Oracle LiveLabs Lab: DB Security - Audit Vault and DB Firewall

Posted by dingdingfish

Overview

This lab covers Oracle AVDF (Audit Vault and DB Firewall).

The lab can be requested here; it is allotted 150 minutes.

The lab guide is here.

The AVDF version used in this lab is Oracle AVDF 20.5.

After the environment has been provisioned, note the details of the three hosts:

Instances:
129.146.77.47     DBSEC-AVS    (Audit Vault Server)
129.146.45.178    DBSEC-DBF    (DB Firewall Server)
129.146.97.17     DBSEC-LAB    (audit target)
Remote Desktop:   http://129.146.97.17:6080/vnc.html?password=AWXYHOTZ4K&resize=scale&quality=9&autoconnect=true

The Audit Vault Server provides two users, AVADMIN and AVAUDITOR; the password for both is T06tron.

To save time, you can log in as both users at the same time and keep both pages open.

Introduction

This workshop introduces the features and capabilities of Oracle Audit Vault and DB Firewall (AVDF). It gives you the opportunity to learn how to configure these appliances in order to audit, monitor and protect access to sensitive data.

The objectives of this lab are:

  • Connect the Audit Vault Server to an Oracle database
  • Configure auditing for this database and explore the audit and reporting capabilities
  • Configure and manage firewall monitoring
  • Train the DB Firewall on the expected SQL traffic and observe the effect on a web application

Task 1: Audit Vault - Run the Deploy Agent

The instance DBSEC-LAB is the host running the database; log in to it:

sudo su - oracle
cd $DBSEC_LABS/avdf/avs
## Unpack the avcli.jar utility to install the Audit Vault command-line interface (avcli), so that most of the agent, host and Audit Trail deployment can be automated
./avs_deploy_avcli.sh
## Use avcli to register the host dbsec-lab with Audit Vault. The commands being run are stored in the file avcli_register_host.av. This step prints an activation key: note it down, it is needed later in the lab!
./avs_register_host.sh

Part of the output is shown below; note the ACTIVATION_KEY: DBSECLAB::UZMQ-GM80-R#HY-OK0R-ENC2

AVCLI> 
---------------------------------------------------------------------------------------------------
| HOST     | IP         | VERSION | ACTIVATION_KEY                     | STATUS    | AGENT_LOCATION |
===================================================================================================
| dbseclab | 10.0.0.150 |         | DBSECLAB::UZMQ-GM80-R#HY-OK0R-ENC2 | ACTIVATED |                |
-----------------------------------------------------------------------------------------------------

Deploy and activate the AV agent:

## The agent is unpacked into the directory /u01/app/avagent
./avs_deploy_agent.sh

## Activation prompts for the ACTIVATION_KEY generated when the host was registered
./avs_activate_agent.sh

Confirm that the agent is running:

$ ./avs_show_host.sh

==============================================================================
 Verify that the host has been properly registered and activated with Audit Vault...
==============================================================================

 ------- View the info script -------
connect AVADMIN/T06tron.

list host;
 ------------------------------------

. Run the avcli utility to show the host registered


AVCLI : Release 20.5.0.0.0 - Production on Tue May 10 11:22:11 UTC 2022


Copyright (c) 1996, 2019 Oracle.  All Rights Reserved.


AVCLI> Connected.
AVCLI> AVCLI>
--------------------------------------------------------------------------------------------------------
| HOST     | IP         | VERSION    | ACTIVATION_KEY                     | STATUS  | AGENT_LOCATION   |
========================================================================================================
| dbseclab | 10.0.0.150 | 20.5.0.0.0 | DBSECLAB::UZMQ-GM80-R#HY-OK0R-ENC2 | RUNNING | /u01/app/avagent |
--------------------------------------------------------------------------------------------------------

1 row(s) selected.

The command completed successfully.

AVCLI>

If the STATUS is not RUNNING, run the following:

$AV_HOME/bin/agentctl start

Task 2: Audit Vault - Register a Pluggable Database as Target

## Enter Oracle123 when prompted for the password
./avs_register_pdb.sh

The output is as follows:

==============================================================================
 Register the pluggable database pdb1 as an AV Target...
==============================================================================

------ View the registration script ------
connect AVADMIN/T06tron.

LIST SECURED TARGET;
REGISTER SECURED TARGET pdb1 OF SECURED TARGET TYPE "Oracle Database" AT jdbc:oracle:thin:@//10.0.0.150:1521/pdb1 AUTHENTICATED BY avaudituser;
LIST SECURED TARGET;
------------------------------------------

. Run the avcli utility to register the pluggable database


AVCLI : Release 20.5.0.0.0 - Production on Tue May 10 11:24:28 UTC 2022


Copyright (c) 1996, 2019 Oracle.  All Rights Reserved.


AVCLI> Connected.
AVCLI> AVCLI>
0 row(s) selected.

The command completed successfully.

AVCLI> Enter password:

The command completed successfully.

AVCLI>
-------------------------------------------------------------------------------------
| NAME | DESCRIPTION | LOCATION                                 | SECUREDTARGETTYPE |
=====================================================================================
| pdb1 |             | jdbc:oracle:thin:@//10.0.0.150:1521/pdb1 | Oracle Database   |
-------------------------------------------------------------------------------------

1 row(s) selected.

The command completed successfully.

AVCLI>

Notes:

  • This registration can also be performed from the Audit Vault web console
  • The script uses the database user AVAUDITUSER, which has already been created and granted the privileges needed to perform audit collection and cleanup, including SELECT access on several dictionary tables

Task 3: Audit Vault - Register an Audit Trail

First, use the avcli utility to register the Unified Audit Trail for the pluggable database pdb1 so that audit data is collected.

./avs_register_audit_trail.sh

The output is as follows:

$ ./avs_register_audit_trail.sh

==============================================================================
 Register the Unified Audit Trail for the pluggable database pdb1...
==============================================================================

------ View the registration script ------
connect AVADMIN/T06tron.

LIST TRAIL FOR SECURED TARGET pdb1;

START COLLECTION FOR SECURED TARGET pdb1 USING HOST dbseclab FROM TABLE UNIFIED_AUDIT_TRAIL;

LIST TRAIL FOR SECURED TARGET pdb1;
------------------------------------------

. Run the avcli utility to register the UNIFIED_AUDIT_TRAIL to collect audit data


AVCLI : Release 20.5.0.0.0 - Production on Tue May 10 11:29:03 UTC 2022


Copyright (c) 1996, 2019 Oracle.  All Rights Reserved.


AVCLI> Connected.
AVCLI> AVCLI>
0 row(s) selected.

The command completed successfully.

AVCLI> AVCLI>
Request submitted successfully. Audit trail is now eligible for auto-start.

AVCLI> AVCLI>
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST     | LOCATION            | STATUS  | REQUEST_STATUS  | AUTO_START_STATUS | AUTOSTART_ATTEMPTS | LAST_START_TIME                | ERROR_MESSAGE |
===========================================================================================================================================================================
| TABLE            | dbseclab | UNIFIED_AUDIT_TRAIL | STOPPED | START REQUESTED | ENABLED           | 0                  | 2022-05-10 11:29:05.335479 GMT |               |
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------

1 row(s) selected.

The command completed successfully.

AVCLI>

After the command completes, AUTO_START_STATUS should be ENABLED.

Next, list the audit trails for the pluggable database pdb1:

$ ./avs_list_audit_trails.sh

==============================================================================
 List the Audit Trails for the pluggable database pdb1...
==============================================================================

---------- View the list script ----------
connect AVADMIN/T06tron.

LIST TRAIL FOR SECURED TARGET pdb1;
------------------------------------------

. Run the avcli utility to verify the UNIFIED_AUDIT_TRAIL is running (or idle)


AVCLI : Release 20.5.0.0.0 - Production on Tue May 10 11:31:57 UTC 2022


Copyright (c) 1996, 2019 Oracle.  All Rights Reserved.


AVCLI> Connected.
AVCLI> AVCLI>
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| AUDIT_TRAIL_TYPE | HOST     | LOCATION            | STATUS | REQUEST_STATUS | AUTO_START_STATUS | AUTOSTART_ATTEMPTS | LAST_START_TIME                | ERROR_MESSAGE |
=========================================================================================================================================================================
| TABLE            | dbseclab | UNIFIED_AUDIT_TRAIL | IDLE   |                | ENABLED           | 0                  | 2022-05-10 11:29:05.335479 GMT |               |
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

1 row(s) selected.

The command completed successfully.

AVCLI>

Note:

  • You should see one row returned for the Unified Audit Trail
  • The STATUS column should show COLLECTING or IDLE; otherwise run the script again

Use the Audit Vault Web Console (at https://AVS-VM_@IP-Public) to view the collected audit data through the All Activity report.
Log in as AVAUDITOR with the password T06tron.

Click the Reports tab; under Activity Reports, in the Summary section, click All Activity to load the report.

You should see a report like the one below:

Clicking a column header lets you filter on that column:

This is only a small check to verify that audit data is being collected and is visible in Audit Vault.

If you run ./avs_list_audit_trails.sh at this point, the STATUS shown is still IDLE.

Task 4: Audit Vault - Manage Unified Audit Settings

Still in the Audit Vault web UI, click the Targets tab, click the target pdb1, and under Audit Policy perform the following:

On the Policies tab, Audit Policies page, click pdb1. Because our database version is later than 12c, choose Unified Auditing.
Keep the selections under Core Policies as shown in the figure below (they match the defaults), then click Provision Unified Policy.

On the Jobs page of the Settings tab, confirm that the job Unified Audit Policy has the status Completed Successfully …

List all of the unified audit policies in PDB1 (including those that are not enabled):

$ ./avs_query_all_unified_policies.sh

==============================================================================
 List all of the Unified Audit Policies in the pluggable database pdb1...
 This includes enabled and disabled policies!
==============================================================================

. List all the Unified Audit policies

POLICY_NAME
---------------------------------------------
APP_USER_NOT_APP_SERVER
EMPSEARCH_SELECT_USAGE_BY_PETE
ORA_ACCOUNT_MGMT
ORA_ADS$_ADMIN_USER_ACTIVITY
ORA_ADS$_CRITICAL_DB_ACTIVITY
ORA_ADS$_DB_SCHEMA_CHANGES
ORA_ADS$_LOGON_EVENTS
ORA_ADS$_LOGON_FAILURES
ORA_ADS$_SYS_TOP_ACTIVITY
ORA_AV$_ADMIN_USER_ACTIVITY
ORA_AV$_CRITICAL_DB_ACTIVITY
ORA_AV$_DB_SCHEMA_CHANGES
ORA_AV$_SYS_TOP_ACTIVITY
ORA_CIS_RECOMMENDATIONS
ORA_DATABASE_PARAMETER
ORA_DV_AUDPOL
ORA_DV_AUDPOL2
ORA_LOGON_FAILURES
ORA_RAS_POLICY_MGMT
ORA_RAS_SESSION_MGMT
ORA_SECURECONFIG
PRIVILEGED_ACTIONS

22 rows selected.

List the enabled unified audit policies in PDB1. There are more rows here than policies because the same POLICY_NAME can appear several times, once for each user or role it is enabled for:

$ ./avs_query_enabled_unified_policies.sh

==============================================================================
 List the ENABLED Unified Audit Policies in the pluggable database pdb1...
==============================================================================

. List the enabled Unified Audit policies

POLICY_NAME                                   ENABLED_OPTION  ENTITY_NAME                         ENTITY_TYPE  SUCCESS  FAILURE
--------------------------------------------- --------------- ----------------------------------- ------------ -------- --------
PRIVILEGED_ACTIONS                            BY GRANTED ROLE DBA                                 ROLE         YES      YES
ORA_SECURECONFIG                              BY USER         ALL USERS                           USER         YES      YES
ORA_RAS_SESSION_MGMT                          BY USER         ALL USERS                           USER         YES      YES
ORA_RAS_POLICY_MGMT                           BY USER         ALL USERS                           USER         YES      YES
ORA_LOGON_FAILURES                            BY USER
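The two lab scripts above read the AUDIT_UNIFIED_POLICIES and AUDIT_UNIFIED_ENABLED_POLICIES dictionary views. The following queries, added here as an example and not part of the lab's scripts, go one step further: they list the policies that are defined but not enabled anywhere (the gap between the 22 policies and the enabled list), show what a non-Oracle-supplied enabled policy actually audits, and confirm that audited events are reaching UNIFIED_AUDIT_TRAIL. They assume they are run in pdb1 as a user that can read these views (the lab's AVAUDITUSER is assumed to have that access).

```sql
-- Added example, not one of the lab's avs_*.sh scripts.
-- Run in pdb1 as a user with read access to the AUDIT_UNIFIED_* views
-- (assumed here to be the lab's AVAUDITUSER).

-- 1. Policies that exist but are not enabled for any user or role.
--    A policy in this list generates no audit records, however sensible
--    its name sounds.
SELECT policy_name
  FROM audit_unified_policies
MINUS
SELECT policy_name
  FROM audit_unified_enabled_policies
ORDER BY 1;

-- 2. What each enabled, site-defined policy audits (the lab's
--    PRIVILEGED_ACTIONS, EMPSEARCH_SELECT_USAGE_BY_PETE, ...).
--    Oracle-supplied ORA_% policies are excluded to keep the list short.
SELECT p.policy_name, p.audit_option, p.audit_option_type,
       p.object_schema, p.object_name
  FROM audit_unified_policies p
 WHERE p.policy_name IN (SELECT policy_name
                           FROM audit_unified_enabled_policies)
   AND p.policy_name NOT LIKE 'ORA\_%' ESCAPE '\'
 ORDER BY p.policy_name, p.audit_option;

-- 3. Are records actually being written? Latest audited events from the
--    last hour, with the policy that produced each row. An empty result
--    after you have generated activity means the trail is not being
--    populated, which Audit Vault's collector cannot fix on its own.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, unified_audit_policies, return_code
  FROM unified_audit_trail
 WHERE event_timestamp > SYSTIMESTAMP - INTERVAL '1' HOUR
 ORDER BY event_timestamp DESC
 FETCH FIRST 20 ROWS ONLY;
```

Query 3 checks the source side of the pipeline; the avs_list_audit_trails.sh output (STATUS of COLLECTING or IDLE) checks the collector side, and both need to be healthy for rows to appear in the All Activity report.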
