Oracle security 02-administering user security
Published in: Technology
1. Administering User Security
云和恩墨, 成就所托 (delivering what is entrusted to us), by 王朝阳 18516271611 sonne.k.wang@gmail.com
2. Objectives
After completing this lesson, you should be able to:
• Create and manage database user accounts:
  – Authenticate users
  – Assign default storage areas (tablespaces)
• Grant and revoke privileges
• Create and manage roles
• Create and manage profiles:
  – Implement standard password security features
  – Control resource usage by users
3. Database User Accounts
Each database user account has:
• A unique username
• An authentication method
• A default tablespace
• A temporary tablespace
• A user profile
• An initial consumer group
• An account status
A schema:
• Is a collection of database objects that are owned by a database user
• Has the same name as the user account
4. Predefined Administrative Accounts
• SYS account:
  – Is granted the DBA role, as well as several other roles
  – Has all privileges with ADMIN OPTION
  – Is required for startup, shutdown, and some maintenance commands
  – Owns the data dictionary and the Automatic Workload Repository (AWR)
• SYSTEM account is granted the DBA, MGMT_USER, and AQ_ADMINISTRATOR_ROLE roles.
• DBSNMP account is granted the OEM_MONITOR role.
• SYSMAN account is granted the MGMT_USER, RESOURCE and SELECT_CATALOG_ROLE roles.
• These accounts are not used for routine operations.
5. SYSOPER and SYSDBA
6. Creating a User
Select Server > Users, and then click the Create button.
7. Authenticating Users
• Password
• External
• Global
8. Fixed Database Links
• Create a public fixed database link:
CREATE PUBLIC DATABASE LINK dblk_orcl10g_hr
  CONNECT TO hr IDENTIFIED BY oracle
  USING 'ORCL10g';
• Use a public database link:
SELECT * FROM employees@dblk_orcl10g_hr;
(Diagram: the link connects to the ORCL10g database as hr/oracle.)
9. Viewing Database Link Passwords
• A privileged user may view database link passwords:
SELECT USERID, PASSWORD FROM SYS.LINK$ WHERE PASSWORD IS NOT NULL;

USERID     PASSWORD
---------- ----------
SYSTEM     ORACLE
SCOTT      TIGER
• The passwords for fixed links are stored in clear text in 10g.
10. Database Links Without Credentials
• Creating a connected user database link:
CREATE DATABASE LINK sales.division3.acme.com USING 'sales';
• Creating a current user database link:
CREATE DATABASE LINK sales CONNECT TO CURRENT_USER USING 'sales';
11. Audit Database Links
(Diagram: user jane connects to the local database as jane/doe; the link to the FINANCE database connects as scott/tiger. The local database audits jane; the remote database audits scott.)
12. Administrator Authentication
Operating system security:
• DBAs must have the OS privileges to create and delete files.
• Typical database users should not have the OS privileges to create or delete database files.
Administrator security:
• For SYSDBA, SYSOPER, and SYSASM connections:
  – DBA user by name is audited for password file and strong authentication methods
  – OS account name is audited for OS authentication
  – OS authentication takes precedence over password file authentication for privileged users
  – Password file uses case-sensitive passwords
13. Locking and Expiring Default User Accounts
• The Database Configuration Assistant (DBCA) expires and locks all accounts, except:
  – SYS
  – SYSTEM
  – SYSMAN
  – DBSNMP
• For a manual installation, lock and expire accounts by using:
ALTER USER hr PASSWORD EXPIRE ACCOUNT LOCK;
14. Privileges
There are two types of user privileges:
• System: Enables users to perform particular actions in the database
• Object: Enables users to access and manipulate a specific object
(Diagram: HR_DBA holds the system privilege CREATE SESSION and the object privilege UPDATE on employees.)
15. System Privileges
16. Object Privileges
To grant object privileges:
• Choose the object type.
• Select objects (search and select objects).
• Select privileges.
17. Revoking System Privileges with ADMIN OPTION
REVOKE CREATE TABLE FROM joe;
(Diagram: GRANT and REVOKE shown as user, privilege and object. The DBA grants the privilege to Joe with ADMIN OPTION, Joe grants it to Emily, and the DBA then revokes it from Joe.)
18. Revoking Object Privileges with GRANT OPTION
(Diagram: GRANT and REVOKE. Bob grants an object privilege to Joe with GRANT OPTION, Joe grants it to Emily, and Bob then revokes it from Joe.)
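The two revocation diagrams above (slides 17 and 18) carried through as a SQL*Plus script, so the difference between the two REVOKEs is visible in the data dictionary; this is an added example, not the deck's own code. The users BOB, JOE and EMILY, the table BOB.ORDERS, the tablespace USERS and every password are constructed placeholders, and the DBA account is assumed to be SYSTEM.

```sql
-- Added example; SQL*Plus script started as a DBA. All passwords are placeholders.
CREATE USER bob   IDENTIFIED BY Placeholder_1;
CREATE USER joe   IDENTIFIED BY Placeholder_2;
CREATE USER emily IDENTIFIED BY Placeholder_3;
GRANT CREATE SESSION TO bob, joe, emily;
GRANT CREATE TABLE TO bob;
ALTER USER bob QUOTA 1M ON users;        -- constructed tablespace name

-- Part 1: system privilege, DBA -> joe (WITH ADMIN OPTION) -> emily
GRANT CREATE TABLE TO joe WITH ADMIN OPTION;
CONNECT joe/Placeholder_2
GRANT CREATE TABLE TO emily;
CONNECT system/Placeholder_dba           -- back to the DBA account
REVOKE CREATE TABLE FROM joe;
-- Only EMILY is returned: revoking a system privilege does not cascade to the
-- users the revokee granted it to, so Emily has to be revoked explicitly.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE TABLE' AND grantee IN ('JOE', 'EMILY');

-- Part 2: object privilege, bob -> joe (WITH GRANT OPTION) -> emily
CONNECT bob/Placeholder_1
CREATE TABLE orders (id NUMBER);
GRANT UPDATE ON orders TO joe WITH GRANT OPTION;
CONNECT joe/Placeholder_2
GRANT UPDATE ON bob.orders TO emily;
CONNECT bob/Placeholder_1
REVOKE UPDATE ON orders FROM joe;
CONNECT system/Placeholder_dba
-- No rows are returned: revoking an object privilege cascades through the
-- whole grant chain, so Emily's UPDATE disappears together with Joe's.
SELECT grantee, grantor, privilege
  FROM dba_tab_privs
 WHERE owner = 'BOB' AND table_name = 'ORDERS';

-- Remove the constructed users
DROP USER bob CASCADE;
DROP USER joe;
DROP USER emily;
```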
19. Benefits of Roles
• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
20. Assigning Privileges to Roles and Assigning Roles to Users
(Diagram: the privileges Delete employees, Select employees, Update employees, Insert employees and Create Job are grouped into the roles HR_CLERK and HR_MGR, and the roles are assigned to the users Jenny, David and Rachel.)
21. Predefined Roles
Role                 Privileges Included
CONNECT              CREATE SESSION
RESOURCE             CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE
SCHEDULER_ADMIN      CREATE ANY JOB, CREATE EXTERNAL JOB, CREATE JOB, EXECUTE ANY CLASS, EXECUTE ANY PROGRAM, MANAGE SCHEDULER
DBA                  Most system privileges; several other roles. Do not grant to nonadministrators.
SELECT_CATALOG_ROLE  No system privileges; HS_ADMIN_ROLE and over 1,700 object privileges on the data dictionary
22. Creating a Role
Select Server > Roles. Add privileges and roles from the appropriate tab. Click OK when finished.
23. Secure Application Roles
• Roles can be nondefault and enabled when required:
SET ROLE vacationdba;
• Roles can be protected through authentication.
• Roles can also be secured programmatically:
CREATE ROLE secure_application_role
  IDENTIFIED USING <security_procedure_name>;
24. Implementing a Secure Application Role
1. Create the role.
2. Create the package that sets the role:
   a. Create the package specification.
   b. Create the package body.
3. Grant the execute privilege on the package.
4. Write the application server code that sets the role.
25. Step 1: Create the Role
• The CREATE ROLE command identifies the package that sets the role.
• The package does not need to exist.
• Example:
CREATE ROLE oe_sales_rep
  IDENTIFIED USING secure.oe_roles;
26. Step 2.1: Create the Package Specification
• The OE_ROLES package is referenced in the CREATE ROLE command.
• The AUTHID CURRENT_USER clause is required to properly set the role.
• Example:
CREATE OR REPLACE PACKAGE oe_roles
  AUTHID CURRENT_USER
IS
  PROCEDURE set_sales_rep_role;
END;
/
27. Step 2.2: Create the Package Body
...
SELECT id
  INTO v_id
  FROM oe.app_roles
 WHERE username = sys_context('userenv', 'current_user')
   AND role = 'SALES_REP'
   AND ip_address = sys_context('userenv', 'ip_address');
dbms_session.set_role('oe_sales_rep');
...
28. Step 3: Grant the EXECUTE Privilege on the Package
• The application server connects as the appsrv user.
• It sets the role after it starts the user's session.
• Example:
GRANT execute
  ON oe_roles
  TO appsrv;
29. Step 4: Write the Application Server Code That Sets the Role
• When starting, the application server:
  – Connects as the APPSRV user
  – Creates a connection pool
• When starting a session for a user, the application server:
  – Gets a connection from the pool
  – Starts a session for the user
  – Sets the user's role
• Set the user's role by using:
secure.oe_roles.set_sales_rep_role;
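Steps 1 to 4 above (and the IDENTIFIED USING form from slide 23) as one complete script; this is an added example, not the deck's code. It assumes a schema SECURE that owns the package, a schema OE that owns the APP_ROLES table (constructed here), an application account APPSRV, and that the application server makes the end user the session's current user, for example through proxy authentication. The NO_DATA_FOUND handler covers the case the fragment in step 2.2 leaves open: when no row matches, the role stays off and the caller is told why.

```sql
-- Added example. Run the DDL as a DBA; SECURE, OE and APPSRV are assumed to exist.
-- Constructed authorization table: which user may take which role from which address.
CREATE TABLE oe.app_roles (
  id         NUMBER        PRIMARY KEY,
  username   VARCHAR2(30)  NOT NULL,
  role       VARCHAR2(30)  NOT NULL,
  ip_address VARCHAR2(45)  NOT NULL       -- IPv4 or IPv6 in text form
);
INSERT INTO oe.app_roles VALUES (1, 'APPSRV', 'SALES_REP', '10.0.0.5');  -- constructed row

-- Step 1: the role can only be enabled by the named package, not by SET ROLE from a client
CREATE ROLE oe_sales_rep IDENTIFIED USING secure.oe_roles;
GRANT oe_sales_rep TO appsrv;   -- a session must hold the role before the package can enable it

-- Step 2.1: specification with invoker's rights, so the check runs as the calling session
CREATE OR REPLACE PACKAGE secure.oe_roles AUTHID CURRENT_USER IS
  PROCEDURE set_sales_rep_role;
END oe_roles;
/

-- Step 2.2: body. The lookup uses the session's own identity and client address, so the
-- row in APP_ROLES decides whether the role comes on; the client cannot influence it.
CREATE OR REPLACE PACKAGE BODY secure.oe_roles IS
  PROCEDURE set_sales_rep_role IS
    v_id oe.app_roles.id%TYPE;
  BEGIN
    SELECT id INTO v_id
      FROM oe.app_roles
     WHERE username   = SYS_CONTEXT('userenv', 'current_user')
       AND role       = 'SALES_REP'
       AND ip_address = SYS_CONTEXT('userenv', 'ip_address');  -- NULL for sessions not via the listener
    DBMS_SESSION.SET_ROLE('oe_sales_rep');
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- no matching row: leave the session without the role and say why
      RAISE_APPLICATION_ERROR(-20001,
        'OE_SALES_REP is not authorized for this user from this address');
  END set_sales_rep_role;
END oe_roles;
/

-- Step 3: only the application server account may run the package; because the package
-- has invoker's rights, that account also needs to read the authorization table.
GRANT EXECUTE ON secure.oe_roles TO appsrv;
GRANT SELECT  ON oe.app_roles   TO appsrv;

-- Step 4: what the application server executes after starting the user's session
BEGIN
  secure.oe_roles.set_sales_rep_role;
END;
/
```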
30. Data Dictionary Views
SQL> SELECT *
  2  FROM dba_application_roles
  3  WHERE ROLE = 'OE_SALES_REP';

ROLE          SCHEMA  PACKAGE
------------- ------- --------
OE_SALES_REP  SECURE  OE_ROLES

SQL>
31. Assigning Roles to Users
32. Quiz
All passwords created in Oracle Database 11g are not case-sensitive by default.
1. True
2. False
33. Quiz
A database role:
1. Can be enabled or disabled
2. Can consist of system and object privileges
3. Is owned by its creator
4. Cannot be protected by a password
34. Profiles and Users
Users are assigned only one profile at a time.
Profiles:
• Control resource consumption
• Manage account status and password expiration
Note: RESOURCE_LIMIT must be set to TRUE before profiles can impose resource limitations.
35. Implementing Password Security Features
(Diagram: setting up profiles for a user covers password history, account locking, password aging and expiration, and password complexity verification.)
Note: Do not use profiles that cause the SYS, SYSMAN, and DBSNMP passwords to expire and the accounts to be locked.
36. Creating a Password Profile
37. Supplied Password Verification Function: VERIFY_FUNCTION_11G
The VERIFY_FUNCTION_11G function ensures that the password is:
• At least eight characters
• Different from the username, the username with a number, or the username reversed
• Different from the database name or the database name with a number
• A string with at least one alphabetic and one numeric character
• Different from the previous password by at least three letters
Tip: Use this function as a template to create your own customized password verification.
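A password profile that applies the supplied function (slides 36 and 37), followed by a custom verifier written on the same signature as the tip suggests; this is an added example, not the deck's or Oracle's code. The limit values, the profile name APP_USER_PROFILE and the function name APP_VERIFY_FUNCTION are constructed; a verification function must be created in the SYS schema.

```sql
-- Added example; run as SYS. The limits are constructed values, not Oracle defaults.
-- Password limits are enforced even with RESOURCE_LIMIT=FALSE; only the resource
-- limits (SESSIONS_PER_USER, CPU_PER_SESSION, ...) need RESOURCE_LIMIT=TRUE.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24          -- in days, so one hour
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION verify_function_11g;

-- Custom verifier with the three-argument signature Oracle calls for any
-- PASSWORD_VERIFY_FUNCTION: return TRUE to accept, raise an error to reject
-- (the error text is what the user sees).
CREATE OR REPLACE FUNCTION app_verify_function (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2) RETURN BOOLEAN IS
  v_db_name VARCHAR2(40);
BEGIN
  IF LENGTH(password) < 12 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]') OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must contain at least one letter and one digit');
  END IF;
  -- usernames are stored upper-case, so compare without regard to case
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password must not contain the username');
  END IF;
  SELECT name INTO v_db_name FROM v$database;
  IF INSTR(UPPER(password), UPPER(v_db_name)) > 0 THEN
    RAISE_APPLICATION_ERROR(-20004, 'Password must not contain the database name');
  END IF;
  -- old_password is NULL when a DBA resets the password, so compare only when present
  IF old_password IS NOT NULL AND UPPER(password) = UPPER(old_password) THEN
    RAISE_APPLICATION_ERROR(-20005, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END app_verify_function;
/

-- Switch the profile to the custom verifier and attach the profile to a user
ALTER PROFILE app_user_profile LIMIT PASSWORD_VERIFY_FUNCTION app_verify_function;
ALTER USER hr PROFILE app_user_profile;
```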
38. Assigning Quotas to Users
Users who do not have the UNLIMITED TABLESPACE system privilege must be given a quota before they can create objects in a tablespace.
Quotas can be:
• A specific value in megabytes or kilobytes
• Unlimited
39. Applying the Principle of Least Privilege
• Protect the data dictionary:
  O7_DICTIONARY_ACCESSIBILITY=FALSE
• Revoke unnecessary privileges from PUBLIC.
• Use access control lists (ACL) to control network access.
• Restrict the directories accessible by users.
• Limit users with administrative privileges.
• Restrict remote database authentication:
  REMOTE_OS_AUTHENT=FALSE
40. Protect Privileged Accounts
Privileged accounts can be protected by:
• Using a password file with case-sensitive passwords
• Enabling strong authentication for administrator roles
41. Separation of Responsibilities
Users with DBA privileges must be trusted, but separation of responsibilities can:
• Prevent abuse of trust
• Allow audit trails to protect the trusted position
To implement separation of trust:
• DBA responsibilities must be shared
• Accounts must never be shared
• DBA and system administrator must be different people
• SYSOPER and SYSDBA responsibilities must be separated
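A review script for the items in slides 8 to 10, 13, 39 and 40, added here and not part of the deck: the named initialisation parameters, what PUBLIC holds, accounts left OPEN, which database links carry stored credentials, and who holds SYSDBA or SYSOPER in the password file. Run it as a DBA; it only reports.

```sql
-- Added review queries; run as a DBA. Nothing here alters the database.

-- 1. Parameters named on the least-privilege slide, plus RESOURCE_LIMIT from the profile slide
SELECT name, value
  FROM v$parameter
 WHERE name IN ('o7_dictionary_accessibility', 'remote_os_authent', 'resource_limit')
 ORDER BY name;

-- 2. Everything PUBLIC holds: every user inherits these, so each row needs a justification
SELECT 'system privilege' AS kind, privilege    AS item FROM dba_sys_privs  WHERE grantee = 'PUBLIC'
UNION ALL
SELECT 'role'             AS kind, granted_role AS item FROM dba_role_privs WHERE grantee = 'PUBLIC'
ORDER BY kind, item;

-- 3. Accounts still OPEN apart from the four DBCA leaves open; review each against the
--    lock-and-expire rule (ALTER USER ... PASSWORD EXPIRE ACCOUNT LOCK)
SELECT username, account_status, profile, created
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND username NOT IN ('SYS', 'SYSTEM', 'SYSMAN', 'DBSNMP')
 ORDER BY username;

-- 4. Database links: a non-NULL USERNAME is a fixed-user link with stored credentials
--    (what SYS.LINK$ exposed in clear text on 10g); connected/current-user links store none
SELECT owner, db_link, host,
       CASE WHEN username IS NULL THEN 'connected or current user'
            ELSE 'fixed user ' || username END AS credentials
  FROM dba_db_links
 ORDER BY owner, db_link;

-- 5. Password-file administrators: each SYSDBA or SYSOPER holder should be a named person
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;
```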
44. Quiz
Applying the principle of least privilege is not enough to harden the Oracle database.
1. True
2. False
45. Quiz
With RESOURCE_LIMIT set at its default value of FALSE, profile password limitations are ignored.
1. True
2. False
46. Summary
In this lesson, you should have learned how to:
• Create and manage database user accounts:
  – Authenticate users
  – Assign default storage areas (tablespaces)
• Grant and revoke privileges
• Create and manage roles
• Create and manage profiles:
  – Implement standard password security features
  – Control resource usage by users
47. Q&A