Oracle LiveLabs Lab: DB Security - Audit Vault and DB Firewall
Posted by dingdingfish
Overview
This lab covers Oracle AVDF (Audit Vault and DB Firewall).
The lab can be requested here; it is allotted 150 minutes.
The lab guide is here.
The AVDF version used in this lab is Oracle AVDF 20.5.
Once the environment has been provisioned, record the details of the 3 hosts:
Instances :
129.146.77.47 DBSEC-AVS (Audit Vault Server)
129.146.45.178 DBSEC-DBF (DB Firewall Server)
129.146.97.17 DBSEC-LAB (audit target)
Remote Desktop : http://129.146.97.17:6080/vnc.html?password=AWXYHOTZ4K&resize=scale&quality=9&autoconnect=true
The Audit Vault Server comes with two users, AVADMIN and AVAUDITOR; the password for both is T06tron. (the trailing period is part of the password, as the connect strings in the scripts below show).
To save time, log in as both users at the same time and keep both pages open.
Introduction
This workshop introduces the features and functionality of Oracle Audit Vault and DB Firewall (AVDF). It gives you the opportunity to learn how to configure these appliances to audit, monitor and protect access to sensitive data.
The objectives of this lab are:
- Connect the Audit Vault Server to an Oracle database
- Configure auditing for this database and explore the audit and reporting capabilities
- Configure and manage firewall monitoring
- Train the DB Firewall on the expected SQL traffic and observe the effect on a web application
Task 1: Audit Vault - Run the Deploy Agent
The DBSEC-LAB instance is the database host; log in to it:
sudo su - oracle
cd $DBSEC_LABS/avdf/avs
## Unpack the avcli.jar utility to install the Audit Vault command-line interface (avcli), so that most of the agent, host and audit-trail deployment can be automated
./avs_deploy_avcli.sh
## Register the host dbsec-lab with Audit Vault using avcli. The commands being run are stored in the file avcli_register_host.av. This step prints an activation key; note it down, it is needed later in the lab!
./avs_register_host.sh
Part of the output is shown below; note the ACTIVATION_KEY: DBSECLAB::UZMQ-GM80-R#HY-OK0R-ENC2
AVCLI>
---------------------------------------------------------------------------------------------------
| HOST | IP | VERSION | ACTIVATION_KEY | STATUS | AGENT_LOCATION |
===================================================================================================
| dbseclab | 10.0.0.150 | | DBSECLAB::UZMQ-GM80-R#HY-OK0R-ENC2 | ACTIVATED | |
-----------------------------------------------------------------------------------------------------
Deploy and activate the AV agent:
## The agent is unpacked into /u01/app/avagent
./avs_deploy_agent.sh
## Activation prompts for the ACTIVATION_KEY that was generated when the host was registered
./avs_activate_agent.sh
Confirm that the agent is running:
$ ./avs_show_host.sh
==============================================================================
Verify that the host has been properly registered and activated with Audit Vault...
==============================================================================
------- View the info script -------
connect AVADMIN/T06tron.
list host;
------------------------------------
. Run the avcli utility to show the host registered
AVCLI : Release 20.5.0.0.0 - Production on Tue May 10 11:22:11 UTC 2022
Copyright (c) 1996, 2019 Oracle. All Rights Reserved.
AVCLI> Connected.
AVCLI> AVCLI>
--------------------------------------------------------------------------------------------------------
| HOST | IP | VERSION | ACTIVATION_KEY | STATUS | AGENT_LOCATION |
========================================================================================================
| dbseclab | 10.0.0.150 | 20.5.0.0.0 | DBSECLAB::UZMQ-GM80-R#HY-OK0R-ENC2 | RUNNING | /u01/app/avagent |
--------------------------------------------------------------------------------------------------------
1 row(s) selected.
The command completed successfully.
AVCLI>
If the STATUS is anything other than RUNNING, start the agent:
$AV_HOME/bin/agentctl start
Task 2: Audit Vault - Register a Pluggable Database as Target
## Enter Oracle123 when prompted for a password
./avs_register_pdb.sh
Output:
==============================================================================
Register the pluggable database pdb1 as an AV Target...
==============================================================================
------ View the registration script ------
connect AVADMIN/T06tron.
LIST SECURED TARGET;
REGISTER SECURED TARGET pdb1 OF SECURED TARGET TYPE "Oracle Database" AT jdbc:oracle:thin:@//10.0.0.150:1521/pdb1 AUTHENTICATED BY avaudituser;
LIST SECURED TARGET;
------------------------------------------
. Run the avcli utility to register the pluggable database
AVCLI : Release 20.5.0.0.0 - Production on Tue May 10 11:24:28 UTC 2022
Copyright (c) 1996, 2019 Oracle. All Rights Reserved.
AVCLI> Connected.
AVCLI> AVCLI>
0 row(s) selected.
The command completed successfully.
AVCLI> Enter password:
The command completed successfully.
AVCLI>
-------------------------------------------------------------------------------------
| NAME | DESCRIPTION | LOCATION | SECUREDTARGETTYPE |
=====================================================================================
| pdb1 | | jdbc:oracle:thin:@//10.0.0.150:1521/pdb1 | Oracle Database |
-------------------------------------------------------------------------------------
1 row(s) selected.
The command completed successfully.
AVCLI>
Notes:
- This registration can also be performed from the Audit Vault web console
- The script uses the database user AVAUDITUSER, which has already been created and granted the privileges needed to collect and clean up database audit data, including SELECT on several dictionary tables
Task 3: Audit Vault - Register an Audit Trail
First, use the avcli utility to register the Unified Audit Trail of the pluggable database pdb1 so that audit data is collected.
./avs_register_audit_trail.sh
Output:
$ ./avs_register_audit_trail.sh
==============================================================================
Register the Unified Audit Trail for the pluggable database pdb1...
==============================================================================
------ View the registration script ------
connect AVADMIN/T06tron.
LIST TRAIL FOR SECURED TARGET pdb1;
START COLLECTION FOR SECURED TARGET pdb1 USING HOST dbseclab FROM TABLE UNIFIED_AUDIT_TRAIL;
LIST TRAIL FOR SECURED TARGET pdb1;
------------------------------------------
. Run the avcli utility to register the UNIFIED_AUDIT_TRAIL to collect audit data
AVCLI : Release 20.5.0.0.0 - Production on Tue May 10 11:29:03 UTC 2022
Copyright (c) 1996, 2019 Oracle. All Rights Reserved.
AVCLI> Connected.
AVCLI> AVCLI>
0 row(s) selected.
The command completed successfully.
AVCLI> AVCLI>
Request submitted successfully. Audit trail is now eligible for auto-start.
AVCLI> AVCLI>
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST | LOCATION | STATUS | REQUEST_STATUS | AUTO_START_STATUS | AUTOSTART_ATTEMPTS | LAST_START_TIME | ERROR_MESSAGE |
===========================================================================================================================================================================
| TABLE | dbseclab | UNIFIED_AUDIT_TRAIL | STOPPED | START REQUESTED | ENABLED | 0 | 2022-05-10 11:29:05.335479 GMT | |
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1 row(s) selected.
The command completed successfully.
AVCLI>
After the command completes, AUTO_START_STATUS must be ENABLED.
Next, list the audit trails of the pluggable database pdb1:
$ ./avs_list_audit_trails.sh
==============================================================================
List the Audit Trails for the pluggable database pdb1...
==============================================================================
---------- View the list script ----------
connect AVADMIN/T06tron.
LIST TRAIL FOR SECURED TARGET pdb1;
------------------------------------------
. Run the avcli utility to verify the UNIFIED_AUDIT_TRAIL is running (or idle)
AVCLI : Release 20.5.0.0.0 - Production on Tue May 10 11:31:57 UTC 2022
Copyright (c) 1996, 2019 Oracle. All Rights Reserved.
AVCLI> Connected.
AVCLI> AVCLI>
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST | LOCATION | STATUS | REQUEST_STATUS | AUTO_START_STATUS | AUTOSTART_ATTEMPTS | LAST_START_TIME | ERROR_MESSAGE |
=========================================================================================================================================================================
| TABLE | dbseclab | UNIFIED_AUDIT_TRAIL | IDLE | | ENABLED | 0 | 2022-05-10 11:29:05.335479 GMT | |
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1 row(s) selected.
The command completed successfully.
AVCLI>
Note:
- You should see one row returned for the Unified Audit Trail
- The STATUS column should show COLLECTING or IDLE; if it does not, run the script again
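The two checks above (agent STATUS must be RUNNING in Task 1, trail STATUS must be COLLECTING or IDLE here) are easy to automate by parsing the pipe-delimited tables avcli prints. The script below is an added example and is not one of the LiveLabs scripts; the sample tables are constructed from the output shown in this lab (with a placeholder activation key), and the function names are my own.

```shell
#!/bin/sh
# Added example (not one of the LiveLabs scripts): parse the pipe-delimited
# tables that avcli prints for `list host;` and `LIST TRAIL FOR SECURED TARGET`
# and apply the two health checks the lab describes:
#   - host/agent STATUS must be RUNNING, otherwise run $AV_HOME/bin/agentctl start
#   - trail STATUS must be COLLECTING or IDLE, otherwise re-run the registration
# The sample tables below are constructed from the lab output; function names are mine.

# Print one column of an avcli table by header name.
#   $1 = column header (e.g. STATUS), $2 = the avcli output text
avcli_column() {
    printf '%s\n' "$2" | awk -F'|' -v want="$1" '
        /^\|/ {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if (!found) {                      # first |-row is the header
                for (i = 1; i <= NF; i++) if ($i == want) { col = i; found = 1 }
                next
            }
            if (col) print $col                # data rows
        }'
}

# True (exit 0) when the agent is in any state other than RUNNING.
agent_needs_start() {
    [ "$(avcli_column STATUS "$1")" != "RUNNING" ]
}

# True when the trail is COLLECTING or IDLE; otherwise report STATUS and ERROR_MESSAGE.
trail_healthy() {
    status=$(avcli_column STATUS "$1")
    case "$status" in
        COLLECTING|IDLE) return 0 ;;
        *)
            echo "trail STATUS='${status:-<none>}' ERROR_MESSAGE='$(avcli_column ERROR_MESSAGE "$1")'" >&2
            return 1 ;;
    esac
}

# Constructed samples (the activation key is a placeholder, not a real one).
HOST_ACTIVATED='
| HOST | IP | VERSION | ACTIVATION_KEY | STATUS | AGENT_LOCATION |
==================================================================
| dbseclab | 10.0.0.150 | | DBSECLAB::AAAA-BBBB-CCCC-DDDD-EEEE | ACTIVATED | |
'
HOST_RUNNING='
| HOST | IP | VERSION | ACTIVATION_KEY | STATUS | AGENT_LOCATION |
==================================================================
| dbseclab | 10.0.0.150 | 20.5.0.0.0 | DBSECLAB::AAAA-BBBB-CCCC-DDDD-EEEE | RUNNING | /u01/app/avagent |
'
TRAIL_STOPPED='
| AUDIT_TRAIL_TYPE | HOST | LOCATION | STATUS | REQUEST_STATUS | AUTO_START_STATUS | AUTOSTART_ATTEMPTS | LAST_START_TIME | ERROR_MESSAGE |
| TABLE | dbseclab | UNIFIED_AUDIT_TRAIL | STOPPED | START REQUESTED | ENABLED | 0 | 2022-05-10 11:29:05 GMT | |
'
TRAIL_IDLE='
| AUDIT_TRAIL_TYPE | HOST | LOCATION | STATUS | REQUEST_STATUS | AUTO_START_STATUS | AUTOSTART_ATTEMPTS | LAST_START_TIME | ERROR_MESSAGE |
| TABLE | dbseclab | UNIFIED_AUDIT_TRAIL | IDLE | | ENABLED | 0 | 2022-05-10 11:29:05 GMT | |
'

# Stand-alone demo: what an operator would do with each sample.
for sample in "$HOST_ACTIVATED" "$HOST_RUNNING"; do
    if agent_needs_start "$sample"; then
        echo "agent STATUS=$(avcli_column STATUS "$sample"): run \$AV_HOME/bin/agentctl start"
    else
        echo "agent RUNNING at $(avcli_column AGENT_LOCATION "$sample")"
    fi
done
trail_healthy "$TRAIL_IDLE" && echo "trail OK"
trail_healthy "$TRAIL_STOPPED" || echo "trail needs attention"
```

In real use, feed `avcli_column` the captured output of `./avs_show_host.sh` or `./avs_list_audit_trails.sh` (for example `avcli_column STATUS "$(./avs_list_audit_trails.sh)"`); matching on the header name rather than a column position keeps the check working when Oracle adds columns to the table.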
Use the Audit Vault web console (https://AVS-VM_@IP-Public, i.e. the public IP of DBSEC-AVS) to view the collected audit data through the All Activity report.
Log in as AVAUDITOR with the password T06tron.
Click the Reports tab; under Activity Reports, in the Summary section, click All Activity to load the report.
You should see a report like the one below:
Select a column header to filter:
This is just a small sample to verify that audit data is being collected and is visible in Audit Vault.
If you run ./avs_list_audit_trails.sh at this point, the STATUS in the output is still IDLE.
Task 4: Audit Vault - Manage Unified Audit Settings
Still in the Audit Vault web interface, click the Targets tab, click the target pdb1, and under Audit Policy do the following:
On the Policies tab, Audit Policies page, click pdb1. Since our database version is later than 12c, choose Unified Auditing.
Leave the selections under Core Policies as in the figure below (the defaults already match) and click Provision Unified Policy.
On the Settings tab, Jobs page, confirm that the job Unified Audit Policy shows the status Completed Successfully …
List all of the unified audit policies in PDB1 (including those that are not enabled):
$ ./avs_query_all_unified_policies.sh
==============================================================================
List all of the Unified Audit Policies in the pluggable database pdb1...
This includes enabled and disabled policies!
==============================================================================
. List all the Unified Audit policies
POLICY_NAME
---------------------------------------------
APP_USER_NOT_APP_SERVER
EMPSEARCH_SELECT_USAGE_BY_PETE
ORA_ACCOUNT_MGMT
ORA_ADS$_ADMIN_USER_ACTIVITY
ORA_ADS$_CRITICAL_DB_ACTIVITY
ORA_ADS$_DB_SCHEMA_CHANGES
ORA_ADS$_LOGON_EVENTS
ORA_ADS$_LOGON_FAILURES
ORA_ADS$_SYS_TOP_ACTIVITY
ORA_AV$_ADMIN_USER_ACTIVITY
ORA_AV$_CRITICAL_DB_ACTIVITY
ORA_AV$_DB_SCHEMA_CHANGES
ORA_AV$_SYS_TOP_ACTIVITY
ORA_CIS_RECOMMENDATIONS
ORA_DATABASE_PARAMETER
ORA_DV_AUDPOL
ORA_DV_AUDPOL2
ORA_LOGON_FAILURES
ORA_RAS_POLICY_MGMT
ORA_RAS_SESSION_MGMT
ORA_SECURECONFIG
PRIVILEGED_ACTIONS
22 rows selected.
List the enabled audit policies in PDB1. The same POLICY_NAME can appear more than once here because a policy can be enabled separately for different entities (users or roles):
$ ./avs_query_enabled_unified_policies.sh
==============================================================================
List the ENABLED Unified Audit Policies in the pluggable database pdb1...
==============================================================================
. List the enabled Unified Audit policies
POLICY_NAME ENABLED_OPTION ENTITY_NAME ENTITY_TYPE SUCCESS FAILURE
--------------------------------------------- --------------- ----------------------------------- ------------ -------- --------
PRIVILEGED_ACTIONS BY GRANTED ROLE DBA ROLE YES YES
ORA_SECURECONFIG BY USER ALL USERS USER YES YES
ORA_RAS_SESSION_MGMT BY USER ALL USERS USER YES YES
ORA_RAS_POLICY_MGMT BY USER ALL USERS USER YES YES
ORA_LOGON_FAILURES BY USER
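The two listings above are the usual starting point for a policy review: a policy that appears in the first list (AUDIT_UNIFIED_POLICIES) but has no row in the second (AUDIT_UNIFIED_ENABLED_POLICIES, whose columns match the second listing) is defined but records nothing, and a policy enabled for ALL USERS is the one most likely to drive audit volume. The script below is an added example, not one of the LiveLabs scripts; the listings are constructed and shortened from the lab output (the ORA_LOGON_FAILURES row, which is truncated on this page, is my own assumption), and the function names are mine.

```shell
#!/bin/sh
# Added example (not one of the LiveLabs scripts): cross-check the two sqlplus
# listings the lab scripts produce and report
#   - policies that exist in the PDB but are enabled for no user or role, and
#   - enabled policies whose scope is ALL USERS.
# The listings are constructed (shortened) from the lab output; the
# ORA_LOGON_FAILURES row and the function names are my own assumptions.

# Policy names from a sqlplus listing: the first word of each row, with the
# header, dashed underline, blank lines and "rows selected" trailer skipped.
list_policies() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 == "POLICY_NAME" || $1 ~ /^-+$/ || /rows selected/ { next }
        { print $1 }' | LC_ALL=C sort -u
}

# Policies in the ALL listing ($1) that have no row in the ENABLED listing ($2).
not_enabled() {
    enabled=$(list_policies "$2")
    list_policies "$1" | while IFS= read -r name; do
        # -F: policy names such as ORA_ADS$_... contain regex metacharacters
        printf '%s\n' "$enabled" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Enabled policies applied to ALL USERS (widest scope, highest audit volume).
enabled_for_all_users() {
    printf '%s\n' "$1" | awk '/ALL USERS/ { print $1 }' | LC_ALL=C sort -u
}

# Constructed sample listings.
ALL_POLICIES='
POLICY_NAME
---------------------------------------------
APP_USER_NOT_APP_SERVER
EMPSEARCH_SELECT_USAGE_BY_PETE
ORA_CIS_RECOMMENDATIONS
ORA_LOGON_FAILURES
ORA_SECURECONFIG
PRIVILEGED_ACTIONS

6 rows selected.
'
ENABLED_POLICIES='
POLICY_NAME              ENABLED_OPTION   ENTITY_NAME ENTITY_TYPE SUCCESS  FAILURE
------------------------ ---------------- ----------- ----------- -------- --------
PRIVILEGED_ACTIONS       BY GRANTED ROLE  DBA         ROLE        YES      YES
ORA_SECURECONFIG         BY USER          ALL USERS   USER        YES      YES
ORA_LOGON_FAILURES       BY USER          ALL USERS   USER        NO       YES
'

# Stand-alone demo.
echo "defined but not enabled for any entity:"
not_enabled "$ALL_POLICIES" "$ENABLED_POLICIES"
echo "enabled for ALL USERS:"
enabled_for_all_users "$ENABLED_POLICIES"
```

To run it against the live PDB, capture the output of `./avs_query_all_unified_policies.sh` and `./avs_query_enabled_unified_policies.sh` into the two variables instead of the constructed text. A policy reported as not enabled (for example the application policy APP_USER_NOT_APP_SERVER) will never show up in an Audit Vault report until it is enabled with AUDIT POLICY in the PDB.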