Security Administration with Oracle
Introduction

Contents:
- Passwords and Users
- Oracle Password Management Features
- Default Oracle Users
- Privileges, Grants, Roles, and Views

Passwords and Users

Password features
- Password enhancements
- User PROFILE
- Default profile
- Create/alter profile

SQL> describe DBA_PROFILES;
 Name                              Null?    Type
 --------------------------------- -------- ------------
 PROFILE                           NOT NULL VARCHAR2(30)
 RESOURCE_NAME                     NOT NULL VARCHAR2(32)
 RESOURCE_TYPE                              VARCHAR2(8)
 LIMIT                                      VARCHAR2(40)

SQL> select * from DBA_PROFILES;

PROFILE   RESOURCE_NAME              RESOURCE LIMIT
--------- -------------------------- -------- ---------
DEFAULT   COMPOSITE_LIMIT            KERNEL   UNLIMITED
DEFAULT   FAILED_LOGIN_ATTEMPTS      PASSWORD UNLIMITED
DEFAULT   SESSIONS_PER_USER          KERNEL   UNLIMITED
DEFAULT   PASSWORD_LIFE_TIME         PASSWORD UNLIMITED
DEFAULT   CPU_PER_SESSION            KERNEL   UNLIMITED
DEFAULT   PASSWORD_REUSE_TIME        PASSWORD UNLIMITED
DEFAULT   CPU_PER_CALL               KERNEL   UNLIMITED
DEFAULT   PASSWORD_REUSE_MAX         PASSWORD UNLIMITED
DEFAULT   LOGICAL_READS_PER_SESSION  KERNEL   UNLIMITED
DEFAULT   PASSWORD_VERIFY_FUNCTION   PASSWORD NULL

Password enhancements (cont.)
RESOURCE_TYPE takes one of two values, PASSWORD or KERNEL. The password-related limits of the DEFAULT profile, before any have been set:

SQL> select * from dba_profiles where resource_type = 'PASSWORD';

PROFILE   RESOURCE_NAME              RESOURCE LIMIT
--------- -------------------------- -------- ---------
DEFAULT   FAILED_LOGIN_ATTEMPTS      PASSWORD UNLIMITED
DEFAULT   PASSWORD_LIFE_TIME         PASSWORD UNLIMITED
DEFAULT   PASSWORD_REUSE_TIME        PASSWORD UNLIMITED
DEFAULT   PASSWORD_REUSE_MAX         PASSWORD UNLIMITED
DEFAULT   PASSWORD_VERIFY_FUNCTION   PASSWORD NULL
DEFAULT   PASSWORD_LOCK_TIME         PASSWORD UNLIMITED
DEFAULT   PASSWORD_GRACE_TIME        PASSWORD UNLIMITED

Password enhancements (cont.)
The same query after password limits have been set in the DEFAULT profile:

SQL> select * from dba_profiles where resource_type = 'PASSWORD';

PROFILE   RESOURCE_NAME              RESOURCE LIMIT
--------- -------------------------- -------- ---------------
DEFAULT   FAILED_LOGIN_ATTEMPTS      PASSWORD 3
DEFAULT   PASSWORD_LIFE_TIME         PASSWORD 60
DEFAULT   PASSWORD_REUSE_TIME        PASSWORD 1800
DEFAULT   PASSWORD_REUSE_MAX         PASSWORD UNLIMITED
DEFAULT   PASSWORD_VERIFY_FUNCTION   PASSWORD VERIFY_FUNCTION
DEFAULT   PASSWORD_LOCK_TIME         PASSWORD .0006
DEFAULT   PASSWORD_GRACE_TIME        PASSWORD 10

Password duration and expiration
- PASSWORD_LIFE_TIME: number of days the same password can be used for authentication.
- PASSWORD_GRACE_TIME: number of days in the grace period.
Example: PASSWORD_LIFE_TIME = 90 and PASSWORD_GRACE_TIME = 15. After day 90+15 the account will be locked.

Password history
These parameters prevent users from avoiding password expiration by changing a password and then changing it back to the original password.
- PASSWORD_REUSE_TIME: number of days until a password can be reused.
- PASSWORD_REUSE_MAX: number of password changes required before the current password can be reused.
Setting both to UNLIMITED allows passwords to be reused immediately.

Account locking
- FAILED_LOGIN_ATTEMPTS: number of login attempts that can fail before the user account is locked.
- PASSWORD_LOCK_TIME: amount of time an account remains locked after the specified number of consecutive failed login attempts is reached. If set to UNLIMITED, the account will not unlock automatically.

Password profile parameters

Enabling password parameters
Create a user-defined profile:

create profile MY_PROFILE limit
  failed_login_attempts 5
  password_lock_time .5
  password_reuse_max UNLIMITED
  password_life_time 90
  password_reuse_time 60
  password_verify_function MY_PASSWORD_FUNCT
  password_grace_time 15;

Create users with a specific profile:

create user NELSON identified by nel_123
  default tablespace USERS
  temporary tablespace TMP
  password expire
  profile MY_PROFILE;

Default Oracle Users
Several default users are created when you create your database.
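The MY_PASSWORD_FUNCT named in the MY_PROFILE slide above is a user-written PL/SQL function. The following is an added example of such a function and of a check over DBA_USERS; it is not code from the deck. It assumes the standard three-argument signature Oracle calls (user name, new password, old password; the old password is not used here), that the function is created as SYS, and that REGEXP_LIKE is available (Oracle 10g or later).

```sql
-- Added example (not from the deck): a user-written password verification
-- function for the PASSWORD_VERIFY_FUNCTION limit. Oracle calls it with
-- (username, new password, old password); raising an error rejects the
-- password. Create it as SYS, which owns such functions.
CREATE OR REPLACE FUNCTION my_password_funct (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  n_digit NUMBER := 0;
  n_alpha NUMBER := 0;
  n_other NUMBER := 0;
  ch      VARCHAR2(1);
BEGIN
  IF LENGTH(password) < 10 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must have at least 10 characters');
  END IF;
  -- The user name (in any letter case) is not an acceptable password
  IF UPPER(password) = UPPER(username) THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must differ from the user name');
  END IF;
  -- Require three character classes: letters, digits and anything else
  FOR i IN 1 .. LENGTH(password) LOOP
    ch := SUBSTR(password, i, 1);
    IF    REGEXP_LIKE(ch, '[0-9]')    THEN n_digit := n_digit + 1;
    ELSIF REGEXP_LIKE(ch, '[A-Za-z]') THEN n_alpha := n_alpha + 1;
    ELSE                                   n_other := n_other + 1;
    END IF;
  END LOOP;
  IF n_digit = 0 OR n_alpha = 0 OR n_other = 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password needs letters, digits and punctuation');
  END IF;
  RETURN TRUE;
END;
/

-- Attach the function to the profile from the slide and put NELSON on it
ALTER PROFILE my_profile LIMIT password_verify_function my_password_funct;
ALTER USER nelson PROFILE my_profile;

-- Defender's check: open accounts still on a profile with no verification
-- function (DBA_PROFILES stores the literal string 'NULL' in that case)
SELECT u.username, u.profile, u.account_status
FROM   dba_users u
JOIN   dba_profiles p ON p.profile = u.profile
WHERE  p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
AND    p.limit = 'NULL'
AND    u.account_status = 'OPEN';
```

The final query is the same kind of DBA_USERS review the next slide asks for: every row it returns is an account whose new passwords are not checked at all.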
- Check these users via DBA_USERS (describe DBA_USERS).
- Lock those that are unused.
- Verify each user's granted roles and privileges:

select * from dba_role_privs where grantee = 'HR';
select * from dba_sys_privs where grantee = 'HR';
select * from dba_tab_privs where grantee = 'HR';

Privileges

Database security:
- System security
- Data security

- System privileges: gain access to the database.
- Object privileges: manipulate the content of the database objects.
- Schema: collection of objects, such as tables, views, and sequences.

User System Privileges

GRANT privilege [, privilege...] TO user [, user...];

An application developer may have the following system privileges: CREATE SESSION, CREATE TABLE, CREATE SEQUENCE, CREATE VIEW, CREATE PROCEDURE.
Once a user is created, the DBA can grant specific system privileges to that user.

DBA_ views that display user privileges

VIEW            Description
--------------  ------------------------------------------------------------------
DBA_SYS_PRIVS   Shows the system privileges assigned to users and roles
DBA_ROLE_PRIVS  Shows the privileges assigned to a role
DBA_TAB_PRIVS   Shows the users who have been granted access to insert, update,
                select, or delete from a table or view
DBA_ROLES       Shows what roles exist and whether or not they are default

Database objects

Object type  Description
-----------  --------------------------------------------------------------------
Table        Basic unit of data storage. Table data is stored in rows comprising
             columns.
Index        An optional database structure used to quickly locate a row in a
             table. The three kinds of indexes are cluster indexes, table indexes,
             and bit-mapped indexes.
View         A virtual table that does not have physical storage.
Sequence     A serial list of unique numbers used within a numeric column that
             can be used to generate unique values.
Cluster      Optional groups of one or more tables stored together because they
             are commonly used together.

Object privileges

Privilege   Action
----------  ---------------------------------------------------------------------
SELECT      View information within a table or view.
INSERT      Insert new rows of information into a table or view.
UPDATE      Modify one or more columns of information within a table or view.
DELETE      Remove one or more columns of information within a table or view.
ALTER       Change an object's definition.
EXECUTE     Compile, execute, or access a procedure or function referenced in a
            program.
READ        Read files in a directory.
REFERENCES  Create a constraint that refers to a table.
INDEX       Create an index on a table.

Object privileges by object type

Object Privilege  Table  View  Sequence  Procedure
----------------  -----  ----  --------  ---------
ALTER               X             X
DELETE              X      X
EXECUTE                                      X
INDEX               X
INSERT              X      X
REFERENCES          X
SELECT              X      X      X
UPDATE              X      X

Object Privileges
- Object privileges vary from object to object.
- An owner has all the privileges on the object.
- An owner can give specific privileges on that owner's object.

GRANT object_priv [(columns)] ON object TO {user|role|PUBLIC} [WITH GRANT OPTION];

Controlling user access: product-level security
- User access can be restricted based on SQL*Plus product usage.
- DBAs can use PRODUCT_USER_PROFILE to disable certain SQL and SQL*Plus commands in the SQL*Plus environment on a per-user basis.
- The PRODUCT_USER_PROFILE table consists of the following columns:

PRODUCT        NOT NULL CHAR(30)
USERID                  CHAR(30)
ATTRIBUTE               CHAR(240)
SCOPE                   CHAR(240)
NUMERIC_VALUE           NUMBER(15,2)
CHAR_VALUE              CHAR(240)
DATE_VALUE              DATE
LONG_VALUE              LONG

With Grant Option
DBAs can grant different privileges to different users.

SQL> CREATE USER TOM IDENTIFIED BY ICE;
User created.
SQL> GRANT CREATE SESSION TO TOM;
Grant succeeded.
SQL> GRANT CREATE TABLE TO TOM;
Grant succeeded.
SQL> GRANT CREATE SEQUENCE TO TOM;
Grant succeeded.

DBAs can also grant object privileges WITH GRANT OPTION, which lets the grantee pass that access on to other users without any action on the DBA's part.

SQL> CREATE TABLE TEST (COL NUMBER);
Table created.
SQL> GRANT SELECT, UPDATE ON TEST TO TOM WITH GRANT OPTION;
Grant succeeded.

With Admin Option
The DBA can grant users administration of a system privilege using WITH ADMIN OPTION:

SQL> GRANT CREATE TABLE TO TOM WITH ADMIN OPTION;
Grant succeeded.

Revoking the user's administration privilege:

SQL> REVOKE CREATE TABLE FROM TOM;
Revoke succeeded.

Privileges granted by TOM are retained after the DBA revokes TOM's administration privilege.

What Is a Role?
Figure: allocating privileges to users directly versus allocating them through a role (privileges, users, manager).

Using Roles
Why use roles? Granting privileges to individuals directly can be very tedious. For example, 100 objects with 100 users require 10,000 grants, and one person leaving the company requires 100 revokes.

Steps for using roles:
1. Group users into categories.
2. Define one or more roles for each category.
3. Grant the proper privileges to each role.
4. Assign the roles to the users in each category.

Create roles
Assume table EMP has two kinds of users: those who query EMP and those who update EMP.

SQL> create role report_writer identified by rep123;
Role created.
SQL> create role data_changer identified by your_pwd;
Role created.

Grant privileges to roles

SQL> GRANT SELECT ON EMP TO REPORT_WRITER;
Grant succeeded.
SQL> GRANT UPDATE, DELETE, INSERT ON EMP TO DATA_CHANGER;
Grant succeeded.

Assign roles to users
Once the roles exist with the proper privileges, we can assign them to users.

SQL> GRANT REPORT_WRITER TO TOM;
Grant succeeded.
SQL> GRANT DATA_CHANGER TO HENRY;
Grant succeeded.

Revoke roles from users to keep privileges correct over time:

SQL> REVOKE DATA_CHANGER FROM HENRY;
Revoke succeeded.

DBA_ROLES

SQL> select * from dba_roles;

Oracle-supplied roles

CONNECT   Gives the user the ability to access the database
RESOURCE  Gives the user the ability to create objects and use space in the database
DBA       Gives the user administrative privileges in the database

Querying roles

VIEW             Description
---------------  ------------------------------------------------------
USER_ROLE_PRIVS  Shows the roles granted to the current user
ROLE_ROLE_PRIVS  Shows the roles that are granted to roles
ROLE_TAB_PRIVS   Shows the table privileges granted to roles
ROLE_SYS_PRIVS   Shows the system privileges granted to roles
SESSION_ROLES    Shows the roles the user currently has enabled

Set roles
- Default roles are enabled automatically and are accessible as soon as the user connects to the database.
- For roles that require a password, the user must run SET ROLE to enable the role's privileges.
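Because roles can be granted to other roles, the DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_TAB_PRIVS lookups from the earlier slides only show one level. The following is an added example (not from the deck) that resolves one account's effective privileges through nested roles and flags what can be passed on; HENRY is the sample account from the roles slides, and the query assumes a DBA session on Oracle 10g or later (for NOCYCLE).

```sql
-- Added example (not from the deck): the effective privileges of one account,
-- resolved through nested roles with the DBA_ views from the slides, plus
-- the flags that show a grant can be passed on (WITH ADMIN OPTION on system
-- privileges, WITH GRANT OPTION on object privileges). Run as a DBA.
-- HENRY is the sample account from the roles slides.
WITH grantees AS (
  -- the account, PUBLIC (whose grants every account inherits) and every
  -- role reachable from either through DBA_ROLE_PRIVS, however deeply nested
  SELECT 'HENRY' AS name FROM dual
  UNION
  SELECT 'PUBLIC' FROM dual
  UNION
  SELECT granted_role
  FROM   dba_role_privs
  START WITH grantee IN ('HENRY', 'PUBLIC')
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
SELECT 'SYSTEM'        AS kind,
       sp.privilege,
       NULL            AS owner,
       NULL            AS object_name,
       sp.grantee      AS granted_via,
       sp.admin_option AS can_pass_on
FROM   dba_sys_privs sp
WHERE  sp.grantee IN (SELECT name FROM grantees)
UNION ALL
SELECT 'OBJECT',
       tp.privilege,
       tp.owner,
       tp.table_name,
       tp.grantee,
       tp.grantable
FROM   dba_tab_privs tp
WHERE  tp.grantee IN (SELECT name FROM grantees)
ORDER BY kind, owner, object_name, privilege;

-- Which of HENRY's roles are active at login and which need SET ROLE:
-- a non-default role is enabled only when the session sets it, and a
-- password-protected role needs the password in that SET ROLE.
SELECT rp.granted_role, rp.default_role, r.password_required
FROM   dba_role_privs rp
JOIN   dba_roles r ON r.role = rp.granted_role
WHERE  rp.grantee = 'HENRY';
```

Any row with can_pass_on = 'YES' is a grant the account can re-grant to others, which is the situation the With Grant Option and With Admin Option slides describe.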
SQL> set role DATA_CHANGER identified by your_pwd;

Using Views to Manage Privileges
Rather than granting users privileges on a particular table, you can give them access to a view of the table. Views add two more levels of security:
- A view can limit access to only selected columns of the base table.
- A view can provide value-based security for the information in a table: a WHERE clause in the definition of the view displays only selected rows of the base table.
The user need not be given privileges on the base objects underlying the view.

An Example of a View
View creation:

SQL> CREATE VIEW STAFF AS (
  2    SELECT EMPNO, ENAME, JOB, MGR, DEPTNO FROM EMP
  3  );
View created.

Grant privileges on the view to roles:

SQL> GRANT SELECT ON STAFF TO REPORT_WRITER;
Grant succeeded.

Security Administration with SQL Server

Introduction
Layered security model:
- Windows level
- SQL Server level
- Database
- Schemas (for database objects)
Terminology:
- Principals
- Securables
- Permissions
- Scopes and inheritance
Security Overview (from Microsoft SQL Server 2005 Books Online)

Good practices
- Make security a part of your standard process.
- Use the principle of least privilege.
- Implement defense in depth (layered security).
- Enable only required services and features.
- Regularly review security settings.
- Educate users about the importance of security.
- Define security roles based on business rules.

SQL Server service accounts
- Local Service account: permissions of the Users group (limited); no network authentication.
- Network Service account: permissions of the Users group; network authentication with the computer account.
- Domain user accounts: add network access for cross-server functionality.

Managing logins
- Windows logins: authentication and policy managed by Windows.
- SQL Server logins: managed by SQL Server, based on Windows policies. Password policy options: HASHED (the password is already hashed), MUST_CHANGE, CHECK_EXPIRATION, CHECK_POLICY.

Creating logins
- Transact-SQL: the CREATE LOGIN statement (replaces sp_AddLogin and sp_GrantLogin) for SQL Server logins and Windows logins.
- SQL Server Management Studio: setting server authentication options, login auditing, managing logins.

Users and roles
- Database users.
- Mapping between logins and database users.
- Database roles: users can belong to several roles.
- Guest: does not require an account.
- dbo (server sysadmin users).

Creating database users and roles
- CREATE USER: replaces sp_AddUser and sp_GrantDBAccess; can specify a default schema; managed with ALTER USER and DROP USER.
- CREATE ROLE: the default owner is the creator of the role.
- SQL Server Management Studio: working with users and roles.

Default server and database roles
- Server roles: sysadmin, serveradmin, setupadmin, securityadmin, processadmin, diskadmin, dbcreator, bulkadmin.
- Database roles: db_accessadmin, db_backupoperator, db_datareader, db_datawriter, db_ddladmin, db_denydatareader, db_denydatawriter, db_owner, db_securityadmin, public.

Understanding database schemas
- Schemas: a logical collection of related database objects; part of the full object name, Server.Database.Schema.Object; the default schema is dbo.
- Managing schemas: CREATE, ALTER, DROP SCHEMA; SQL Server Management Studio; a default schema can be assigned to a database user with WITH DEFAULT_SCHEMA = SchemaName.

Configuring permissions
- Scopes of securables: server, database, schema, objects.
- Permission settings: GRANT, REVOKE, DENY.
- Options: WITH GRANT OPTION; AS (sets permissions using another user or role).

Other security options
- Database encryption: encrypting object definitions; data encryption.
- SQL Server Agent: proxies based on subsystems allow lock-down by job step type.
- Preventing SQL injection attacks: use application design best practices.
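The login, user, role, schema and permission pieces from the SQL Server slides fit together as one chain. The following T-SQL is an added example (not from the deck) of that chain, including a DENY that overrides a schema-level GRANT; the database SalesDb, schemas Sales and Reporting, tables Sales.Orders and Sales.EmployeeSalary, and the names app_reports and ReportReader are constructed, and it assumes a sysadmin session on SQL Server 2005 or later.

```sql
-- Added example (not from the deck): login -> database user -> role ->
-- schema-scope GRANT, with an object-scope DENY that wins over the GRANT.
-- All names are constructed; the password is a placeholder to be changed.
USE master;
-- A SQL Server login that is held to the Windows password policy
-- (CHECK_POLICY), expires (CHECK_EXPIRATION) and must be changed at first use
CREATE LOGIN app_reports
  WITH PASSWORD = 'Pl4ceholder-ChangeMe!' MUST_CHANGE,
       CHECK_EXPIRATION = ON,
       CHECK_POLICY = ON;
GO

USE SalesDb;   -- constructed database name
GO
CREATE SCHEMA Reporting;
GO
-- Map the server login to a database user with its own default schema
CREATE USER app_reports FOR LOGIN app_reports WITH DEFAULT_SCHEMA = Reporting;
GO
-- Permissions go to a role rather than to the user, so they can be reused
CREATE ROLE ReportReader;
GO
EXEC sp_addrolemember 'ReportReader', 'app_reports';  -- ALTER ROLE ... ADD MEMBER on 2012+
GO
-- Schema-scope GRANT: every table in Sales, present and future
GRANT SELECT ON SCHEMA::Sales TO ReportReader;
-- Object-scope DENY: the sensitive table stays closed although the schema
-- GRANT covers it, because DENY takes precedence over GRANT
DENY SELECT ON OBJECT::Sales.EmployeeSalary TO ReportReader;
GO

-- Verify the effective permissions from the user's own point of view
EXECUTE AS USER = 'app_reports';
SELECT * FROM fn_my_permissions('Sales.Orders', 'OBJECT')
WHERE  permission_name = 'SELECT';   -- rows returned: SELECT is effective
SELECT * FROM fn_my_permissions('Sales.EmployeeSalary', 'OBJECT')
WHERE  permission_name = 'SELECT';   -- no rows: the DENY wins
REVERT;
GO
```

Reviewing permissions this way, as the principal rather than by reading the GRANT statements, is the practical form of the "regularly review security settings" item above.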