Oracle LiveLabs Lab: DB Security - Database Vault

Posted dingdingfish

Overview

The sign-up page for this lab is here; the lab takes 45 minutes.

This lab is also the 6th lab of the DB Security Advanced workshop, namely Lab 8.

Lab help is here.

The database used in this lab is 19.13.

Introduction

This workshop introduces the various features and capabilities of Oracle Database Vault (DV). It gives users the opportunity to learn how to configure these features to prevent unauthorized privileged users from accessing sensitive data.

Task 1: Enable Database Vault

Change into the lab directory:

sudo su - oracle
cd $DBSEC_LABS/database-vault

First, enable Database Vault in the container database cdb1:

./dv_enable_on_cdb.sh

The commands actually executed, and their output, are:

==============================================================================
 Configure and Enable Database Vault for the container database CDB...
==============================================================================

CON_NAME
------------------------------
CDB$ROOT

-- . Show the DB Vault status
SQL> select * from dba_dv_status;

NAME                      STATUS
------------------------- --------------------
DV_APP_PROTECTION         NOT CONFIGURED
DV_CONFIGURE_STATUS       FALSE
DV_ENABLE_STATUS          FALSE

SQL> select a.name pdb_name, a.open_mode, b.name, b.status
  from v$pdbs a, cdb_dv_status b
 where a.con_id = b.con_id
 order by 1,2;
 
PDB_NAME             OPEN_MODE            NAME                      STATUS
-------------------- -------------------- ------------------------- --------------------
PDB1                 READ WRITE           DV_APP_PROTECTION         NOT CONFIGURED
                     READ WRITE           DV_ENABLE_STATUS          FALSE
                     READ WRITE           DV_CONFIGURE_STATUS       FALSE

PDB_NAME             OPEN_MODE            NAME                      STATUS
-------------------- -------------------- ------------------------- --------------------
PDB2                 READ WRITE           DV_APP_PROTECTION         NOT CONFIGURED
                     READ WRITE           DV_ENABLE_STATUS          FALSE
                     READ WRITE           DV_CONFIGURE_STATUS       FALSE

6 rows selected.


-- . Configure DB Vault
SQL> 
BEGIN
 DVSYS.CONFIGURE_DV (
   dvowner_uname         => 'C##DVOWNER',
   dvacctmgr_uname       => 'c##DVACCTMGR');
 END;
/

PL/SQL procedure successfully completed.


-- . Enable DB Vault

CON_NAME
------------------------------
CDB$ROOT
USER is "C##DVOWNER"

SQL> exec dvsys.dbms_macadm.enable_dv;
PL/SQL procedure successfully completed.


. Reboot the Database

CON_NAME
------------------------------
CDB$ROOT
Database closed.
Database dismounted.
ORACLE instance shut down.
ORACLE instance started.

Total System Global Area 3674209872 bytes
Fixed Size                  9141840 bytes
Variable Size            1996488704 bytes
Database Buffers         1660944384 bytes
Redo Buffers                7634944 bytes
Database mounted.
Database opened.

-- . Show the DB Vault status
SQL> select * from dba_dv_status;

NAME                      STATUS
------------------------- --------------------
DV_APP_PROTECTION         NOT CONFIGURED
DV_CONFIGURE_STATUS       TRUE
DV_ENABLE_STATUS          TRUE

SQL> select a.name pdb_name, a.open_mode, b.name, b.status
  from v$pdbs a, cdb_dv_status b
 where a.con_id = b.con_id
 order by 1,2;
 
PDB_NAME             OPEN_MODE            NAME                      STATUS
-------------------- -------------------- ------------------------- --------------------
PDB1                 READ WRITE           DV_APP_PROTECTION         NOT CONFIGURED
                     READ WRITE           DV_ENABLE_STATUS          FALSE
                     READ WRITE           DV_CONFIGURE_STATUS       FALSE

PDB_NAME             OPEN_MODE            NAME                      STATUS
-------------------- -------------------- ------------------------- --------------------
PDB2                 READ WRITE           DV_APP_PROTECTION         NOT CONFIGURED
                     READ WRITE           DV_ENABLE_STATUS          FALSE
                     READ WRITE           DV_CONFIGURE_STATUS       FALSE

6 rows selected.

Next, enable it in the pluggable database. For now, enable it only on pdb1:

./dv_enable_on_pdb.sh pdb1

This command is similar to the previous one, except that it connects to the PDB before executing. The output is:

==============================================================================
 Configure and Enable Database Vault for the pluggable database ...
==============================================================================

CON_NAME
------------------------------
CDB$ROOT

. Show the DB Vault status

NAME                      STATUS
------------------------- --------------------
DV_APP_PROTECTION         NOT CONFIGURED
DV_CONFIGURE_STATUS       TRUE
DV_ENABLE_STATUS          TRUE


PDB_NAME             OPEN_MODE            NAME                      STATUS
-------------------- -------------------- ------------------------- --------------------
PDB1                 READ WRITE           DV_APP_PROTECTION         NOT CONFIGURED
                     READ WRITE           DV_ENABLE_STATUS          FALSE
                     READ WRITE           DV_CONFIGURE_STATUS       FALSE

PDB_NAME             OPEN_MODE            NAME                      STATUS
-------------------- -------------------- ------------------------- --------------------
PDB2                 READ WRITE           DV_APP_PROTECTION         NOT CONFIGURED
                     READ WRITE           DV_ENABLE_STATUS          FALSE
                     READ WRITE           DV_CONFIGURE_STATUS       FALSE

6 rows selected.


. Connect to the pluggable database pdb1

Session altered.


CON_NAME
------------------------------
PDB1

. Configure DB Vault

PL/SQL procedure successfully completed.


. Enable DB Vault
USER is "C##DVOWNER"

PL/SQL procedure successfully completed.


. Reboot the pluggable database

CON_NAME
------------------------------
CDB$ROOT

Pluggable database altered.


Pluggable database altered.


. Show the DB Vault status

NAME                      STATUS
------------------------- --------------------
DV_APP_PROTECTION         NOT CONFIGURED
DV_CONFIGURE_STATUS       TRUE
DV_ENABLE_STATUS          TRUE


PDB_NAME             OPEN_MODE            NAME                      STATUS
-------------------- -------------------- ------------------------- --------------------
PDB1                 READ WRITE           DV_APP_PROTECTION         NOT CONFIGURED
                     READ WRITE           DV_ENABLE_STATUS          TRUE
                     READ WRITE           DV_CONFIGURE_STATUS       TRUE

PDB_NAME             OPEN_MODE            NAME                      STATUS
-------------------- -------------------- ------------------------- --------------------
PDB2                 READ WRITE           DV_APP_PROTECTION         NOT CONFIGURED
                     READ WRITE           DV_ENABLE_STATUS          FALSE
                     READ WRITE           DV_CONFIGURE_STATUS       FALSE

6 rows selected.

Database Vault is now enabled in the container database and in pdb1!
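The status checks in the two scripts above return three rows per container. As an added example (not one of the lab's scripts), the following query collapses them to one row per container and flags any open container in which Database Vault is still not enabled; an open container without DV is one where SYS and other privileged users remain unrestricted. It uses only the V$CONTAINERS and CDB_DV_STATUS views and is meant to be run from CDB$ROOT by a user who can see them (the lab runs its checks as SYS). After the two scripts above it should report CDB$ROOT and PDB1 as OK and PDB2 as GAP.

```sql
-- Added example (not one of the lab's scripts). Run from CDB$ROOT.
-- One row per container: is Database Vault configured and enabled there?
-- PDB$SEED is skipped because it is never a target for enabling DV in this lab.
select c.con_id,
       c.name      as container,
       c.open_mode,
       max(case when s.name = 'DV_CONFIGURE_STATUS' then s.status end) as configured,
       max(case when s.name = 'DV_ENABLE_STATUS'    then s.status end) as enabled,
       case
         when c.open_mode like 'READ%'
          and max(case when s.name = 'DV_ENABLE_STATUS' then s.status end) <> 'TRUE'
         then 'GAP'   -- open container without DV: privileged users are unrestricted
         else 'OK'
       end         as dv_check
  from v$containers c
  join cdb_dv_status s on s.con_id = c.con_id
 where c.name <> 'PDB$SEED'
 group by c.con_id, c.name, c.open_mode
 order by c.con_id;
```

The GAP flag is deliberately tied to the enable status rather than the configure status: a container that is configured (DV_CONFIGURE_STATUS = TRUE) but not yet enabled, as CDB$ROOT was between the CONFIGURE_DV call and the restart above, still enforces nothing.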

Task 2: Create a Simple Realm

Launch the web application in a browser:

  • URL: http://<YOUR_DBSEC-LAB_VM_PUBLIC_IP>:8080/hr_prod_pdb1
  • Username and password: hradmin/Oracle123
  • Click Search Employee, then click Search

Return to your terminal session and run the command to view the data in the schema:

./dv_query_employee_data.sh

The commands executed and their output are as follows:

==============================================================================
 Query on EMPLOYEESEARCH_PROD data...
==============================================================================
USER is "SYS"

-- . Describe EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES from SYS user
SQL> desc employeesearch_prod.demo_hr_employees;

 Name                                                                                Null?    Type
 ----------------------------------------------------------------------------------- -------- --------------------------------------------------------
 USERID                                                                              NOT NULL NUMBER(4)
 FIRSTNAME                                                                           NOT NULL VARCHAR2(25)
 LASTNAME                                                                            NOT NULL VARCHAR2(35)
 EMAIL                                                                               NOT NULL VARCHAR2(35)
 PHONEMOBILE                                                                                  VARCHAR2(15)
 PHONEFIX                                                                                     VARCHAR2(15)
 PHONEFAX                                                                                     VARCHAR2(15)
 EMPTYPE                                                                             NOT NULL VARCHAR2(15)
 POSITION                                                                            NOT NULL VARCHAR2(25)
 ISMANAGER                                                                           NOT NULL NUMBER(1)
 MANAGERID                                                                                    NUMBER(4)
 DEPARTMENT                                                                          NOT NULL VARCHAR2(15)
 CITY                                                                                NOT NULL VARCHAR2(35)
 STARTDATE                                                                           NOT NULL DATE
 ENDDATE                                                                                      DATE
 ACTIVE                                                                                       VARCHAR2(1)
 ORGANIZATION                                                                        NOT NULL VARCHAR2(15)
 CREATIONDATE                                                                        NOT NULL DATE
 MODIFICATIONDATE                                                                             DATE
 COSTCENTER                                                                                   NUMBER(5)
 ISHEADOFDEPARTMENT                                                                           NUMBER(1)
 DOB                                                                                 NOT NULL DATE
 SSN                                                                                          VARCHAR2(15)
 SIN                                                                                          VARCHAR2(15)
 NINO                                                                                         VARCHAR2(15)
 ADDRESS_1                                                                           NOT NULL VARCHAR2(50)
 ADDRESS_2                                                                                    VARCHAR2(35)
 STATE                                                                                        VARCHAR2(5)
 COUNTRY                                                                             NOT NULL VARCHAR2(5)
 POSTAL_CODE                                                                         NOT NULL VARCHAR2(15)
 CORPORATE_CARD                                                                               VARCHAR2(25)
 CC_PIN                                                                                       NUMBER(4)
 CC_EXPIRE                                                                                    DATE
 SALARY                                                                                       NUMBER(8,2)


-- . Query EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES from SYS user
SQL> select userid, firstname, lastname, emptype, position, ssn, sin, nino
  from employeesearch_prod.demo_hr_employees
 where rownum < 10;

    USERID FIRSTNAME  LASTNAME   EMPTYPE   POSITION         SSN         SIN         NINO
---------- ---------- ---------- --------- ---------------- ----------- ----------- -------------
        73 Craig      Hunt       Part-Time Administrator    102-20-4997
        74 Fred       Stewart    Part-Time Project Manager                          MN 33 14 95 E
        75 Julie      Reed       Full-time Clerk            412-62-2417
        76 Ruby       James      Full-time End-User         537-78-8902
        77 Alice      Harper     Part-Time District Manager             170-042-126
        78 Marilyn    Lee        Part-Time District Manager 553-51-1031
        79 Laura      Ryan       Full-time Project Manager  568-10-8709
        80 William    Elliott    Full-time District Manager 787-89-2282
        81 Martha     Carpenter  Full-time Administrator                            FZ 84 80 43 S

9 rows selected.

Now create the realm PROTECT_EMPLOYEESEARCH_PROD to protect the objects in the EMPLOYEESEARCH_PROD schema from malicious activity:

./dv_create_realm.sh

The commands executed and their output are:

==============================================================================
 Create the realm...
==============================================================================
USER is "C##DVOWNER"

CON_NAME
------------------------------
PDB1

-- . Show the current DV realm
SQL> select name, description, enabled from dba_dv_realm where id# >= 5000 order by 1;

no rows selected


-- . Create the "PROTECT_EMPLOYEESEARCH_PROD" DV realm
SQL>
begin
 DVSYS.DBMS_MACADM.CREATE_REALM(
   realm_name => 'PROTECT_EMPLOYEESEARCH_PROD'
  ,description => 'A mandatory realm to protect the EMPLOYEESEARCH_PROD schema.'
  ,enabled => DBMS_MACUTL.G_YES
  ,audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL
  ,realm_type => 1);
END;
/

PL/SQL procedure successfully completed.


-- . Show the current DV realm
SQL> select name, description, enabled from dba_dv_realm where id# >= 5000 order by 1;

NAME                            DESCRIPTION                                                       ENABLED
------------------------------- ----------------------------------------------------------------- --------
PROTECT_EMPLOYEESEARCH_PROD     A mandatory realm to protect the EMPLOYEESEARCH_PROD schema.      Y

Add the objects to be protected to the realm (here, all objects in the schema):

./dv_add_obj_to_realm.sh

The commands executed and their output are:

==============================================================================
 Add an object to protect
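The output of the lab's dv_add_obj_to_realm.sh is cut off above. As an added example, not the lab's own script, the following PL/SQL and SQL show what the step involves: every object in EMPLOYEESEARCH_PROD is added to the realm created in the previous step, the schema owner is authorized as a realm participant so the application itself keeps working, and two dictionary queries verify the result. The choice of EMPLOYEESEARCH_PROD as the authorized grantee is an assumption made for illustration; the lab's scripts may authorize a different account. Because realm_type => 1 created a mandatory realm, neither SYS nor the object owner can reach the protected tables until authorized: repeating the earlier SELECT from SYS now fails with ORA-01031: insufficient privileges, and because the realm was created with audit_options => G_REALM_AUDIT_FAIL, that blocked attempt is written to the unified audit trail, which the last query reads.

```sql
-- Added example (not the lab's own script). Run in PDB1 as the Database Vault
-- owner (C##DVOWNER), which holds the DV_OWNER role required by DBMS_MACADM.
-- Assumes the realm PROTECT_EMPLOYEESEARCH_PROD already exists (created above).

-- 1. Put every object of the schema under the realm. '%' is the documented
--    wildcard for object_name and object_type.
begin
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'PROTECT_EMPLOYEESEARCH_PROD',
    object_owner => 'EMPLOYEESEARCH_PROD',
    object_name  => '%',
    object_type  => '%');
end;
/

-- 2. Authorize the schema owner as a realm participant so the HR application,
--    which works through that schema, is not broken by the realm.
--    Assumption: the grantee is chosen for illustration; use the real
--    application account in your environment. G_REALM_AUTH_PARTICIPANT allows
--    access to realm objects; G_REALM_AUTH_OWNER would additionally allow the
--    grantee to manage the realm's objects and authorizations.
begin
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'PROTECT_EMPLOYEESEARCH_PROD',
    grantee       => 'EMPLOYEESEARCH_PROD',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
end;
/

-- 3. Verify what the realm now covers and who is allowed through it.
select realm_name, owner, object_name, object_type
  from dba_dv_realm_object
 where realm_name = 'PROTECT_EMPLOYEESEARCH_PROD';

select realm_name, grantee, auth_options
  from dba_dv_realm_auth
 where realm_name = 'PROTECT_EMPLOYEESEARCH_PROD';

-- 4. Detection: with audit_options => G_REALM_AUDIT_FAIL, each blocked access
--    to a protected object (for example the SYS query on DEMO_HR_EMPLOYEES
--    repeated after this step) is recorded in the unified audit trail.
--    Run this part as a user holding AUDIT_VIEWER or AUDIT_ADMIN.
select event_timestamp, dbusername, dv_action_name, object_schema, object_name,
       dv_return_code
  from unified_audit_trail
 where audit_type    = 'Database Vault'
   and object_schema = 'EMPLOYEESEARCH_PROD'
 order by event_timestamp desc;
```

Step 4 is the part a defender checks first after enabling a realm: an empty result after a deliberate test query from SYS means either the objects were not added (step 3 shows an empty DBA_DV_REALM_OBJECT) or the audit option on the realm is not set to record failures.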