Oracle - SCOTT/TIGER
Oracle Database Standard Edition
DoS = $
[Diagram: SSO and browser clients, IC card, OID (LDAP/SSL), USB token, PKI, SSL to the web server, SQL clients to the database]
Agenda: Oracle Database
OS: harden the operating system the database runs on before installing Oracle.
OUI (Oracle Universal Installer): install only the components you need. A default install also puts in Oracle Spatial, Oracle Ultra Search, Oracle Label Security, Oracle Data Mining, Oracle OLAP, the Example Schemas, Oracle JVM, Oracle interMedia, Oracle Text and Oracle XML DB. Most of these add their own schemas (next page), and Oracle XML DB additionally listens on HTTP port 8080 and FTP port 2100.
USERNAME / ACCOUNT_STATUS on a database created with the Database Configuration Assistant (DBCA), i.e. the output of SELECT username, account_status FROM dba_users (the status of the accounts not marked OPEN is not legible here):

  OPEN: AURORA$JIS$UTILITY$, AURORA$ORB$UNAUTHENTICATED, DBSNMP, OSE$HTTP$ADMIN, OUTLN, SCOTT, SYS, SYSTEM
  Also present: ADAMS, ANONYMOUS, BLAKE, CLARK, CTXSYS, HR, JONES, LBACSYS, MDSYS, ODM, ODM_MTR, OE, OLAPDBA, OLAPSVR, OLAPSYS, ORDPLUGINS, ORDSYS, OWNER, PM, QS, QS_ADM, QS_CB, QS_CBADM, QS_CS, QS_ES, QS_OS, QS_WS, SH, WKPROXY, WKSYS, WMSYS, XDB
Schema installed by each component:
  SCOTT (with ADAMS, BLAKE, CLARK, JONES from the same demo script): SCOTT/TIGER demo schema
  CTXSYS: Oracle Text
  MDSYS: Oracle Spatial
  ORDSYS, ORDPLUGINS: interMedia (audio, video)
  WMSYS: Workspace Manager
  XDB: Oracle XML DB
  WKSYS, WKPROXY: Oracle Ultra Search
  PM, OE, QS, QS_ADM, QS_CS, QS_CB, QS_CBADM, QS_OS, QS_ES, QS_WS, SH, HR: Example Schemas
Accounts DBCA leaves OPEN: DBSNMP (Intelligent Agent), OUTLN (stored outlines), AURORA$JIS$UTILITY$, AURORA$ORB$UNAUTHENTICATED and OSE$HTTP$ADMIN (Oracle JVM / JServ servlet engine), SYS and SYSTEM. Unless changed at install time their passwords are the well-known defaults (SYS/CHANGE_ON_INSTALL, SYSTEM/MANAGER, DBSNMP/DBSNMP, OUTLN/OUTLN, SCOTT/TIGER). Change the passwords of the accounts you need and lock the ones belonging to components you do not use.
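The check and the cleanup for the account listing above, as an added example that is not part of the original slides. It runs as SYS in SQL*Plus against an Oracle9i database; the account list is the one from the previous page, the new passwords are placeholders, and dynamic SQL is used so that names containing "$" are double-quoted correctly.

```sql
-- 1. Which installation accounts can still log in?
SELECT username, account_status, profile, created
  FROM dba_users
 WHERE username IN ('SCOTT', 'ADAMS', 'BLAKE', 'CLARK', 'JONES',
                    'HR', 'OE', 'PM', 'SH', 'QS', 'QS_ADM', 'QS_CB', 'QS_CBADM',
                    'QS_CS', 'QS_ES', 'QS_OS', 'QS_WS',
                    'CTXSYS', 'MDSYS', 'ORDSYS', 'ORDPLUGINS', 'WMSYS', 'XDB',
                    'WKSYS', 'WKPROXY', 'LBACSYS', 'ODM', 'ODM_MTR',
                    'OLAPSYS', 'OLAPDBA', 'OLAPSVR', 'ANONYMOUS',
                    'DBSNMP', 'OUTLN', 'AURORA$JIS$UTILITY$',
                    'AURORA$ORB$UNAUTHENTICATED', 'OSE$HTTP$ADMIN')
   AND account_status NOT LIKE '%LOCKED%'
 ORDER BY username;

-- 2. Lock and expire every one of them that is still OPEN. Remove from the
--    list any account that a component you actually use depends on
--    (e.g. the AURORA$/OSE$ accounts if the Oracle JVM servlet engine is in use).
SET SERVEROUTPUT ON
BEGIN
  FOR u IN (SELECT username
              FROM dba_users
             WHERE account_status = 'OPEN'
               AND username IN ('SCOTT', 'ADAMS', 'BLAKE', 'CLARK', 'JONES',
                                'HR', 'OE', 'PM', 'SH', 'QS', 'QS_ADM', 'QS_CB',
                                'QS_CBADM', 'QS_CS', 'QS_ES', 'QS_OS', 'QS_WS',
                                'CTXSYS', 'MDSYS', 'ORDSYS', 'ORDPLUGINS', 'WMSYS',
                                'XDB', 'WKSYS', 'WKPROXY', 'LBACSYS', 'ODM',
                                'ODM_MTR', 'OLAPSYS', 'OLAPDBA', 'OLAPSVR',
                                'OUTLN', 'AURORA$JIS$UTILITY$',
                                'AURORA$ORB$UNAUTHENTICATED', 'OSE$HTTP$ADMIN'))
  LOOP
    -- double quotes keep the "$" names intact
    EXECUTE IMMEDIATE 'ALTER USER "' || u.username ||
                      '" ACCOUNT LOCK PASSWORD EXPIRE';
    DBMS_OUTPUT.PUT_LINE('locked and expired: ' || u.username);
  END LOOP;
END;
/

-- 3. Accounts that must stay usable get a new, non-default password
--    (placeholder values; choose your own).
ALTER USER sys    IDENTIFIED BY Rh3nQx8pLw2;   -- default was CHANGE_ON_INSTALL
ALTER USER system IDENTIFIED BY Vt5mZq1kNp9;   -- default was MANAGER
-- DBSNMP is only needed by the Intelligent Agent. If you keep it, change the
-- password here and in the agent's snmp_rw.ora; otherwise lock it as above.
ALTER USER dbsnmp IDENTIFIED BY Gc4wHs7yBd3;   -- default was DBSNMP

-- 4. Confirm: nothing should be OPEN now except SYS, SYSTEM, DBSNMP (if kept)
--    and your own application accounts.
SELECT username, account_status
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;
```

Changing the SYS password with ALTER USER also updates the password file, so SYSDBA connections from remote tools keep working with the new value.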
Password policy: CREATE PROFILE ... PASSWORD_VERIFY_FUNCTION. Running $ORACLE_HOME/rdbms/admin/utlpwdmg.sql as SYS creates the sample function VERIFY_FUNCTION (minimum length, not equal to the user name, mixed character classes, differs from the previous password) and attaches it to the DEFAULT profile together with FAILED_LOGIN_ATTEMPTS, PASSWORD_LOCK_TIME, PASSWORD_LIFE_TIME and related limits.
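A password profile with its own verification function, as an added example rather than Oracle's utlpwdmg.sql. It must be created by SYS, uses the same (username, password, old_password) signature as VERIFY_FUNCTION, and is attached to a new profile instead of changing DEFAULT. The function name PW_VERIFY_STRICT, the profile name APP_USERS and the sample passwords are assumptions.

```sql
CREATE OR REPLACE FUNCTION pw_verify_strict
  (username     IN VARCHAR2,
   password     IN VARCHAR2,
   old_password IN VARCHAR2)
RETURN BOOLEAN
IS
  has_alpha BOOLEAN := FALSE;
  has_digit BOOLEAN := FALSE;
  has_other BOOLEAN := FALSE;
  c         VARCHAR2(1);
  differs   PLS_INTEGER := 0;
BEGIN
  IF LENGTH(password) < 10 THEN
    raise_application_error(-20001, 'password must be at least 10 characters');
  END IF;

  -- Not the user name and not containing it (SCOTT/TIGER-style choices)
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'password must not contain the user name');
  END IF;

  -- The install defaults every attacker tries first
  IF UPPER(password) IN ('TIGER', 'MANAGER', 'CHANGE_ON_INSTALL', 'ORACLE',
                         'PASSWORD', 'WELCOME', 'DBSNMP', 'OUTLN') THEN
    raise_application_error(-20003, 'password is a well-known default');
  END IF;

  -- At least one letter, one digit and one other character
  FOR i IN 1 .. LENGTH(password) LOOP
    c := SUBSTR(password, i, 1);
    IF c BETWEEN '0' AND '9' THEN
      has_digit := TRUE;
    ELSIF UPPER(c) BETWEEN 'A' AND 'Z' THEN
      has_alpha := TRUE;
    ELSE
      has_other := TRUE;
    END IF;
  END LOOP;
  IF NOT (has_alpha AND has_digit AND has_other) THEN
    raise_application_error(-20004,
      'password needs a letter, a digit and a punctuation character');
  END IF;

  -- Must differ from the previous password in at least 3 positions.
  -- old_password is NULL when an administrator sets the password.
  IF old_password IS NOT NULL THEN
    FOR i IN 1 .. GREATEST(LENGTH(password), LENGTH(old_password)) LOOP
      IF SUBSTR(password, i, 1) IS NULL
         OR SUBSTR(old_password, i, 1) IS NULL
         OR SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        differs := differs + 1;
      END IF;
    END LOOP;
    IF differs < 3 THEN
      raise_application_error(-20005,
        'password must differ from the previous one in at least 3 positions');
    END IF;
  END IF;

  RETURN TRUE;
END;
/

CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5          -- lock after 5 wrong passwords
  PASSWORD_LOCK_TIME       1/24       -- for one hour (fraction of a day)
  PASSWORD_LIFE_TIME       90         -- days
  PASSWORD_GRACE_TIME      7          -- warn for 7 days before expiry
  PASSWORD_VERIFY_FUNCTION pw_verify_strict;

ALTER USER scott PROFILE app_users;

-- Check: the old default is rejected with ORA-28003 and the message above,
-- a compliant password is accepted.
ALTER USER scott IDENTIFIED BY tiger;
ALTER USER scott IDENTIFIED BY "Kq7!mw2Rzp4s";
```

The function only runs when a password is changed; existing passwords are not re-checked. Expire them (ALTER USER ... PASSWORD EXPIRE) if you want every account to pass the new rules at its next logon.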
Authentication: set REMOTE_OS_AUTHENT = FALSE in init<sid>.ora. When it is TRUE, a remote client that presents an OS user name matching an account created IDENTIFIED EXTERNALLY (the slide's AAA) is logged in without a password, and the OS user name is whatever the client chooses to send.
Set O7_DICTIONARY_ACCESSIBILITY = FALSE in init<sid>.ora (the slide misspells it O7_DISCTIOARY_ACCESSIBILITY). The default was TRUE in Oracle8 and is FALSE from Oracle9i; when TRUE, system privileges with the ANY keyword (SELECT ANY TABLE, EXECUTE ANY PROCEDURE, ...) also reach the SYS-owned data dictionary.
Restrict SYSDBA/SYSOPER and the ANY privileges: grant SYSDBA only to the administrator who needs it (AAA), not to every administrative account (AAA, BBB, CCC).
Do not hand out the DBA role. Instead of giving DDD the DBA role, create purpose-built roles (AAA Role, BBB Role) carrying only the privileges each application needs and grant those.
PUBLIC: revoke EXECUTE from PUBLIC on UTL_SMTP, UTL_TCP, UTL_HTTP, UTL_FILE and DBMS_RANDOM. By default every database user can execute them, which means any account (or any SQL injection through a web application) can send mail, open arbitrary TCP connections, fetch HTTP pages, and read or write OS files with the privileges of the database server process.
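A review-and-tighten script for the parameter, privilege and PUBLIC items above, as an added example that is not from the original slides. It runs as SYS in SQL*Plus on Oracle9i; the account and role names APP_OWNER, APP_READONLY and BATCH are hypothetical.

```sql
-- Static parameters from the slides: confirm the running values.
-- (SHOW PARAMETER is a SQL*Plus command; changes go in init<sid>.ora + restart.)
SHOW PARAMETER remote_os_authent
SHOW PARAMETER o7_dictionary_accessibility

-- Who can connect AS SYSDBA / AS SYSOPER through the password file?
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- Who holds the DBA role?
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM');

-- Which accounts hold ANY system privileges directly, outside the
-- Oracle-supplied accounts and roles?
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA', 'IMP_FULL_DATABASE',
                       'EXP_FULL_DATABASE', 'OUTLN', 'CTXSYS', 'MDSYS',
                       'WKSYS', 'WMSYS', 'XDB', 'OLAPSYS', 'ORDSYS')
 ORDER BY grantee, privilege;

-- Which of the packages from the slide can every database user execute?
SELECT table_name, grantee, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'UTL_FILE',
                      'DBMS_RANDOM');

-- Before revoking, find stored code that depends on them: the revoke
-- invalidates those objects, and they only recompile for owners holding a
-- direct grant.
SELECT owner, name, type, referenced_name
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name IN ('UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'UTL_FILE',
                           'DBMS_RANDOM')
   AND owner NOT IN ('SYS', 'SYSTEM');

REVOKE EXECUTE ON utl_smtp    FROM PUBLIC;
REVOKE EXECUTE ON utl_tcp     FROM PUBLIC;
REVOKE EXECUTE ON utl_http    FROM PUBLIC;
REVOKE EXECUTE ON utl_file    FROM PUBLIC;
REVOKE EXECUTE ON dbms_random FROM PUBLIC;

-- Re-grant directly, not through a role (roles are disabled inside
-- definer's-rights PL/SQL), to the one schema that really sends mail.
GRANT EXECUTE ON utl_smtp TO app_owner;

-- Replace a blanket DBA grant with a role carrying only what the
-- application account needs.
CREATE ROLE app_readonly;
GRANT CREATE SESSION TO app_readonly;
GRANT SELECT ON scott.emp TO app_readonly;
GRANT app_readonly TO batch;
REVOKE dba FROM batch;
```

Re-run the first two queries after the changes; the PUBLIC query should return no rows, and the dependency query tells you which owners now need a direct GRANT EXECUTE.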
SQL*Plus: restrict who can run it on the server. Check the file mode with % ls -l $ORACLE_HOME/bin/sqlplus and limit execute permission to the Oracle software owner and the dba group; do not put $ORACLE_HOME/bin on every OS user's PATH.
OS: protect ORACLE_HOME at the OS level. Its files (binaries, init<sid>.ora, network configuration, audit and log directories) should be owned by the Oracle software owner and not be readable or writable by other OS users.
http://otn.oracle.co.jp/security/index.html
Agenda: Oracle Database (next: Listener and network access)
Network: firewall, Oracle Listener, IP address restrictions.

What a remote lsnrctl status shows (the client only needs to reach the port; lsnrctl can be pointed at any host and port):

  LSNRCTL> status
  Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=xxxx)(PORT=1521)))
  STATUS of the LISTENER
  ------------------------
  Alias                     LISTENER
  Version                   TNSLSNR for 32-bit Windows: Version 8.1.6.0.0 - Production
  Start Date                09-AUG-2000 14:57:05
  Uptime                    0 days 2 hr. 6 min. 22 sec
  Trace Level               off
  Security                  ON
  SNMP                      OFF
  Listener Parameter File   L:\Sarah\network\admin\listener.ora
  Listener Log File         L:\Sarah\network\log\listener.log
  Services Summary...
    PLSExtProc              has 1 service handler(s)
    sarah1                  has 1 service handler(s)
  The command completed successfully

This reveals the Oracle version and platform, the start date and time (hence the time zone), the ORACLE_HOME from the parameter-file path, and the service names. Security ON means a listener password has been set; without one the same remote client could also stop the listener or change its settings.

Firewall: put a firewall between clients and the listener and open port 1521 (or whatever port listener.ora uses) only to the hosts that must connect.

Oracle Listener password:
  % lsnrctl
  LSNRCTL> change_password
  LSNRCTL> set password
  LSNRCTL> save_config
save_config writes the password hash into listener.ora. Also set ADMIN_RESTRICTIONS_listener_name = ON in listener.ora so that runtime SET commands are refused even with the password; changes are then made by editing listener.ora and reloading.

IP restrictions with Oracle Net valid node checking, in sqlnet.ora (protocol.ora in Oracle8/8i):
  tcp.validnode_checking = YES
  tcp.excluded_nodes = { list of hosts/IPs to refuse }
  tcp.invited_nodes = { list of hosts/IPs to allow }
If invited_nodes is set, only the listed hosts may connect; the listener must be restarted for the change to take effect.
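The listener and sqlnet.ora settings from the three items above in one place, as an added configuration example that is not from the original slides. Host names, addresses and paths are made up; the listener is assumed to be named LISTENER on an Oracle9i server, and the password line is written by lsnrctl save_config rather than by hand.

```ini
# ---- listener.ora ----------------------------------------------------------
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost01.example.com)(PORT = 1521))))

# Written by "lsnrctl change_password" + "save_config"; do not edit by hand.
# PASSWORDS_LISTENER = <hash>

# Refuse runtime SET commands even from a client that knows the password.
# Configuration changes are made in this file and applied with "lsnrctl reload".
ADMIN_RESTRICTIONS_LISTENER = ON

# Keep the connection log (see the auditing section) and put it where the
# Oracle OS account, not ordinary users, owns the directory.
LOGGING_LISTENER = ON
LOG_DIRECTORY_LISTENER = /u01/app/oracle/network/log
LOG_FILE_LISTENER = listener

# ---- sqlnet.ora on the database server --------------------------------------
# Oracle9i reads these from sqlnet.ora; Oracle8/8i read them from protocol.ora.
TCP.VALIDNODE_CHECKING = YES

# If INVITED_NODES is set it takes precedence: only the listed hosts may connect
# and everything else is refused. EXCLUDED_NODES alone would refuse only the
# listed hosts. The server's own address is included so local tools keep working.
TCP.INVITED_NODES  = (10.1.2.5, 10.1.2.10, 10.1.2.11, appsrv3.example.com)
TCP.EXCLUDED_NODES = (10.1.9.99)
```

Restart the listener (lsnrctl stop / lsnrctl start) after changing the valid node settings, then test from an excluded host: the connection is refused before any database authentication takes place.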
Agenda: Oracle Database (next: auditing)
Auditing: record which SQL the DBA and other privileged users run, so that DBA activity itself can be reviewed.
Records that are always written: every SYSOPER/SYSDBA connection is logged to $ORACLE_HOME/rdbms/audit/ora_xxxxx.aud (on Windows, to the Event Log), and every connection through the listener is logged to $ORACLE_HOME/network/log/listener.log. Note that lsnrctl set log_status off turns the listener log off, one more reason for a listener password and ADMIN_RESTRICTIONS.
SYSDBA connection record (ora_xxxx.aud):

  Thu Jun 17 18:38:29 2004
  ACTION : 'CONNECT'
  DATABASE USER: 'SYS'
  PRIVILEGE : SYSDBA
  CLIENT USER: miyamoto
  CLIENT TERMINAL: pts/3
  STATUS: 0

This file is written by the server process itself, independently of AUDIT_TRAIL, so the OS-level record of a SYSDBA/SYSOPER connection exists even when database auditing is off.

listener.log entry:

  16-JUL-2004 18:38:57 * (CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=test)(CID=(PROGRAM=D:\oracle\orcl\bin\sqlplus.exe)(HOST=test01)(USER=miyamoto))) * (ADDRESS=(PROTOCOL=tcp)(HOST=123.45.67.89)(PORT=4942)) * establish * test * 0

Each line records the connect descriptor the client sent (program, client host and OS user from CID), the client address (IP and port), the action (establish), the service name and the result (0 = success). PROGRAM, HOST and USER are supplied by the client and can be faked; only the ADDRESS is observed by the listener.
Database auditing writes to SYS.AUD$ or to OS files, selected in init<sid>.ora:
  AUDIT_TRAIL = DB           records in SYS.AUD$
  AUDIT_TRAIL = DB_EXTENDED  (Oracle 10g) as DB, plus the SQL text and bind values
  AUDIT_TRAIL = OS           files in AUDIT_FILE_DEST
  AUDIT_FILE_DEST = <directory for the OS audit files>
With the DB setting the trail is read through DBA_AUDIT_TRAIL. With the OS setting the files belong to the OS, so an OS administrator, not the DBA, controls who can read or delete them.

Columns of DBA_AUDIT_TRAIL and their counterparts in the OS record:
  OS_USERNAME (CLIENT USER), USERNAME (DATABASE USER), USERHOST, TERMINAL (CLIENT TERMINAL), TIMESTAMP, ACTION_NAME (ACTION), PRIV_USED (PRIVILEGE), SESSIONID and ENTRYID (session and entry ID), RETURNCODE (STATUS)
  Added with AUDIT_TRAIL = DB_EXTENDED (Oracle 10g): SQL_TEXT, SQL_BIND, EXTENDED_TIMESTAMP (UTC), SCN, CLIENT_ID
Examples: AUDIT TABLE (DDL: CREATE, DROP and TRUNCATE TABLE), AUDIT CREATE ANY TRIGGER (use of the system privilege), AUDIT SELECT ON SCOTT.EMP (reads of one object).
Auditing the DBA: statements run as SYS, or by anyone connected AS SYSOPER / AS SYSDBA, are not recorded in SYS.AUD$ by standard auditing; they have to go to the OS.
Set AUDIT_SYS_OPERATIONS = TRUE in init<sid>.ora. On Windows the records go to the Event Log; on Solaris and other Unix systems they go to AUDIT_FILE_DEST (default $ORACLE_HOME/rdbms/audit).

DBA activity recorded with AUDIT_SYS_OPERATIONS = TRUE:

  Thu Jan 24 12:58:00 2002
  ACTION: 'CONNECT'
  DATABASE USER: '/'
  OSPRIV: SYSDBA
  CLIENT USER: jeff
  CLIENT TERMINAL: pts/2
  STATUS: 0

  Thu Jan 24 12:58:00 2002
  ACTION: 'update salary set base=1000 where name='myname''
  DATABASE USER: ''
  OSPRIV: SYSDBA
  CLIENT USER: jeff
  CLIENT TERMINAL: pts/2
  STATUS: 0
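The audit configuration and trail review for this section, as an added example that is not from the original slides: the AUDIT statements from the slide plus queries over DBA_AUDIT_TRAIL that find failed logons, password guessing, access to SCOTT.EMP and table DDL. It assumes Oracle9i with AUDIT_TRAIL = DB, is run as SYS in SQL*Plus, and the directory path and archive table name are made up.

```sql
-- init<sid>.ora (static parameters, restart the instance afterwards):
--   AUDIT_TRAIL = DB              -- records go to SYS.AUD$ (DBA_AUDIT_TRAIL)
--   AUDIT_SYS_OPERATIONS = TRUE   -- SYS / SYSDBA statements go to AUDIT_FILE_DEST
--   AUDIT_FILE_DEST = /u01/app/oracle/admin/orcl/adump
-- Confirm after the restart:
SHOW PARAMETER audit

-- The cases from the slide, plus logons and the trail itself
AUDIT TABLE;                             -- CREATE/DROP/TRUNCATE TABLE
AUDIT CREATE ANY TRIGGER;                -- the privilege that plants code in other schemas
AUDIT SELECT ON scott.emp BY ACCESS;     -- one record per statement, not per session
AUDIT SESSION;                           -- every logon/logoff, successful or not
AUDIT DELETE ON sys.aud$ BY ACCESS;      -- someone clearing their tracks

-- What is currently audited?
SELECT audit_option, success, failure FROM dba_stmt_audit_opts ORDER BY 1;
SELECT owner, object_name, sel, del
  FROM dba_obj_audit_opts
 WHERE owner IN ('SCOTT', 'SYS');

-- Failed logons in the last 24 hours
-- (RETURNCODE 1017 = invalid username/password, 28000 = account locked)
SELECT timestamp, os_username, username, userhost, terminal, returncode
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- Password guessing: more than five failures from one OS user/host in a day
SELECT os_username, userhost, COUNT(*) AS failures,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode IN (1017, 28000)
   AND timestamp > SYSDATE - 1
 GROUP BY os_username, userhost
HAVING COUNT(*) > 5;

-- Who read SCOTT.EMP, and who ran table DDL or created triggers?
SELECT timestamp, os_username, username, userhost, action_name,
       owner, obj_name, priv_used, returncode
  FROM dba_audit_trail
 WHERE (owner = 'SCOTT' AND obj_name = 'EMP')
    OR action_name IN ('CREATE TABLE', 'DROP TABLE', 'TRUNCATE TABLE',
                       'CREATE TRIGGER')
 ORDER BY timestamp;

-- Housekeeping (Oracle9i column names): archive, then purge rows older than
-- 90 days so SYS.AUD$ does not fill the SYSTEM tablespace. The DELETE is
-- itself audited, and because it runs as SYS it also lands in the OS file.
CREATE TABLE audit_archive TABLESPACE users AS
  SELECT * FROM sys.aud$ WHERE timestamp# < SYSDATE - 90;
DELETE FROM sys.aud$ WHERE timestamp# < SYSDATE - 90;
COMMIT;
```

The OS audit files written under AUDIT_SYS_OPERATIONS should be owned by an OS account the DBA cannot write to; otherwise the person being audited can edit the record of what they did.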
Agenda: Oracle Database (summary and references)
References:
  Oracle9i R2 security checklist: http://otndnld.oracle.co.jp/idba/security/oracle9ir2/pdf/9ir2_checklist_new.pdf
  Oracle (orahack_fixed.pdf): http://otndnld.oracle.co.jp/deploy/security/pdf/orahack_fixed.pdf