历数几款第三方的Oracle数据库安全及漏洞扫描软件

虽然oracle公司自有一套丰富的数据库产品线, 包括 oracle advanced security, VDP , Database vault , lable security , Database FireWall 等等。

但我们还是有必要关注一些第三方的 安全工具, 这些安全工具的主要用途 包括: 漏洞扫描,风险评估,安全建议,审计等。

 

Secure Oracle Auditor -  Secure Bytes 的产品 图形化的集中式审计工具, 可以自定义审计策略; 并分析数据库风险,
产品主页: http://www.secure-bytes.com/soa.php

软件截图:

 

 

Oracle Database Encryption Wizard For Oracle  – Relational Database Consultants, Inc (RDC)的产品  主要功能是 数据加密,  支持 AES256 and DES3 Encryption加密算法  , 在从版本7开始支持Oracle 11gR2 及HSM( Hardware Security Modules )。
产品主页:http://www.relationalwizards.com/html/ora_encyrption.html

软件截图:

 

 

DB  Protect  – AppSecInc  的产品 , 提供企业级 的数据安全方案, 功能包括 隔离敏感数据库, 发现及修正可能存在的数据风险, 控制企业员工的数据访问权限,  监控越权行为等。
产品主页: http://www.appsecinc.com/products/dbprotect/index.shtml

软件截图:

 

 

NGS SQuirreL for Oracle –  NGS secure 的产品 , 算是已经在国内比较知名的 oracle 风险评估漏洞扫描工具, 支持从oracle 7.3 到 11g的主要版本。
产品主页: http://www.ngssecure.com/services/information-security-software/ngs-squirrel-for-oracle.aspx

 

产品介绍:

 

Oracle数据库安全漏洞扫描工具——NGSSQuirreL for Oracle

NGSSQuirrel for Oracle是国际顶级的数据库安全漏洞扫描工具。深圳市九州安域科技有限公司是NGSSQuirrel for Oracle数据库安全漏洞扫描工具中国区授权代理。

NGSSQuirreL for Oracle支持Oracle 8i,9i和10g,并且可以检查几千个可能存在的安全威胁、补丁状况、对象和权限信息、登陆和密码机制、存储过程以及启动过程。NGSSQuirrel提供强大的密码审计功能,包括字典和暴力破解模式。

NGSSQuirrel

1.         专业数据库漏洞评估工具;

支持MSSQL Server,Oracle,Informix,DB2,MySQL ,Sybase ASE数据库

支持对数据库所有实例的特权、角色、表单、视图、存储过程等进行安全检测。

2.         用于保护基础数据库平台安全并确保数据库满足安全法规的要求;

3.         创建Lockdown脚本,用于自动修复数据库扫描中未发现的漏洞

4.         通过check selection功能,可实行具体扫描或针对目标客户的扫描。

可以为特定目标扫描存储某一定制模板

可根据具体合规性扫描选择合规性模板

5.     提供业界专业的数据库安全资讯以及安全教材。

NGS SQuirreL 数据库扫描检测内容:

1.  扫描数据库默认口令、弱口令

2.     检测触发器、存储程序、表单、包等的访问权限

3.     识别默认Object的漏洞

4.     利用密码哈希值运行密码审计

5.     审查密码策略

6.     审查数据库的版本以及补丁情况

7.     检查数据库所有安全配置以及安全审计配置

8.     针对所有发现的安全问题提供修复建议

9.     可针对单一数据库或单一实例进行扫描

NGS SQuirreL for Oracle, SQL Server, MySQL, DB2 & Informix 行业合规性审计

NGS扫描器其内置有如下所有的合规性模块:

PCI DSS(支付款行业数据安全标准V1.2或V2.2)

SOX

HIPAA

Gramm-Leach Bliley Act

FISMA

SANS Top 20

CIS Benchmark for Oracle 9i/10g Ver. 2.0

CIS Benchmark for SQL Server 2005 v1.0

CIS Benchmark for MySQL v1.0.2

Oracle 基准

NSA SQL Server 2000 V1.5 安全配置和管理指南

这些模板都会保持持续更新;NGS 审计客户将满足这些标准的要求

 

NGSSQuirrel for Oracle 目前在国内有 九州安域 和   XLSoft  2家代理。

 

软件截图:

 

 

DB Audit – SoftTree的产品    功能强大的数据库安全和审计产品, 支持Oracle, Sybase, DB2, MySQL, Microsoft SQL Server等主流数据库。  DB Audit Expert是一款专业的数据库安全评估,审计和提供解决方案的数据库管理系统。DB Audit Expert允许数据库及系统管理员,安全管理员,审计人员和操作人患跟踪和分析数据库的活动,包括对数据库的访问,使用,对象的建立,修改和删除等。 DB Audit真正独特的是它内置多个审计方式,让您灵活地选择最适合你的数据库安全性要求的审计方式。
产品主页:http://www.softtreetech.com/

 

 

产品介绍

 

   DB Audit Expert是一款专业的数据库安全评估,审计和提供解决方案的数据库管理系统。DB Audit Expert允许数据库及系统管理员,安全管理员,审计人员和操作人患跟踪和分析数据库的活动,包括对数据库的访问,使用,对象的建立,修改和删除等。DB Audit真正独特的是它内置多个审计方式,让您灵活地选择最适合你的数据库安全性要求的审计方式。

主要优势:

提高系统的安全性并确保系统问责制。
捕获常规和“后门”访问被审计的数据库系统。
从易于管理的单一位置,集中了安全和审计控制多个数据库系统的功能,
统一审计的图形界面功能,缩短了学习曲线,很容易使用。
提供分析报告,全面总结概括,减少审核大量数据从而使轻松地识别各种数据库的安全性侵犯。
提供分析报告,以确定哪些进程和用户占用系统资源。
提供本地数据库审计不可用的审计线索的细节。
当敏感数据发生变化时,提供能够生成对关键人员生成电子邮件警报。
解放了DBA,不再需要创建和管理用于数据更改审计目的精心调校的数据库触发器。
支持灵活的审计配置,使安全人员可以选择必须监督和审计跟踪记录的数据库操作和数据修改的特定类型。
对现有的应用程序提供完全透明的系统级和数据更改审计,无需任何修改这些应用。
完全兼容所有主机操作系统可以运行支持的数据库,包括但不限于Windows NT,UNIX和Linux,虚拟机,OS/390,z/OS。

DB Audit 在多种平台,多种数据库上都有完整的解决方案:
安全性预防管理
侦测和安全配置分析
审计与监控
弱点及渗入测试
校正

多种数据库统一管理,操作简便学习周期短,方便使用。通过左侧数据库树型目录可以方便管理各种数据库;右侧大块的工作区域中,将所有的审计按功能分类,可清晰地完成所有的配置。

DB Audit 可以出色的工作在多种平台,多数据库的复杂环境中,通过警告中心服务器收集、存储和分析各种数据库的审计警告,并按照管理中心所配置将审计报表或警告发送到不同的部门及用户。

DB Audit客户:
DB Audit拥有众多大客户,例如,M&T银行,道琼斯公司,富士银行(Fuji Bank),亨廷顿银行(Huntington Bank),Wells Fargo银行,北方信托公司, (The Reserve Funds)储备基金,第一资本金融公司(Capital One Financial Corp.),3M公司,AT&T公司,IBM公司,戴尔公司,JP摩根大通,惠普,壳牌,索尼,美国军队,美国航空航天局等。

 

软件截图:

 

DB Audit 目前在国内有一家授权代理  北京铸锐数码科技

 

 

Audit DB – LuMigent 公司的产品 , 功能包括 数据库活动监控、审计、 用户权限监控、变更复核、访问监控等。
产品主页: http://www.lumigent.com/products/audit-db

软件截图:

 

 

 

DBCoffer – 难得一见的国产数据库安全产品。 相关介绍: 国内首款主动预防型 数据库安全加固产品,存储层、数据访问层、应用访问层全方位防止数据泄密。

audittools

 

 

 

 

DBCoffer

 

xSecure系列致力于对数据库的全面安全防护,覆盖数据库安全的事前检查、事中控制和事后追踪,形成面向用户的全方位的数据库安全产品和解决方案。

漏洞扫描产品xSecure-DBScan,实现对国际国内主流数据库的安全检查、漏洞分析和模拟渗透攻击,提供数据库安全状况检测评估报告和数据库安全加固建议。

核心功能:

数据库漏洞检查

覆盖绝大多数主流数据库的漏洞检查,包括:缺省配置检查、弱口令检查、无用对象检查、弱安全策略检查、SQL注入检查、缓冲区溢出检查、拒绝服务检查、宽泛权限、数据库补丁检查。

模拟渗透攻击

模拟黑客使用的漏洞发现技术和攻击手段,在没有授权的情况下,对目标数据库的安全性作深入的探测分析,并实施无害攻击(不会导致停机或对数据库造成损害),如获得系统权限、执行系统命令,篡改数据等。

检查报告

对检查结果进行汇总,提供不同类别、不同风险等级等因素的对比分析、趋势分析。

漏洞修复建议

能够智能化的协助网络安全管理人员评估数据库系统的安全状况,可以自动化地修复部分漏洞。
产品主页: http://www.schina.cn/a/fangan/shujukubaoxianxiang/about.html

 

 

www.askmac.cn Here

 

Find password cracker in 11g

在11g中默认启用了对登录注销操作LOGON/LOGOFF的审计,详见<11g默认审计选项>。利用这一点我们可以很方便地从审计日志中找出数据库中的密码暴力破解者。如以下演示:

C:\Users\Maclean Liu>sqlplus system/try_password@G11R2

SQL*Plus: Release 11.2.0.1.0 Production on Mon Jul 4 21:37:44 2011

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

ERROR:
ORA-01017: invalid username/password; logon denied

select username,userhost,terminal,timestamp,action_name,os_process
  from dba_audit_trail
 where returncode = 1017
 order by timestamp desc;

USERNAME             USERHOST                                 TERMINAL             TIMESTAMP          ACTION_NAME       OS_PROCESS
-------------------- ---------------------------------------- -------------------- ------------------ ----------------  ------------
SYSTEM               WORKGROUP\MACLEANLIU-PC                  MACLEANLIU-PC        04-JUL-11          LOGON             4240:2700

Script:

set linesize 140 pagesize 1400
col os_username for a30
col userhost for a30
col terminal for a30

select os_username,userhost,terminal,username,count(*)
  from dba_audit_trail
 where returncode = 1017
 group by os_username,userhost,username,terminal
 having count(*)>10
 /

注意对于LOGON PER SECOND很高的数据库,如果应用程序配置文件中的数据库用户密码不正确,同时应用在短期内发起大量会话登录数据库的话可能引发频繁的dc_users字典缓存锁,用户登录无法成功,乃至整个实例hang住,该问题具体可见<Row Cache lock Problem>。针对该问题如果是在11g中的话,可以利用以上脚本快速找到因密码不正确登录失败的数据库用户名,从而减少排查时间。

11g默认审计选项

11g默认启用强大的审计选项,AUDIT_TRAIL参数的缺省值为DB,这意为着审计数据将记录在数据库中的AUD$审计字典基表上。Oracle官方宣称默认启用的审计日志不会对绝大多数产品数据库的性能带来过大的负面影响,同时Oracle公司还推荐使用基于OS文件的审计日志记录方式(OS audit trail files)。

注意因为在11g中CREATE SESSION将被作为受审计的权限来被记录,因此当SYSTEM表空间因磁盘空间而无法扩展时将导致这部分审计记录无法生成,这将最终导致普通用户的新会话将无法正常创建,普通用户将无法登陆数据库。在这种场景中仍可以使用SYSDBA身份的用户创建会话,在将审计数据合适备份后删除一部分记录,或者干脆TRUNCATE AUD$都可以解决上述问题。

当AUDIT_TRAIL设置为OS时,审计记录文件将在AUDIT_FILE_DEST参数所指定的目录中生成。全部这些文件均可以随时被删除或复制。

注意在默认情况下会以AUTOEXTEND ON自动扩展选项创建SYSTEM表空间,因此系统表空间在必要情况下还是会自动增长的,我们所需注意的是磁盘上的剩余空间是否能够满足其增长需求,以及数据文件扩展的上限,对于普通的8k smallfile表空间而言单个数据文件的最大尺寸是32G。

以下权限将对所有用户审计:


SQL> select * from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
PL/SQL Release 11.2.0.2.0 - Production
CORE    11.2.0.2.0      Production
TNS for Linux: Version 11.2.0.2.0 - Production
NLSRTL Version 11.2.0.2.0 - Production

SQL> select * from global_name;

GLOBAL_NAME
--------------------------------------------------------------------------------
www.askmac.cn


SQL> select privilege,success,failure from dba_priv_audit_opts;

PRIVILEGE                                SUCCESS    FAILURE
---------------------------------------- ---------- ----------
CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS
CREATE ANY JOB                           BY ACCESS  BY ACCESS
GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS
EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS
CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS
GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS
DROP PROFILE                             BY ACCESS  BY ACCESS
ALTER PROFILE                            BY ACCESS  BY ACCESS
DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS
ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS
CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS

PRIVILEGE                                SUCCESS    FAILURE
---------------------------------------- ---------- ----------
ALTER DATABASE                           BY ACCESS  BY ACCESS
GRANT ANY ROLE                           BY ACCESS  BY ACCESS
CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS
DROP ANY TABLE                           BY ACCESS  BY ACCESS
ALTER ANY TABLE                          BY ACCESS  BY ACCESS
CREATE ANY TABLE                         BY ACCESS  BY ACCESS
DROP USER                                BY ACCESS  BY ACCESS
ALTER USER                               BY ACCESS  BY ACCESS
CREATE USER                              BY ACCESS  BY ACCESS
CREATE SESSION                           BY ACCESS  BY ACCESS
AUDIT SYSTEM                             BY ACCESS  BY ACCESS

PRIVILEGE                                SUCCESS    FAILURE
---------------------------------------- ---------- ----------
ALTER SYSTEM                             BY ACCESS  BY ACCESS

23 rows selected.

以下语句也将对所有用户审计:

SQL> select audit_option,success,failure from dba_stmt_audit_opts;

AUDIT_OPTION                             SUCCESS    FAILURE
---------------------------------------- ---------- ----------
ALTER SYSTEM                             BY ACCESS  BY ACCESS
SYSTEM AUDIT                             BY ACCESS  BY ACCESS
CREATE SESSION                           BY ACCESS  BY ACCESS
CREATE USER                              BY ACCESS  BY ACCESS
ALTER USER                               BY ACCESS  BY ACCESS
DROP USER                                BY ACCESS  BY ACCESS
PUBLIC SYNONYM                           BY ACCESS  BY ACCESS
DATABASE LINK                            BY ACCESS  BY ACCESS
ROLE                                     BY ACCESS  BY ACCESS
PROFILE                                  BY ACCESS  BY ACCESS
CREATE ANY TABLE                         BY ACCESS  BY ACCESS

AUDIT_OPTION                             SUCCESS    FAILURE
---------------------------------------- ---------- ----------
ALTER ANY TABLE                          BY ACCESS  BY ACCESS
DROP ANY TABLE                           BY ACCESS  BY ACCESS
CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS
GRANT ANY ROLE                           BY ACCESS  BY ACCESS
SYSTEM GRANT                             BY ACCESS  BY ACCESS
ALTER DATABASE                           BY ACCESS  BY ACCESS
CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS
ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS
DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS
ALTER PROFILE                            BY ACCESS  BY ACCESS
DROP PROFILE                             BY ACCESS  BY ACCESS

AUDIT_OPTION                             SUCCESS    FAILURE
---------------------------------------- ---------- ----------
GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS
CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS
EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS
GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS
CREATE ANY JOB                           BY ACCESS  BY ACCESS
CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS

28 rows selected.

当前数据库中的现有的审计记录:


SQL> select action_name,count(*) from dba_audit_trail group by action_name;

ACTION_NAME                    COUNT(*)
---------------------------- ----------
LOGOFF BY CLEANUP                    40
LOGON                               460
LOGOFF                              377
ALTER USER                            2
SYSTEM GRANT                         12
ALTER SYSTEM                         10
CREATE PUBLIC SYNONYM                 5
ALTER DATABASE                        2
CREATE DATABASE LINK                  1
DROP PUBLIC SYNONYM                   5

10 rows selected.

ORA-07274 spdcr:access error错误一例

下午在客户office遭遇了ORA-07274错误,那是一套AIX 5.3上10.2.0.4的2节点RAC系统,乍看到7274还以为是ORA-7445的孪生兄弟,心中暗想10.2.0.4的RAC问题还真是不少:

Errors in file /s01/oracle/product/10.2.0/db_1/rdbms/log/prod21_psp0_4272.trc:
ORA-07274: spdcr: access error, access to oracle denied.
No such file or directory

Mon Apr 18 17:05:44 2011
PSP0: terminating instance due to error 7274
Mon Apr 18 17:05:44 2011
Errors in file /s01/oracle/product/10.2.0/db_1/rdbms/log/prod21_lms1_4285.trc:
ORA-07274: spdcr: access error, access to oracle denied.
Mon Apr 18 17:05:44 2011
Errors in file /s01/oracle/product/10.2.0/db_1/rdbms/log/prod21_lms0_4279.trc:
ORA-07274: spdcr: access error, access to oracle denied.
Mon Apr 18 17:05:44 2011
Errors in file /s01/oracle/product/10.2.0/db_1/rdbms/log/prod21_lmd0_4276.trc:
ORA-07274: spdcr: access error, access to oracle denied.
Mon Apr 18 17:05:44 2011
Errors in file /s01/oracle/product/10.2.0/db_1/rdbms/log/prod21_lmon_4274.trc:
ORA-07274: spdcr: access error, access to oracle denied.
Mon Apr 18 17:05:45 2011
System state dump is made for local instance
System State dumped to trace file /s01/oracle/product/10.2.0/db_1/rdbms/log/prod21_diag_4270.trc
Mon Apr 18 17:05:45 2011
Trace dumping is performing id=[cdmp_20110418170545]
Mon Apr 18 17:05:46 2011
Instance terminated by PSP0, pid = 4272


====/s01/oracle/product/10.2.0/db_1/rdbms/log/prod21_psp0_4272.trc======

error 7274 detected in background process
ORA-07274: spdcr: access error, access to oracle denied.
ksuitm: waiting up to [5] seconds before killing DIAG


[oracle@vrh1 ~]$ oerr ora 7274
07274, 00000, "spdcr: access error, access to oracle denied."
// *Cause:  Unable to access "oracle" program. Verify ?/bin/oracle or
//          $ORABCKPRG exist, and are executable.
// *Action: Check errno returned.

以上ORA-07274错误直接导致RAC的2号节点实例意外终止!

引起ORA-07274错误的唯一直接原因是$ORACLE_HOME/bin目录下的oracle 2进制文件在错误发生时无法正常访问,可能造成该重要文件无法访问的原因可能有:

1.文件系统被umount或者ORACLE_HOME所在磁盘出现错误
2.oracle 2进制文件的权限设置错误,其正确权限应为6751
3.oracle 2进制文件被意外删除;当然relink oracle程序需要短暂移动该文件,所以也可能造成以上问题

在发生以上ORA-07274错误后我们第一时间使用ls命令查看了oracle 2进制文件的状态:

[oracle@vrh1 bin]$ ls -l $ORACLE_HOME/bin/oracle     
-rwsr-s--x 1 oracle oinstall 96789226 Apr 18 17:03 /s01/oracle/product/10.2.0/db_1/bin/oracle

[oracle@vrh1 bin]$ stat $ORACLE_HOME/bin/oracle
  File: `/s01/oracle/product/10.2.0/db_1/bin/oracle'
  Size: 96789226        Blocks: 189248     IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 4434759     Links: 1
Access: (6751/-rwsr-s--x)  Uid: (  500/  oracle)   Gid: (  500/oinstall)
Access: 2011-04-18 17:04:55.000000000 -0400
Modify: 2011-04-18 17:03:44.000000000 -0400
Change: 2011-04-18 17:25:09.000000000 -0400

[oracle@vrh1 bin]$ date
Mon Apr 18 17:25:30 EDT 2011

并发现该文件在近期内被修改过(Modify: 2011-04-18 17:03:44.000000000 -0400),首先我想到的是可能有人在实例启动的情况下重新编译了oracle 2进制程序,但虽然的调查发现$ORACLE_HOME下大部分的目录修改时间(Modify time)都变成了最近。

这个时候一副”案件现场”已经呈现在我脑海中了,很明显是有人误删除了$ORACLE_HOME下的文件,在发现是误操作后立即终止了rm命令,但这个时候Oracle instance已经因为oracle 2进制程序文件丢失而意外终止terminated了,为了让现场恢复到原样,其又试图通过将1号节点上的Oracle Software传输到2号节点上来解决问题。

为了进一步证明我的想法,我求助于OS管理人员,希望通过传说中的系统命令审计来”锁定”问题。OS管理人员打开一个文本文件同我一起开始review起来,但在我看来这个审计文件的信息似乎过于简单了,只记录操作用户名下运行过的shell命令;一开始我们浏览了root用户的审计记录,没有发现任何问题;在准备查看oracle用户的审计文件时,系统管理人员才告之我,我们在查看的审计文件其实是用户home目录下的.sh_history,天哪!这就是传说中的审计文件,真神奇!

一般来说UNIX上的shell history只保留最近1000条的命令记录,为了不让这些唯一的证据丢失,我们首先将该.sh_history复制了一份,之后review历史记录文件后发现oracle用户执行过如下命令:

..............
rm -rf *
rcp -r node:/s01/oracle/product/10.2.0/db_1/* ./

rm -rf命令的确应当成为DBA的禁忌,无论是旧历江湖的老鸟还是初出茅庐的嫩头青都可能栽在rm手上。根据抽屉原理,最坏的情况总会发生,而我们又无法真正绝对意义上杜绝对rm命令的使用(我之前的文章介绍过由hostname误操作修改了RAC中一个节点的主机名的例子,这样的情况推荐使用uname -n来获取主机名字,可以杜绝使用hostname),那么我们真的很有必要在敲下rm命令前思考那么几秒,或者请另一位头脑清醒的仁兄帮自己确认一下,当然常年在船上走没有不湿鞋的,特别是当操作者处在一种panic模式的情景中时。

这个case因为oracle用户的密码只有少数几个人拥有,所以之后很容易能定位到责任人。多年之前在我第一家服务的公司中,office中到处贴着各种IT从业人员应当知晓的守则,其中就有一条”Passwords are like bubble gum”,是的密码就像是吹泡泡糖!

Oracle Advanced Security:Column Encryption Overhead

在Oracle 10g中出现了column encryption列加密特性,通过对列上的数据加密实现数据安全性的目的。当然实现这一加密特性是有代价的,一方面会导致所加密列数据每行所占磁盘空间字节数增长,另一方面会消耗更多的cpu和内存资源。

当使用Oracle的TDE(transparent data encryption)加密数据表的某一列时将导致该表上每行数据所占用的空间大致增加33-51个字节,这几十个字节用作以下用途:

  • 其中20个字节用以对加密值的完整性检查,该部分可以通过’nomac’选项来省略
  • 同时加密会填补加密值到16个字节(如果列本身长度不够的话),举例来说如果是9个字节长度的number类型,那么加密该number字段时就会需要将该数据填补到16个字节,也就是额外地多用了7个字节
  • 加密时默认采用salt选项(default),salt是指一串长度为16个字节的随机string,在数据被正式加密前这串string将会被添加到列上,这种做法使得黑客无法通过比对已知的密文来匹配加密值(steal patterns of ciphertext to known ciphertext);salt总是位于加密数据的末尾;该部分可以通过no salt选项来省略。

注意默认使用salt选项加密的列是不能创建索引的,所以强烈建议加密列时强制使用no salt选项!加密列上的索引不支持范围扫描操作(Range scans on encrypted columns can’t use index),而加密表空间(encryption tablespace)没该限制。

SQL> create table enctab (t1 int encrypt);
Table created.

SQL>  create index ind_enc on enctab(t1);
create index ind_enc on enctab(t1)
*
ERROR at line 1:
ORA-28338: Column(s) cannot be both indexed and encrypted with salt

SQL> create table news (t1 varchar2(1) encrypt);
Table created.

/*以默认的salt和mac选项创建示例用表 */

SQL> insert into news values('1');
1 row created.

SQL> commit;
Commit complete.

/* 该列本身的长度为1个字节 */

SQL> select dump(t1,16) from news;

DUMP(T1,16)
--------------------------------------------------------------------------------
Typ=1 Len=1: 31

/* 以下为该行的dump信息,可以看到加密值增长到了52字节 */
col  0: [52]
de 76 08 74 2a c0 e3 94 89 e6 a8 3b 22 54 ca e5 af 4d eb a0 26 a7 e5 c2 f5
c0 e5 3a a0 09 9a 08 fa 56 2a 92 a0 83 b3 7f 0b 99 03 ad 12 78 d4 03 ec 6e
b3 c2

针对加密列可以使用’nomac’和no salt选项来减少性能损耗,其中’no mac’选项用以允许Oracle省略在加密数据中产生和存放message authentication code(MAC,信息验证代码),如上文所述的这部分代码用以对加密值的完整性检查,会占用20个字节的空间。通过使用’nomac’选项可以有效较少加密和后续操作所额外消耗的cpu周期,同时为加密值的存储减少20个字节的开销。
另外no salt选项用以省略加密中加入的16个字节的随机字符串(string),在能保证列值都唯一的情况下(攻击者无法通过已知密文比对的方式来解密),使用该选项可以有效减少cpu周期和每个单元16字节的空间开销。

askmac.cn>create table Maclean (t1 varchar2(16) encrypt no salt 'nomac');

/* 注意这里的nomac要被单引号括起来 */

askmac.cn>alter table table_name modify column_name encrypt [using ] [no salt] ['nomac'];

此外目前列加密不支持外键约束,造成这种限制的原因是每张表都有其唯一的密钥(encryption key);而表空间加密则不存在这种限制,即便某个从属表不在加密表空间上。

SQL> create table man (t1 int primary key );
Table created.

SQL> create table woman(t1 int encrypt);
Table created.

SQL>  alter table woman add constraint fk foreign key(t1) references man(t1);
 alter table woman add constraint fk foreign key(t1) references man(t1)
                                                 *
ERROR at line 1:
ORA-28335: referenced or referencing FK constraint column cannot be encrypted

列加密特性对于表连接(table joining)来说是透明的,即便作为连接条件的列被加密了也是如此(join tables is transparent,even if the columns for join condition are encrypted)。同时分区键是不能作为加密列的,否则将出现ORA-28346: an encrypted column cannot serve as a partitioning column错误。
此外加密列索引存在诸多限制,总结加密列索引(Indexes On Encrypted Columns)的几个restrictions:

  1. 只有使用no salt选项加密的列上才允许创建索引
  2. 加密列上不支持位图索引
  3. 加密列不支持外键
  4. 加密列上创建的索引只能做等式查询,因为不能做Range scan所以如between,like等非等式查询是不支持的;这种限制是由于索引中的数据也被加密了,所以实际上数据是以加密后的形式来排序的。所有非等式查询的条件均无法利用到索引,而使用全表扫描。
  5. 如果应用不使用等式查询的话,那么建议不要在加密列上创建索引,因为这样无益与性能,反而会增加性能开销。

而加密表空间(TDE Tablespace Encryption)不存在以上关于索引的限制,甚至在加密表空间上的表的索引在非加密表空间上也不会影响其使用,包括Range Scans;显然这一点出乎许多人的意料:

SQL> select tablespace_name,ENCRYPTED from dba_tablespaces  where tablespace_name in ('ENC','USERS');
TABLESPACE_NAME                ENC
------------------------------ ---
ENC                            YES
USERS                          NO

SQL> create table tv tablespace enc as select * from dba_objects;
Table created.

SQL> create index pk_tv on tv(object_id) tablespace enc;
Index created.

SQL> set autotrace on;
SQL> select 1 from tv where object_id=9999;
         1
----------
         1

Execution Plan
----------------------------------------------------------
Plan hash value: 2009574168
--------------------------------------------------------------------------
| Id  | Operation        | Name  | Rows  | Bytes | Cost (%CPU)| Time     |
--------------------------------------------------------------------------
|   0 | SELECT STATEMENT |       |     1 |    13 |     1   (0)| 00:00:01 |
|*  1 |  INDEX RANGE SCAN| PK_TV |     1 |    13 |     1   (0)| 00:00:01 |
--------------------------------------------------------------------------
Predicate Information (identified by operation id):
---------------------------------------------------
   1 - access("OBJECT_ID"=9999)

/* 将该索引移动至非加密表空间上 */

SQL> alter index pk_tv rebuild tablespace users;
Index altered.

SQL> select 1 from tv where object_id=9999;

         1
----------
         1

Execution Plan
----------------------------------------------------------
Plan hash value: 2009574168
--------------------------------------------------------------------------
| Id  | Operation        | Name  | Rows  | Bytes | Cost (%CPU)| Time     |
--------------------------------------------------------------------------
|   0 | SELECT STATEMENT |       |     1 |    13 |     1   (0)| 00:00:01 |
|*  1 |  INDEX RANGE SCAN| PK_TV |     1 |    13 |     1   (0)| 00:00:01 |
--------------------------------------------------------------------------

Predicate Information (identified by operation id):
---------------------------------------------------
   1 - access("OBJECT_ID"=9999)

/* 可以看到虽然索引被移动到非加密表空间上但仍可以被利用到并range scan */

SQL> create bitmap index obj_typ on tv (object_type) tablespace users;
Index created.

/* 创建位图索引也没有问题 */

当然表空间加密也仍然存在一些限制:

  • 加密表空间不能使用传统的exp/imp工具导入导出,而只能使用datapump工具
  • 显然External Large Objects (BFILEs)这种存储在数据库外的外部大对象也不受支持。

Internal_Function with Encryption in SQL PLAN

Sometimes,the columns are decrypted as a result and decrypt functions (appears as INTERNAL_FUNCTION in the execution plan) are applied on them, which can lead to poor approximations of column selectivity, leading to improper plans. This happens mostly when the encrypted columns are using SALT to encrypt the data, but it can happen for other reasons as well, including bugs.

Bug:7147087 AFTER ENABLING TDE, EXECUTION PLAN CHANGES FOR THE WORSE

and it can be recognized from the following symptoms:

1. both tables participating in a join have encrypted columns.
2. there is at least a join condition with encrypted columns at both ends.
3. the second table has an index on the join column(s).
4. the INTERNAL_FUNCTION is applied to the encrypted columns in the join in the second table and the execution plan that used to be an INDEX UNIQUE SCAN on the unenecrypted columns turns into an INDEX RANGE SCAN or FULL TABLE SCAN.

Scenario 2: Pushed Predicates

The second known TDE performance bug is the one when the queries are using pushed predicates on encrypted columns inside explicit or implicit views and the encrypted column values are decrypted to filter out the values instead of encrypting the pushed predicates. This situation is met when:

1. external predicates are pushed into views
2. the execution plan presents predicate of the form INTERNAL_FUNCTION(column) = ;

On the other hand, INTERNAL_FUNCTION may consume more memory and cpu than normal

[oracle@rh2 admin]$ pwd
/s01/oracle/product/11.2.0/dbhome_1/network/admin


[oracle@rh2 admin]$ cat sqlnet.ora 
ENCRYPTION_WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=
    (DIRECTORY=/s01/wallet)))


SQL> ALTER SYSTEM SET ENCRYPTION KEY AUTHENTICATED BY "oracle";

System altered.



SQL> conn maclean/maclean
Connected.

SQL> create table enctab (t1 int encrypt);
Table created.

SQL> select * from enctab;

no rows selected


Execution Plan
----------------------------------------------------------
Plan hash value: 3026244987

----------------------------------------------------------------------------
| Id  | Operation         | Name   | Rows  | Bytes | Cost (%CPU)| Time     |
----------------------------------------------------------------------------
|   0 | SELECT STATEMENT  |        |     1 |    47 |     2   (0)| 00:00:01 |
|   1 |  TABLE ACCESS FULL| ENCTAB |     1 |    47 |     2   (0)| 00:00:01 |
----------------------------------------------------------------------------

Note
-----
   - dynamic sampling used for this statement (level=2)


Statistics
----------------------------------------------------------
          0  recursive calls
          0  db block gets
          0  consistent gets
          0  physical reads
          0  redo size
        330  bytes sent via SQL*Net to client
        512  bytes received via SQL*Net from client
          1  SQL*Net roundtrips to/from client
          0  sorts (memory)
          0  sorts (disk)
          0  rows processed

SQL> select * from enctab where t1=10;

no rows selected


Execution Plan
----------------------------------------------------------
Plan hash value: 3026244987

----------------------------------------------------------------------------
| Id  | Operation         | Name   | Rows  | Bytes | Cost (%CPU)| Time     |
----------------------------------------------------------------------------
|   0 | SELECT STATEMENT  |        |     1 |    47 |     2   (0)| 00:00:01 |
|*  1 |  TABLE ACCESS FULL| ENCTAB |     1 |    47 |     2   (0)| 00:00:01 |
----------------------------------------------------------------------------

Predicate Information (identified by operation id):
---------------------------------------------------

   1 - filter(INTERNAL_FUNCTION("T1")=10)

Note
-----
   - dynamic sampling used for this statement (level=2)


Statistics
----------------------------------------------------------
          1  recursive calls
          0  db block gets
          0  consistent gets
          0  physical reads
          0  redo size
        330  bytes sent via SQL*Net to client
        512  bytes received via SQL*Net from client
          1  SQL*Net roundtrips to/from client
          0  sorts (memory)
          0  sorts (disk)
          0  rows processed

SQL> desc enctab;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 T1                                                 NUMBER(38) ENCRYPT


SQL> col WRL_PARAMETER for a20
SQL> set linesize 140
SQL> select * from V$ENCRYPTION_WALLET;

WRL_TYPE             WRL_PARAMETER        STATUS
-------------------- -------------------- ------------------
file                 /s01/wallet          OPEN


Script:收集数据库安全风险评估信息

以下脚本可以用于收集数据库安全风险评估信息:

REM list database vulnerability assessment info

set escape on;
set linesize 140 ;
spool db_vulnerability_assessment.log

Select role
  from dba_roles r
 where role not in ('CONNECT',
                    'RESOURCE',
                    'DBA',
                    'SELECT_CATALOG_ROLE',
                    'EXECUTE_CATALOG_ROLE',
                    'DELETE_CATALOG_ROLE',
                    'EXP_FULL_DATABASE',
                    'WM_ADMIN_ROLE',
                    'IMP_FULL_DATABASE',
                    'RECOVERY_CATALOG_OWNER',
                    'AQ_ADMINISTRATOR_ROLE',
                    'AQ_USER_ROLE',
                    'GLOBAL_AQ_USER_ROLE',
                    'OEM_MONITOR',
                    'HS_ADMIN_ROLE')
   and not exists
 (Select 1 from dba_role_privs p where p.granted_role = r.role)
/

select tp.grantee, tp.table_name
  from dba_tab_privs tp, dba_users u
 where tp.owner = 'SYS'
   and (tp.table_name like 'V_$%' or tp.table_name like 'G_V$')
   and tp.grantee = u.username
   and u.username not in ('SYS',
                          'SYSTEM',
                          'SYSMAN',
                          'EXFSYS',
                          'WMSYS',
                          'OLAPSYS',
                          'OUTLN',
                          'DBSNMP',
                          'ORDSYS',
                          'ORDPLUGINS',
                          'MDSYS',
                          'DMSYS',
                          'CTXSYS',
                          'AURORA$ORB$UNAUTHENTICATED',
                          'XDB',
                          'FLOWS_030000',
                          'FLOWS_FILES')
 order by 1, 2
/


select *
  from (select 'Hidden User in DBA_USERS' ddview, name
          from sys.user$
         where type# = 1
        minus
        select 'Hidden User in DBA_USERS', username from SYS.dba_users) q1
union all
select *
  from (select 'Hidden User in ALL_USERS', name
          from sys.user$
         where type# = 1
        minus
        select 'Hidden User in ALL_USERS', username from SYS.all_users) q2
/



select grantee, granted_role
  from dba_role_privs
 where grantee in (select role from dba_roles)
 order by grantee, granted_role
/

select grantee, privilege, admin_option
  from dba_sys_privs sp, dba_users u
 where sp.GRANTEE = u.username
   and grantee not in ('SYS', 'SYSTEM')
   and privilege in (select name
                       from sys.system_privilege_map
                      where 0 = 1
                         or name like '%ANY%'
                         or name like '%DATABASE%'
                         or name like '%DIRECTORY%'
                         or name like '%LIBRARY%'
                         or name like '%LINK%'
                         or name like '%PROFILE%'
                         or name like '%RESTRICTED%'
                         or name like 'SYS%'
                         or name like '%SYSTEM%'
                         or name like '%TABLESPACE%'
                         or name like '%USER%')
 order by 1
/

select role,
       (select count(*)
          from dba_role_privs rp
         where rp.granted_role = r.role) GRANT_COUNT
  from dba_roles r
 where r.role in ('DBA', 'CONNECT', 'RESOURCE')
 order by 1
/

select grantee, granted_role, admin_option
  from dba_role_privs rp, dba_users u
 where rp.grantee = u.username
   and grantee not in ('SYS', 'SYSTEM')
   and granted_role in (select role
                          from dba_roles
                         where 0 = 1
                            or role like '%CATALOG%'
                            or role like '%DATABASE%'
                            or role like '%DBA%')
 order by 1
/

select distinct profile, resource_name, actual_limit 
from (select P.Profile, p.resource_Name,
             decode(p.limit, 'UNLIMITED', '9999999999999999999', 
                   'NULL', null, to_number(p.limit)) limit,
             limit actual_limit
      from ( select profile, resource_name, 
                    decode(resource_name,  'IDLE_TIME', decode(limit, 'DEFAULT', 'UNLIMITED', limit),
                                           'FAILED_LOGIN_ATTEMPTS', decode(limit, 'DEFAULT', '10', limit),
                                           'PASSWORD_LIFE_TIME', decode(limit, 'DEFAULT', 'UNLIMITED', limit),
                                           'PASSWORD_REUSE_MAX', decode(limit, 'DEFAULT', 'UNLIMITED', limit),
                                           'PASSWORD_REUSE_TIME', decode(limit, 'DEFAULT', 'UNLIMITED', limit),
                                           'PASSWORD_GRACE_TIME', decode(limit, 'DEFAULT', 'UNLIMITED', limit),
                                'PASSWORD_VERIFY_FUNCTION', decode(limit, 'NULL', '0', null, 0, 'DEFAULT', 0, 1), limit) limit
              from   dba_profiles
              where resource_name in ('IDLE_TIME', 'FAILED_LOGIN_ATTEMPTS',
                                      'PASSWORD_LIFE_TIME', 'PASSWORD_REUSE_MAX',
                                      'PASSWORD_REUSE_TIME','PASSWORD_GRACE_TIME',
                                      'PASSWORD_VERIFY_FUNCTION')) p ) 
where 1=0 
or    (RESOURCE_NAME = 'IDLE_TIME' AND LIMIT > 60)
or    (RESOURCE_NAME = 'FAILED_LOGIN_ATTEMPTS' AND LIMIT > 3)
or    (RESOURCE_NAME = 'PASSWORD_LIFE_TIME' AND LIMIT > 90)
or    (RESOURCE_NAME = 'PASSWORD_REUSE_MAX' AND LIMIT > 20)
or    (RESOURCE_NAME = 'PASSWORD_REUSE_TIME' AND LIMIT > 180)
or    (RESOURCE_NAME = 'PASSWORD_GRACE_TIME' AND LIMIT > 3)
or    (RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION' AND LIMIT = 0)
order by 1,2
/

Select s.owner, s.synonym_name, s.table_owner, s.table_name
  from sys.DBA_synonyms s
 where not exists (Select 'x'
          from sys.DBA_objects o
         where o.owner = s.table_owner
           and o.object_name = s.table_name)
   and db_link is null
   and s.owner <> 'PUBLIC'
 order by 1
/

Select distinct profile
  from dba_profiles
minus
Select distinct profile from dba_users
/

select table_name
  from dba_tab_privs
 where owner = 'SYS'
   and grantee = 'PUBLIC'
   and table_name in ('UTL_SMTP',
                      'UTL_TCP',
                      'UTL_HTTP',
                      'UTL_FILE',
                      'DBMS_RANDOM',
                      'DBMS_LOB',
                      'DBMS_SYS_SQL',
                      'DBMS_BACKUP_RESTORE',
                      'EMD_SYSTEM',
                      'DBMS_NAMESPACE',
                      'DBMS_SCHEDULER')
 order by 1
/ 
 

select username, password from dba_users order by 1
/


select tp.grantee, tp.table_name, tp.privilege
  from dba_tab_privs tp, dba_users u, dba_tables t
 where tp.owner = 'SYS'
   and tp.grantee = u.username
   and tp.owner = t.owner
   and tp.table_name = t.table_name
   and u.username not in ('SYS',
                          'SYSTEM',
                          'SYSMAN',
                          'EXFSYS',
                          'WMSYS',
                          'OLAPSYS',
                          'OUTLN',
                          'DBSNMP',
                          'ORDSYS',
                          'ORDPLUGINS',
                          'MDSYS',
                          'CTXSYS',
                          'AURORA$ORB$UNAUTHENTICATED',
                          'XDB',
                          'FLOWS_030000',
                          'FLOWS_FILES')
 order by 1, 2, 3
/
 
 select sp.grantee, sp.privilege
   from dba_sys_privs sp, dba_users u
  where sp.admin_option = 'YES'
    and u.username = sp.grantee
    and u.username not in ('SYS',
                           'SYSTEM',
                           'SYSMAN',
                           'EXFSYS',
                           'WMSYS',
                           'OLAPSYS',
                           'OUTLN',
                           'DBSNMP',
                           'ORDSYS',
                           'ORDPLUGINS',
                           'MDSYS',
                           'CTXSYS',
                           'AURORA$ORB$UNAUTHENTICATED',
                           'XDB',
                           'FLOWS_030000',
                           'FLOWS_FILES')
  order by 1, 2
/
  
  select p.grantee, p.owner, p.table_name, p.privilege
    from dba_tab_privs p, dba_users u
   where p.grantable = 'YES'
     and u.USERNAME = p.grantee
     and u.username not in ('SYS',
                            'SYSTEM',
                            'SYSMAN',
                            'EXFSYS',
                            'WMSYS',
                            'OLAPSYS',
                            'OUTLN',
                            'DBSNMP',
                            'ORDSYS',
                            'ORDPLUGINS',
                            'MDSYS',
                            'CTXSYS',
                            'AURORA$ORB$UNAUTHENTICATED',
                            'XDB',
                            'FLOWS_030000',
                            'FLOWS_FILES')
   order by 1, 2, 3, 4
/

select username
  from dba_users
 where account_status!='EXPIRED \& LOCKED'
 order by 1
/

Select s.synonym_name, s.table_owner, s.table_name
  from sys.DBA_synonyms s
 where not exists (Select 'x'
          from sys.DBA_objects o
         where o.owner = s.table_owner
           and o.object_name = s.table_name)
   and db_link is null
   and s.owner = 'PUBLIC'
 order by 1
/

select r.grantee, r.granted_role
  from dba_role_privs r, dba_users u
 where r.admin_option = 'YES'
   and u.username = r.grantee
   and u.username not in ('SYS',
                          'SYSTEM',
                          'SYSMAN',
                          'EXFSYS',
                          'WMSYS',
                          'OLAPSYS',
                          'OUTLN',
                          'DBSNMP',
                          'ORDSYS',
                          'ORDPLUGINS',
                          'MDSYS',
                          'CTXSYS',
                          'AURORA$ORB$UNAUTHENTICATED',
                          'XDB',
                          'FLOWS_030000',
                          'FLOWS_FILES')
 order by 1, 2
/


select username
  from dba_users
 where password = 'EXTERNAL'
 order by username
/

Know about Oracle Network Security

Good network security is accomplished by utilizing port and protocol screening with routers, firewalls,
and Intrusion Detection Systems.Port and protocol screening with routers, firewalls,
and Intrusion Detection Systems create a bastion against network attacks.

A device that routes and translates information between interconnected networks is called a firewall.
Firewalls have a different function
Routers, not firewalls, use destination address and origin address to select the best path to route traffic.

When installing a firewall, the first action is to stop all communication.
After installation, the System Administrator adds rules that allow specific types of traffic to pass through the new firewall.
After installation of a firewall, the System Administrator adds rules
that allow specific types of traffic to pass through the new firewall

A switch is a data link layer device that forwards traffic based on MAC addresses.
Switching is performed in hardware instead of software, so it is significantly faster.

Network Security Wizards Dragon 4.0 is an example of vendors that offer  Intrusion Detection Systems or IDS

1.
Authentication is the process of verifying the identity of a user, device, or other entity.
Once the identity is verified, a trust relationship is established and further network interaction is possible.

2.
Authorization is the process of assigning various levels of access and capabilities for the authenticated user.
In other words, authorization allows assigned levels of access in the database environment.

3.
Oracle 8i supports 3 models for storing Authorizations in a centralized directory service. Public Key Infrastructure,
Microsoft Active Directory, or Distributed Computing Environment. PKI together with Oracle Internet Directory is the optimal method.

4.
Most issues of data security can be handled by Oracle8i authentication mechanisms.

5.
The init.ora file, or instance configuration file, is one of the key configuration files
in an Oracle database environment that must be protected.
This file contains all the initialization parameters: the configurable parameters that are applied when an instance is started up.

6.
A file transfer copy of the tnsnames.ora configuration file is a common way for hackers to discover whether the
AUDIT function is enabled. If they determine that AUDIT is enabled, they can take steps to cover their activities,
or even delete the audit trail.

7.
To protect the key configuration files at the operating system level,
the system administrator should ensure that UNIX file permissions and
the umask environment variable are set for the optimal combination of file restrictions in that environment.
The default value of umask is 022, but the UNIX system administrator responsible for that environment may
decide that a more restrictive value is appropriate.

8.
In Sun Solaris UNIX environments, a low level of security can be achieved using access control
utilities such as GETFACL and SETFACL. These access control list utilities are specific to the Sun Solaris UNIX platform

9.
Controlling access by using database object privileges is called DAC, or discretionary access control.
DAC controls access to any given object by granting specific privileges to user objects or roles.

10.
Giving a database user object the authority to perform INSERT or DELETE commands in a given table is an example of a privilege.
This privilege applies to a given user object, unlike a role which applies to a group of user objects.

11.
Virtual Private Database technology allows security access controls to be applied directly to views or tables.
Unlike other access control methods, defined access controls apply directly to the table or view, not the user object.

12.
Oracle Label Security provides fine-grained access control within the database by using access control tables and a security policy.
Label Security augments Virtual Private Databases to provide a tighter security for data.

13.
The transformation of data by using cryptography to make it unintelligible is known as encryption.
To encrypt a file is to render that file completely unreadable until it has been properly decrypted.

14.
DES and RC4 are examples of symmetric key encryption. 3DES, DES40 and RC2 are additional symmetrical encryption algorithms.

15.
Cryptography that requires key agreement, or keys on both sides of the session, is known as Diffie-Hellman cryptography.
This allows mutual authentication with the same common key. Advanced Security Option uses Diffie-Hellman cryptography.

16.
Cryptography that provides for private communications within a public network without trusting anyone to keep secrets is
called public key infrastructure, or PKI. HTTP and LDAP protocols are included within the public key infrastructure.

17.
The most widely used PKI application that supplies data integrity and encryption in the transport layer of the
Open Systems Interconnection (OSI) model is the secure sockets layer, or SSL, protocol.
SSL is typically used for authenticating servers and for the traffic encryption of credit cards and passwords.

18.
A data dictionary table called sys.aud$ is the database audit trail.
The database audit trail stores records which audit database statements, schema objects, and privileges.

19.
An entry in the operating system audit trail is always created when instance startup or instance shutdown occurs,
or when the sys user object logs in. The instance startup entry is necessary in order to
maintain a complete audit trail when the data dictionary is not available.

20.
The type of audit trail that efficiently consolidates audit records from multiple sources
(including Oracle databases and other applications which use the audit trail) is the operating system audit trail.
Operating system audit trails allow all audit records to reside in one place, including database audit trails.

21.
You can use Oracle Reports to create customized reports of audit information when the database audit trail is in use.
You can analyze database audit trail information and produce good reports from that analysis,
which is an advantage over using the operating system audit trail method.

22.
To protect the database audit trail from unauthorized deletions,
grant the Delete Any Table system privilege to security administrators only.
An unauthorized user with this system privilege can severely damage a database security trail, or even delete all the data.
Assign this privilege very carefully.

23.
Advanced Security Option provides a single source of integration with network encryption, single-sign-on services,
and security protocols. ASO is the centralized source for all of these security features.

24.
ASO ensures that data is not disclosed or stolen during Net8 transmissions by means of RSA encryption,
DES encryption, and Triple-DES encryption.

25.
The SSL feature of ASO allows you to use the SHA, or secure hash algorithm.
The SHA is slightly slower than MD5, but it is more secure against brute-force collision and inversion attacks.

26.
he SSO, or single sign-on, feature of ASO allows access to multiple accounts and applications with a single password.
SSO simplifies the management of user accounts and passwords for system administrators.

27.
LDAP stands for Lightweight Directory Access Protocol, which is a directory service standard based on the ISO X.500 specification.
LDAP is a protocol defined and maintained by the same task force which defined the HTTP and TCP/IP protocols.

28.
OID means Oracle Internet Directory, which is the LDAP directory available from Oracle.
OID is a directory service compliant with LDAP v. 3, and it offers scalability, security, and high availability.

29.
The scalability of OID allows thousands of LDAP clients to be connected together without harming performance.
Much of this scalability is accomplished using connection pooling and multithreaded server implementations.

30.
The Java-based tool for administering OID is called Directory Manager.
The Directory Manager tool provides administrative transparency for the Oracle environment,
and is based on Oracle Enterprise Manager.

32.
OID security controls data access at the authentication level, by using access control lists.
Data access is controlled with anonymous authentication methods, either password-based or certificate-based (through SSL).

33.
An enterprise user is defined and managed in a directory. All enterprise users have a unique identity which spans the enterprise.

34.
Enterprise User Security Management allows large user communities to access multiple applications with a single sign-on.
User credentials and authorizations are stored in a directory.
This allows single sign-ons using x.509v3 certificates over SSL.

35.
Groups of global roles are called enterprise roles, which are assigned to enterprise users in order to avoid
granting roles to hundreds or thousands of individual users.

36.
You can remove the need to create duplicate user objects in every database by using the shared schemas feature.
The benefit of shared schemas is fewer user accounts.

37.
The current user database link feature allows user objects to connect to another database instance as the procedure owner.
A current user database link requires global users and SSL.

38.
The Login server provides a single, enterprisewide authentication mechanism. This authentication mechanism allows users to
identify themselves securely to multiple applications through a single authentication step, or single sign-on (SSO).

39.
The single sign-on feature allows the storage of passwords in LDAP-compliant directory services such as Oracle Internet Directory.
Storing usernames and passwords in a directory improves efficiency by centralizing this administrative duty.

40.
A partner application can accept authentication directly from the Login server.
Partner applications are modified to work within the SSO framework.

41.
External applications are not modified to work within the SSO framework.
The Login server does not store the username and password, but only supplies this native information from the external application.
The benefits of LDAP directories are not available to external applications.

42.
During Oracle product installations, user objects are created with default passwords. SYS, SYSTEM,
and ORACLE are the most critical to examine, but all objects that may have default passwords should be examined.

43.
V_$PWFILE_USERS is the view that shows which user objects have been granted SYSDBA or SYSOPER privileges.
It is normal for INTERNAL and SYS objects to have the privileges, but suspect any other user objects that have these privileges.
When in doubt, revoke the privilege and monitor the change.

44.
Users with unlimited tablespace can accidentally or intentionally use 100 percent of available tablespace.
Review this ability by examining the DBA_TS_QUOTES view. User objects have unlimited tablespace
if that object displays MAX_BLOCKS or MAX_BYTES columns equal to -1.
Any user object that has this privilege should be examined closely for verification of need.

45.
Invoke SQL*Plus with the NOLOG switch to remove the plain-text password entry from the UNIX process table.
Sessions started with this /nolog SQL*Plus switch cannot reveal the password
when another session uses the Ps -ef|grep SQL*Plus command.

46.
The data dictionary view, DBA_ROLES, will reveal the names of all roles and their current password status.
It is a good view for reviewing any potential security risks related to roles and their respective passwords.
Review this view regularly to verify that these roles are not being misused,
and that a secure password policy is in place for all roles.

47.
Virtual Private Databases is a good security product but requires programming to implement.
Oracle Label Security provides similar row-level security out-of-the-box without this same need.
Oracle Label Security provides row-level security in databases without the need for programming that VPD requires.

48.
The Oracle Label Security administrative tool that allows you to quickly implement a security policy on a table is named Policy Manager.
Oracle Policy Manager allows administrators to use predefined security policies to quickly implement row-level security on any table.

49.
Oracle Label Security controls access to rows in database tables based on a label contained
in the row and the label privileges given to each user session. Beyond Directory Access Controls restrictions,
row-level security provides a finer level of security by using these two labels to implement further restrictions
and provide ease of administration.

50.
The user label specifies the data that a user or stored program unit has access to.
This is one element of security using Oracle Label Security.

51.
The row label specifies the sensitivity of the data placed under control. The row label has a different function than the user label.
The row label provides security on the data, not the user session or stored program unit.

52.
Oracle AUDIT performs the monitoring and recording of selected user database actions.
Oracle AUDIT is used to watch over user actions in a database instance.

53.
The AUDIT_TRAIL init.ora parameter is used to stop, start, and configure the AUDIT function for any given instance.
NONE is the default value of this parameter; the OS value of this parameter
enables all audit records to go to the operating system's audit trail,
and the dB value of this parameter enables database auditing.

54.
Minimize auditing. If only user login monitoring is required, listener log monitoring is an alternative to using AUDIT.
All sessions route through the listener, and an entry is made in the listener log for each session.

55.
To maintain optimal performance, you should periodically issue the SQL command truncate on the audit table. Old,
unnecessary data should be purged regularly. The length of time between truncate command invocations
that will maintain the optimal audit table size will vary by the volume of audit information retained.

56.
The most critical role to control is the DELETE_ANY_CATALOG role. Only DBAs should have this role.
This is key to protecting the audit trail. Restricting this role will ensure that the audit trail is protected from deletion.
Hackers will often remove or edit the audit trail to cover their activities.

57.
Advanced Security Option (ASO) encrypts all protocols in the database. Net8 connections to the database are encrypted,
as are all connections to the database.

58.
Data integrity is provided by the checksumming algorithm. The checksumming technique detects replay attacks,
where a valid $100.00 withdrawal is resubmitted 100 unauthorized times.

59.
DES is an example of native ASO cryptography. An example of an SSL cryptography that expands on DES is the 3 DES cryptography.
Triple Data Encryption Standard (DES) makes three passes during the cryptography process, providing a higher level of security.

60.
A system that uses polices and procedures to establish a secure information exchange is
called the public key infrastructure, or PKI.
Several elements of PKI include SSL, x.509v3 certificates, and the Certificate Authority.

61.
Benefits of using the public key infrastructure include the ability to scale to the Internet and accommodate millions of users.
Efficiency is paramount when millions of users are part of the community.

沪ICP备14014813号-2

沪公网安备 31010802001379号