
Security Administration with Oracle


Introduction
Passwords and Users
Oracle Password Management Features
Default Oracle Users
Privileges, Grants, Roles, and Views
Password features
Password enhancements
User PROFILE
Default profile
Create/alter profile
SQL> describe DBA_PROFILES;
 Name                                      Null?    Type
 ----------------------------------------- -------- -----------------------
 PROFILE                                   NOT NULL VARCHAR2(30)
 RESOURCE_NAME                             NOT NULL VARCHAR2(32)
 RESOURCE_TYPE                                      VARCHAR2(8)
 LIMIT                                              VARCHAR2(40)
SQL> select * from DBA_PROFILES;
PROFILE RESOURCE_NAME RESOURCE LIMIT
------------------------------ -------------------------------- -------- -----------
DEFAULT COMPOSITE_LIMIT KERNEL UNLIMITED
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD UNLIMITED
DEFAULT SESSIONS_PER_USER KERNEL UNLIMITED
DEFAULT PASSWORD_LIFE_TIME PASSWORD UNLIMITED
DEFAULT CPU_PER_SESSION KERNEL UNLIMITED
DEFAULT PASSWORD_REUSE_TIME PASSWORD UNLIMITED
DEFAULT CPU_PER_CALL KERNEL UNLIMITED
DEFAULT PASSWORD_REUSE_MAX PASSWORD UNLIMITED
DEFAULT LOGICAL_READS_PER_SESSION KERNEL UNLIMITED
DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD NULL
Password enhancements (Cont)
RESOURCE_TYPE takes two values: PASSWORD and KERNEL
SQL> select * from dba_profiles where resource_type = 'PASSWORD';
PROFILE RESOURCE_NAME RESOURCE LIMIT
------------------------------ -------------------------------- -------- ---------
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD UNLIMITED
DEFAULT PASSWORD_LIFE_TIME PASSWORD UNLIMITED
DEFAULT PASSWORD_REUSE_TIME PASSWORD UNLIMITED
DEFAULT PASSWORD_REUSE_MAX PASSWORD UNLIMITED
DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD NULL
DEFAULT PASSWORD_LOCK_TIME PASSWORD UNLIMITED
DEFAULT PASSWORD_GRACE_TIME PASSWORD UNLIMITED
Password enhancements (Cont)
SQL> select * from dba_profiles where resource_type = 'PASSWORD';
PROFILE RESOURCE_NAME RESOURCE LIMIT
------------------------------ -------------------------------- -------- ---------
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 3
DEFAULT PASSWORD_LIFE_TIME PASSWORD 60
DEFAULT PASSWORD_REUSE_TIME PASSWORD 1800
DEFAULT PASSWORD_REUSE_MAX PASSWORD UNLIMITED
DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD VERIFY_FUNCTION
DEFAULT PASSWORD_LOCK_TIME PASSWORD .0006
DEFAULT PASSWORD_GRACE_TIME PASSWORD 10
Lifetime and Expiration
Password_life_time
Number of days the same password can be used for
authentication
Password_grace_time
Number of days in the grace period
Ex: Password_life_time = 90
Password_grace_time = 15
After day 90+15, the account will be locked.
Password History
These parameters prevent users from sidestepping password expiration by
changing a password and then changing it back to the original.
Password_reuse_time
Number of days before a password can be reused.
Password_reuse_max
Number of password changes required before the
current password can be reused.
Setting both to UNLIMITED allows passwords to
be reused immediately.
Account Locking
Failed_login_attempts
Number of login attempts that can fail before the user account
is locked.
Password_lock_time
Amount of time an account remains locked after the specified
number of consecutive failed login attempts is reached.
If set to UNLIMITED, the account will not unlock automatically.
Password profile parameters
Enabling password parameters
Create a user-defined profile
create profile MY_PROFILE limit
failed_login_attempts 5
password_lock_time .5
password_reuse_max UNLIMITED
password_life_time 90
password_reuse_time 60
password_verify_function MY_PASSWORD_FUNCT
password_grace_time 15;
Create users with specific profile
create user NELSON
identified by nel_123
default tablespace USERS
temporary tablespace TMP
password expire
profile MY_PROFILE;
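The slides reference a verification function (MY_PASSWORD_FUNCT) but do not show one. The following is an added example, not code from the original slides: a minimal PL/SQL verification function of the shape Oracle expects for PASSWORD_VERIFY_FUNCTION, wired into a profile. The names pwd_check and hardened_profile are constructed for this example; NELSON is the user created above.

```sql
-- Added example (not from the original slides). Run as SYS: Oracle requires the
-- verify function to be owned by SYS and to use this exact three-argument signature.
-- pwd_check and hardened_profile are constructed names.
CREATE OR REPLACE FUNCTION pwd_check (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
    has_digit BOOLEAN := FALSE;
    has_alpha BOOLEAN := FALSE;
    c         VARCHAR2(1);
BEGIN
    IF LENGTH(password) < 12 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
    END IF;
    -- Reject a password equal to the user name (case-insensitive)
    IF UPPER(password) = UPPER(username) THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password must not match the user name');
    END IF;
    -- Require at least one letter and one digit
    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);
        IF c BETWEEN '0' AND '9' THEN has_digit := TRUE;
        ELSIF UPPER(c) BETWEEN 'A' AND 'Z' THEN has_alpha := TRUE;
        END IF;
    END LOOP;
    IF NOT (has_digit AND has_alpha) THEN
        RAISE_APPLICATION_ERROR(-20003, 'Password needs both letters and digits');
    END IF;
    RETURN TRUE;
END;
/
-- PASSWORD limits are always enforced; only KERNEL limits depend on RESOURCE_LIMIT.
-- PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX must both be set for history to apply.
CREATE PROFILE hardened_profile LIMIT
    failed_login_attempts    5
    password_lock_time       1/24      -- one hour, expressed in days
    password_life_time       90
    password_grace_time      7
    password_reuse_time      365
    password_reuse_max       10
    password_verify_function pwd_check;
ALTER USER nelson PROFILE hardened_profile;
-- Confirm the password limits now in force for the profile
SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'HARDENED_PROFILE' AND resource_type = 'PASSWORD';
```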
Default Oracle Users
Several default users are created when you create your
database.
Check these users via DBA_USERS
describe DBA_USERS
Lock those unused users
Verify users granted_role, and privileges
select * from dba_role_privs where grantee =
'HR';
select * from dba_sys_privs where grantee = 'HR';
select * from dba_tab_privs where grantee = 'HR';
Privileges
Database security:
System security
Data security
System privileges: Gain access to the database
Object privileges: Manipulate the content of the database
objects
Schema: Collection of objects, such as tables, views, and
sequences
User System Privileges
GRANT privilege [, privilege...]
TO user [, user...];
An application developer may have the following system privileges:
CREATE SESSION
CREATE TABLE
CREATE SEQUENCE
CREATE VIEW
CREATE PROCEDURE
Once a user is created, the DBA can grant specific system privileges to
a user.
DBA_ views that display user privileges
VIEW            Description
DBA_SYS_PRIVS   Show the system privileges assigned to users and roles
DBA_ROLE_PRIVS  Show the privileges assigned to a role
DBA_TAB_PRIVS   Show the users who have been granted access to insert, update, select, or delete from a table or view
DBA_ROLES       Show what roles exist and whether or not they are default
Database objects
Object type  Description
Table        Basic unit of data storage. Table data is stored in rows comprising columns.
Index        An optional database structure used to quickly locate a row in a table. The three kinds of indexes are cluster indexes, table indexes, and bit-mapped indexes.
View         A virtual table that does not have physical storage.
Sequence     A serial list of unique numbers used within a numeric column that can be used to generate unique values.
Cluster      Optional groups of one or more tables stored together because they are commonly used together.
Object privileges
Privilege  Action
Select     View information within a table or view.
Insert     Insert new rows of information into a table or view.
Update     Modify one or more columns of information within a table or view.
Delete     Remove one or more columns of information within a table or view.
Alter      Change an object's definition.
Execute    Compile, execute, or access a procedure or function referenced in a program.
Read       Read files in a directory.
Reference  Create a constraint that refers to a table.
Index      Create an index on a table.
Object privileges by object type (X = applicable)
Object Privilege  Table  View  Sequence  Procedure
ALTER             X            X
DELETE            X      X
EXECUTE                                  X
INDEX             X
INSERT            X      X
REFERENCES        X
SELECT            X      X     X
UPDATE            X      X
Object Privileges
Object privileges vary from object to object.
An owner has all the privileges on the object.
An owner can give specific privileges on that
owner's object.
GRANT object_priv [(columns)]
ON object
TO {user|role|PUBLIC}
[WITH GRANT OPTION];
Controlling user access
Product-level Security
Users' access can be restricted based on SQL*Plus product
usage.
DBAs can use PRODUCT_USER_PROFILE to disable certain SQL and
SQL*Plus commands in the SQL*Plus environment on a per-user
basis.
PRODUCT_USER_PROFILE table consists of the following columns:
Column         Null?     Type
PRODUCT        NOT NULL  CHAR(30)
USERID                   CHAR(30)
ATTRIBUTE                CHAR(240)
SCOPE                    CHAR(240)
NUMERIC_VALUE            NUMBER(15,2)
CHAR_VALUE               CHAR(240)
DATE_VALUE               DATE
LONG_VALUE               LONG
With Grant Option
DBAs can grant different privileges to different users.
SQL> CREATE USER TOM IDENTIFIED BY ICE;
User created.
SQL> GRANT CREATE SESSION TO TOM;
Grant succeeded.
SQL> GRANT CREATE TABLE TO TOM;
Grant succeeded.
SQL> GRANT CREATE SEQUENCE TO TOM;
Grant succeeded.
DBAs can also grant privileges WITH GRANT OPTION, which lets the grantee pass
the access on to other users without any further action by the DBA.
SQL> CREATE TABLE TEST (COL NUMBER);
Table created.
SQL> GRANT SELECT, UPDATE ON TEST TO TOM WITH GRANT OPTION;
Grant succeeded.
With Admin Option
DBA can grant users administration privileges
using with admin option
SQL> GRANT CREATE TABLE TO TOM WITH ADMIN OPTION;
Grant succeeded.
Revoking a user's administrative privilege
SQL> REVOKE CREATE TABLE FROM TOM;
Revoke succeeded.
Privileges granted by TOM are retained after the DBA
revokes TOM's administrative privilege.
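The point just made (no cascade for a system privilege granted WITH ADMIN OPTION) contrasts with object privileges granted WITH GRANT OPTION, whose revocation does cascade. The script below is an added example, not from the original slides; it assumes the DBA's table TEST lives in a schema named APP_OWNER and creates a second user ANN with a placeholder password.

```sql
-- Added example (not from the original slides). Assumptions: TEST is owned by
-- schema APP_OWNER; ANN is a new user with a placeholder password.
-- As the DBA:
CREATE USER ann IDENTIFIED BY "Placeholder_ChangeMe1";
GRANT CREATE SESSION TO ann;
GRANT CREATE TABLE TO tom WITH ADMIN OPTION;
GRANT SELECT ON app_owner.test TO tom WITH GRANT OPTION;

-- As TOM, pass both privileges on to ANN:
GRANT CREATE TABLE TO ann;
GRANT SELECT ON app_owner.test TO ann;

-- As the DBA, take TOM's privileges back:
REVOKE CREATE TABLE FROM tom;              -- ANN keeps CREATE TABLE: system-privilege revokes do not cascade
REVOKE SELECT ON app_owner.test FROM tom;  -- ANN loses SELECT: object-privilege revokes cascade

-- Audit what remains; the system privilege must be revoked from ANN explicitly
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee IN ('TOM', 'ANN') AND privilege = 'CREATE TABLE';

SELECT grantee, grantor, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'APP_OWNER' AND table_name = 'TEST';

REVOKE CREATE TABLE FROM ann;
```

Because onward grants of system privileges survive, auditing DBA_SYS_PRIVS for ADMIN_OPTION = 'YES' after any revocation is the practical check.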
What Is a Role?
[Figure: allocating privileges without a role vs. with a role; elements shown: Privileges, Users, Manager role]
Using Roles
Why use roles
Granting privileges to individuals directly can be very
tedious.
Example: 100 objects and 100 users require 10,000 grants;
when one person leaves the company, 100 revokes are needed.
Steps of using roles
Group users into categories
Define one or more roles for each category
Grant proper privileges to each role
Assign roles to users in each category
Create roles
Assume table EMP has two kinds of users: query EMP and
update EMP.
SQL> create role report_writer identified by rep123;
Role created.
SQL> create role data_changer identified by your_pwd;
Role created.
Grant privileges to roles
SQL> GRANT SELECT ON EMP TO REPORT_WRITER;
Grant succeeded.
SQL> GRANT UPDATE, DELETE, INSERT ON EMP TO DATA_CHANGER;
Grant succeeded.
Assign roles to users
Once we create roles with proper privileges, we
can assign roles to users.
SQL> GRANT REPORT_WRITER TO TOM;
Grant succeeded.
SQL> GRANT DATA_CHANGER TO HENRY;
Grant succeeded.
Revoke roles from users to maintain the proper
privileges
SQL> REVOKE DATA_CHANGER FROM HENRY;
Revoke succeeded.
DBA_ROLES
SQL> select * from dba_roles;
Oracle-supplied roles
CONNECT
Gives the user the ability to access the database
RESOURCE
Gives the user the ability to create objects and use
space in the database
DBA
Gives the user administrative privileges in the
database
Querying roles
VIEW             Description
USER_ROLE_PRIVS  Show the roles granted to the current user
ROLE_ROLE_PRIVS  Show the roles which are granted to roles
ROLE_TAB_PRIVS   Show the table privileges granted to roles
ROLE_SYS_PRIVS   Show the system privileges granted to roles
SESSION_ROLES    Show the roles which the user currently has enabled
Set roles
Default roles will be enabled automatically and accessible
when users connect to the database
For roles requiring password, users need to use set role to
enable the role privileges.
SQL> set role DATA_CHANGER identified by your_pwd;
Using Views to Manage
Privileges
Rather than granting users privileges on a particular table,
you can give them access to a view of the table.
Views add two more levels of security:
A view can limit access to only selected columns of the base table.
A view can provide value-based security for the information in a
table. Thus a WHERE clause in the definition of a view can display
only selected rows of a base table.
The user need not be given privileges on base objects
underlying the view.
An Example of a View
View privileges
View creation
SQL> CREATE VIEW STAFF AS (
2 SELECT EMPNO, ENAME, JOB, MGR, DEPTNO FROM EMP
3 );
View created.
Grant privileges to roles
SQL> GRANT SELECT ON STAFF TO REPORT_WRITER;
Grant succeeded.
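The STAFF view above applies only the first kind of restriction (selected columns). The following added example, not from the original slides, shows a view that applies both: a column restriction and a WHERE clause that limits rows to the connected user's direct reports. It assumes EMP.ENAME holds each employee's Oracle user name, and that the REPORT_WRITER role from the earlier slides exists.

```sql
-- Added example (not from the original slides). Assumption: EMP.ENAME matches
-- the Oracle user name, so SYS_CONTEXT identifies the connected manager's row.
-- Create as the owner of EMP, or as a user holding SELECT on EMP directly
-- (privileges held only through a role cannot be passed on via a view).
CREATE OR REPLACE VIEW my_reports AS
    SELECT empno, ename, job, deptno                 -- column restriction: no SAL, COMM
    FROM   emp
    WHERE  mgr = (SELECT empno FROM emp             -- row restriction: only rows whose
                  WHERE  ename = SYS_CONTEXT('USERENV', 'SESSION_USER'))  -- MGR is the caller
    WITH READ ONLY;                                  -- no DML through the view

-- Grant the view, not the base table, to the role
GRANT SELECT ON my_reports TO report_writer;

-- Verify the role has no direct path to EMP: only MY_REPORTS should be listed
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'REPORT_WRITER' AND table_name IN ('EMP', 'MY_REPORTS');
```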
Security Administration with SQL Server
Introduction
Layered Security Model:
Windows Level
SQL Server Level
Database
Schemas (for database objects)
Terminology:
Principals
Securables
Permissions
Scopes and Inheritance
Security Overview (from Microsoft SQL Server 2005 Books Online)
Best Practices
Make security a part of your standard process
Use the principle of least privilege
Implement defense-in-depth (layered security)
Enable only required services and features
Regularly review security settings
Educate users about the importance of security
Define security roles based on business rules
SQL Server Service Accounts
Local Service Account
Permissions of Users group (limited)
No network authentication
Network Service Account
Permissions of Users group
Network authentication with Computer account
Domain User Accounts
Adds network access for cross-server functionality
Managing Logins
Windows Logins
Authentication/Policy managed by Windows
SQL Server Logins
Managed by SQL Server
Based on Windows policies
Password Policy Options:
HASHED (password is already hashed)
MUST_CHANGE
CHECK_EXPIRATION
CHECK_POLICY
Creating Logins
Transact-SQL
CREATE LOGIN statement
Replaces sp_AddLogin and sp_GrantLogin
SQL Server Logins
Windows Logins
SQL Server Management Studio
Setting server authentication options
Login Auditing
Managing Logins
Users and Roles
Database users
Mapping between logins and database users
Database roles
Users can belong to several roles
Guest: does not require an account
dbo (server sysadmin users)
Creating Database Users and Roles
CREATE USER
Replaces sp_AddUser and sp_GrantDBAccess
Can specify a default schema
Managed with ALTER USER and DROP USER
CREATE ROLE
Default owner is creator of the role
SQL Server Management Studio
Working with Users and Roles
Default Server / Database Roles
Server Roles
SysAdmin
ServerAdmin
SetupAdmin
SecurityAdmin
ProcessAdmin
DiskAdmin
DBCreator
BulkAdmin
Database Roles
db_accessadmin
db_BackupOperator
db_DataReader
db_DataWriter
db_DDLAdmin
db_DenyDataReader
db_DenyDataWriter
db_Owner
db_SecurityAdmin
public
Understanding Database Schemas
Schemas
Logical collection of related database objects
Part of full object name:
Server.Database.Schema.Object
Default schema is dbo
Managing Schemas
CREATE, ALTER, DROP SCHEMA
SQL Server Management Studio
Can assign default schemas to database users:
WITH DEFAULT_SCHEMA SchemaName
Configuring Permissions
Scopes of Securables
Server
Database
Schema
Objects
Permission Settings:
GRANT
REVOKE
DENY
Options
WITH GRANT OPTION
AS (Sets permissions using another user or role)
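The SQL Server slides list the pieces (login policy options, CREATE USER with a default schema, roles, schema scope, GRANT/DENY) without connecting them. The T-SQL below is an added example, not from the original slides, that walks the whole chain; SalesDb, the reporting schema, Employees, AppReader and ReportUser are constructed names and the password is a placeholder.

```sql
-- Added example (not from the original slides). SalesDb, reporting, Employees,
-- AppReader and ReportUser are constructed names; the password is a placeholder.
USE master;
GO
-- SQL Server login: MUST_CHANGE requires CHECK_EXPIRATION and CHECK_POLICY ON,
-- so the Windows complexity, lockout and expiration policies apply to this login
CREATE LOGIN ReportUser
    WITH PASSWORD = 'Placeholder!Initial1' MUST_CHANGE,
         CHECK_EXPIRATION = ON,
         CHECK_POLICY = ON;
GO
USE SalesDb;
GO
CREATE SCHEMA reporting;            -- must be the only statement in its batch
GO
CREATE TABLE reporting.Employees (
    EmpId  INT PRIMARY KEY,
    Name   NVARCHAR(50) NOT NULL,
    Salary MONEY        NOT NULL
);
-- Map the login to a database user with a default schema, then place it in a role
CREATE USER ReportUser FOR LOGIN ReportUser WITH DEFAULT_SCHEMA = reporting;
CREATE ROLE AppReader;
EXEC sp_addrolemember 'AppReader', 'ReportUser';
-- A schema-scoped GRANT is inherited by every object in the schema...
GRANT SELECT ON SCHEMA::reporting TO AppReader;
-- ...but DENY overrides GRANT at any scope, so the Salary column stays closed
DENY SELECT ON reporting.Employees (Salary) TO AppReader;
GO
-- Check the effective permissions exactly as the user would see them
EXECUTE AS USER = 'ReportUser';
SELECT entity_name, subentity_name, permission_name
FROM   fn_my_permissions('reporting.Employees', 'OBJECT');
SELECT Name FROM reporting.Employees;       -- permitted via the schema GRANT
REVERT;
```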
Other Security Options
Database Encryption
Encrypting Object Definitions
Data encryption
SQL Server Agent
Proxies based on subsystems allow lock-down by job step types
Preventing SQL Injection attacks
Use application design best practices
