40、安全_2(审计、钱包加密)
查看建立的函数:
select * from dba_objects f where f.OBJECT_NAME like 'FUN%';
策略1和策略2同时建立之后,查询结果:
SQL> select name from car;
NAME
--------------------
toyota
volvo
honda
SQL> select name,cost from car;
NAME COST
-------------------- ----------
toyota 30
volvo 30
honda 30
SQL> select num,cost from car;
NUM COST
---------- ----------
20 10
30 10
40 10
SQL> select * from car;
no rows selected
另外情况的函数和策略
定义策略3:
begin
dbms_rls.add_policy(
object_schema => 'u1',
object_name => 'car',
policy_name => 'filter_num',
policy_function => 'fun_num',
sec_relevant_cols => 'num',
sec_relevant_cols_opt =>dbms_rls.all_rows); -- 只显示满足策略的列:num列cost = 10的满足策略,不满足的就为空
end;
/
查询结果:
SQL> select * from car;
NAME NUM COST
-------------------- ---------- ----------
toyota 30
volvo 30
honda 30
biaozhi 20
xuetielong 20
polo 20
xiali 20 10
jili 30 10
byd 40 10
9 rows selected.
定义函数3:
create or replace function f_limit_access
(
vc_schema varchar2,
vc_object varchar2
) return varchar2
as
vc_userid varchar2(100);
begin
select SYS_CONTEXT('USERENV','SESSION_USER') -- 判断当前登录用户是谁
into vc_userid
from dual;
if (trim(vc_userid)='U1') then -- 如果登录用户为U1
return '1=1'; -- 返回一个条件
else
return '1=0'; -- 不是U1用户,返回另外一个条件
end if;
end;
/
策略函数,判断当前登录用户,根据用户的情况,返回不同的where条件
建立策略4(对应函数3):
begin
dbms_rls.add_policy(
object_schema => 'U1',
object_name => 'CAR',
policy_name => 'VPD_TEST',
function_schema => 'U1',
policy_function => 'F_LIMIT_ACCESS');
end;
/
建立策略4之后的查询结果:
SQL> connect u1/u1
Connected.
SQL> select * from car;
NAME NUM COST
-------------------- ---------- ----------
toyota 10 30
volvo 50 30
honda 60 30
biaozhi 70 20
xuetielong 80 20
polo 90 20
xiali 20 10
jili 30 10
byd 40 10
9 rows selected.
SQL> connect utest1/utest1
Connected.
SQL> select * from u1.car;
no rows selected
所以VPD可以:
1、可以隐藏某些行
2、可以隐藏某些列
3、不同的用户,登陆后查询,显示不同的数据
审计
对sys用户的审计
对于sys用户来讲:
只要登陆,就被强制审计;
但是对于sys做了什么,它不审计;也可以设置参数使登陆后所做的事情也被审计
用sys用户登陆数据库,登陆这个行为就被审计了
登录数据库的时候就要被审计
查看审计文件:
1、首先登录数据库
[oracle@db11g ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Sat Feb 11 01:35:19 2017
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL>
2、查看审计文件内容
[oracle@db11g ~]$ cd /u01/app/oracle/admin/orcl/adump
[oracle@db11g adump]$ ll -t|more
total 808
-rw-r----- 1 oracle oinstall 772 Feb 11 01:35 orcl_ora_5006_20170211013519198737143795.aud
-rw-r----- 1 oracle oinstall 766 Feb 10 21:40 orcl_ora_24984_20170210214020316275143795.aud
-rw-r----- 1 oracle oinstall 1501 Feb 10 21:38 orcl_s000_1488_20170210014716686331143795.aud
-rw-r----- 1 oracle oinstall 766 Feb 10 19:01 orcl_ora_16004_20170210190136584381143795.aud
-rw-r----- 1 oracle oinstall 772 Feb 10 18:57 orcl_s004_1496_20170210185758932712143795.aud
-rw-r----- 1 oracle oinstall 774 Feb 10 08:11 orcl_ora_13992_20170210081150194153143795.aud
-rw-r----- 1 oracle oinstall 1017 Feb 10 07:54 orcl_s002_1492_20170210075404966757143795.aud
-rw-r----- 1 oracle oinstall 2024 Feb 10 07:54 orcl_s001_1490_20170209174721334447143795.aud
-rw-r----- 1 oracle oinstall 1001 Feb 10 01:47 orcl_s003_1494_20170209185118719720143795.aud
-rw-r----- 1 oracle oinstall 774 Feb 10 01:40 orcl_ora_25645_20170210014018163355143795.aud
-rw-r----- 1 oracle oinstall 764 Feb 9 18:52 orcl_ora_4199_20170209185227902487143795.aud
-rw-r----- 1 oracle oinstall 4326 Feb 9 17:47 orcl_s019_22005_20170208171107111721143795.aud
-rw-r----- 1 oracle oinstall 831 Feb 9 17:46 orcl_s006_1500_20170209174615347664143795.aud
-rw-r----- 1 oracle oinstall 769 Feb 9 17:45 orcl_ora_28875_20170209174513294570143795.aud
-rw-r----- 1 oracle oinstall 769 Feb 9 17:45 orcl_ora_28874_20170209174513251955143795.aud
-rw-r----- 1 oracle oinstall 769 Feb 9 17:42 orcl_ora_28866_20170209174208297287143795.aud
-rw-r----- 1 oracle oinstall 769 Feb 9 17:42 orcl_ora_28844_20170209174208006693143795.aud
-rw-r----- 1 oracle oinstall 769 Feb 9 17:42 orcl_ora_28843_20170209174207973210143795.aud
-rw-r----- 1 oracle oinstall 769 Feb 9 17:42 orcl_ora_28842_20170209174207880767143795.aud
[oracle@db11g adump]$ cat orcl_ora_5006_20170211013519198737143795.aud
Audit file /u01/app/oracle/admin/orcl/adump/orcl_ora_5006_20170211013519198737143795.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1
System name: Linux
Node name: db11g
Release: 2.6.32-431.el6.x86_64
Version: #1 SMP Sun Nov 10 22:19:54 EST 2013
Machine: x86_64
Instance name: orcl
Redo thread mounted by this instance: 1
Oracle process number: 41
Unix process pid: 5006, image: oracle@db11g (TNS V1-V3)
Sat Feb 11 01:35:19 2017 +08:00
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/2'
STATUS:[1] '0'
DBID:[10] '1458193369'
审计参数
audit_sys_operations参数
设置参数:audit_sys_operations,来使sys用户登陆数据库后所做的事情也被审计
SQL> show parameter audit_sys_operations
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_sys_operations boolean FALSE
SQL> alter system set audit_sys_operations=true scope=spfile;
System altered.
SQL> startup force; -- 重启数据库
ORACLE instance started.
Total System Global Area 1603411968 bytes
Fixed Size 2253664 bytes
Variable Size 1426066592 bytes
Database Buffers 167772160 bytes
Redo Buffers 7319552 bytes
Database mounted.
Database opened.
sys用户,首先建立了一个表,还访问了u1用户的t1表:
SQL> create table t101 as select * from dba_objects;
Table created.
SQL> select count(*) from u1.t1;
COUNT(*)
----------
0
查看审计文件:
[oracle@db11g adump]$ cat orcl_ora_26802_20170211182729736166143795.aud
Audit file /u01/app/oracle/admin/orcl/adump/orcl_ora_26802_20170211182729736166143795.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/11.2.0/db_1
System name: Linux
Node name: db11g
Release: 2.6.32-431.el6.x86_64
Version: #1 SMP Sun Nov 10 22:19:54 EST 2013
Machine: x86_64
Instance name: orcl
Redo thread mounted by this instance: 1
Oracle process number: 49
Unix process pid: 26802, image: oracle@db11g (TNS V1-V3)
Sat Feb 11 18:27:29 2017 +08:00
LENGTH : '160'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[10] '1458193369'
Sat Feb 11 18:27:29 2017 +08:00
LENGTH : '159'
ACTION :[6] 'COMMIT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[10] '1458193369'
Sat Feb 11 18:27:29 2017 +08:00
LENGTH : '159'
ACTION :[6] 'COMMIT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[10] '1458193369'
Sat Feb 11 18:28:29 2017 +08:00
LENGTH : '200'
ACTION :[46] 'create table t101 as select * from dba_objects' -- 建表被审计了
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[10] '1458193369'
Sat Feb 11 18:28:54 2017 +08:00
LENGTH : '180'
ACTION :[26] 'select count(*) from u1.t1' -- 访问u1用户的t1表也被审计了
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
DBID:[10] '1458193369'
对普通用户的审计(标准审计)
1、在11g里面,默认开启了对普通用户的审计
2、开启之后需要去设置
对普通用户审计了什么?
1、审计普通用户执行的SQL语句
2、审计普通用户使用了哪些系统权限
3、审计普通用户用了哪些对象权限
怎么设置对普通用户的审计?
查询普通用户的相关审计:
1、查询用户的审计(做哪些操作会被审计)
select * from dba_obj_audit_opts;
当用户U1对t1表做delete操作的时候就会被审计(基于对象的审计)
2、查询用户使用哪些权限会被审计
select * from DBA_PRIV_AUDIT_OPTS;
当用户只要使用了这些权限就会被审计
3、查询用户执行哪些操作会被审计
select * from DBA_STMT_AUDIT_OPTS
当用户执行相关的语句的时候就会被审计
4、查询审计信息:
select * from dba_audit_trail
dba_audit_trail视图里面记录着所有的审计信息
对于sys用户,oracle对它没有任何审计功能
5、清空审计信息:
delete from sys.aud$ where timestamp#<sysdate-10
6、查询会话审计(对用户登录、退出做的审计):
select * from dba_audit_session;
7、查询对象的审计(对哪个对象做了什么操作的审计):
select * from dba_audit_object;
精细化审计
对一个表里面的某些行,或者某些列,或者某一列的某一行进行审计
示例:对用户U1访问T1表时会被审计,但只是对id=2的这一行的name列和id列做审计(审计某几块)
添加审计(策略):
begin
dbms_fga.add_policy(object_schema=>'U1',
object_name=>'T1',
policy_name=>'chk_t',
audit_condition=>'id=2',
audit_column=>'NAME,ID', -- name列和id列,访问其中任何一个列都会被审计
enable=>TRUE,
statement_types=>'SELECT,INSERT,UPDATE,DELETE'
);
end;
查询审计:
select OBJECT_SCHEMA,OBJECT_NAME,POLICY_NAME from dba_audit_policies;
查询审计记录:
select OBJECT_SCHEMA,OBJECT_NAME,POLICY_NAME,SQL_TEXT from dba_fga_audit_trail;
加密
1、对表上的列加密
2、对整个表空间加密(11g的新特性)
加密使用钱包的策略
1、建立一个钱包,钱包有一个密码
2、加密的时候,只要钱包保持打开,可以直接使用加密功能
钱包的建立
1、编辑一个文件:sqlnet.ora文件
[oracle@db11g ~]$ cd /u01/app/oracle/product/11.2.0/db_1/network/admin
[oracle@db11g admin]$ vi sqlnet.ora
添加内容:
ENCRYPTION_WALLET_LOCATION = (SOURCE =
(METHOD = FILE) -- 钱包放到某个文件里面
(METHOD_DATA =
(DIRECTORY =
/u01/app/oracle/product/11.2.0/db_1/jinshang/wallet))) --钱包所放的位置,这个目录之前必须有
2、执行一条命令:
SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "qwe123!@#"; -- qwe123!@#:钱包密码
会在/u01/app/oracle/product/11.2.0/db_1/jinshang/wallet目录里生成一个钱包文件:
[oracle@db11g db_1]$ cd jinshang
[oracle@db11g jinshang]$ cd wallet
[oracle@db11g wallet]$ ls
ewallet.p12 -- 钱包文件
3、查看钱包是否打开:
select * from v$encryption_wallet;
钱包未打开
4、打开钱包:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "qwe123!@#";
select * from v$encryption_wallet;
打开钱包之后,只要数据库不关闭,钱包一直保持打开
5、关闭钱包:
SQL> ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "qwe123!@#";
注意:
这里我们建立的钱包是不能自动打开的,需要我们自己手工打开,数据库重启以后也需要手工打开;
要建立自动打开的钱包,查看官方文档:
建立一张表:指定salary列加密
CREATE TABLE employee (
first_name VARCHAR2(128),
last_name VARCHAR2(128),
empID NUMBER,
salary NUMBER(6) ENCRYPT -- ENCRYPT:使用加密,salary列自动加密
);
建立一张表:指定使用什么加密算法加密
CREATE TABLE employee1 (
first_name VARCHAR2(128),
last_name VARCHAR2(128),
empID NUMBER ENCRYPT NO SALT,
salary NUMBER(6) ENCRYPT USING '3DES168' -- 指定使用3DES168加密算法
);
加密算法:
1、3DES168
2、AES128
3、AES192:(default)默认为这种加密算法
4、AES256
只要建立了钱包,加密的时候不需要指定密码,钱包直接就给加密了;访问的时候也不需要密码,它直接解密;只是打开钱包的时候需要使用钱包的密码
使用rman备份的时候,也可以使用加密
添加一个列时加密,或许修改某个列为加密的列:
SQL> ALTER TABLE employee ADD (ssn VARCHAR2(11) ENCRYPT);
SQL> ALTER TABLE employee MODIFY (first_name ENCRYPT);
SQL> ALTER TABLE employee MODIFY (first_name ENCRYPT 'NOMAC');
创建一个加密的表空间:
CREATE TABLESPACE securespace
DATAFILE '+DATA'
SIZE 150
MENCRYPTION USING '3DES168'
DEFAULT STORAGE(ENCRYPT);
