A survey of third-party Oracle database security and vulnerability scanning tools

Although Oracle has its own rich line of database security products, including Oracle Advanced Security, VPD, Database Vault, Label Security, Database Firewall and so on,

it is still worth paying attention to third-party security tools. Their main uses include vulnerability scanning, risk assessment, security recommendations and auditing.

 

Secure Oracle Auditor - a Secure Bytes product: a graphical, centralized auditing tool with user-definable audit policies and database risk analysis.
Product page: http://www.secure-bytes.com/soa.php


Oracle Database Encryption Wizard For Oracle - a product of Relational Database Consultants, Inc (RDC). Its main function is data encryption, supporting the AES256 and DES3 (Triple DES) algorithms; from version 7 on it supports Oracle 11gR2 and HSMs (Hardware Security Modules).
Product page: http://www.relationalwizards.com/html/ora_encyrption.html


DB Protect - an AppSecInc product offering an enterprise-grade data security solution. Its functions include isolating sensitive databases, discovering and remediating potential data risks, controlling employees' data access privileges, and monitoring privilege abuse.
Product page: http://www.appsecinc.com/products/dbprotect/index.shtml


NGS SQuirreL for Oracle - a product of NGS Secure, already fairly well known in China as an Oracle risk assessment and vulnerability scanning tool; it supports the major Oracle releases from 7.3 through 11g.
Product page: http://www.ngssecure.com/services/information-security-software/ngs-squirrel-for-oracle.aspx

 

Product introduction:

 

Oracle database vulnerability scanner: NGSSQuirreL for Oracle

NGSSQuirreL for Oracle is a top-tier international database vulnerability scanning tool. Shenzhen Jiuzhou Anyu Technology Co., Ltd. (深圳市九州安域科技有限公司) is the authorized distributor of NGSSQuirreL for Oracle in China.

NGSSQuirreL for Oracle supports Oracle 8i, 9i and 10g and can check for thousands of potential security threats, patch status, object and privilege information, login and password mechanisms, stored procedures and startup procedures. NGSSQuirreL provides powerful password auditing, including dictionary and brute-force modes.

NGSSQuirreL

1. A professional database vulnerability assessment tool.

Supports MSSQL Server, Oracle, Informix, DB2, MySQL and Sybase ASE databases.

Supports security checks of privileges, roles, tables, views, stored procedures and so on across all instances of a database.

2. Used to protect the underlying database platform and ensure that databases meet regulatory security requirements.

3. Creates Lockdown scripts that automatically remediate the vulnerabilities found by the database scan.

4. Through the check selection feature, specific scans or scans tailored to a particular customer can be run.

A customized template can be stored for a specific target.

A compliance template can be selected for a specific compliance scan.

5. Provides professional database security information and training material.

What NGS SQuirreL's database scan checks:

1. Default and weak database passwords

2. Access permissions on triggers, stored programs, tables, packages and so on

3. Vulnerabilities in default objects

4. Password audits run against the password hashes

5. Password policy review

6. Database version and patch level review

7. All database security configuration and audit configuration

8. Remediation advice for every security issue found

9. Scanning of a single database or a single instance

NGS SQuirreL for Oracle, SQL Server, MySQL, DB2 & Informix: industry compliance auditing

The NGS scanners have all of the following compliance modules built in:

PCI DSS (Payment Card Industry Data Security Standard V1.2 or V2.2)

SOX

HIPAA

Gramm-Leach-Bliley Act

FISMA

SANS Top 20

CIS Benchmark for Oracle 9i/10g Ver. 2.0

CIS Benchmark for SQL Server 2005 v1.0

CIS Benchmark for MySQL v1.0.2

Oracle baseline

NSA SQL Server 2000 V1.5 Security Configuration and Administration Guide

These templates are kept continuously updated; NGS audit customers will meet the requirements of these standards.

 

NGSSQuirreL for Oracle currently has two distributors in China: Jiuzhou Anyu (九州安域) and XLSoft.

 


DB Audit - a SoftTree product. A powerful database security and auditing product supporting Oracle, Sybase, DB2, MySQL, Microsoft SQL Server and other mainstream databases. DB Audit Expert is a professional database management system for security assessment, auditing and remediation. It lets database and system administrators, security administrators, auditors and operators track and analyze database activity, including database access and usage and the creation, modification and deletion of objects. What makes DB Audit truly unique is its multiple built-in auditing methods, which let you choose the one best suited to your database security requirements.
Product page: http://www.softtreetech.com/

 

 

Product introduction

 


Main advantages:

Improves system security and ensures accountability.
Captures both regular and "back door" access to the audited database systems.
Centralizes security and audit control of multiple database systems in a single, easy-to-manage location.
A unified graphical auditing interface shortens the learning curve and is easy to use.
Provides analytical reports and comprehensive summaries, reducing the volume of data to review so that database security violations are easy to identify.
Provides analytical reports identifying which processes and users consume system resources.
Provides audit trail details that native database auditing does not offer.
Generates e-mail alerts to key personnel when sensitive data changes.
Frees DBAs from creating and maintaining carefully tuned database triggers for data-change auditing.
Supports flexible audit configuration, letting security staff select the specific types of database operations and data modifications that must be monitored and recorded in the audit trail.
Provides fully transparent system-level and data-change auditing for existing applications without modifying them.
Fully compatible with every host operating system that can run the supported databases, including but not limited to Windows NT, UNIX and Linux, virtual machines, OS/390 and z/OS.

DB Audit has complete solutions across multiple platforms and databases:
Preventive security management
Detection and security configuration analysis
Auditing and monitoring
Vulnerability and penetration testing
Remediation

Multiple databases are managed in one place; the tool is easy to use with a short learning curve. The database tree on the left makes it easy to manage every database; in the large work area on the right all audits are grouped by function, so every configuration can be completed clearly.

DB Audit works well in complex multi-platform, multi-database environments: the alert center server collects, stores and analyzes audit alerts from all databases and, as configured in the management center, sends audit reports or alerts to different departments and users.

DB Audit customers:
DB Audit has many large customers, for example M&T Bank, Dow Jones, Fuji Bank, Huntington Bank, Wells Fargo, Northern Trust, The Reserve Funds, Capital One Financial Corp., 3M, AT&T, IBM, Dell, JP Morgan Chase, HP, Shell, Sony, the US Army and NASA.

 


DB Audit currently has one authorized distributor in China: Beijing Zhurui Digital Technology (北京铸锐数码科技).

 

 

Audit DB - a LuMigent product. Its functions include database activity monitoring, auditing, user privilege monitoring, change review and access monitoring.
Product page: http://www.lumigent.com/products/audit-db


DBCoffer - a rare domestic (Chinese) database security product. From its own description: the first proactive database security hardening product in China, preventing data leakage at the storage layer, the data access layer and the application access layer.


The xSecure series is dedicated to comprehensive database protection, covering pre-event checks, in-event control and post-event tracing, forming a complete, user-oriented set of database security products and solutions.

The vulnerability scanning product xSecure-DBScan performs security checks, vulnerability analysis and simulated penetration attacks against mainstream international and domestic databases, and delivers a database security assessment report together with hardening recommendations.

Core functions:

Database vulnerability checks

Covers vulnerability checks for the great majority of mainstream databases, including: default configuration checks, weak password checks, unused object checks, weak security policy checks, SQL injection checks, buffer overflow checks, denial of service checks, overly broad privileges, and database patch checks.

Simulated penetration attack

Simulates the vulnerability discovery techniques and attack methods used by attackers to probe and analyze the target database's security in depth without any granted privileges, and carries out harmless attacks (which will not cause downtime or damage the database), such as obtaining system privileges, executing system commands and tampering with data.

Check report

Summarizes the check results and provides comparative and trend analysis by category, risk level and other factors.

Remediation advice

Intelligently assists network security staff in assessing the database system's security posture, and can automatically fix some of the vulnerabilities.
Product page: http://www.schina.cn/a/fangan/shujukubaoxianxiang/about.html

 

 


 

Find password cracker in 11g

In 11g, auditing of LOGON/LOGOFF is enabled by default (see "11g default audit options" below). Thanks to this, anyone brute-forcing database passwords can easily be found in the audit log. The following demonstrates it:

C:\Users\Maclean Liu>sqlplus system/try_password@G11R2

SQL*Plus: Release 11.2.0.1.0 Production on Mon Jul 4 21:37:44 2011

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

ERROR:
ORA-01017: invalid username/password; logon denied

select username,userhost,terminal,timestamp,action_name,os_process
  from dba_audit_trail
 where returncode = 1017
 order by timestamp desc;

USERNAME             USERHOST                                 TERMINAL             TIMESTAMP          ACTION_NAME       OS_PROCESS
-------------------- ---------------------------------------- -------------------- ------------------ ----------------  ------------
SYSTEM               WORKGROUP\MACLEANLIU-PC                  MACLEANLIU-PC        04-JUL-11          LOGON             4240:2700

Script:

set linesize 140 pagesize 1400
col os_username for a30
col userhost for a30
col terminal for a30

select os_username,userhost,terminal,username,count(*)
  from dba_audit_trail
 where returncode = 1017
 group by os_username,userhost,username,terminal
 having count(*)>10
 /

Note that on a database with a high logon rate per second, if the database password in an application's configuration file is wrong and the application opens a large number of sessions in a short time, this can cause frequent dc_users dictionary cache lock contention (row cache lock): logons fail and the whole instance may even hang. See "Row Cache lock Problem" for details. In 11g the script above quickly identifies the database user whose logons are failing because of a wrong password, which shortens the troubleshooting.
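An added example (not from the original post) that extends the script above: it limits the search to a recent time window, also counts logons rejected because the account was already locked (ORA-28000), and labels the pattern seen from each source so that a single application with a stale password can be told apart from guessing across many accounts. It assumes 11g with AUDIT_TRAIL=DB and a user that can read DBA_AUDIT_TRAIL; the window and threshold values are constructed for the example.

```sql
-- Added example, not part of the original post: failed-logon summary per source
-- over a sliding window. Assumptions: 11g, AUDIT_TRAIL=DB (CREATE SESSION is
-- audited by default), SELECT on DBA_AUDIT_TRAIL. Thresholds are constructed.
set linesize 170 pagesize 200 verify off
col os_username for a20
col userhost    for a30
col terminal    for a16
col pattern     for a40

-- look back this many hours
define window_hours = 1
-- report a source only above this many failures
define min_failures = 10

select os_username,
       userhost,
       terminal,
       count(*)                                         as failures,
       count(distinct username)                         as accounts,
       to_char(min(timestamp), 'MM-DD HH24:MI:SS')      as first_seen,
       to_char(max(timestamp), 'MM-DD HH24:MI:SS')      as last_seen,
       sum(case when returncode = 28000 then 1 else 0 end) as locked_hits,
       case
         when count(distinct username) >= 5 then 'many accounts: spray-like guessing'
         when count(*) >= 100               then 'one account: brute force or stale credential'
         else                                    'repeated failures'
       end                                              as pattern
  from dba_audit_trail
 where action_name = 'LOGON'
   and returncode in (1017, 28000)   -- bad password, or account already locked
   and timestamp > sysdate - &window_hours / 24
 group by os_username, userhost, terminal
having count(*) >= &min_failures
 order by failures desc;
```

A source showing many distinct usernames is almost never a misconfigured application; one username failing hundreds of times from an application server usually is, and that is exactly the dc_users scenario described in the note above.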

11g default audit options

11g enables powerful auditing by default: the default value of AUDIT_TRAIL is DB, which means audit data is written to the AUD$ audit base table inside the database. Oracle states that the audit logging enabled by default has no significant negative effect on performance for the vast majority of production databases; at the same time Oracle recommends the OS-file-based audit log (OS audit trail files).

Note that because CREATE SESSION is audited as a privilege in 11g, if the SYSTEM tablespace cannot extend for lack of disk space these audit records cannot be written, and ultimately ordinary users cannot create new sessions and cannot log in. In that scenario a SYSDBA user can still create a session; after backing up the audit data appropriately, delete some of the records, or simply TRUNCATE AUD$, to resolve the problem.

When AUDIT_TRAIL is set to OS, the audit files are created in the directory specified by the AUDIT_FILE_DEST parameter. All of these files can be deleted or copied at any time.

Note that the SYSTEM tablespace is created with the AUTOEXTEND ON option by default, so it will grow when necessary; what we must watch is whether the free space on disk can satisfy that growth, and the upper limit on datafile extension: for an ordinary 8k-block smallfile tablespace the maximum size of a single datafile is 32G.
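An added example, not part of the original post, of the housekeeping implied by the two notes above: measure AUD$ and the headroom in SYSTEM, move the audit trail out of SYSTEM, archive old records and then purge them through DBMS_AUDIT_MGMT rather than with a blanket TRUNCATE, so current records survive. It assumes Oracle 11.2 (where DBMS_AUDIT_MGMT ships) and a SYSDBA session; the tablespace AUDIT_TBS, the SECADMIN schema holding the archive table and the 90-day retention are constructed values.

```sql
-- Added example, not part of the original post. Assumptions: 11.2, SYSDBA,
-- tablespace AUDIT_TBS and schema SECADMIN exist (constructed names), and a
-- 90-day retention (constructed value).

-- 1. Size of the audit base tables and headroom left in SYSTEM.
select segment_name, round(bytes/1024/1024) as mb
  from dba_segments
 where owner = 'SYS' and segment_name in ('AUD$', 'FGA_LOG$');

select round(sum(bytes)/1024/1024) as system_free_mb
  from dba_free_space
 where tablespace_name = 'SYSTEM';

select file_name, autoextensible, round(maxbytes/1024/1024/1024) as max_gb
  from dba_data_files
 where tablespace_name = 'SYSTEM';

-- 2. Move AUD$ into a dedicated tablespace so audit growth can never block
--    CREATE SESSION. This rebuilds the table (ALTER TABLE MOVE underneath),
--    so run it in a quiet period.
begin
  dbms_audit_mgmt.set_audit_trail_location(
    audit_trail_type           => dbms_audit_mgmt.audit_trail_aud_std,
    audit_trail_location_value => 'AUDIT_TBS');
end;
/

-- 3. Keep a copy of what is about to be purged: archive rows older than the
--    retention period into a plain table (export it from there if required).
create table secadmin.aud_archive tablespace AUDIT_TBS
  as select * from sys.aud$ where 1 = 0;

insert into secadmin.aud_archive
  select * from sys.aud$
   where ntimestamp# < systimestamp - interval '90' day;
commit;

-- 4. Purge through the supported API: only rows older than the archive
--    timestamp are removed, unlike TRUNCATE AUD$ which discards everything.
begin
  if not dbms_audit_mgmt.is_cleanup_initialized(
           dbms_audit_mgmt.audit_trail_aud_std) then
    dbms_audit_mgmt.init_cleanup(
      audit_trail_type         => dbms_audit_mgmt.audit_trail_aud_std,
      default_cleanup_interval => 24);
  end if;
  dbms_audit_mgmt.set_last_archive_timestamp(
    audit_trail_type  => dbms_audit_mgmt.audit_trail_aud_std,
    last_archive_time => systimestamp - interval '90' day);
  dbms_audit_mgmt.clean_audit_trail(
    audit_trail_type        => dbms_audit_mgmt.audit_trail_aud_std,
    use_last_arch_timestamp => true);
end;
/

-- 5. Verify: nothing older than the retention period should remain.
select count(*) as older_than_retention
  from sys.aud$
 where ntimestamp# < systimestamp - interval '90' day;
```

Step 2 is the one that removes the root cause: once AUD$ lives outside SYSTEM, a full audit tablespace still blocks new logons, but a disk-full SYSTEM no longer does, and the audit tablespace can be sized and monitored on its own.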

The following privileges are audited for all users:


SQL> select * from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
PL/SQL Release 11.2.0.2.0 - Production
CORE    11.2.0.2.0      Production
TNS for Linux: Version 11.2.0.2.0 - Production
NLSRTL Version 11.2.0.2.0 - Production

SQL> select * from global_name;

GLOBAL_NAME
--------------------------------------------------------------------------------
www.askmaclean.com


SQL> select privilege,success,failure from dba_priv_audit_opts;

PRIVILEGE                                SUCCESS    FAILURE
---------------------------------------- ---------- ----------
CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS
CREATE ANY JOB                           BY ACCESS  BY ACCESS
GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS
EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS
CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS
GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS
DROP PROFILE                             BY ACCESS  BY ACCESS
ALTER PROFILE                            BY ACCESS  BY ACCESS
DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS
ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS
CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS

PRIVILEGE                                SUCCESS    FAILURE
---------------------------------------- ---------- ----------
ALTER DATABASE                           BY ACCESS  BY ACCESS
GRANT ANY ROLE                           BY ACCESS  BY ACCESS
CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS
DROP ANY TABLE                           BY ACCESS  BY ACCESS
ALTER ANY TABLE                          BY ACCESS  BY ACCESS
CREATE ANY TABLE                         BY ACCESS  BY ACCESS
DROP USER                                BY ACCESS  BY ACCESS
ALTER USER                               BY ACCESS  BY ACCESS
CREATE USER                              BY ACCESS  BY ACCESS
CREATE SESSION                           BY ACCESS  BY ACCESS
AUDIT SYSTEM                             BY ACCESS  BY ACCESS

PRIVILEGE                                SUCCESS    FAILURE
---------------------------------------- ---------- ----------
ALTER SYSTEM                             BY ACCESS  BY ACCESS

23 rows selected.

The following statements are also audited for all users:

SQL> select audit_option,success,failure from dba_stmt_audit_opts;

AUDIT_OPTION                             SUCCESS    FAILURE
---------------------------------------- ---------- ----------
ALTER SYSTEM                             BY ACCESS  BY ACCESS
SYSTEM AUDIT                             BY ACCESS  BY ACCESS
CREATE SESSION                           BY ACCESS  BY ACCESS
CREATE USER                              BY ACCESS  BY ACCESS
ALTER USER                               BY ACCESS  BY ACCESS
DROP USER                                BY ACCESS  BY ACCESS
PUBLIC SYNONYM                           BY ACCESS  BY ACCESS
DATABASE LINK                            BY ACCESS  BY ACCESS
ROLE                                     BY ACCESS  BY ACCESS
PROFILE                                  BY ACCESS  BY ACCESS
CREATE ANY TABLE                         BY ACCESS  BY ACCESS

AUDIT_OPTION                             SUCCESS    FAILURE
---------------------------------------- ---------- ----------
ALTER ANY TABLE                          BY ACCESS  BY ACCESS
DROP ANY TABLE                           BY ACCESS  BY ACCESS
CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS
GRANT ANY ROLE                           BY ACCESS  BY ACCESS
SYSTEM GRANT                             BY ACCESS  BY ACCESS
ALTER DATABASE                           BY ACCESS  BY ACCESS
CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS
ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS
DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS
ALTER PROFILE                            BY ACCESS  BY ACCESS
DROP PROFILE                             BY ACCESS  BY ACCESS

AUDIT_OPTION                             SUCCESS    FAILURE
---------------------------------------- ---------- ----------
GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS
CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS
EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS
GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS
CREATE ANY JOB                           BY ACCESS  BY ACCESS
CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS

28 rows selected.

The audit records currently present in this database:


SQL> select action_name,count(*) from dba_audit_trail group by action_name;

ACTION_NAME                    COUNT(*)
---------------------------- ----------
LOGOFF BY CLEANUP                    40
LOGON                               460
LOGOFF                              377
ALTER USER                            2
SYSTEM GRANT                         12
ALTER SYSTEM                         10
CREATE PUBLIC SYNONYM                 5
ALTER DATABASE                        2
CREATE DATABASE LINK                  1
DROP PUBLIC SYNONYM                   5

10 rows selected.

Audit Logon above 9i

1. Enable audit. Set the parameter to
audit_trail=db (or db,extended)
2. Restart the database instance to enable the audit settings.
3. Set up audit for session:
audit session whenever successful;
4. After a relevant period of time, check the DBA_AUDIT_SESSION view, whose documented columns include:

LOGOFF_LREAD Logical reads for the session
LOGOFF_PREAD Physical reads for the session
LOGOFF_LWRITE Logical writes for the session
SESSION_CPU Amount of CPU time used by each Oracle session

A query example:

select username,sum(logoff_lread) "TOTAL READS",
sum(logoff_pread) "TOTAL PHYS READS",
sum(logoff_lwrite) "TOTAL WRITES",
sum(session_cpu) "TOTAL CPU",
sum(logoff_lread)/count(*) "READS/SESSION",
sum(logoff_pread)/count(*) "PHYS_READS/SESSION",
sum(logoff_lwrite)/count(*) "WRITES/SESSION",
sum(session_cpu)/count(*) "CPU/SESSION"
from dba_audit_session group by username;

The range of values can be restricted using the TIMESTAMP and/or LOGOFF_TIME columns (which are the logon and logoff interval ends) to have the results for a specific period of time.
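The four steps above as one script, added here as an example (not from the original post), with the analysis restricted to a window on LOGOFF_TIME as the last paragraph suggests, and a second query that pulls out the individual sessions worth explaining. It assumes AUDIT_TRAIL is already DB and the instance has been restarted (steps 1 and 2), a SYSTEM or SYSDBA session, and a 7-day window and two thresholds that are constructed values.

```sql
-- Added example, not part of the original post. Assumptions: AUDIT_TRAIL=DB
-- already active, SYSTEM or SYSDBA session; the 7-day window and the
-- thresholds in the last query are constructed values.
set linesize 160 pagesize 200
col username    for a20
col os_username for a16
col userhost    for a24
col terminal    for a12

-- step 3: record every successful session. The LOGON row is updated into a
-- LOGOFF row carrying the resource totals when the session ends.
audit session whenever successful;

-- step 4a: per-user profile of completed sessions in the last 7 days.
-- nvl() guards against rows that never received logoff statistics.
select username,
       count(*)                                         as sessions,
       round(avg(nvl(logoff_lread,  0)))                as avg_lreads,
       round(avg(nvl(logoff_pread,  0)))                as avg_preads,
       round(avg(nvl(logoff_lwrite, 0)))                as avg_lwrites,
       round(avg(nvl(session_cpu,   0)))                as avg_cpu,
       round(max((logoff_time - timestamp) * 24 * 60))  as longest_min
  from dba_audit_session
 where action_name = 'LOGOFF'
   and logoff_time between sysdate - 7 and sysdate
 group by username
 order by sessions desc;

-- step 4b: individual sessions that stand out (very long or very CPU heavy),
-- the ones to match against batch schedules and change tickets.
select username, os_username, userhost, terminal,
       to_char(timestamp,   'YYYY-MM-DD HH24:MI') as logon,
       to_char(logoff_time, 'YYYY-MM-DD HH24:MI') as logoff,
       session_cpu, logoff_lread
  from dba_audit_session
 where action_name = 'LOGOFF'
   and logoff_time between sysdate - 7 and sysdate
   and (session_cpu > 100000 or (logoff_time - timestamp) > 8/24)
 order by session_cpu desc;

-- once enough data has been collected, switch the session audit off again
noaudit session;
```

Filtering on ACTION_NAME = 'LOGOFF' is what makes the averages meaningful: rows still marked LOGON are either open sessions or failed logons (RETURNCODE 1017 in the listing below), and neither carries resource counters.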

[oracle@rh2 ~]$
[oracle@rh2 ~]$ sqlplus maclean/fdsfds
SQL*Plus: Release 10.2.0.4.0 - Production on Fri Jul 8 12:48:05 2009
Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
select * from dba_audit_session;

Output condensed to the populated columns (columns that were empty or zero in every row are omitted):

OS_USERNAME USERNAME USERHOST        TERMINAL TIMESTAMP ACTION_NAME LOGOFF_TI LOGOFF_LREAD LOGOFF_PREAD LOGOFF_LWRITE  SESSIONID RETURNCODE SESSION_CPU EXTENDED_TIMESTAMP                  OS_PROCESS
----------- -------- --------------- -------- --------- ----------- --------- ------------ ------------ ------------- ---------- ---------- ----------- ----------------------------------- ----------
oracle      MACLEAN  rh2.oracle.com  pts/0    08-JUL-09 LOGOFF      08-JUL-09          655           51            16     960800          0           9 08-JUL-09 12.45.42.813460 PM +08:00 6159
oracle      MACLEAN  rh2.oracle.com  pts/0    08-JUL-09 LOGON                                                           960801       1017             08-JUL-09 12.46.17.938293 PM +08:00 6168
oracle      MACLEAN  rh2.oracle.com  pts/0    08-JUL-09 LOGON                                                           960802       1017             08-JUL-09 12.48.05.234442 PM +08:00 6176
oracle      MACLEAN  rh2.oracle.com  pts/0    08-JUL-09 LOGON                                                           960803          0             08-JUL-09 12.48.40.687569 PM +08:00 6181

Know about Oracle Network Security

Good network security is accomplished by port and protocol screening with routers, firewalls and Intrusion Detection Systems; together they create a bastion against network attacks.
A device that routes and translates information between interconnected networks is called a firewall. Firewalls and routers have different functions: routers, not firewalls, use the destination and origin addresses to select the best path to route traffic.
When installing a firewall, the first action is to stop all communication. After installation, the System Administrator adds rules that allow specific types of traffic to pass through the new firewall.
A switch is a data link layer device that forwards traffic based on MAC addresses. Switching is performed in hardware instead of software, so it is significantly faster.
Network Security Wizards' Dragon 4.0 is an example of a vendor Intrusion Detection System (IDS).

1. Authentication is the process of verifying the identity of a user, device, or other entity. Once the identity is verified, a trust relationship is established and further network interaction is possible.
2. Authorization is the process of assigning various levels of access and capabilities to the authenticated user. In other words, authorization allows assigned levels of access in the database environment.
3. Oracle 8i supports 3 models for storing authorizations in a centralized directory service: Public Key Infrastructure, Microsoft Active Directory, or Distributed Computing Environment. PKI together with Oracle Internet Directory is the optimal method.
4. Most issues of data security can be handled by Oracle8i authentication mechanisms.
5. The init.ora file, or instance configuration file, is one of the key configuration files in an Oracle database environment that must be protected. This file contains all the initialization parameters: the configurable parameters that are applied when an instance is started up.
6. A file transfer copy of the tnsnames.ora configuration file is a common way for hackers to discover whether the AUDIT function is enabled. If they determine that AUDIT is enabled, they can take steps to cover their activities, or even delete the audit trail.
7. To protect the key configuration files at the operating system level, the system administrator should ensure that UNIX file permissions and the umask environment variable are set for the optimal combination of file restrictions in that environment. The default value of umask is 022, but the UNIX system administrator responsible for that environment may decide that a more restrictive value is appropriate.
8. In Sun Solaris UNIX environments, a low level of security can be achieved using access control utilities such as getfacl and setfacl. These access control list utilities are specific to the Sun Solaris UNIX platform.
9. Controlling access by using database object privileges is called DAC, or discretionary access control. DAC controls access to any given object by granting specific privileges to user objects or roles.
10. Giving a database user object the authority to perform INSERT or DELETE commands on a given table is an example of a privilege. This privilege applies to a given user object, unlike a role, which applies to a group of user objects.
11. Virtual Private Database technology allows security access controls to be applied directly to views or tables. Unlike other access control methods, the defined access controls apply directly to the table or view, not to the user object.
12. Oracle Label Security provides fine-grained access control within the database by using access control tables and a security policy. Label Security augments Virtual Private Database to provide tighter security for data.
13. The transformation of data by using cryptography to make it unintelligible is known as encryption. To encrypt a file is to render that file completely unreadable until it has been properly decrypted.
14. DES and RC4 are examples of symmetric key encryption. 3DES, DES40 and RC2 are additional symmetric encryption algorithms.
15. Cryptography that requires key agreement, or keys on both sides of the session, is known as Diffie-Hellman cryptography. This allows mutual authentication with the same common key. Advanced Security Option uses Diffie-Hellman cryptography.
16. Cryptography that provides for private communications within a public network without trusting anyone to keep secrets is called public key infrastructure, or PKI. The HTTP and LDAP protocols are included within the public key infrastructure.
17. The most widely used PKI application that supplies data integrity and encryption in the transport layer of the Open Systems Interconnection (OSI) model is the Secure Sockets Layer, or SSL, protocol. SSL is typically used for authenticating servers and for encrypting traffic that carries credit card numbers and passwords.
18. A data dictionary table called sys.aud$ is the database audit trail. The database audit trail stores records which audit database statements, schema objects, and privileges.
19. An entry in the operating system audit trail is always created when instance startup or instance shutdown occurs, or when the SYS user object logs in. The instance startup entry is necessary in order to maintain a complete audit trail when the data dictionary is not available.
20. The type of audit trail that efficiently consolidates audit records from multiple sources (including Oracle databases and other applications which use the audit trail) is the operating system audit trail. Operating system audit trails allow all audit records to reside in one place, including database audit trails.
21. You can use Oracle Reports to create customized reports of audit information when the database audit trail is in use. You can analyze database audit trail information and produce good reports from that analysis, which is an advantage over using the operating system audit trail method.
22. To protect the database audit trail from unauthorized deletions, grant the DELETE ANY TABLE system privilege to security administrators only. An unauthorized user with this system privilege can severely damage a database audit trail, or even delete all the data. Assign this privilege very carefully.
23. Advanced Security Option provides a single source of integration with network encryption, single sign-on services, and security protocols. ASO is the centralized source for all of these security features.
24. ASO ensures that data is not disclosed or stolen during Net8 transmissions by means of RSA encryption, DES encryption, and Triple-DES encryption.
25. The SSL feature of ASO allows you to use SHA, the Secure Hash Algorithm. SHA is slightly slower than MD5, but it is more secure against brute-force collision and inversion attacks.
26. The SSO, or single sign-on, feature of ASO allows access to multiple accounts and applications with a single password. SSO simplifies the management of user accounts and passwords for system administrators.
27. LDAP stands for Lightweight Directory Access Protocol, a directory service standard based on the ISO X.500 specification. LDAP is a protocol defined and maintained by the same task force which defined the HTTP and TCP/IP protocols.
28. OID means Oracle Internet Directory, the LDAP directory available from Oracle. OID is a directory service compliant with LDAP v3, and it offers scalability, security, and high availability.
29. The scalability of OID allows thousands of LDAP clients to be connected together without harming performance. Much of this scalability is accomplished using connection pooling and multithreaded server implementations.
30. The Java-based tool for administering OID is called Directory Manager. The Directory Manager tool provides administrative transparency for the Oracle environment, and is based on Oracle Enterprise Manager.
32. OID security controls data access at the authentication level, by using access control lists. Data access is controlled with anonymous authentication methods, either password-based or certificate-based (through SSL).
33. An enterprise user is defined and managed in a directory. All enterprise users have a unique identity which spans the enterprise.
34. Enterprise User Security Management allows large user communities to access multiple applications with a single sign-on. User credentials and authorizations are stored in a directory. This allows single sign-on using X.509v3 certificates over SSL.
35. Groups of global roles are called enterprise roles, which are assigned to enterprise users in order to avoid granting roles to hundreds or thousands of individual users.
36. You can remove the need to create duplicate user objects in every database by using the shared schemas feature. The benefit of shared schemas is fewer user accounts.
37. The current user database link feature allows user objects to connect to another database instance as the procedure owner. A current user database link requires global users and SSL.
38. The Login Server provides a single, enterprise-wide authentication mechanism. This authentication mechanism allows users to identify themselves securely to multiple applications through a single authentication step, or single sign-on (SSO).
39. The single sign-on feature allows the storage of passwords in LDAP-compliant directory services such as Oracle Internet Directory. Storing usernames and passwords in a directory improves efficiency by centralizing this administrative duty.
40. A partner application can accept authentication directly from the Login Server. Partner applications are modified to work within the SSO framework.
41. External applications are not modified to work within the SSO framework. The Login Server does not store the username and password, but only supplies this native information to the external application. The benefits of LDAP directories are not available to external applications.
42. During Oracle product installations, user objects are created with default passwords. SYS, SYSTEM, and ORACLE are the most critical to examine, but all objects that may have default passwords should be examined.
43. V_$PWFILE_USERS is the view that shows which user objects have been granted SYSDBA or SYSOPER privileges. It is normal for the INTERNAL and SYS objects to have these privileges, but suspect any other user objects that have them. When in doubt, revoke the privilege and monitor the change.
44. Users with unlimited tablespace can accidentally or intentionally use 100 percent of the available tablespace. Review this ability by examining the DBA_TS_QUOTAS view: a user object has an unlimited quota if its MAX_BLOCKS or MAX_BYTES column equals -1. Any user object that has this privilege should be examined closely to verify the need.
45. Invoke SQL*Plus with the NOLOG switch to remove the plain-text password entry from the UNIX process table. Sessions started with the /nolog SQL*Plus switch cannot reveal the password when another session runs ps -ef | grep sqlplus.
46. The data dictionary view DBA_ROLES reveals the names of all roles and their current password status. It is a good view for reviewing any potential security risks related to roles and their respective passwords. Review this view regularly to verify that these roles are not being misused, and that a secure password policy is in place for all roles.
47. Virtual Private Database is a good security product but requires programming to implement. Oracle Label Security provides similar row-level security out of the box, without the programming that VPD requires.
48. The Oracle Label Security administrative tool that allows you to quickly implement a security policy on a table is named Policy Manager. Oracle Policy Manager allows administrators to use predefined security policies to quickly implement row-level security on any table.
49. Oracle Label Security controls access to rows in database tables based on a label contained in the row and the label privileges given to each user session. Beyond the restrictions of discretionary access control, row-level security provides a finer level of security by using these two labels to implement further restrictions, and provides ease of administration.
50. The user label specifies the data that a user or stored program unit has access to. This is one element of security using Oracle Label Security.
51. The row label specifies the sensitivity of the data placed under control. The row label has a different function from the user label: it provides security on the data, not on the user session or stored program unit.
52. Oracle AUDIT performs the monitoring and recording of selected user database actions. Oracle AUDIT is used to watch over user actions in a database instance.
53. The AUDIT_TRAIL init.ora parameter is used to stop, start, and configure the AUDIT function for any given instance. NONE is the default value of this parameter; the OS value sends all audit records to the operating system's audit trail, and the DB value enables database auditing.
54. Minimize auditing. If only user login monitoring is required, listener log monitoring is an alternative to using AUDIT. All sessions route through the listener, and an entry is made in the listener log for each session.
55. To maintain optimal performance, you should periodically issue the SQL command TRUNCATE on the audit table. Old, unnecessary data should be purged regularly. The length of time between TRUNCATE invocations that will maintain the optimal audit table size will vary with the volume of audit information retained.
56. The most critical role to control is DELETE_CATALOG_ROLE. Only DBAs should have this role. This is key to protecting the audit trail: restricting this role ensures that the audit trail is protected from deletion. Hackers will often remove or edit the audit trail to cover their activities.
57. Advanced Security Option (ASO) encrypts all protocols in the database. Net8 connections to the database are encrypted, as are all connections to the database.
58. Data integrity is provided by the checksumming algorithm. The checksumming technique detects replay attacks, where a valid $100.00 withdrawal is resubmitted 100 unauthorized times.
59. DES is an example of native ASO cryptography. An example of SSL cryptography that expands on DES is 3DES: Triple Data Encryption Standard (DES) makes three passes during the cryptography process, providing a higher level of security.
60. A system that uses policies and procedures to establish a secure information exchange is called the public key infrastructure, or PKI. Elements of PKI include SSL, X.509v3 certificates, and the Certificate Authority.
61. Benefits of using the public key infrastructure include the ability to scale to the Internet and accommodate millions of users. Efficiency is paramount when millions of users are part of the community.
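Items 42 to 46, together with the audit-trail protection from items 22 and 56, as one review script. This is an added example and not part of the original page; it assumes a session with SELECT_CATALOG_ROLE or SYSDBA on Oracle 11.2 (DBA_USERS_WITH_DEFPWD and LISTAGG are 11g features; drop those two queries on older releases).

```sql
-- Added example, not part of the original page. Assumptions: 11.2,
-- SELECT_CATALOG_ROLE or SYSDBA.
set linesize 150 pagesize 200
col username   for a20
col grantee    for a20
col how        for a40
col role       for a25
col granted_to for a60

-- item 42: accounts still on an Oracle-supplied default password (11g+)
select d.username, u.account_status
  from dba_users_with_defpwd d
  join dba_users u on u.username = d.username
 order by u.account_status, d.username;

-- item 43: who holds SYSDBA / SYSOPER through the password file
select username, sysdba, sysoper
  from v$pwfile_users;

-- item 44: unlimited storage, either as a system privilege or as a -1 quota
select grantee, privilege as how
  from dba_sys_privs
 where privilege = 'UNLIMITED TABLESPACE'
union all
select username, 'QUOTA UNLIMITED ON ' || tablespace_name
  from dba_ts_quotas
 where max_bytes = -1
 order by 1;

-- item 46: password-protected roles and who has been granted them
select r.role, r.password_required,
       listagg(p.grantee, ',') within group (order by p.grantee) as granted_to
  from dba_roles r
  left join dba_role_privs p on p.granted_role = r.role
 where r.password_required = 'YES'
 group by r.role, r.password_required;

-- items 22 and 56: everyone able to delete audit-trail rows, by either route
select grantee, 'DELETE ANY TABLE' as how
  from dba_sys_privs
 where privilege = 'DELETE ANY TABLE'
union all
select grantee, 'DELETE_CATALOG_ROLE'
  from dba_role_privs
 where granted_role = 'DELETE_CATALOG_ROLE'
 order by 1;
```

Each result set should be short and every row on it should be explainable; a grantee that appears in the last query but is not a DBA is the finding item 56 warns about.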

Practice:Demonstrating Oracle AUDIT Concepts and Procedures

This practice uses common UNIX and NT Oracle utilities to practice enabling AUDIT on a database.  You will:

  • See the procedure to enable and disable Oracle AUDIT on a database.
  • Understand the SQL commands used to audit a specific user schema object.
  • Investigate how to configure AUDIT to extend auditing into modified or new schema objects.

ASSUMPTIONS

  • This practice references SQL commands that function equally on UNIX operating systems and on the NT operating system, using SQL*Plus.
  • Results may vary slightly according to your Oracle environment.
  • Use the RealPlayer demonstration in conjunction with this practice to further illustrate and guide the activity.
  • Log in to your SQL*Plus session using the SYSTEM user object and its current password.

INSTRUCTIONS

1.

UNIX: Open a shell, log in, then locate and edit the initSID.ora file for your database:

NT: Use the Windows File Manager to locate the initSID.ora file for your database.

#audit_trail = true        # save,  original line

audit_trail = true         #activated for demonstration, rjm

 

Locate the line above, make a full copy of the line in the next newline, then uncomment (remove the # symbol) from the line.  Edit comments to reflect your reasons for the change.  Save the modified file, then shutdown/startup the instance.  Audit is now active on your database instance.

2.

UNIX: Open a shell, log in, and create a SQL*Plus session with the SYSTEM connection.

NT: Create a SQL*Plus session with the SYSTEM connection.

sqlplus /nolog

 

SQL> audit select any table by scott;

 

Audit succeeded.

 

SQL> noaudit select any table by scott;

 

Noaudit succeeded.

 

SQL> audit all by scott;

 

Audit succeeded.

 

SQL> noaudit all by scott;

 

Noaudit succeeded.

 

SQL>

Now, all SELECT activity by the user Scott will be recorded in the audit trail, for our review later.

The NOAUDIT command following disables this selective monitoring once we have accumulated sufficient data to analyze.  The next commands will begin monitoring on ALL database activity for the user Scott, and then disables that same type of monitoring.

3.

UNIX: Open a shell, log in, and create a SQL*Plus session with the SYSTEM connection:

NT: Create a SQL*Plus session with the SYSTEM connection:

sqlplus /nolog

 

SQL> audit insert on default;

 

Audit succeeded.

 

SQL> audit delete on default;

 

Audit succeeded.

 

SQL> audit update on default;

 

Audit succeeded.

 

SQL> noaudit insert on default;

 

Noaudit succeeded.

 

SQL> noaudit delete on default;

 

Noaudit succeeded.

 

SQL> noaudit update on default;

 

Noaudit succeeded.

 

SQL>

These commands will extend INSERT, DELETE, UPDATE auditing to include future new or modified schema objects.

The second set of NOAUDIT commands disable those same audit actions.
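The practice above audits by user and by default; as an added example (not from the original page) here is the object-level variant, carried through from enabling it to reading the records and switching it off. It assumes AUDIT_TRAIL=DB is active (step 1), a SYSTEM session, the demo table SCOTT.EMP, and a constructed test user TESTUSER that holds SELECT and UPDATE, but not DELETE, on that table.

```sql
-- Added example, not part of the original page. Assumptions: AUDIT_TRAIL=DB
-- active, SYSTEM session, SCOTT.EMP exists, TESTUSER is a constructed account
-- with SELECT and UPDATE (no DELETE) on SCOTT.EMP.

-- 1. Audit DML on one object, one record per statement. Only failed SELECTs
--    are kept to limit volume; every change attempt is recorded.
audit select on scott.emp by access whenever not successful;
audit insert, update, delete on scott.emp by access;

-- 2. Confirm the options now in force. Each cell reads success/failure with
--    A = by access, S = by session, - = not audited, so SEL shows -/A and
--    INS, UPD, DEL show A/A.
col owner       for a10
col object_name for a15
select owner, object_name, sel, ins, upd, del
  from dba_obj_audit_opts
 where owner = 'SCOTT' and object_name = 'EMP';

-- 3. Generate activity as TESTUSER (constructed), then return to SYSTEM:
--      update scott.emp set sal = sal where empno = 7369;   -- succeeds, recorded
--      delete from scott.emp where empno = 7369;            -- ORA-01031, recorded
--      commit;

-- 4. Read the object audit records: who touched the table, when, and whether
--    the statement succeeded (RETURNCODE 0) or was refused (1031).
col username    for a12
col os_username for a12
col userhost    for a20
col action_name for a12
select username, os_username, userhost,
       to_char(timestamp, 'YYYY-MM-DD HH24:MI:SS') as at_time,
       action_name, returncode
  from dba_audit_object
 where owner = 'SCOTT' and obj_name = 'EMP'
 order by timestamp;

-- 5. Switch it off again; NOAUDIT must name the same statement types.
noaudit select, insert, update, delete on scott.emp;
```

The refused DELETE is the record worth alerting on: a failed statement against a sensitive table shows someone probing privileges they do not hold, while the successful UPDATE is what the change-review process reconciles against tickets.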
