  – SYS
  – SYSTEM
  – SYSMAN
  – DBSNMP
• For a manual installation, lock and expire accounts by using:
ALTER USER hr PASSWORD EXPIRE ACCOUNT LOCK;
Privileges
There are two types of user privileges:
• System: Enables users to perform particular actions in the database (example: CREATE SESSION)
• Object: Enables users to access and manipulate a specific object (example: UPDATE on employees)
(Diagram: the user HR_DBA holds the system privilege CREATE SESSION and the object privilege UPDATE on employees.)
Object Privileges
To grant object privileges in Enterprise Manager:
1. Choose the object type.
2. Search for and select objects.
3. Select privileges.
Revoking System Privileges with ADMIN OPTION
(Diagram: the DBA grants CREATE TABLE to Joe WITH ADMIN OPTION, and Joe grants it on to Emily. After the DBA revokes it from Joe, Emily still holds it: revoking a system privilege does not cascade.)
REVOKE CREATE TABLE FROM joe;
Revoking Object Privileges with GRANT OPTION
(Diagram: Bob grants an object privilege to Joe WITH GRANT OPTION, and Joe grants it on to Emily. After Bob revokes it from Joe, Emily loses it as well: revoking an object privilege cascades down the GRANT OPTION chain.)
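Both revoke rules from the two slides above, worked through as one SQL*Plus script. This is an added example, not code from the original slides; the users joe, emily and bob, their passwords, the table bob.orders, and the use of OS authentication (CONNECT / AS SYSDBA) on the database server are assumptions.

```sql
-- Added example, not from the original slides. Run in SQL*Plus on the
-- database server as an OS-authenticated DBA; users, passwords and the
-- table bob.orders are constructed for the demonstration.
CONNECT / AS SYSDBA
CREATE USER joe   IDENTIFIED BY "JoePass_01";
CREATE USER emily IDENTIFIED BY "EmilyPass_01";
CREATE USER bob   IDENTIFIED BY "BobPass_01" QUOTA 1M ON users;
GRANT CREATE SESSION TO joe, emily, bob;
GRANT CREATE TABLE TO bob;              -- bob needs it to own the demo table

-- System privilege chain: DBA -> joe (WITH ADMIN OPTION) -> emily.
GRANT CREATE TABLE TO joe WITH ADMIN OPTION;
CONNECT joe/"JoePass_01"
GRANT CREATE TABLE TO emily;

-- Object privilege chain: bob -> joe (WITH GRANT OPTION) -> emily.
CONNECT bob/"BobPass_01"
CREATE TABLE orders (id NUMBER PRIMARY KEY, amount NUMBER);
GRANT SELECT ON orders TO joe WITH GRANT OPTION;
CONNECT joe/"JoePass_01"
GRANT SELECT ON bob.orders TO emily;

-- Revoke each privilege from joe, as the original grantor did on the slides.
CONNECT / AS SYSDBA
REVOKE CREATE TABLE FROM joe;           -- system privilege: no cascade
CONNECT bob/"BobPass_01"
REVOKE SELECT ON orders FROM joe;       -- object privilege: cascades to emily

-- Compare what is left: emily keeps CREATE TABLE, but the SELECT grants on
-- bob.orders are gone for both joe and emily.
CONNECT / AS SYSDBA
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('JOE', 'EMILY') AND privilege = 'CREATE TABLE';

SELECT grantee, grantor, privilege
  FROM dba_tab_privs
 WHERE owner = 'BOB' AND table_name = 'ORDERS';

-- Remove the demonstration users.
DROP USER bob CASCADE;
DROP USER joe;
DROP USER emily;
```

The first query returns only EMILY, the second returns no rows. The practical consequence is that a system privilege handed out WITH ADMIN OPTION has to be traced through DBA_SYS_PRIVS and revoked from every downstream grantee by hand.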
Benefits of Roles
• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
Assigning Privileges to Roles and Assigning Roles to Users
(Diagram: the privileges DELETE, SELECT, UPDATE and INSERT on employees and CREATE JOB are granted to the roles HR_CLERK and HR_MGR; the roles in turn are granted to the users Jenny, David and Rachel.)
Predefined Roles
Role                 Privileges included
CONNECT              CREATE SESSION
RESOURCE             CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE
SCHEDULER_ADMIN      CREATE ANY JOB, CREATE EXTERNAL JOB, CREATE JOB, EXECUTE ANY CLASS, EXECUTE ANY PROGRAM, MANAGE SCHEDULER
DBA                  Most system privileges; several other roles. Do not grant to nonadministrators.
SELECT_CATALOG_ROLE  No system privileges; HS_ADMIN_ROLE and over 1,700 object privileges on the data dictionary
Creating a Role
In Enterprise Manager, select Server > Roles, add privileges and roles from the appropriate tab, and click OK when finished.
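The HR_CLERK / HR_MGR arrangement from the diagram two slides back, and the role creation this slide does in Enterprise Manager, expressed in SQL. This is an added example, not code from the original slides: the users jenny, david and rachel, their passwords, the role password, and which privileges go to which role are assumptions; hr.employees is the sample-schema table.

```sql
-- Added example, not from the original slides. Run as a DBA. Users,
-- passwords and the privilege split between the two roles are assumptions.
CREATE ROLE hr_clerk;
CREATE ROLE hr_mgr IDENTIFIED BY "HrMgrRole_01";   -- password-protected role

-- Privileges are granted to roles, not to individual users.
GRANT SELECT, INSERT, UPDATE ON hr.employees TO hr_clerk;
GRANT DELETE ON hr.employees TO hr_mgr;
GRANT CREATE JOB TO hr_mgr;                          -- a system privilege inside a role

CREATE USER jenny  IDENTIFIED BY "JennyPass_01";
CREATE USER david  IDENTIFIED BY "DavidPass_01";
CREATE USER rachel IDENTIFIED BY "RachelPass_01";
GRANT CREATE SESSION TO jenny, david, rachel;

-- Roles are granted to users.
GRANT hr_clerk TO jenny, david, rachel;
GRANT hr_mgr TO rachel;

-- Keep the powerful role disabled at logon; rachel enables it only when
-- she needs it, supplying the role password:
--   SET ROLE hr_mgr IDENTIFIED BY "HrMgrRole_01";
ALTER USER rachel DEFAULT ROLE ALL EXCEPT hr_mgr;

-- Who has which role, and whether it is on by default.
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE granted_role IN ('HR_CLERK', 'HR_MGR')
 ORDER BY grantee, granted_role;

-- What each role carries (a role appears as the grantee in these views).
SELECT grantee AS role, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('HR_CLERK', 'HR_MGR');

SELECT grantee AS role, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee IN ('HR_CLERK', 'HR_MGR')
 ORDER BY grantee, privilege;
```

Changing what a clerk may do is now a single GRANT or REVOKE against hr_clerk, which is the "easier" and "dynamic" privilege management the previous slide promises.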
Secure Application Roles
• Roles can be nondefault and enabled when required:
SET ROLE vacationdba;
• Roles can be protected through authentication.
• Roles can also be secured programmatically:
CREATE ROLE secure_application_role IDENTIFIED USING <security_procedure_name>;
Implementing a Secure Application Role
1. Create the role.
2. Create the package that sets the role:
   a. Create the package specification.
   b. Create the package body.
3. Grant the EXECUTE privilege on the package.
4. Write the application server code that sets the role.
Step 1: Create the Role
• The CREATE ROLE command identifies the package that sets the role.
• The package does not need to exist yet.
• Example:
CREATE ROLE oe_sales_rep IDENTIFIED USING secure.oe_roles;
Step 2.1: Create the Package Specification
• The OE_ROLES package is referenced in the CREATE ROLE command.
• The AUTHID CURRENT_USER clause is required to properly set the role.
• Example:
CREATE OR REPLACE PACKAGE oe_roles AUTHID CURRENT_USER IS
  PROCEDURE set_sales_rep_role;
END;
/
Step 2.2: Create the Package Body
...
SELECT id INTO v_id
  FROM oe.app_roles
 WHERE username   = sys_context('userenv', 'current_user')
   AND role       = 'SALES_REP'
   AND ip_address = sys_context('userenv', 'ip_address');
dbms_session.set_role('oe_sales_rep');
...
Step 3: Grant the EXECUTE Privilege on the Package
• The application server connects as the appsrv user.
• It sets the role after it starts the user's session.
• Example:
GRANT EXECUTE ON oe_roles TO appsrv;
Step 4: Write the Application Server Code That Sets the Role
• When starting, the application server:
  – Connects as the APPSRV user
  – Creates a connection pool
• When starting a session for a user, the application server:
  – Gets a connection from the pool
  – Starts a session for the user
  – Sets the user's role
• Set the user's role by using:
secure.oe_roles.set_sales_rep_role;
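All four steps as one runnable script, an added example rather than the slides' own code. It keeps the names the slides use (role oe_sales_rep, package secure.oe_roles, table oe.app_roles, user appsrv); the schema owner secure, the passwords, the privileges granted to the role, the layout of app_roles, the address 10.0.0.5 and the connect identifier orcl are assumptions. The package checks the session's own user and source address, so the row in app_roles describes the application server's connection; if the application server proxies end users instead (ALTER USER ... GRANT CONNECT THROUGH appsrv), CURRENT_USER is the end user and the table holds one row per user.

```sql
-- Added example, not from the original slides. Run as a DBA. The schema
-- owner secure, passwords, role privileges, table layout and the address
-- 10.0.0.5 are assumptions for the demonstration.
CREATE USER secure IDENTIFIED BY "SecurePass_01";
GRANT CREATE SESSION, CREATE PROCEDURE TO secure;
CREATE USER appsrv IDENTIFIED BY "AppSrvPass_01";
GRANT CREATE SESSION TO appsrv;

-- Step 1: the role can only be enabled from inside secure.oe_roles.
CREATE ROLE oe_sales_rep IDENTIFIED USING secure.oe_roles;
GRANT SELECT, INSERT, UPDATE ON oe.orders TO oe_sales_rep;
-- Grant the role but keep it off at logon. A plain SET ROLE oe_sales_rep
-- from the session fails with ORA-28201; only the package can enable it.
GRANT oe_sales_rep TO appsrv;
ALTER USER appsrv DEFAULT ROLE ALL EXCEPT oe_sales_rep;

-- The authorization table the package consults (constructed for the example).
CREATE TABLE oe.app_roles (
  id         NUMBER       PRIMARY KEY,
  username   VARCHAR2(30) NOT NULL,
  role       VARCHAR2(30) NOT NULL,
  ip_address VARCHAR2(45) NOT NULL
);
INSERT INTO oe.app_roles (id, username, role, ip_address)
  VALUES (1, 'APPSRV', 'SALES_REP', '10.0.0.5');
COMMIT;
-- The owner reads the table to compile the package; the invoker reads it at
-- run time (AUTHID CURRENT_USER), so both need SELECT.
GRANT SELECT ON oe.app_roles TO secure, appsrv;

-- Step 2.1: package specification.
CREATE OR REPLACE PACKAGE secure.oe_roles AUTHID CURRENT_USER IS
  PROCEDURE set_sales_rep_role;
END oe_roles;
/
-- Step 2.2: package body; fails closed when no row matches.
CREATE OR REPLACE PACKAGE BODY secure.oe_roles IS
  PROCEDURE set_sales_rep_role IS
    v_id oe.app_roles.id%TYPE;
  BEGIN
    SELECT id INTO v_id
      FROM oe.app_roles
     WHERE username   = SYS_CONTEXT('USERENV', 'CURRENT_USER')
       AND role       = 'SALES_REP'
       AND ip_address = SYS_CONTEXT('USERENV', 'IP_ADDRESS');
    DBMS_SESSION.SET_ROLE('oe_sales_rep');
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RAISE_APPLICATION_ERROR(-20001, 'not authorized to enable OE_SALES_REP');
  END set_sales_rep_role;
END oe_roles;
/

-- Step 3: only the application server account may call the package.
GRANT EXECUTE ON secure.oe_roles TO appsrv;

-- Step 4: what the application server runs on each pooled connection,
-- shown here as SQL*Plus commands (connect identifier orcl is assumed).
-- CONNECT appsrv/"AppSrvPass_01"@orcl
-- EXEC secure.oe_roles.set_sales_rep_role
-- SELECT role FROM session_roles;   -- OE_SALES_REP appears only when authorized
```

Test it over SQL*Net, not with a local bequeath connection: for a local connection SYS_CONTEXT('USERENV', 'IP_ADDRESS') is NULL, the lookup finds no row, and the procedure raises its error, which is the correct fail-closed behaviour.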
Data Dictionary Views
SQL> SELECT *
  2    FROM dba_application_roles
  3   WHERE role = 'OE_SALES_REP';

ROLE          SCHEMA  PACKAGE
------------- ------- --------
OE_SALES_REP  SECURE  OE_ROLES

SQL>
Quiz
All passwords created in Oracle Database 11g are not case-sensitive by default.
1. True
2. False
Answer: 2 (False). Passwords in Oracle Database 11g are case-sensitive by default, as the password file slide above already notes for administrative passwords.
Quiz
A database role:
1. Can be enabled or disabled
2. Can consist of system and object privileges
3. Is owned by its creator
4. Cannot be protected by a password
Answer: 1 and 2. A role is not owned by any schema, and a role can be protected by a password (or by a package, as in a secure application role).
Profiles and Users
Users are assigned only one profile at a time.
Profiles:
• Control resource consumption
• Manage account status and password expiration
Note: RESOURCE_LIMIT must be set to TRUE before profiles can impose resource limitations. The password limits in a profile are enforced regardless of this parameter.
Implementing Password Security Features
Profiles provide:
• Password history
• Account locking
• Password aging and expiration
• Password complexity verification
(Diagram: a user is assigned a profile that carries these settings.)
Note: Do not use profiles that cause the SYS, SYSMAN, and DBSNMP passwords to expire and the accounts to be locked.
Supplied Password Verification Function: VERIFY_FUNCTION_11G
The VERIFY_FUNCTION_11G function (created by running $ORACLE_HOME/rdbms/admin/utlpwdmg.sql as SYS) ensures that the password is:
• At least eight characters
• Different from the username, the username with a number, or the username reversed
• Different from the database name or the database name with a number
• A string with at least one alphabetic and one numeric character
• Different from the previous password by at least three letters
Tip: Use this function as a template to create your own customized password verification.
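The tip taken literally: a verification function written from the rules listed above, and a profile that applies it together with the history, locking and aging limits from the previous slide. This is an added example, not the supplied utlpwdmg.sql; the names app_verify_function and app_profile are assumptions, and the profile is attached to hr only as an illustration.

```sql
-- Added example, not from the original slides. Password verification
-- functions must be owned by SYS, so run this as SYSDBA. The function and
-- profile names are assumptions.
CREATE OR REPLACE FUNCTION app_verify_function (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
RETURN BOOLEAN IS
  db_name  VARCHAR2(40);
  differ   INTEGER;
  m        INTEGER;
  reversed VARCHAR2(128) := '';
BEGIN
  -- At least eight characters.
  IF LENGTH(password) < 8 THEN
    RAISE_APPLICATION_ERROR(-20001, 'password must be at least 8 characters');
  END IF;

  -- Not the username, the username followed by digits, or the username reversed.
  FOR i IN REVERSE 1 .. LENGTH(username) LOOP
    reversed := reversed || SUBSTR(username, i, 1);
  END LOOP;
  IF UPPER(password) = UPPER(username)
     OR UPPER(password) = UPPER(reversed)
     OR (UPPER(SUBSTR(password, 1, LENGTH(username))) = UPPER(username)
         AND REGEXP_LIKE(SUBSTR(password, LENGTH(username) + 1), '^[0-9]+$')) THEN
    RAISE_APPLICATION_ERROR(-20002, 'password must not be based on the user name');
  END IF;

  -- Not the database name or the database name followed by digits.
  SELECT name INTO db_name FROM v$database;
  IF UPPER(password) = db_name
     OR (UPPER(SUBSTR(password, 1, LENGTH(db_name))) = db_name
         AND REGEXP_LIKE(SUBSTR(password, LENGTH(db_name) + 1), '^[0-9]+$')) THEN
    RAISE_APPLICATION_ERROR(-20003, 'password must not be based on the database name');
  END IF;

  -- At least one letter and one digit.
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    RAISE_APPLICATION_ERROR(-20004, 'password must contain a letter and a digit');
  END IF;

  -- At least three characters different from the previous password:
  -- the length difference plus position-by-position mismatches.
  IF old_password IS NOT NULL THEN
    differ := ABS(LENGTH(old_password) - LENGTH(password));
    IF differ < 3 THEN
      m := LEAST(LENGTH(password), LENGTH(old_password));
      FOR i IN 1 .. m LOOP
        IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN
          differ := differ + 1;
        END IF;
      END LOOP;
      IF differ < 3 THEN
        RAISE_APPLICATION_ERROR(-20005, 'password must differ from the previous one by at least 3 characters');
      END IF;
    END IF;
  END IF;

  RETURN TRUE;
END app_verify_function;
/

CREATE PROFILE app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5                    -- account locking
  PASSWORD_LOCK_TIME       1/24                 -- one hour (the unit is days)
  PASSWORD_LIFE_TIME       90                   -- aging and expiration
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365                  -- password history
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION app_verify_function; -- complexity verification

-- Assign it to application users only; never to SYS, SYSMAN or DBSNMP.
ALTER USER hr PROFILE app_profile;
-- A non-compliant change is now rejected with ORA-28003 plus the
-- function's message, for example:  ALTER USER hr IDENTIFIED BY "hr123";
```

The old_password argument is only supplied when the user changes their own password; a DBA resetting it with ALTER USER gets NULL there, which is why that check is guarded.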
Assigning Quotas to Users
Users who do not have the UNLIMITED TABLESPACE system privilege must be given a quota before they can create objects in a tablespace.
Quotas can be:
• A specific value in megabytes or kilobytes
• Unlimited
Applying the Principle of Least Privilege
• Protect the data dictionary:
O7_DICTIONARY_ACCESSIBILITY=FALSE
• Revoke unnecessary privileges from PUBLIC.
• Use access control lists (ACLs) to control network access.
• Restrict the directories accessible by users.
• Limit users with administrative privileges.
• Restrict remote database authentication:
REMOTE_OS_AUTHENT=FALSE
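Checks a DBA can run against the points above, as an added example that is not part of the original slides. The list of packages in the PUBLIC check is a common hardening target chosen for illustration, not a list the slides give; the ALTER SYSTEM statements assume the instance uses an SPFILE.

```sql
-- Added example, not from the original slides. Run as a DBA. The package
-- list in step 2 is illustrative; assumes an SPFILE for the ALTER SYSTEMs.

-- 1. Both parameters should be FALSE. They are static, so change them in
--    the SPFILE and restart the instance.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('o7_dictionary_accessibility', 'remote_os_authent');
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;

-- 2. Packages every user can execute through PUBLIC that reach the file
--    system, the network or the scheduler. Revoke what the application does
--    not need, after testing, e.g. REVOKE EXECUTE ON utl_tcp FROM PUBLIC;
SELECT table_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP',
                      'UTL_INADDR', 'DBMS_LOB', 'DBMS_JAVA', 'DBMS_SCHEDULER')
 ORDER BY table_name;

-- 3. Who holds administrative power: the DBA role, ANY-type and account
--    management system privileges (grantees may be roles, so follow them
--    through dba_role_privs), and password-file entries.
SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA';

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE (privilege LIKE '% ANY %'
        OR privilege IN ('ALTER SYSTEM', 'ALTER USER', 'BECOME USER',
                         'CREATE USER', 'DROP USER', 'EXEMPT ACCESS POLICY'))
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA', 'SYSMAN', 'DBSNMP')
 ORDER BY grantee, privilege;

SELECT username, sysdba, sysoper, sysasm FROM v$pwfile_users;

-- 4. Accounts that are open and still use a default password (11g view),
--    which the DBCA lock/expire step should have left closed.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN';
```

Every row returned by steps 2 to 4 is a finding to justify or fix; the ALTER SYSTEM statements in step 1 only take effect after the restart.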
Protect Privileged Accounts
Privileged accounts (SYSDBA and the other administrative connections) can be protected by:
• Using a password file with case-sensitive passwords
• Enabling strong authentication for administrator roles
Separation of Responsibilities
Users with DBA privileges must be trusted, but separation of responsibilities can:
• Prevent abuse of trust
• Allow audit trails to protect the trusted position
To implement separation of trust:
• DBA responsibilities must be shared
• Accounts must never be shared
• The DBA and the system administrator must be different people
• SYSOPER and SYSDBA responsibilities must be separated
Quiz
Applying the principle of least privilege is not enough to harden the Oracle database.
1. True
2. False
Answer: 1 (True). Least privilege must be combined with the other measures in this lesson: protecting privileged accounts, separating responsibilities, and locking or expiring unused accounts.
Quiz
With RESOURCE_LIMIT set at its default value of FALSE, profile password limitations are ignored.
1. True
2. False
Answer: 2 (False). RESOURCE_LIMIT governs only the resource limits in a profile; the password limits are always enforced.
Summary
In this lesson, you should have learned how to:
• Create and manage database user accounts:
  – Authenticate users
  – Assign default storage areas (tablespaces)
• Grant and revoke privileges
• Create and manage roles
• Create and manage profiles:
  – Implement standard password security features
  – Control resource usage by users