----------  ----  -----  -----
SYS         TRUE  TRUE   TRUE
ASM_USER    TRUE  FALSE  FALSE
3.2 ASM encryption management
ASM encryption management operations:
-- 1. Check the encryption status of the ASM disk groups
SELECT name, encryption FROM v$asm_diskgroup;
-- 2. Create an encrypted ASM disk group
CREATE DISKGROUP encrypted_dg NORMAL REDUNDANCY
  FAILGROUP fg1 DISK '/dev/sdb1', '/dev/sdc1'
  FAILGROUP fg2 DISK '/dev/sdd1', '/dev/sde1'
  ATTRIBUTE 'compatible.asm' = '19.0.0', 'compatible.rdbms' = '19.0.0', 'encryption' = 'Y';
-- 3. Change the encryption attribute of an existing ASM disk group
ALTER DISKGROUP data_dg SET ATTRIBUTE 'encryption' = 'Y';
-- 4. Create an encrypted tablespace
CREATE TABLESPACE encrypted_ts
  DATAFILE '+encrypted_dg/fgedudb/datafile/encrypted_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' ENCRYPT;
-- 5. Check the encryption status of the tablespaces
SELECT tablespace_name, encrypted FROM dba_tablespaces;
-- 6. Configure the ASM keystore
-- Set the keystore location
ALTER SYSTEM SET encryption_key_management = 'FILE' SCOPE=SPFILE;
ALTER SYSTEM SET encryption_key_destination = '/u01/app/oracle/admin/fgedudb/wallet' SCOPE=SPFILE;
-- 7. Open the keystore
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "password";
-- 8. Create the master encryption key
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "password" WITH BACKUP;
-- 9. Close the keystore
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "password";
-- 10. Back up the keystore
-- Copy the keystore files to a secure location (OS shell)
$ cp /u01/app/oracle/admin/fgedudb/wallet/* /backup/wallet/
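Step 10 copies the keystore files with a bare cp, which silently inherits whatever permissions the backup directory happens to have. The Python script below is an added example, not code from this tutorial or from Oracle's tooling, that does the same copy with the checks a practitioner would want: it refuses a backup directory that other users can read, forces owner-only modes on the copies, and verifies every file by SHA-256. The wallet file names and contents are constructed for the demo and the directory layout is an assumption; in practice backup_wallet() is pointed at the wallet path from step 6 and the backup path from step 10.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Hypothetical file names modelled on a TDE wallet directory; the contents are
# constructed for the demo and are not real key material.
SAMPLE_WALLET_FILES = {
    "ewallet.p12": b"constructed password-protected keystore bytes",
    "cwallet.sso": b"constructed auto-login keystore bytes",
}


def sha256_of(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_wallet(src_dir, dst_dir):
    """Copy every regular file from src_dir to dst_dir and return {name: sha256}.

    Unlike a plain cp, this refuses a destination that other users can access,
    forces owner-only permissions on the copies, and verifies each copy by hash.
    """
    src, dst = Path(src_dir), Path(dst_dir)
    if not src.is_dir():
        raise FileNotFoundError(f"wallet directory not found: {src}")
    if dst.exists():
        if not dst.is_dir():
            raise NotADirectoryError(f"{dst} exists and is not a directory")
        if stat.S_IMODE(dst.stat().st_mode) & 0o077:
            raise PermissionError(f"{dst} is group/world accessible; set it to 0700 first")
    else:
        dst.mkdir(parents=True)
        os.chmod(dst, 0o700)  # mkdir honours the umask, so set the mode explicitly
    digests = {}
    for item in sorted(src.iterdir()):
        if not item.is_file():
            continue
        target = dst / item.name
        shutil.copy2(item, target)  # keeps mtime, useful when auditing retention
        os.chmod(target, 0o600)     # keystore files are owner-readable only
        actual = sha256_of(target)
        if actual != sha256_of(item):
            raise IOError(f"hash mismatch after copying {item.name}")
        digests[item.name] = actual
    return digests


def demo():
    """Build a throwaway wallet, back it up and report what a verifier would check."""
    with tempfile.TemporaryDirectory() as tmp:
        wallet = Path(tmp) / "wallet"
        wallet.mkdir()
        for name, data in SAMPLE_WALLET_FILES.items():
            (wallet / name).write_bytes(data)
        backup = Path(tmp) / "backup" / "wallet"
        digests = backup_wallet(wallet, backup)
        modes = {n: oct(stat.S_IMODE((backup / n).stat().st_mode)) for n in digests}
        dir_mode = oct(stat.S_IMODE(backup.stat().st_mode))
        expected = {n: hashlib.sha256(d).hexdigest() for n, d in SAMPLE_WALLET_FILES.items()}
        # A second run into the now-hardened directory must still succeed.
        idempotent = backup_wallet(wallet, backup) == digests
        # A pre-existing, world-readable backup directory must be rejected.
        open_dir = Path(tmp) / "open_backup"
        open_dir.mkdir()
        os.chmod(open_dir, 0o755)
        try:
            backup_wallet(wallet, open_dir)
            rejects_open_dir = False
        except PermissionError:
            rejects_open_dir = True
        return {"digests": digests, "source_match": digests == expected, "modes": modes,
                "dir_mode": dir_mode, "idempotent": idempotent,
                "rejects_open_dir": rejects_open_dir}


if __name__ == "__main__":
    print(demo())
```

The digests returned by backup_wallet() are worth recording alongside the backup: the keystore is a single point of failure for every encrypted tablespace, and a later restore can be checked against them before the database is opened.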
3.3 ASM audit management
ASM audit management operations:
-- 1. Check the current audit parameters
SHOW PARAMETER audit;
-- 2. Enable auditing on the ASM instance
ALTER SYSTEM SET audit_trail = 'DB' SCOPE=SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE=SPFILE;
-- 3. Restart the ASM instance
SHUTDOWN IMMEDIATE;
STARTUP;
-- 4. Audit ASM operations
AUDIT CREATE DISKGROUP BY asm_user;
AUDIT ALTER DISKGROUP BY asm_user;
AUDIT DROP DISKGROUP BY asm_user;
AUDIT CREATE DISK BY asm_user;
AUDIT DROP DISK BY asm_user;
-- 5. View the audit records
SELECT * FROM v$audit_trail;
-- 6. Purge the audit records
PURGE AUDIT TRAIL;
-- 7. Configure the audit file destination
ALTER SYSTEM SET audit_file_dest = '/u01/app/oracle/admin/+ASM/adump' SCOPE=SPFILE;
-- 8. Monitor ASM operations
-- Use Oracle Enterprise Manager or a third-party monitoring tool to monitor ASM operations
-- 9. View the ASM alert log
SELECT * FROM v$diag_info;
-- 10. Configure ASM security alerts
-- Use Oracle Enterprise Manager to configure security alerts
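Steps 4 and 5 produce audit records but do not say what to look for in them. The script below is an added example, not code from this tutorial, that reviews rows shaped like DBA_AUDIT_TRAIL (the column names are an assumption about that view; the sample rows, account names, hosts and timestamps are constructed) and raises findings for disk group DDL by an account outside the SYSASM allowlist, failed privileged statements, DROP operations outside a change window, and sessions from hosts that are not ASM cluster nodes.

```python
from datetime import datetime, time

# The statements the page audits on the ASM instance (AUDIT ... BY asm_user).
PRIVILEGED_ACTIONS = {
    "CREATE DISKGROUP", "ALTER DISKGROUP", "DROP DISKGROUP", "CREATE DISK", "DROP DISK",
}

# Constructed sample rows shaped like DBA_AUDIT_TRAIL columns (an assumption
# about the view's layout); users, hosts and times are invented for the demo.
SAMPLE_AUDIT_ROWS = [
    {"timestamp": "2024-03-01 02:15:00", "username": "ASM_ADMIN", "os_username": "oracle",
     "userhost": "asm-node1", "action_name": "CREATE DISKGROUP",
     "obj_name": "ENCRYPTED_DG", "returncode": 0},
    {"timestamp": "2024-03-01 14:32:10", "username": "ASM_USER", "os_username": "oracle",
     "userhost": "asm-node1", "action_name": "DROP DISKGROUP",
     "obj_name": "DATA_DG", "returncode": 0},
    {"timestamp": "2024-03-01 14:33:02", "username": "ASM_USER", "os_username": "jdoe",
     "userhost": "laptop-17", "action_name": "ALTER DISKGROUP",
     "obj_name": "DATA_DG", "returncode": 1031},
    {"timestamp": "2024-03-01 15:00:00", "username": "ASM_ADMIN", "os_username": "oracle",
     "userhost": "asm-node1", "action_name": "SELECT",
     "obj_name": "V_$ASM_DISKGROUP", "returncode": 0},
]


def review_asm_audit(rows, approved_users, expected_hosts,
                     change_window=(time(0, 0), time(6, 0))):
    """Return a list of findings for privileged disk group operations.

    Checks: the account is on the storage-admin allowlist, the statement
    succeeded (a non-zero returncode on a privileged statement is a failed
    attempt worth a look), DROPs fall inside the change window, and the
    session came from a known cluster node.
    """
    approved = {u.upper() for u in approved_users}
    hosts = set(expected_hosts)
    start, end = change_window
    findings = []
    for row in rows:
        action = row["action_name"].upper()
        if action not in PRIVILEGED_ACTIONS:
            continue  # SELECTs and other noise are not reviewed here
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        actor = f'{row["username"]} (os {row["os_username"]}@{row["userhost"]})'

        def flag(kind, detail):
            findings.append({"kind": kind, "action": action, "object": row["obj_name"],
                             "actor": actor, "at": row["timestamp"], "detail": detail})

        if row["username"].upper() not in approved:
            flag("UNAPPROVED_USER", "account is not on the SYSASM allowlist")
        if row["returncode"] != 0:
            # returncode carries the Oracle error number, e.g. 1031 -> ORA-01031
            flag("FAILED_PRIVILEGED_ACTION", f'ORA-{row["returncode"]:05d} returned')
        if action.startswith("DROP") and not (start <= when.time() < end):
            flag("DROP_OUTSIDE_WINDOW", f"outside {start:%H:%M}-{end:%H:%M}")
        if row["userhost"] not in hosts:
            flag("UNEXPECTED_HOST", "session host is not an ASM cluster node")
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count}, handy for a daily report line."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_asm_audit(SAMPLE_AUDIT_ROWS, {"ASM_ADMIN"}, {"asm-node1"}):
        print(f)
```

On the constructed rows the DROP DISKGROUP by ASM_USER in the afternoon and the failed ALTER from an unknown host each raise several findings, while the CREATE DISKGROUP by the approved account inside the window raises none. Feeding real rows means replacing SAMPLE_AUDIT_ROWS with the output of the step 5 query mapped onto the same keys.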
Part04-Production cases and hands-on walkthrough
4.1 Oracle database ASM security management case
The following is a practical ASM security management case:
-- 1. Check the ASM instance status
SELECT instance_name, status FROM v$instance;
-- 2. Create an ASM user and grant privileges
CREATE USER asm_admin IDENTIFIED BY password;
GRANT SYSASM TO asm_admin;
-- 3. Configure the ASM password file (OS shell; double quotes so $ORACLE_HOME expands)
$ orapwd FILE="$ORACLE_HOME/dbs/orapw+ASM" ENTRIES=10 FORCE=Y
-- 4. Enable ASM auditing
ALTER SYSTEM SET audit_trail = 'DB' SCOPE=SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE=SPFILE;
-- 5. Restart the ASM instance
SHUTDOWN IMMEDIATE;
STARTUP;
-- 6. Create an encrypted ASM disk group
CREATE DISKGROUP encrypted_dg NORMAL REDUNDANCY
  FAILGROUP fg1 DISK '/dev/sdb1', '/dev/sdc1'
  FAILGROUP fg2 DISK '/dev/sdd1', '/dev/sde1'
  ATTRIBUTE 'compatible.asm' = '19.0.0', 'compatible.rdbms' = '19.0.0', 'encryption' = 'Y';
-- 7. Configure the keystore
ALTER SYSTEM SET encryption_key_management = 'FILE' SCOPE=SPFILE;
ALTER SYSTEM SET encryption_key_destination = '/u01/app/oracle/admin/fgedudb/wallet' SCOPE=SPFILE;
-- 8. Restart the database instance
SHUTDOWN IMMEDIATE;
STARTUP;
-- 9. Open the keystore and create the master key
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "password";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "password" WITH BACKUP;
ADMINISTER KEY MANAGEMENT SET KEYSTORE CLOSE IDENTIFIED BY "password";
-- 10. Create an encrypted tablespace
CREATE TABLESPACE sensitive_data
  DATAFILE '+encrypted_dg/fgedudb/datafile/sensitive_data01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' ENCRYPT;
-- 11. Audit ASM operations
AUDIT CREATE DISKGROUP BY asm_admin;
AUDIT ALTER DISKGROUP BY asm_admin;
AUDIT DROP DISKGROUP BY asm_admin;
AUDIT CREATE DISK BY asm_admin;
AUDIT DROP DISK BY asm_admin;
-- 12. Monitor the ASM security status
-- Use Oracle Enterprise Manager to monitor the ASM security status
-- 13. Back up the keystore (OS shell)
$ cp /u01/app/oracle/admin/fgedudb/wallet/* /backup/wallet/
-- 14. Verify the security configuration
SELECT name, encryption FROM v$asm_diskgroup;
SELECT tablespace_name, encrypted FROM dba_tablespaces;
SELECT * FROM v$audit_trail;
4.2 Diagnosing and resolving ASM security management problems
ASM security management problem diagnosis and resolution:
-- 1. Privilege problems
-- Check the ASM user privileges
SELECT * FROM v$asm_user;
-- Solution: grant the required privileges
GRANT SYSASM TO asm_user;
-- 2. Encryption problems
-- Check the disk group encryption status
SELECT name, encryption FROM v$asm_diskgroup;
-- Solution: enable encryption and configure the keystore
ALTER DISKGROUP data_dg SET ATTRIBUTE 'encryption' = 'Y';
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "password";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "password" WITH BACKUP;
-- 3. Audit problems
-- Check the audit settings
SHOW PARAMETER audit;
-- Solution: enable auditing and configure the audit parameters
ALTER SYSTEM SET audit_trail = 'DB' SCOPE=SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE=SPFILE;
-- 4. Keystore problems
-- Check the keystore status
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "password";
ADMINISTER KEY MANAGEMENT SHOW KEYSTORE STATUS;
-- Solution: create the keystore and set the master key
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/fgedudb/wallet' IDENTIFIED BY "password";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "password" WITH BACKUP;
-- 5. Access control problems
-- Check the ASM user privileges
SELECT * FROM v$asm_user;
-- Solution: configure access control and restrict user privileges
REVOKE SYSASM FROM asm_user;
GRANT SYSOPER TO asm_user;
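Item 5 checks the ASM user privileges and remediates by swapping SYSASM for SYSOPER. The script below is an added example, not code from this tutorial, that automates that review: it parses SQL*Plus-style output in the shape of V$PWFILE_USERS (the USERNAME/SYSDBA/SYSOPER/SYSASM column layout is an assumption, and the rows are constructed) and produces the REVOKE/GRANT statements for every SYSASM holder who is not on the approved list. SYS is always left alone, and the generated statements are meant to be reviewed before they are run.

```python
# Constructed SQL*Plus-style output shaped like V$PWFILE_USERS (the column
# layout is an assumption); account names and flags are invented for the demo.
SAMPLE_PWFILE_OUTPUT = """
USERNAME   SYSDBA SYSOPER SYSASM
---------- ------ ------- ------
SYS        TRUE   TRUE    TRUE
ASM_ADMIN  TRUE   FALSE   TRUE
ASM_USER   TRUE   FALSE   TRUE
ASM_MON    FALSE  TRUE    FALSE
"""

PRIVILEGE_COLUMNS = ("SYSDBA", "SYSOPER", "SYSASM")


def parse_pwfile_users(text):
    """Parse whitespace-separated SQL*Plus rows into dicts.

    The first non-empty line is taken as the header; the dash rule under it
    and blank lines are skipped; TRUE/FALSE flags become booleans.
    """
    users = []
    header = None
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or set(line.replace(" ", "")) <= {"-"}:
            continue
        if header is None:
            header = [p.upper() for p in parts]
            continue
        row = dict(zip(header, parts))
        for col in PRIVILEGE_COLUMNS:
            row[col] = row.get(col, "FALSE").upper() == "TRUE"
        users.append(row)
    return users


def least_privilege_plan(users, approved_sysasm):
    """Return (findings, statements) for SYSASM holders outside the allowlist.

    Mirrors the page's remediation: revoke SYSASM and grant SYSOPER instead, so
    the account can still start and stop the instance without storage admin
    rights. SYS is exempt because its privileges cannot be revoked.
    """
    approved = {u.upper() for u in approved_sysasm} | {"SYS"}
    findings, statements = [], []
    for u in users:
        name = u["USERNAME"].upper()
        if u["SYSASM"] and name not in approved:
            findings.append({"user": name, "issue": "SYSASM granted but not on the allowlist"})
            statements.append(f"REVOKE SYSASM FROM {name};")
            if not u["SYSOPER"]:
                statements.append(f"GRANT SYSOPER TO {name};")
    return findings, statements


if __name__ == "__main__":
    parsed = parse_pwfile_users(SAMPLE_PWFILE_OUTPUT)
    found, plan = least_privilege_plan(parsed, ["ASM_ADMIN"])
    for f in found:
        print(f)
    print("\n".join(plan))
```

With ASM_ADMIN as the only approved storage administrator, the constructed table yields one finding (ASM_USER) and the two statements from item 5; ASM_MON, which only holds SYSOPER, is not touched.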
4.3 Troubleshooting
ASM security management troubleshooting: the checks and fixes are the same five items as in 4.2 (privileges, encryption, auditing, keystore, access control).
Part05-Summary of 风哥's experience and tips
5.1 ASM security management best practices
- Follow the principle of least privilege and grant only the privileges that are needed
- Update passwords and access control lists regularly
- Enable auditing and monitor critical operations
- Use encryption to protect sensitive data
- Back up the ASM configuration and data regularly to keep data safe
- Carry out security audits and vulnerability scans regularly
- Manage encryption keys with a keystore to keep the keys safe
- Configure security alerts so that problems are found and fixed promptly
5.2 Common problems and solutions
- Privilege problems: grant the required privileges, following the principle of least privilege
- Encryption problems: enable encryption, configure the keystore, manage the encryption keys
- Audit problems: enable auditing, configure the audit parameters, monitor the audit records
- Keystore problems: create the keystore, set the master key, back up the keystore
- Access control problems: configure access control, restrict user privileges, update passwords regularly
5.3 Security management recommendations
- Define a complete security management policy covering privilege management, encryption management and audit management
- Carry out security audits and vulnerability scans regularly to find and fix security problems promptly
- Use tools such as Oracle Enterprise Manager to monitor the ASM security status
- Back up the ASM configuration and data regularly to keep data safe
- Train DBAs to raise security awareness and operational skills
- Establish a security incident response process so that incidents are handled promptly
- Update the Oracle software regularly to patch security vulnerabilities
- Follow industry best practices and compliance requirements to keep the system secure
This article was compiled and published by 风哥教程 for learning and testing use only; credit the source when reposting: http://www.fgedu.net.cn/10327.html
