深入oracle视频教程-数据库安全

1、深入Oracle 第十四课数据库安全（2）22001133.22.2288法律【】和幻灯片为炼数成金网络课程的教学资料，所有资料只能在课程内使用，不得在课程以外范围散播，违者将可能被责任。法律和经济课程详情炼数成金培训http:2013.2.282数据安全VPD-Virtual Private DatabaseOLS-Oracle Label Security优势： 更精细的对业务透明控制2013.2.28VPD-Virtual Private Database通过指定策略，对用户的SQL添加过滤的谓词，来达到过滤数据的目的。TablePackageSELECT * FR OM table ;

2、USERStep 1Step 5Table row sU ser 1Step 4PredicateU ser 22013.2.28SELECT * FR OM table ;WhereStep 2Security PolicyStep 3VPD-Virtual Private Database2013.2.28VPD-Virtual Private Database2013.2.28VPD-Virtual Private Database隐藏敏感列的数据2013.2.28VPD-Virtual Private Database删除策略2013.2.28OLS-Oracle Label secu

3、rityOracle 10g 安装OLS2013.2.28OLS-Oracle Label securityOracle 11g 启用OLS2013.2.28OLS-Oracle Label security2013.2.28OLS-Oracle Label security2013.2.28OLS-Oracle Label security用dbca配置OLS2013.2.28OLS-Oracle Label securityU s erSQL RequestC hec k D A CVPD SQL ModificationOracle Label Security Enforcement2

4、013.2.28Oracle Data ServerU ser D efined VPD PoliciesObject PrivilegeA csT a b leData RecordData RecordData RecordLabel SecurityAcs ControlT a b le sSecurity PolicyA pplic ation Oracle User SesOLS-Oracle Label security创建一个伪列（定义每行的列）属性2013.2.28OLS-Oracle Label security安全策略2013.2.28权限TomSENSITIVEBEIJI

5、NG, TOKYO, SINGAPOREPeterMUNICH, OXFORD, ROMERosePUBLIC其它OLS-Oracle Label security创建策略2013.2.28OLS-Oracle Label security创建分级和2013.2.28OLS-Oracle Label security创建测试用户2013.2.28OLS-Oracle Label security更新2013.2.28OLS-Oracle Label security测试全部数据2013.2.28OLS-Oracle Label security测试TOM-SENS（BEIJING, TOKYO

6、, SINGAPORE)全部数据2013.2.28OLS-Oracle Label security测试Peter-CONF(MUNICH, OXFORD, ROME);除去SENS信息2013.2.28OLS-Oracle Label security测试Rose-PUBLILC除去SENS，CONF之外的其它城市数据2013.2.28OLS-Oracle Label security删除相关的信息2013.2.28Oracle Database Vault通过将权限现在特定范围里，来达到安全的目的。领域命令集最重要的-对sys用户的管理2013.2.28database vault Rea

7、Database DBA views HR dataHR DBA views Fin. dataHR DBAFIN DBA2013.2.28Fin RealmFinHR RealmHRselect * from HR.empDBAd Rule FlexibilityAlter Database Alter FunctionAlter Database AuditAlter TableAlter TablespaceAltackage BodyAltrocedureAltrofileAlter Ses Alter Table PasswordChange Password Create Func

8、tion Create Database Link Create Package Body Create TableNoauditCreate Tablespace UpdateExecuteAlter System Alter Trigger Alter Tablespace ConnectCreate Index Create Procedure Create User GrantRename Create Trigger InsertSelectAlter Synonym Alter User Alter View CommentCreate Package Create Role Cr

9、eate View InsertLock Table Truncate Table Delete2013.2.28安装database vault10g 需要另外database vault安装包。11g 已经整合到数据库安装包中，直接配置使用即可。2013.2.28安装database vault -11g2013.2.28安装database vault -11g2013.2.28安装database vault -11g2013.2.28安装database vault -11g2013.2.28安装database vault -11g2013.2.28安装database vault

10、 -11g2013.2.28Oracle database vault 示例sys用户默认可以查看所有的数据信息2013.2.28Oracle database vault 示例2013.2.28Oracle database vault 示例2013.2.28Oracle database vault 示例2013.2.28Oracle database vault 示例2013.2.28Oracle database vault 示例2013.2.28Oracle database vault 示例2013.2.28Oracle database vault 示例了解http？/cd/E1

11、1882_01/server.112/e23090/toc.htm2013.2.28审计-auditTrigger-based Auditing（触发器）Auditing the sys User-(SYS用户审计）Standard Auditing （标准审计）Managing the Audit Trail（审计日志管理）2013.2.28触发器审计CREATE TRIGGER trg_a_idu_r_emp_salAFTER INSERT OR DELETE OR UPDATE OF sal ON emp FOR EACH ROWBEGINIF (:NEW.sal :OLD.sal *

12、1.10)THEN INSERTO emp_sal_audit VALUES (:OLD.empno,:OLD.sal,:NEW.sal,user,sysdate);END IF; END;/2013.2.28sys用户的审计ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE = SPFILE;sys用户审计日志写到系统日志中2013.2.28标准审计ALTER SYSTEM SET AUDIT_TRAIL = DB,EXTENDED SCOPE = SPFILE;审计会话审计对象审计操作审计2013.2.28对象的审计2013.2.28管理审

13、计数据sys.aud$操作系统文件 $ORACLE_BASE/admin/sid/adumpaudit vault2013.2.28Oracle Audit VaultAlertsHR DataBuilt-in ReportsDataAudit DataCustom ReportsDataPoliciesDatabasesAuditor保管审计数据告警机制提供审计策略管理2013.2.28! Oracle Audit Vault 架构2013.2.28审计信息可以定制后，自动生成Oracle Audit Vault Database Audit Support2013.2.2854RDBMSV

14、ersAudit LocationsOracle DatabaseOracle Database 9iR2, Oracle Database 10g, Oracle Database 11guAudit Tables for standard and fine- grained auditinguOracle audit trail from OS files written in XML, text file, or SYSLOG uBefore/after values and DDL changes from redo loguDatabase Vault specific audit

15、recordsSQLServer2000, 2005, 2008uServer side trace set specific audit eventuWindows event audit specific events viewed by windows event vieweruC2 - automatically sets all auditable eventsIBM DB28.2, 9.1 & 9.5 on Linux, Unix, WindowsuBinary OS files written by the audit facilitySybase ASE12.5.4 - 15.

16、0.xuSybsecurity database tablesOracle Database 安全解决方案Encryption and MaskingOracle Advanced SecurityOracle Secure BackupOracle Data MaskingOracle Database VaultOracle Label SecurityOracle Audit VaultOracle Total RecallOracle Database Firewall2013.2.28Blocking and MonitoringAuditing and TrackingAcs Control炼数成金逆向式网络课程Dataguru（炼数成金