Oracle LiveLabs Lab: DB Security - Database Vault
Posted by dingdingfish
Overview
The lab can be requested here; it takes 45 minutes.
This lab is also the 6th lab of the DB Security Advanced workshop, namely Lab 8.
The lab help is here.
The database used in this lab is 19.13.
Introduction
This workshop introduces the various features and capabilities of Oracle Database Vault (DV). It gives users the opportunity to learn how to configure these features to prevent unauthorized privileged users from accessing sensitive data.
Task 1: Enable Database Vault
Go to the lab directory:
sudo su - oracle
cd $DBSEC_LABS/database-vault
First, enable Database Vault in the container database cdb1:
./dv_enable_on_cdb.sh
The commands actually executed, and their output:
==============================================================================
Configure and Enable Database Vault for the container database CDB...
==============================================================================
CON_NAME
------------------------------
CDB$ROOT
-- . Show the DB Vault status
SQL> select * from dba_dv_status;
NAME STATUS
------------------------- --------------------
DV_APP_PROTECTION NOT CONFIGURED
DV_CONFIGURE_STATUS FALSE
DV_ENABLE_STATUS FALSE
SQL> select a.name pdb_name, a.open_mode, b.name, b.status
from v$pdbs a, cdb_dv_status b
where a.con_id = b.con_id
order by 1,2;
PDB_NAME OPEN_MODE NAME STATUS
-------------------- -------------------- ------------------------- --------------------
PDB1 READ WRITE DV_APP_PROTECTION NOT CONFIGURED
READ WRITE DV_ENABLE_STATUS FALSE
READ WRITE DV_CONFIGURE_STATUS FALSE
PDB_NAME OPEN_MODE NAME STATUS
-------------------- -------------------- ------------------------- --------------------
PDB2 READ WRITE DV_APP_PROTECTION NOT CONFIGURED
READ WRITE DV_ENABLE_STATUS FALSE
READ WRITE DV_CONFIGURE_STATUS FALSE
6 rows selected.
-- . Configure DB Vault
SQL>
BEGIN
DVSYS.CONFIGURE_DV (
dvowner_uname => 'C##DVOWNER',
dvacctmgr_uname => 'c##DVACCTMGR');
END;
/
PL/SQL procedure successfully completed.
-- . Enable DB Vault
CON_NAME
------------------------------
CDB$ROOT
USER is "C##DVOWNER"
SQL> exec dvsys.dbms_macadm.enable_dv;
PL/SQL procedure successfully completed.
. Reboot the Database
CON_NAME
------------------------------
CDB$ROOT
Database closed.
Database dismounted.
ORACLE instance shut down.
ORACLE instance started.
Total System Global Area 3674209872 bytes
Fixed Size 9141840 bytes
Variable Size 1996488704 bytes
Database Buffers 1660944384 bytes
Redo Buffers 7634944 bytes
Database mounted.
Database opened.
-- . Show the DB Vault status
SQL> select * from dba_dv_status;
NAME STATUS
------------------------- --------------------
DV_APP_PROTECTION NOT CONFIGURED
DV_CONFIGURE_STATUS TRUE
DV_ENABLE_STATUS TRUE
SQL> select a.name pdb_name, a.open_mode, b.name, b.status
from v$pdbs a, cdb_dv_status b
where a.con_id = b.con_id
order by 1,2;
PDB_NAME OPEN_MODE NAME STATUS
-------------------- -------------------- ------------------------- --------------------
PDB1 READ WRITE DV_APP_PROTECTION NOT CONFIGURED
READ WRITE DV_ENABLE_STATUS FALSE
READ WRITE DV_CONFIGURE_STATUS FALSE
PDB_NAME OPEN_MODE NAME STATUS
-------------------- -------------------- ------------------------- --------------------
PDB2 READ WRITE DV_APP_PROTECTION NOT CONFIGURED
READ WRITE DV_ENABLE_STATUS FALSE
READ WRITE DV_CONFIGURE_STATUS FALSE
6 rows selected.
Next, enable it on the pluggable database. For now, enable it only on pdb1:
./dv_enable_on_pdb.sh pdb1
This command is similar to the previous one, except that it connects to the PDB before executing. The output:
==============================================================================
Configure and Enable Database Vault for the pluggable database ...
==============================================================================
CON_NAME
------------------------------
CDB$ROOT
. Show the DB Vault status
NAME STATUS
------------------------- --------------------
DV_APP_PROTECTION NOT CONFIGURED
DV_CONFIGURE_STATUS TRUE
DV_ENABLE_STATUS TRUE
PDB_NAME OPEN_MODE NAME STATUS
-------------------- -------------------- ------------------------- --------------------
PDB1 READ WRITE DV_APP_PROTECTION NOT CONFIGURED
READ WRITE DV_ENABLE_STATUS FALSE
READ WRITE DV_CONFIGURE_STATUS FALSE
PDB_NAME OPEN_MODE NAME STATUS
-------------------- -------------------- ------------------------- --------------------
PDB2 READ WRITE DV_APP_PROTECTION NOT CONFIGURED
READ WRITE DV_ENABLE_STATUS FALSE
READ WRITE DV_CONFIGURE_STATUS FALSE
6 rows selected.
. Connect to the pluggable database pdb1
Session altered.
CON_NAME
------------------------------
PDB1
. Configure DB Vault
PL/SQL procedure successfully completed.
. Enable DB Vault
USER is "C##DVOWNER"
PL/SQL procedure successfully completed.
. Reboot the pluggable database
CON_NAME
------------------------------
CDB$ROOT
Pluggable database altered.
Pluggable database altered.
. Show the DB Vault status
NAME STATUS
------------------------- --------------------
DV_APP_PROTECTION NOT CONFIGURED
DV_CONFIGURE_STATUS TRUE
DV_ENABLE_STATUS TRUE
PDB_NAME OPEN_MODE NAME STATUS
-------------------- -------------------- ------------------------- --------------------
PDB1 READ WRITE DV_APP_PROTECTION NOT CONFIGURED
READ WRITE DV_ENABLE_STATUS TRUE
READ WRITE DV_CONFIGURE_STATUS TRUE
PDB_NAME OPEN_MODE NAME STATUS
-------------------- -------------------- ------------------------- --------------------
PDB2 READ WRITE DV_APP_PROTECTION NOT CONFIGURED
READ WRITE DV_ENABLE_STATUS FALSE
READ WRITE DV_CONFIGURE_STATUS FALSE
6 rows selected.
Database Vault is now enabled in both the container database and pdb1!
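The two status queries above are run separately in each container. As an added example (not one of the lab's own scripts), the following PL/SQL block, run from CDB$ROOT by a user who can read CDB_DV_STATUS, checks DV_CONFIGURE_STATUS and DV_ENABLE_STATUS for the root and every open PDB in one pass and reports any container where Database Vault is still off. With the lab at this point it reports PDB2 as not configured and not enabled; the view names are the ones shown on this page plus the standard V$CONTAINERS view.

```sql
-- Added example, not part of the LiveLabs scripts: report every open container
-- in which Database Vault is not both configured and enabled.
SET SERVEROUTPUT ON
DECLARE
  v_missing PLS_INTEGER := 0;
BEGIN
  FOR r IN (
    SELECT c.name   AS con_name,
           s.name   AS property,
           s.status AS status
    FROM   v$containers  c
    JOIN   cdb_dv_status s ON s.con_id = c.con_id
    WHERE  s.name IN ('DV_CONFIGURE_STATUS', 'DV_ENABLE_STATUS')
    AND    c.open_mode LIKE 'READ%'          -- skip closed PDBs
    ORDER  BY c.con_id, s.name)
  LOOP
    IF r.status <> 'TRUE' THEN
      v_missing := v_missing + 1;
      DBMS_OUTPUT.PUT_LINE('WARN: ' || r.con_name || ' ' || r.property ||
                           ' = ' || r.status);
    END IF;
  END LOOP;

  IF v_missing = 0 THEN
    DBMS_OUTPUT.PUT_LINE('OK: Database Vault configured and enabled in all open containers');
  ELSE
    DBMS_OUTPUT.PUT_LINE(v_missing || ' status value(s) need attention');
  END IF;
END;
/
```

DV_APP_PROTECTION is deliberately left out of the check: it stays NOT CONFIGURED until an application protection policy is defined, which this lab does not do, so including it would produce a warning for every container.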
Task 2: Create a Simple Realm
Open the web application in a browser:
- URL: http://<YOUR_DBSEC-LAB_VM_PUBLIC_IP>:8080/hr_prod_pdb1
- Username and password: hradmin/Oracle123
- Click Search Employee, then click Search
Return to your terminal session and run the command to view the data in the schema:
./dv_query_employee_data.sh
The commands executed, and their output:
==============================================================================
Query on EMPLOYEESEARCH_PROD data...
==============================================================================
USER is "SYS"
-- . Describe EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES from SYS user
SQL> desc employeesearch_prod.demo_hr_employees;
Name Null? Type
----------------------------------------------------------------------------------- -------- --------------------------------------------------------
USERID NOT NULL NUMBER(4)
FIRSTNAME NOT NULL VARCHAR2(25)
LASTNAME NOT NULL VARCHAR2(35)
EMAIL NOT NULL VARCHAR2(35)
PHONEMOBILE VARCHAR2(15)
PHONEFIX VARCHAR2(15)
PHONEFAX VARCHAR2(15)
EMPTYPE NOT NULL VARCHAR2(15)
POSITION NOT NULL VARCHAR2(25)
ISMANAGER NOT NULL NUMBER(1)
MANAGERID NUMBER(4)
DEPARTMENT NOT NULL VARCHAR2(15)
CITY NOT NULL VARCHAR2(35)
STARTDATE NOT NULL DATE
ENDDATE DATE
ACTIVE VARCHAR2(1)
ORGANIZATION NOT NULL VARCHAR2(15)
CREATIONDATE NOT NULL DATE
MODIFICATIONDATE DATE
COSTCENTER NUMBER(5)
ISHEADOFDEPARTMENT NUMBER(1)
DOB NOT NULL DATE
SSN VARCHAR2(15)
SIN VARCHAR2(15)
NINO VARCHAR2(15)
ADDRESS_1 NOT NULL VARCHAR2(50)
ADDRESS_2 VARCHAR2(35)
STATE VARCHAR2(5)
COUNTRY NOT NULL VARCHAR2(5)
POSTAL_CODE NOT NULL VARCHAR2(15)
CORPORATE_CARD VARCHAR2(25)
CC_PIN NUMBER(4)
CC_EXPIRE DATE
SALARY NUMBER(8,2)
-- . Query EMPLOYEESEARCH_PROD.DEMO_HR_EMPLOYEES from SYS user
SQL> select userid, firstname, lastname, emptype, position, ssn, sin, nino
from employeesearch_prod.demo_hr_employees
where rownum < 10;
USERID FIRSTNAME LASTNAME EMPTYPE POSITION SSN SIN NINO
---------- ---------- ---------- --------- ---------------- ----------- ----------- -------------
73 Craig Hunt Part-Time Administrator 102-20-4997
74 Fred Stewart Part-Time Project Manager MN 33 14 95 E
75 Julie Reed Full-time Clerk 412-62-2417
76 Ruby James Full-time End-User 537-78-8902
77 Alice Harper Part-Time District Manager 170-042-126
78 Marilyn Lee Part-Time District Manager 553-51-1031
79 Laura Ryan Full-time Project Manager 568-10-8709
80 William Elliott Full-time District Manager 787-89-2282
81 Martha Carpenter Full-time Administrator FZ 84 80 43 S
9 rows selected.
Now create the realm PROTECT_EMPLOYEESEARCH_PROD to protect the objects in the EMPLOYEESEARCH_PROD schema from malicious activity:
./dv_create_realm.sh
The commands executed, and their output:
==============================================================================
Create the realm...
==============================================================================
USER is "C##DVOWNER"
CON_NAME
------------------------------
PDB1
-- . Show the current DV realm
SQL> select name, description, enabled from dba_dv_realm where id# >= 5000 order by 1;
no rows selected
-- . Create the "PROTECT_EMPLOYEESEARCH_PROD" DV realm
SQL>
begin
DVSYS.DBMS_MACADM.CREATE_REALM(
realm_name => 'PROTECT_EMPLOYEESEARCH_PROD'
,description => 'A mandatory realm to protect the EMPLOYEESEARCH_PROD schema.'
,enabled => DBMS_MACUTL.G_YES
,audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL
,realm_type => 1);
END;
/
PL/SQL procedure successfully completed.
-- . Show the current DV realm
SQL> select name, description, enabled from dba_dv_realm where id# >= 5000 order by 1;
NAME DESCRIPTION ENABLED
------------------------------- ----------------------------------------------------------------- --------
PROTECT_EMPLOYEESEARCH_PROD A mandatory realm to protect the EMPLOYEESEARCH_PROD schema. Y
Add the objects to be protected to the realm (here, all objects in the schema):
./dv_add_obj_to_realm.sh
The commands executed, and their output:
==============================================================================
Add an object to protect
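As an added example (not the lab's dv_add_obj_to_realm.sh, whose output is cut off above), this is how the step described above is done with the DBMS_MACADM API: run as C##DVOWNER in PDB1, it places every object owned by EMPLOYEESEARCH_PROD into the realm created earlier and then shows what the realm covers. Because the realm was created with realm_type => 1 (mandatory), it blocks the schema owner as well as SYS, so the block also authorizes the schema owner as a realm participant; that choice of grantee is an assumption for the example, since the page does not say which account the web application connects as.

```sql
-- Added example, not the lab's own script: protect the whole schema with the
-- realm created above, then verify realm membership and authorizations.
BEGIN
  -- '%' wildcards cover every object of every type owned by the schema,
  -- including objects created later.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'PROTECT_EMPLOYEESEARCH_PROD',
    object_owner => 'EMPLOYEESEARCH_PROD',
    object_name  => '%',
    object_type  => '%');

  -- A mandatory realm blocks even the object owner, so authorize the schema
  -- (assumed here to be the application account) as a realm participant.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'PROTECT_EMPLOYEESEARCH_PROD',
    grantee       => 'EMPLOYEESEARCH_PROD',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- What the realm now protects.
SELECT realm_name, owner, object_name, object_type
FROM   dba_dv_realm_object
WHERE  realm_name = 'PROTECT_EMPLOYEESEARCH_PROD';

-- Who is allowed through it, and under which rule set (none here).
SELECT realm_name, grantee, auth_rule_set_name, auth_options
FROM   dba_dv_realm_auth
WHERE  realm_name = 'PROTECT_EMPLOYEESEARCH_PROD';
```

After this, the SELECT that SYS ran on DEMO_HR_EMPLOYEES in the earlier step is a realm violation: it is refused, and because the realm was created with audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL, the failed attempt is recorded in the Database Vault audit trail.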