02 - Hardening the Database
Databases
Contents
Part II
Database Security Technical Implementation Guide (STIG), developed by the Defense Information Systems Agency (DISA) for the Department of Defense (DOD)
Center for Internet Security (CIS) Benchmark for Oracle, developed by CIS
Compiled by: Ng Duy Anh, 2010
1. Database STIG
STIGs are documents published by DISA to help improve the security of the Department of Defense's information systems.
There are many STIG documents; all of them can be accessed at:
http://iase.disa.mil/stigs/stig/index.html
The checklists can be downloaded from:
http://iase.disa.mil/stigs/checklist/index.html
3. Database auditing
a. Audit data requirements
b. Audit data backups
c. Audit data reviews
d. Audit data access
e. Database monitoring
4. Network access
a. Protection of database identification parameters
b. Network connections to the database
c. Database replication
d. Database links
7. Oracle authorizations
a. Predefined roles
b. System privileges
c. Object privileges
d. Administration of privileges
8. Oracle replication
9. Network security
a. Encrypting network logins
b. Protecting network communications
c. Listener security
d. XML DB protocol server
The CIS Benchmark is published as a service to all users worldwide.
You can download the standards from:
http://www.cisecurity.org/bench_oracle.html
The recommendations in the Oracle benchmark are the result of a consensus-building process among leading Oracle security experts.
The CIS standards take the form of a checklist divided into a number of sections.
Within each section is a list of items that must be verified.
Summary of the two documents
in Oracle, do what the two documents recommend you do.
VA tools
There are many VA (vulnerability assessment) tools for Oracle, including AppDetective, AppSentry, Guardium, IPLocks, and NGS Squirrel.
VA tools perform many kinds of checks, which can be divided into three main groups:
Checks for software vulnerabilities
Checks for misconfigurations
Checks for misuse of the database
All of these checks are needed to find the vulnerabilities in your database.
Three things to remember about using an assessment tool
1. Some VA tools are standalone software, while others are part of a larger database security product suite. If you want to fully implement the recommendations of the Database STIG and the CIS checklist, you should consider suites that can audit your deployment, perform intrusion detection, enforce separation of duties, etc.
2. VA scans check both for vulnerabilities and for the CPUs that are installed (or that you still need to install), as well as the database configuration.
3. Some of the checks you need to perform are at the operating-system level. Make sure the VA tool you choose can check file ownership, file permissions, etc.
Baselining: Creating and Maintaining a Secure Configuration
When you have finished hardening the database you have a tight configuration, but you need to make sure it stays tight and is not allowed to drift over time.
There are two things you can do to ensure the secure configuration is maintained:
Run assessments on a scheduled basis to find new vulnerabilities as they are introduced
And create a baseline of a configuration you are satisfied with, then track any deviation from that configuration by raising an alert that must be reviewed and approved.
Best practice is to do both, because they complement each other.
Three things to remember about baselining: creating and maintaining a secure configuration
1. Change-tracking tools are used at many points in an Oracle security implementation. Some of them can create and track a security baseline after the hardening phase. VA tools combined with change-tracking tools give you more options for maintaining continued compliance.
2. A baseline is created by computing digests of the system that uniquely identify its files and scripts. Any change is reported.
3. A baseline consists of digests of the system: a list of files that should not change, digests of OS script results, digests of query results, digests of environment variable values, or registry entries.
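As an added illustration (not code from the slides), the following Python sketch does what items 2 and 3 describe: it digests files that should not change and observed environment values into a baseline, then reports every differing digest as an alert for review. The file path, parameter values and variable values are constructed for the demo.

```python
"""Added illustration: configuration-baseline drift check (not from the slides)."""
import hashlib
import os
import tempfile

def digest_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest_file(path: str) -> str:
    with open(path, "rb") as fh:
        return digest_bytes(fh.read())

def build_baseline(files, env_vars, env) -> dict:
    """Snapshot: one digest per file that should not change, one per
    environment variable value (OS script output and query results would
    be digested the same way)."""
    snapshot = {f"file:{p}": digest_file(p) for p in files}
    for name in env_vars:
        # An unset variable digests as the empty string, so its later
        # appearance (or disappearance) is also reported as drift.
        snapshot[f"env:{name}"] = digest_bytes(env.get(name, "").encode())
    return snapshot

def detect_drift(baseline: dict, current: dict) -> list:
    """Alerts for every key whose digest differs, is new, or has vanished."""
    alerts = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            alerts.append(f"{key}: baseline={old or 'absent'} now={new or 'absent'}")
    return alerts

def demo() -> list:
    """Constructed scenario: after baselining, one file and one variable change."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "sqlnet.ora")                    # constructed path
        with open(cfg, "w") as fh:
            fh.write("SQLNET.ENCRYPTION_SERVER = REQUIRED\n")    # constructed content
        env0 = {"ORACLE_HOME": "/u01/app/oracle"}                 # constructed value
        baseline = build_baseline([cfg], ["ORACLE_HOME"], env0)
        with open(cfg, "w") as fh:
            fh.write("SQLNET.ENCRYPTION_SERVER = REJECTED\n")    # weakening edit
        env1 = {"ORACLE_HOME": "/u02/app/oracle"}
        return detect_drift(baseline, build_baseline([cfg], ["ORACLE_HOME"], env1))

if __name__ == "__main__":
    for alert in demo():
        print("ALERT", alert)   # each alert needs review and approval
```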
Oracle patch updates
Critical Patch Updates (CPU)
Five things to remember about CPUs
1. CPUs are released once every three months on fixed dates, so you can plan the testing and deployment of the fixes in advance.
2. A CPU contains security fixes for discovered vulnerabilities. Applying the security fixes is very important, because this is the best way to protect yourself against attacks that exploit those vulnerabilities.
3. A CPU includes a risk matrix that lets you determine how the fixes apply to your environment.
4. CPUs are cumulative: applying the latest CPU includes all the fixes for all previously fixed vulnerabilities.
5. n-Apply CPU packaging allows fixes for newly found vulnerabilities to be deployed together with those for older ones in a single patch.
Sanitizing data for test environments
DBAs should ensure that when data is exported from the production database for development or testing purposes, sensitive information such as salaries, personal information, etc. is removed or modified.
Production databases are usually monitored and access-controlled more tightly than development environments; this only makes sense if the data in the test and development environments is less sensitive than in production.
Developers can access the development and test databases, but usually are not allowed onto the production server.
Step 1: Log on to EM (Enterprise Manager)
Step 2: Click the Targets tab and then the Databases subtab
Step 3: Select the database whose sensitive data you want to mask
Step 4: Click the Administration link. In the bottom right corner is the Data Masking section:
Step 6: The figure above shows a format for masking social security numbers. These numbers follow the pattern [0-9]{3}-[0-9]{2}-[0-9]{4}. In this case you can choose random digits from the drop-down and click Go. Enter 1 as the start and 11 as the end to ask Oracle to generate 11 random digits for you, then click OK. After that you will have to call a PL/SQL procedure to put the dashes in at positions 4 and 7, so enter the name of your procedure and click OK.
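As an added illustration (not the slides' or Oracle's code, and in Python rather than the PL/SQL procedure the step refers to), this reproduces the transformation Step 6 describes and applies it to a constructed export of the kind the data-sanitization slide covers. It assumes "put dashes at positions 4 and 7" means overwriting those two of the 11 random digits, which is what yields the 9-digit [0-9]{3}-[0-9]{2}-[0-9]{4} shape; the employee rows are constructed.

```python
"""Added illustration: SSN masking post-processing (not from the slides or Oracle)."""
import random
import re

SSN_PATTERN = re.compile(r"^[0-9]{3}-[0-9]{2}-[0-9]{4}$")

def random_digits(n: int, rng: random.Random) -> str:
    """Stand-in for the masking format's random-digits generator (start=1, end=11)."""
    return "".join(rng.choice("0123456789") for _ in range(n))

def insert_dashes(digits: str) -> str:
    """Post-processing step: overwrite 1-based positions 4 and 7 with '-'.
    Assumed interpretation: 11 digits in, 9 digits plus 2 dashes out."""
    if len(digits) != 11 or not digits.isdigit():
        raise ValueError("expected 11 digits from the random-digits format")
    chars = list(digits)
    chars[3] = "-"
    chars[6] = "-"
    return "".join(chars)

def mask_ssn(original: str, rng: random.Random) -> str:
    """Format-valid replacement that is guaranteed to differ from the original."""
    while True:
        masked = insert_dashes(random_digits(11, rng))
        if masked != original:
            return masked

def mask_column(rows, key, seed=0):
    """Mask one column of an exported table; other columns are kept as-is."""
    rng = random.Random(seed)
    return [{**row, key: mask_ssn(row[key], rng)} for row in rows]

def check_masked(rows, masked, key) -> bool:
    """Verify every masked value matches the pattern and none equals its original."""
    return all(SSN_PATTERN.match(m[key]) is not None and m[key] != r[key]
               for r, m in zip(rows, masked))

SAMPLE_EXPORT = [  # constructed rows standing in for a production export
    {"emp_id": 1, "ssn": "123-45-6789"},
    {"emp_id": 2, "ssn": "987-65-4321"},
]

if __name__ == "__main__":
    masked_rows = mask_column(SAMPLE_EXPORT, "ssn")
    print(masked_rows, check_masked(SAMPLE_EXPORT, masked_rows, "ssn"))
```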
Data Masking
The Data Masking option is a new product and so only offers rudimentary formats. Over time the library of masking formats will grow, and preservation of statistical and logical properties will be handled.
However, there is a large set of third-party tools that perform this function and come with a complete set of implementations and formats. Examples include Princeton Softech (now IBM Optim), Applimation, Solix, and HP/Outerbay.
Summary