本文档风哥主要介绍Oracle PDB数据库保险库(Database Vault)相关知识,包括PDB数据库保险库的概念、PDB数据库保险库的组件、PDB数据库保险库的安装、PDB数据库保险库的配置、PDB数据库保险库验证、PDB数据库保险库故障处理等内容,由风哥教程参考Oracle官方文档Security内容编写,适合DBA人员在学习和测试中使用,如果要应用于生产环境则需要自行确认。
Part01-基础概念与理论知识
1.1 PDB数据库保险库的概念
Oracle PDB数据库保险库(Oracle Database Vault)是一种高级安全解决方案,用于保护敏感数据免受未经授权的访问。数据库保险库通过限制特权用户的访问、实施细粒度访问控制和审计,提供多层安全保护。数据库保险库适用于需要满足严格合规性要求的企业环境。更多视频教程www.fgedu.net.cn
- 限制特权用户访问
- 实施细粒度访问控制
- 提供多层安全保护
- 支持多租户环境
- 满足合规性要求
1.2 PDB数据库保险库的组件
Oracle PDB数据库保险库的组件包括:
- 领域(Realms):保护数据库对象的集合
- 因素(Factors):用于访问控制的上下文信息
- 身份标识(Identities):定义用户和角色
- 规则集(Rule Sets):定义访问控制规则
- 命令规则(Command Rules):控制特定命令的执行
- 安全应用(Secure Application Roles):控制应用角色的激活
1.3 PDB数据库保险库的优势
Oracle PDB数据库保险库的优势:
- 数据保护:保护敏感数据免受未经授权的访问
- 合规性:满足数据保护法规要求
- 特权用户控制:限制特权用户的访问
- 细粒度访问控制:实施细粒度访问控制
- 审计支持:支持审计和监控
Part02-生产环境规划与建议
2.1 PDB数据库保险库规划
Oracle PDB数据库保险库规划要点:
– 敏感数据识别:识别需要保护的敏感数据
– 领域规划:定义需要保护的数据库对象
– 因素规划:定义访问控制因素
– 规则集规划:定义访问控制规则
# 领域规划
– 领域类型:表空间、模式、表、视图
– 领域范围:定义领域包含的对象
– 领域授权:定义领域授权用户
– 领域审计:审计领域访问
# 因素规划
– 因素类型:身份、时间、位置、网络
– 因素标识:定义因素标识符
– 因素值:定义因素可能的值
– 因素信任:定义因素信任级别
# 规则集规划
– 规则类型:允许、拒绝、审计
– 规则条件:定义规则触发条件
– 规则动作:定义规则执行动作
– 规则优先级:定义规则执行顺序
2.2 PDB数据库保险库安全策略
Oracle PDB数据库保险库安全策略:
- 最小权限原则:只授予必要的权限
- 职责分离:分离管理和审计职责
- 定期审计:审计数据库保险库配置和使用
- 定期测试:定期测试访问控制规则
- 文档记录:记录数据库保险库配置
– 识别敏感数据
– 定义领域和规则
– 配置因素和身份标识
– 定期审计和测试
– 文档记录配置
2.3 PDB数据库保险库最佳实践
Oracle PDB数据库保险库最佳实践:
- 数据分类:根据数据敏感程度分类
- 领域设计:合理设计领域结构
- 规则设计:合理设计访问控制规则
- 定期审计:审计数据库保险库配置和使用
- 定期测试:定期测试访问控制规则
Part03-生产环境项目实施方案
3.1 PDB数据库保险库安装
3.1.1 安装数据库保险库
$ sqlplus / as sysdba
SQL> select comp_name, status, version from dba_registry where comp_name like ‘%Vault%’;
COMP_NAME STATUS VERSION
—————————— ——— ——————
Oracle Database Vault VALID 19.0.0.0.0
# 2. 如果未安装,安装数据库保险库
# 使用Oracle Universal Installer安装Database Vault选项
# 3. 连接到PDB
SQL> alter session set container=SALESPDB;
Session altered.
# 4. 在PDB中启用数据库保险库
SQL> @?/rdbms/admin/catdv.sql
# 5. 验证数据库保险库安装
SQL> select comp_name, status, version from dba_registry where comp_name like ‘%Vault%’;
COMP_NAME STATUS VERSION
—————————— ——— ——————
Oracle Database Vault VALID 19.0.0.0.0
# 6. 创建数据库保险库管理员
SQL> create user dv_owner identified by dv_owner_password;
User created.
SQL> grant create session to dv_owner;
Grant succeeded.
SQL> grant dv_owner to dv_owner;
Grant succeeded.
SQL> grant dv_acctmgr to dv_owner;
Grant succeeded.
SQL> grant dv_public to dv_owner;
Grant succeeded.
# 7. 创建数据库保险库账户管理员
SQL> create user dv_acctmgr identified by dv_acctmgr_password;
User created.
SQL> grant create session to dv_acctmgr;
Grant succeeded.
SQL> grant dv_acctmgr to dv_acctmgr;
Grant succeeded.
# 8. 验证用户创建
SQL> select username, account_status from dba_users where username like ‘DV_%’;
USERNAME ACCOUNT_STATUS
———- ————–
DV_OWNER OPEN
DV_ACCTMGR OPEN
3.1.2 配置数据库保险库
SQL> conn dv_owner/dv_owner_password@SALESPDB
Connected.
# 2. 创建领域
SQL> begin
dvsys.dbms_macadm.create_realm(
realm_name => ‘CUSTOMER_DATA_REALM’,
description => ‘Customer Data Protection Realm’,
enabled => ‘Y’
);
end;
/
PL/SQL procedure successfully completed.
# 3. 验证领域创建
SQL> select realm_name, description, status from dvsys.dba_dv_realm;
REALM_NAME DESCRIPTION STATUS
———————- —————————— ——–
CUSTOMER_DATA_REALM Customer Data Protection Realm ENABLED
# 4. 创建因素
SQL> begin
dvsys.dbms_macadm.create_factor(
factor_name => ‘NETWORK_FACTOR’,
factor_type_name => ‘Network’,
description => ‘Network Access Factor’,
factor_ident => ‘NETWORK’
);
end;
/
PL/SQL procedure successfully completed.
# 5. 验证因素创建
SQL> select factor_name, factor_type_name, description from dvsys.dba_dv_factor;
FACTOR_NAME FACTOR_TYPE_NAME DESCRIPTION
—————– —————- ——————
NETWORK_FACTOR Network Network Access Factor
# 6. 创建规则集
SQL> begin
dvsys.dbms_macadm.create_rule_set(
rule_set_name => ‘CUSTOMER_ACCESS_RULESET’,
description => ‘Customer Access Rule Set’,
enabled => ‘Y’,
eval_options => ‘ALL’,
audit_options => ‘ALL’
);
end;
/
PL/SQL procedure successfully completed.
# 7. 验证规则集创建
SQL> select rule_set_name, description, status from dvsys.dba_dv_rule_set;
RULE_SET_NAME DESCRIPTION STATUS
————————– —————————— ——–
CUSTOMER_ACCESS_RULESET Customer Access Rule Set ENABLED
3.2 PDB数据库保险库配置
3.2.1 配置领域
SQL> conn / as sysdba
SQL> alter session set container=SALESPDB;
Session altered.
SQL> create user fgfgfgsales_user identified by fgfgfgsales_password;
User created.
SQL> grant create session, connect, resource to fgfgfgsales_user;
Grant succeeded.
SQL> create table fgfgfgsales_user.customers (
id number primary key,
name varchar2(100),
email varchar2(100),
phone varchar2(20),
credit_card varchar2(20),
ssn varchar2(20)
);
Table created.
SQL> insert into fgfgfgsales_user.customers values (1, ‘风哥1号’, ‘zhangsan@fgedu.net.cn’, ‘13800138000’, ‘1234567890123456’, ‘123456789’);
1 row created.
SQL> commit;
Commit complete.
# 2. 连接到数据库保险库管理员
SQL> conn dv_owner/dv_owner_password@SALESPDB
Connected.
# 3. 将表添加到领域
SQL> begin
dvsys.dbms_macadm.add_object_to_realm(
realm_name => ‘CUSTOMER_DATA_REALM’,
object_owner => ‘SALES_USER’,
object_name => ‘CUSTOMERS’,
object_type => ‘TABLE’
);
end;
/
PL/SQL procedure successfully completed.
# 4. 验证对象已添加到领域
SQL> select realm_name, object_owner, object_name, object_type
from dvsys.dba_dv_realm_object
where realm_name = ‘CUSTOMER_DATA_REALM’;
REALM_NAME OBJECT_OWNER OBJECT_NAME OBJECT_TYPE
———————- ———— ———– ———–
CUSTOMER_DATA_REALM SALES_USER CUSTOMERS TABLE
# 5. 授予领域授权
SQL> begin
dvsys.dbms_macadm.grant_realm_authorization(
realm_name => ‘CUSTOMER_DATA_REALM’,
grantee => ‘SALES_USER’,
auth_options => ‘PARTICIPANT’
);
end;
/
PL/SQL procedure successfully completed.
# 6. 验证领域授权
SQL> select realm_name, grantee, auth_options
from dvsys.dba_dv_realm_auth
where realm_name = ‘CUSTOMER_DATA_REALM’;
REALM_NAME GRANTEE AUTH_OPTIONS
———————- ———- ————–
CUSTOMER_DATA_REALM SALES_USER PARTICIPANT
3.2.2 配置命令规则
SQL> begin
dvsys.dbms_macadm.create_rule(
rule_name => ‘ALLOW_CUSTOMER_ACCESS’,
rule_expr => ‘SYS_CONTEXT(”DV_FACTOR”, ”NETWORK_FACTOR”) = ”TRUSTED”’
);
end;
/
PL/SQL procedure successfully completed.
# 2. 验证规则创建
SQL> select rule_name, rule_expr from dvsys.dba_dv_rule;
RULE_NAME RULE_EXPR
———————– —————————————–
ALLOW_CUSTOMER_ACCESS SYS_CONTEXT(‘DV_FACTOR’, ‘NETWORK_FACTOR’) = ‘TRUSTED’
# 3. 将规则添加到规则集
SQL> begin
dvsys.dbms_macadm.add_rule_to_rule_set(
rule_set_name => ‘CUSTOMER_ACCESS_RULESET’,
rule_name => ‘ALLOW_CUSTOMER_ACCESS’,
rule_order => 1
);
end;
/
PL/SQL procedure successfully completed.
# 4. 验证规则已添加到规则集
SQL> select rule_set_name, rule_name, rule_order
from dvsys.dba_dv_rule_set_rule
where rule_set_name = ‘CUSTOMER_ACCESS_RULESET’;
RULE_SET_NAME RULE_NAME RULE_ORDER
————————– ———————– ———-
CUSTOMER_ACCESS_RULESET ALLOW_CUSTOMER_ACCESS 1
# 5. 创建命令规则
SQL> begin
dvsys.dbms_macadm.create_command_rule(
command => ‘SELECT’,
object_owner => ‘SALES_USER’,
object_name => ‘CUSTOMERS’,
rule_set_name => ‘CUSTOMER_ACCESS_RULESET’,
enabled => ‘Y’
);
end;
/
PL/SQL procedure successfully completed.
# 6. 验证命令规则创建
SQL> select command, object_owner, object_name, rule_set_name, enabled
from dvsys.dba_dv_command_rule
where object_owner = ‘SALES_USER’ and object_name = ‘CUSTOMERS’;
COMMAND OBJECT_OWNER OBJECT_NAME RULE_SET_NAME ENABLED
——– ———— ———– ————————– ——–
SELECT SALES_USER CUSTOMERS CUSTOMER_ACCESS_RULESET YES
3.3 PDB数据库保险库验证
3.3.1 验证数据库保险库配置
SQL> select realm_name, description, status from dvsys.dba_dv_realm;
REALM_NAME DESCRIPTION STATUS
———————- —————————— ——–
CUSTOMER_DATA_REALM Customer Data Protection Realm ENABLED
# 2. 查看领域对象
SQL> select realm_name, object_owner, object_name, object_type
from dvsys.dba_dv_realm_object;
REALM_NAME OBJECT_OWNER OBJECT_NAME OBJECT_TYPE
———————- ———— ———– ———–
CUSTOMER_DATA_REALM SALES_USER CUSTOMERS TABLE
# 3. 查看领域授权
SQL> select realm_name, grantee, auth_options
from dvsys.dba_dv_realm_auth;
REALM_NAME GRANTEE AUTH_OPTIONS
———————- ———- ————–
CUSTOMER_DATA_REALM SALES_USER PARTICIPANT
# 4. 查看规则集配置
SQL> select rule_set_name, description, status from dvsys.dba_dv_rule_set;
RULE_SET_NAME DESCRIPTION STATUS
————————– —————————— ——–
CUSTOMER_ACCESS_RULESET Customer Access Rule Set ENABLED
# 5. 查看规则配置
SQL> select rule_name, rule_expr from dvsys.dba_dv_rule;
RULE_NAME RULE_EXPR
———————– —————————————–
ALLOW_CUSTOMER_ACCESS SYS_CONTEXT(‘DV_FACTOR’, ‘NETWORK_FACTOR’) = ‘TRUSTED’
# 6. 查看命令规则配置
SQL> select command, object_owner, object_name, rule_set_name, enabled
from dvsys.dba_dv_command_rule;
COMMAND OBJECT_OWNER OBJECT_NAME RULE_SET_NAME ENABLED
——– ———— ———– ————————– ——–
SELECT SALES_USER CUSTOMERS CUSTOMER_ACCESS_RULESET YES
3.3.2 测试数据库保险库
SQL> conn fgfgfgsales_user/fgfgfgsales_password@SALESPDB
Connected.
SQL> select * from customers;
select * from customers
*
ERROR at line 1:
ORA-01031: insufficient privileges
# 2. 设置因素值
SQL> conn dv_owner/dv_owner_password@SALESPDB
Connected.
SQL> begin
dvsys.dbms_macadm.set_factor(
factor_name => ‘NETWORK_FACTOR’,
factor_value => ‘TRUSTED’
);
end;
/
PL/SQL procedure successfully completed.
# 3. 验证因素值已设置
SQL> select factor_name, factor_value
from dvsys.dba_dv_factor
where factor_name = ‘NETWORK_FACTOR’;
FACTOR_NAME FACTOR_VALUE
—————– ————-
NETWORK_FACTOR TRUSTED
# 4. 测试设置因素值后的访问
SQL> conn fgfgfgsales_user/fgfgfgsales_password@SALESPDB
Connected.
SQL> select * from customers;
ID NAME EMAIL PHONE CREDIT_CARD SSN
———- ———- ———————- ————— —————— ———-
1 风哥1号 zhangsan@fgedu.net.cn 13800138000 1234567890123456 123456789
# 5. 清除因素值
SQL> conn dv_owner/dv_owner_password@SALESPDB
Connected.
SQL> begin
dvsys.dbms_macadm.delete_factor(
factor_name => ‘NETWORK_FACTOR’
);
end;
/
PL/SQL procedure successfully completed.
# 6. 验证因素值已清除
SQL> select factor_name, factor_value
from dvsys.dba_dv_factor
where factor_name = ‘NETWORK_FACTOR’;
FACTOR_NAME FACTOR_VALUE
—————– ————-
NETWORK_FACTOR
Part04-生产案例与实战讲解
4.1 PDB数据库保险库配置案例
在生产环境中配置PDB数据库保险库的完整案例:
4.1.1 场景描述
某企业需要为销售PDB中的客户数据配置数据库保险库,保护信用卡号、手机号、身份证号等敏感信息,确保只有授权用户才能访问。
4.1.2 配置步骤
SQL> conn / as sysdba
SQL> alter session set container=SALESPDB;
Session altered.
SQL> create user fgfgfgsales_admin identified by fgfgfgsales_password;
User created.
SQL> grant create session, connect, resource to fgfgfgsales_admin;
Grant succeeded.
SQL> create table fgfgfgsales_admin.customers (
id number primary key,
name varchar2(100),
email varchar2(100),
phone varchar2(20),
credit_card varchar2(20),
id_card varchar2(20),
address varchar2(200)
);
Table created.
SQL> insert into fgfgfgsales_admin.customers values (
1, ‘风哥1号’, ‘zhangsan@fgedu.net.cn’, ‘13800138000’,
‘1234567890123456’, ‘110101199001011234’, ‘北京市朝阳区’
);
1 row created.
SQL> insert into fgfgfgsales_admin.customers values (
2, ‘风哥2号’, ‘lisi@fgedu.net.cn’, ‘13900139000’,
‘2345678901234567’, ‘110101199002022345’, ‘上海市浦东新区’
);
1 row created.
SQL> insert into fgfgfgsales_admin.customers values (
3, ‘王五’, ‘wangwu@fgedu.net.cn’, ‘13700137000’,
‘3456789012345678’, ‘110101199003033456’, ‘广州市天河区’
);
1 row created.
SQL> commit;
Commit complete.
# 2. 创建领域
SQL> conn dv_owner/dv_owner_password@SALESPDB
Connected.
SQL> begin
dvsys.dbms_macadm.create_realm(
realm_name => ‘SALES_CUSTOMER_REALM’,
description => ‘Sales Customer Data Protection Realm’,
enabled => ‘Y’
);
end;
/
PL/SQL procedure successfully completed.
# 3. 将表添加到领域
SQL> begin
dvsys.dbms_macadm.add_object_to_realm(
realm_name => ‘SALES_CUSTOMER_REALM’,
object_owner => ‘SALES_ADMIN’,
object_name => ‘CUSTOMERS’,
object_type => ‘TABLE’
);
end;
/
PL/SQL procedure successfully completed.
# 4. 授予领域授权
SQL> begin
dvsys.dbms_macadm.grant_realm_authorization(
realm_name => ‘SALES_CUSTOMER_REALM’,
grantee => ‘SALES_ADMIN’,
auth_options => ‘PARTICIPANT’
);
end;
/
PL/SQL procedure successfully completed.
# 5. 创建因素
SQL> begin
dvsys.dbms_macadm.create_factor(
factor_name => ‘USER_ROLE_FACTOR’,
factor_type_name => ‘Identity’,
description => ‘User Role Factor’,
factor_ident => ‘USER_ROLE’
);
end;
/
PL/SQL procedure successfully completed.
# 6. 创建规则
SQL> begin
dvsys.dbms_macadm.create_rule(
rule_name => ‘ALLOW_ADMIN_ACCESS’,
rule_expr => ‘SYS_CONTEXT(”DV_FACTOR”, ”USER_ROLE_FACTOR”) = ”ADMIN”’
);
end;
/
PL/SQL procedure successfully completed.
# 7. 创建规则集
SQL> begin
dvsys.dbms_macadm.create_rule_set(
rule_set_name => ‘SALES_ACCESS_RULESET’,
description => ‘Sales Access Rule Set’,
enabled => ‘Y’,
eval_options => ‘ALL’,
audit_options => ‘ALL’
);
end;
/
PL/SQL procedure successfully completed.
# 8. 将规则添加到规则集
SQL> begin
dvsys.dbms_macadm.add_rule_to_rule_set(
rule_set_name => ‘SALES_ACCESS_RULESET’,
rule_name => ‘ALLOW_ADMIN_ACCESS’,
rule_order => 1
);
end;
/
PL/SQL procedure successfully completed.
# 9. 创建命令规则
SQL> begin
dvsys.dbms_macadm.create_command_rule(
command => ‘SELECT’,
object_owner => ‘SALES_ADMIN’,
object_name => ‘CUSTOMERS’,
rule_set_name => ‘SALES_ACCESS_RULESET’,
enabled => ‘Y’
);
end;
/
PL/SQL procedure successfully completed.
# 10. 验证配置
SQL> select realm_name, object_owner, object_name
from dvsys.dba_dv_realm_object
where realm_name = ‘SALES_CUSTOMER_REALM’;
REALM_NAME OBJECT_OWNER OBJECT_NAME
———————- ———— ———–
SALES_CUSTOMER_REALM SALES_ADMIN CUSTOMERS
SQL> select command, object_owner, object_name, rule_set_name, enabled
from dvsys.dba_dv_command_rule
where object_owner = ‘SALES_ADMIN’ and object_name = ‘CUSTOMERS’;
COMMAND OBJECT_OWNER OBJECT_NAME RULE_SET_NAME ENABLED
——– ———— ———– ———————- ——–
SELECT SALES_ADMIN CUSTOMERS SALES_ACCESS_RULESET YES
4.2 PDB数据库保险库故障处理
在PDB数据库保险库过程中可能遇到的故障及处理方法:
4.2.1 故障现象:ORA-01031权限不足
SQL> conn fgfgfgsales_admin/fgfgfgsales_password@SALESPDB
Connected.
SQL> select * from customers;
select * from customers
*
ERROR at line 1:
ORA-01031: insufficient privileges
# 分析步骤
# 1. 检查领域配置
SQL> conn dv_owner/dv_owner_password@SALESPDB
Connected.
SQL> select realm_name, object_owner, object_name
from dvsys.dba_dv_realm_object
where object_owner = ‘SALES_ADMIN’ and object_name = ‘CUSTOMERS’;
REALM_NAME OBJECT_OWNER OBJECT_NAME
———————- ———— ———–
SALES_CUSTOMER_REALM SALES_ADMIN CUSTOMERS
# 2. 检查领域授权
SQL> select realm_name, grantee, auth_options
from dvsys.dba_dv_realm_auth
where realm_name = ‘SALES_CUSTOMER_REALM’;
REALM_NAME GRANTEE AUTH_OPTIONS
———————- ———- ————–
SALES_CUSTOMER_REALM SALES_ADMIN PARTICIPANT
# 3. 检查命令规则
SQL> select command, object_owner, object_name, rule_set_name, enabled
from dvsys.dba_dv_command_rule
where object_owner = ‘SALES_ADMIN’ and object_name = ‘CUSTOMERS’;
COMMAND OBJECT_OWNER OBJECT_NAME RULE_SET_NAME ENABLED
——– ———— ———– ———————- ——–
SELECT SALES_ADMIN CUSTOMERS SALES_ACCESS_RULESET YES
# 4. 检查因素值
SQL> select factor_name, factor_value
from dvsys.dba_dv_factor
where factor_name = ‘USER_ROLE_FACTOR’;
FACTOR_NAME FACTOR_VALUE
—————– ————-
USER_ROLE_FACTOR
# 5. 发现因素值未设置
# 6. 解决方案:设置因素值
SQL> begin
dvsys.dbms_macadm.set_factor(
factor_name => ‘USER_ROLE_FACTOR’,
factor_value => ‘ADMIN’
);
end;
/
PL/SQL procedure successfully completed.
# 7. 验证因素值已设置
SQL> select factor_name, factor_value
from dvsys.dba_dv_factor
where factor_name = ‘USER_ROLE_FACTOR’;
FACTOR_NAME FACTOR_VALUE
—————– ————-
USER_ROLE_FACTOR ADMIN
# 8. 测试访问
SQL> conn fgfgfgsales_admin/fgfgfgsales_password@SALESPDB
Connected.
SQL> select * from customers;
ID NAME EMAIL PHONE CREDIT_CARD ID_CARD ADDRESS
———- ———- ———————- ————— —————— ———————- ——————
1 风哥1号 zhangsan@fgedu.net.cn 13800138000 1234567890123456 110101199001011234 北京市朝阳区
2 风哥2号 lisi@fgedu.net.cn 13900139000 2345678901234567 110101199002022345 上海市浦东新区
3 王五 wangwu@fgedu.net.cn 13700137000 3456789012345678 110101199003033456 广州市天河区
# 9. 预防措施
# – 配置自动设置因素值
# – 监控数据库保险库状态
# – 定期测试访问控制规则
4.2.2 故障现象:ORA-47401领域已存在
SQL> begin
dvsys.dbms_macadm.create_realm(
realm_name => ‘SALES_CUSTOMER_REALM’,
description => ‘Sales Customer Data Protection Realm’,
enabled => ‘Y’
);
end;
/
ORA-47401: Realm SALES_CUSTOMER_REALM already exists
# 分析步骤
# 1. 检查现有领域
SQL> select realm_name, description, status from dvsys.dba_dv_realm;
REALM_NAME DESCRIPTION STATUS
———————- —————————— ——–
SALES_CUSTOMER_REALM Sales Customer Data Protection Realm ENABLED
# 2. 发现已存在领域
# 3. 解决方案:修改现有领域
SQL> begin
dvsys.dbms_macadm.update_realm(
realm_name => ‘SALES_CUSTOMER_REALM’,
description => ‘Updated Sales Customer Data Protection Realm’,
enabled => ‘Y’
);
end;
/
PL/SQL procedure successfully completed.
# 4. 验证领域已修改
SQL> select realm_name, description, status from dvsys.dba_dv_realm;
REALM_NAME DESCRIPTION STATUS
———————- ———————————————— ——–
SALES_CUSTOMER_REALM Updated Sales Customer Data Protection Realm ENABLED
# 5. 预防措施
# – 在创建领域前检查是否已存在
# – 使用唯一的领域名称
# – 定期检查现有领域
4.3 PDB数据库保险库优化
优化PDB数据库保险库配置的最佳实践:
4.3.1 优化数据库保险库配置
SQL> conn dv_owner/dv_owner_password@SALESPDB
Connected.
SQL> begin
dvsys.dbms_macadm.create_realm(
realm_name => ‘CUSTOMER_DATA_REALM’,
description => ‘Customer Data Protection Realm’,
enabled => ‘Y’
);
end;
/
PL/SQL procedure successfully completed.
SQL> begin
dvsys.dbms_macadm.create_realm(
realm_name => ‘FINANCE_DATA_REALM’,
description => ‘Finance Data Protection Realm’,
enabled => ‘Y’
);
end;
/
PL/SQL procedure successfully completed.
# 2. 创建多个因素
SQL> begin
dvsys.dbms_macadm.create_factor(
factor_name => ‘NETWORK_FACTOR’,
factor_type_name => ‘Network’,
description => ‘Network Access Factor’,
factor_ident => ‘NETWORK’
);
end;
/
PL/SQL procedure successfully completed.
SQL> begin
dvsys.dbms_macadm.create_factor(
factor_name => ‘TIME_FACTOR’,
factor_type_name => ‘Time’,
description => ‘Time Access Factor’,
factor_ident => ‘TIME’
);
end;
/
PL/SQL procedure successfully completed.
# 3. 创建组合规则
SQL> begin
dvsys.dbms_macadm.create_rule(
rule_name => ‘ALLOW_TRUSTED_NETWORK’,
rule_expr => ‘SYS_CONTEXT(”DV_FACTOR”, ”NETWORK_FACTOR”) = ”TRUSTED”’
);
end;
/
PL/SQL procedure successfully completed.
SQL> begin
dvsys.dbms_macadm.create_rule(
rule_name => ‘ALLOW_BUSINESS_HOURS’,
rule_expr => ‘TO_NUMBER(TO_CHAR(SYSDATE, ”HH24”)) BETWEEN 9 AND 18’
);
end;
/
PL/SQL procedure successfully completed.
# 4. 创建组合规则集
SQL> begin
dvsys.dbms_macadm.create_rule_set(
rule_set_name => ‘COMBINED_ACCESS_RULESET’,
description => ‘Combined Access Rule Set’,
enabled => ‘Y’,
eval_options => ‘ALL’,
audit_options => ‘ALL’
);
end;
/
PL/SQL procedure successfully completed.
# 5. 将规则添加到规则集
SQL> begin
dvsys.dbms_macadm.add_rule_to_rule_set(
rule_set_name => ‘COMBINED_ACCESS_RULESET’,
rule_name => ‘ALLOW_TRUSTED_NETWORK’,
rule_order => 1
);
end;
/
PL/SQL procedure successfully completed.
SQL> begin
dvsys.dbms_macadm.add_rule_to_rule_set(
rule_set_name => ‘COMBINED_ACCESS_RULESET’,
rule_name => ‘ALLOW_BUSINESS_HOURS’,
rule_order => 2
);
end;
/
PL/SQL procedure successfully completed.
# 6. 配置数据库保险库审计
SQL> audit policy oracle_secure_config;
Audit succeeded.
# 7. 监控数据库保险库状态
SQL> select realm_name, status from dvsys.dba_dv_realm;
REALM_NAME STATUS
———————- ——–
CUSTOMER_DATA_REALM ENABLED
FINANCE_DATA_REALM ENABLED
SALES_CUSTOMER_REALM ENABLED
# 8. 创建数据库保险库监控脚本
$ vi /home/oracle/scripts/monitor_dv.sh
#!/bin/bash
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
# 数据库保险库监控脚本
export ORACLE_HOME=/oracle/app/oracle/product/19c/dbhome_1
export ORACLE_SID=FGEDUDB
export PATH=$ORACLE_HOME/bin:$PATH
# 检查领域状态
REALM_COUNT=$(sqlplus -s dv_owner/dv_owner_password@SALESPDB << EOF
set heading off feedback off pagesize 0
select count(*) from dvsys.dba_dv_realm where status = 'DISABLED';
exit;
EOF
)
if [ “$REALM_COUNT” -gt 0 ]; then
echo “WARNING: $REALM_COUNT realms are disabled”
# 发送告警
echo “$REALM_COUNT realms are disabled” | mail -s “Database Vault Alert” admin@fgedu.net.cn
fi
# 检查规则集状态
RULESET_COUNT=$(sqlplus -s dv_owner/dv_owner_password@SALESPDB << EOF
set heading off feedback off pagesize 0
select count(*) from dvsys.dba_dv_rule_set where status = 'DISABLED';
exit;
EOF
)
if [ “$RULESET_COUNT” -gt 0 ]; then
echo “WARNING: $RULESET_COUNT rule sets are disabled”
# 发送告警
echo “$RULESET_COUNT rule sets are disabled” | mail -s “Database Vault Alert” admin@fgedu.net.cn
fi
echo “Database Vault monitoring completed at $(date)”
# 9. 设置定期监控
$ crontab -e
# 每小时检查数据库保险库状态
0 * * * * /home/oracle/scripts/monitor_dv.sh >> /home/oracle/scripts/monitor_dv.log 2>&1
Part05-风哥经验总结与分享
5.1 PDB数据库保险库总结
Oracle PDB数据库保险库是保护敏感数据的高级安全解决方案,具有以下特点:
- 数据保护:保护敏感数据免受未经授权的访问
- 合规性:满足数据保护法规要求
- 特权用户控制:限制特权用户的访问
- 细粒度访问控制:实施细粒度访问控制
- 审计支持:支持审计和监控
5.2 PDB数据库保险库检查清单
Oracle PDB数据库保险库检查清单:
- 配置检查:检查领域、因素、规则集配置
- 状态检查:检查领域、规则集状态
- 授权检查:检查领域授权
- 规则检查:检查命令规则
- 审计检查:检查数据库保险库审计
- 监控检查:检查数据库保险库监控
5.3 PDB数据库保险库工具推荐
Oracle PDB数据库保险库工具推荐:
- DBMS_MACADM包:数据库保险库管理包
- SQL*Plus:命令行工具,用于数据库保险库管理
- SQL Developer:图形化工具,用于数据库保险库管理
- Enterprise Manager:企业级管理工具
- Oracle Audit Vault:审计管理工具
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
联系我们
在线咨询:
微信号:itpux-com
工作日:9:30-18:30,节假日休息
