Oracle Database 12c Security - 2. Essential Elements of User Security
本章重点谈User-Database Account Mapping。
UNDERSTANDING IDENTIFICATION AND AUTHENTICATION
数据库安全三步骤:
- 用户提供身份给数据库
- 用户通过口令验证证明自己身份
- 数据库认为用户可信任并决定其权限
Identification Methods
照片,指纹,员工号,用户名都属于身份。
身份分为用户提供的身份和技术身份两类。
用户提供的身份,如会员卡号,银行卡号,邮箱地址等。
技术身份包括如生物识别信息(声音与图像识别,指纹,虹膜),计算机身份(作为PKI一部分的数字证书)和数字身份(如主机名,IP地址,MAC地址等)。
Authentication
认证包括3类:
- something you know,如口令
- something you possess,如员工卡,信用卡,软件序列号等
- something you are,如指纹,虹膜
强认证指不易猜到和破解的认证。最佳实践建议使用强认证,并且结合多因子认证。
UNDERSTANDING DATABASE ACCOUNT TYPES
典型的Oracle数据库有以下类型的账户:
- end user,表示身份,常用于审计
- connection pool,用于应用服务器,如JDBC数据源,对数据库中对象有直接操作权限。和end user没有关联。
- NPE(Non-Person Entity),和pool账户类似,但用途是后台的维护任务和批处理操作,通常具有升级的权限
- application schema,拥有数据库对象,是数据库对象的容器。schema和end user没有关联,最佳建议是锁定schema用户以避免直接登录。
- DBA,最高权限用户,可以管理其他用户
- application DBA,?
DATABASE ACCOUNT TYPES IN ORACLE DATABASE 12C MULTITENANT ARCHITECTURE
多租户架构介绍参见这里
CDB = CDB$ROOT + PDB$SEED + n x PDB
整合后,由于很多东西可以共享,因此管理和运维得到简化。
PRIVILEGED DATABASE ACCOUNT MANAGEMENT IN ORACLE DATABASE 12C
Administrative Privileges for Separation of Duty
SYS和SYSTEM是schema,SYSDBA和SYSOPER是权限。
SYS拥有数据字典,SYSDBA权限登录时,对应的SYS schema。
SYSOPER权限登录时,对应的是PUBLIC角色。可以执行的操作包括启停和备份恢复数据库。
SYSBACKUP权限可备份恢复数据库。
SYSDG关乎Data Guard,SYSKM关乎key management、wallet和TDE,SYSASM关乎GI和ASM。
Methods for Privileged Database Account Management
-- 账户锁定是最佳建议
SQL> SELECT username, account_status, common2 FROM dba_users WHERE username LIKE 'SYS%'3 AND username != 'SYSTEM'4 ORDER BY username;USERNAME ACCOUNT_STATUS COM
-------------------- -------------------------------- ---
SYS OPEN YES
SYS$UMF LOCKED YES
SYSBACKUP LOCKED YES
SYSDG LOCKED YES
SYSKM LOCKED YES
SYSRAC LOCKED YES6 rows selected.-- 可看到用户和权限的对应关系
SQL> desc v$pwfile_usersName Null? Type----------------------------------------- -------- ----------------------------USERNAME VARCHAR2(128)SYSDBA VARCHAR2(5)SYSOPER VARCHAR2(5)SYSASM VARCHAR2(5)SYSBACKUP VARCHAR2(5)SYSDG VARCHAR2(5)SYSKM VARCHAR2(5)ACCOUNT_STATUS VARCHAR2(30)PASSWORD_PROFILE VARCHAR2(128)LAST_LOGIN TIMESTAMP(9) WITH TIME ZONELOCK_DATE DATEEXPIRY_DATE DATEEXTERNAL_NAME VARCHAR2(1024)AUTHENTICATION_TYPE VARCHAR2(8)COMMON VARCHAR2(3)CON_ID NUMBERSQL> select USERNAME, SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSDG, SYSKM from v$pwfile_users;USERNAME SYSDB SYSOP SYSAS SYSBA SYSDG SYSKM
-------------------- ----- ----- ----- ----- ----- -----
SYS TRUE TRUE FALSE FALSE FALSE FALSE18c推出了schema only user,使得无法直接用schema user登录,详见这里,语法为:
CREATE USER schema_owner NO AUTHENTICATION QUOTA UNLIMITED ON users;
Oracle数据库的用户有两类认证方式,OS认证和标准方式。
** Privileged Database Account Management Based on Oracle OS Authentication **
OS认证是操作系统权限到数据库权限的映射。在$ORACLE_HOME/rdbms/lib/config.c中可看到映射关系:
#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oper"
#define SS_ASM_GRP ""
#define SS_BKP_GRP "dba"
#define SS_DGD_GRP "dba"
#define SS_KMT_GRP "dba"
#define SS_RAC_GRP "dba"
dba,oper是OS中定义的group:
$ egrep "^oper|^dba" /etc/group
dba:x:54322:oracle
oper:x:54323:oracle
sqlplus登录时可指定权限:
sqlplus / as SYSDBA
我们看到在config.c中,所有的权限都对应dba,你可以修改此文件,然后relink即可,参见操作和原理
以下为建立OS认证用户的示例:
# useradd operuser -g oper# sudo su - operuser
$ export ORACLE_SID=ORCLCDB
$ export ORACLE_HOME=/opt/oracle/product/19c/dbhome_1
$ id
uid=54322(operuser) gid=54323(oper) groups=54323(oper) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023$ sqlplus / as sysoperSQL*Plus: Release 19.0.0.0.0 - Production on Sun Aug 9 09:31:27 2020
Version 19.7.0.0.0Copyright (c) 1982, 2020, Oracle. All rights reserved.Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.7.0.0.0SQL> select * from session_privs order by 1;PRIVILEGE
----------------------------------------
CREATE SESSION
RESTRICTED SESSION
SYSOPERSQL> select * from session_roles order by 1;no rows selected-- SYSOPER不允许操作用户数据
SQL> alter session set container=orclpdb1;
ERROR:
ORA-01031: insufficient privilegesSQL> SELECT SYS_CONTEXT('USERENV','OS_USER') os_user
,SYS_CONTEXT('USERENV','HOST') host
,SYS_CONTEXT('USERENV','SESSION_USER') session_user
FROM dual;OS_USER HOST SESSION_US
---------- -------------------- ----------
operuser oracle-19c-vagrant PUBLICOS认证不允许直接登录PDB,而是先登录CDB再alter session:
$ sqlplus /@orclpdb1 as sysdbaSQL*Plus: Release 19.0.0.0.0 - Production on Sun Aug 9 09:44:10 2020
Version 19.7.0.0.0Copyright (c) 1982, 2020, Oracle. All rights reserved.ERROR:
ORA-01017: invalid username/password; logon denied
** Privileged Database Account Management Based on Named Accounts **
CREATE USER c##bill IDENTIFIED BY Welcome1 CONTAINER = ALL;GRANT SYSBACKUP, CREATE SESSION TO c##bill;SQL> select username, sysbackup from v$pwfile_users;USERNAME SYSBA
-------------------- -----
SYS FALSE
C##BILL TRUE注意,当使用系统权限时,都是用OS认证,口令已经不重要了,以下都可以登录成功:
sqlplus c##bill/Welcomeabc as sysbackup
sqlplus c##bill/Welcome1 as sysbackup
默认,系统权限不允许远程使用,但此行为可以修改,此略:
SQL> show parameter REMOTE_LOGIN_PASSWORDFILENAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string EXCLUSIVE
ACCOUNT MANAGEMENT IN MULTITENANT ORACLE DATABASE 12C
12c后,由于有CDB和PDB,因此账户也分common user(以c##开头)和local user。
假设已有common user c##bill, 然后新建一PDB:
SQL> select FILE_NAME from dba_data_files;FILE_NAME
--------------------------------------------------------------------------------
/opt/oracle/oradata/ORCLCDB/system01.dbf
/opt/oracle/oradata/ORCLCDB/sysaux01.dbf
/opt/oracle/oradata/ORCLCDB/undotbs01.dbf
/opt/oracle/oradata/ORCLCDB/users01.dbfSQL> alter system set db_create_file_dest='/opt/oracle/oradata';System altered.SQL> create pluggable database sales admin user pdbadmin identified by Welcome1;Pluggable database created.即使是新建的PDB,也会有此common user:
SQL> col username format a20
SELECT u.con_id, NVL(p.pdb_name,'CDB$ROOT') con_name, u.username, u.oracle_maintained
FROM cdb_users u
LEFT OUTER JOIN (SELECT pdb_id, pdb_name FROM cdb_pdbs) pON u.con_id = p.pdb_id
WHERE u.username IN ('SYS','PDBADMIN','C##BILL')9 ORDER BY u.con_id, u.username;CON_ID CON_NAME USERNAME O
---------- ---------- -------------------- -1 CDB$ROOT C##BILL N1 CDB$ROOT SYS Y3 ORCLPDB1 C##BILL N3 ORCLPDB1 PDBADMIN N3 ORCLPDB1 SYS Y4 SALES C##BILL N4 SALES PDBADMIN N4 SALES SYS Y8 rows selected.
common user的好处主要是方便批量赋权,当然也可以在PDB内赋予个性化权限。
查询common user的权限:
SELECT grantee,privilege,common,con_id
FROM cdb_sys_privs
WHERE grantee = 'C##BILL';GRANTEE PRIVILEGE COM CON_ID
-------------------- ---------------------------------------- --- ----------
C##BILL CREATE SESSION NO 3
C##BILL CREATE SESSION NO 1
MANAGING DATABASE ACCOUNT PASSWORDS AND PROFILES
Managing Passwords for Local Database Accounts
默认,口令是大小写敏感的:
SQL> show parameter SEC_CASE_SENSITIVE_LOGONNAME TYPE VALUE
------------------------------------ ----------- ------------------------------
sec_case_sensitive_logon boolean TRUE
对于schema user,建议口令过期和锁定:
ALTER USER PASSWORD EXPIRE ACCOUNT LOCK
当远程登录失败次数达到设定值,会删除物理连接:
SQL> show parameter SEC_MAX_FAILED_LOGIN_ATTEMPTSNAME TYPE VALUE
------------------------------------ ----------- ------------------------------
sec_max_failed_login_attempts integer 3
后台程序等需要口令,以明码写入配置文件不安全,可使用Secure External Password Store,即密码保护的auto-login wallet,auto-login只有当wallet为当前OS用户拥有时有效。
Managing Database Account Profiles
Account profile可用于安全和资源管理等,在安全方面可控制口令有效期,错误尝试次数等。默认的Profile名为DEFAULT.
指定profile:
alter user PROFILE ;
DEFAULT profile的定义:
SELECT resource_name, limit, common
FROM dba_profiles
WHERE profile = 'DEFAULT' AND resource_type = 'PASSWORD'
ORDER BY resource_name;RESOURCE_NAME LIMIT COM
-------------------------------- ---------- ---
FAILED_LOGIN_ATTEMPTS 10 NO
INACTIVE_ACCOUNT_TIME UNLIMITED NO
PASSWORD_GRACE_TIME 7 NO
PASSWORD_LIFE_TIME 180 NO
PASSWORD_LOCK_TIME 1 NO
PASSWORD_REUSE_MAX UNLIMITED NO
PASSWORD_REUSE_TIME UNLIMITED NO
PASSWORD_VERIFY_FUNCTION NULL NO8 rows selected.SQL> select distinct resource_type from dba_profiles;
PASSWORD
KERNEL执行以下可部署3个口令复杂度验证函数:
sqlplus / as sysdba @$ORACLE_HOME/rdbms/admin/utlpwdmg.sql
查看此脚本发现其将口令验证函数改为ora12c_verify_function,而原来的值为null:
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1
INACTIVE_ACCOUNT_TIME UNLIMITED
PASSWORD_VERIFY_FUNCTION ora12c_verify_function;
此时口令复杂度提高了:
SQL> create user c##user01 identified by Welcome1;
create user c##user01 identified by Welcome1
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20000: password must contain 1 or more special characters
如果希望恢复原状,则改验证函数为null即可:
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1
INACTIVE_ACCOUNT_TIME UNLIMITED
PASSWORD_VERIFY_FUNCTION null;
口令策略不可太机械,例如登录错误多次即锁定用户,或锁定很长时间,可能导致DoS攻击。此时可结合resource profile。
除了password profile,还有resource profile,我们看到其默认值均为UNLIMITED,最佳建议是设为特定的值:
SELECT resource_name, limit, common
FROM dba_profiles
WHERE profile = 'DEFAULT' AND resource_type = 'KERNEL'
ORDER BY resource_name;RESOURCE_NAME LIMIT COM
-------------------------------- -------------------- ---
COMPOSITE_LIMIT UNLIMITED NO
CONNECT_TIME UNLIMITED NO
CPU_PER_CALL UNLIMITED NO
CPU_PER_SESSION UNLIMITED NO
IDLE_TIME UNLIMITED NO
LOGICAL_READS_PER_CALL UNLIMITED NO
LOGICAL_READS_PER_SESSION UNLIMITED NO
PRIVATE_SGA UNLIMITED NO
SESSIONS_PER_USER UNLIMITED NO9 rows selected.比resource profile更高级的控制是DBMS_RESOURCE_MANAGER PL/SQL package,即资源管理(Resource Manager)。
可控制的资源包括CPU, Idle Time Limit, Exadata I/O, Runaway Queries, Parallel Execution Servers, Active Session Pool with Queuing, and the Undo Pool.
本文来自互联网用户投稿,文章观点仅代表作者本人,不代表本站立场,不承担相关法律责任。如若转载,请注明出处。 如若内容造成侵权/违法违规/事实不符,请点击【内容举报】进行投诉反馈!