风哥教程参考DB2官方文档Security、Hardening等内容,详细介绍DB2安全加固、密码策略、访问控制等。更多视频教程www.fgedu.net.cn
目录大纲
Part01-安全加固概述
1.1 安全加固重要性
安全加固重要性:
- 防止未授权访问
- 保护敏感数据
- 满足合规要求
- 降低安全风险
1.2 加固范围
- 实例级加固:实例参数、认证方式
- 数据库级加固:权限、加密、审计
- 网络级加固:防火墙、SSL、端口
- 操作系统级加固:文件权限、用户管理
Part02-密码策略
2.1 密码复杂度
UPDATE DATABASE MANAGER CONFIGURATION USING CLPWFILE /db2/security/password.policy;
# 密码复杂度要求
# – 最小长度:8位
# – 包含大小写字母
# – 包含数字
# – 包含特殊字符
# 创建密码验证函数
CREATE OR REPLACE FUNCTION FN_VALIDATE_PASSWORD(p_password VARCHAR(50))
RETURNS INTEGER
LANGUAGE SQL
BEGIN
DECLARE v_length INTEGER;
DECLARE v_has_upper INTEGER;
DECLARE v_has_lower INTEGER;
DECLARE v_has_digit INTEGER;
DECLARE v_has_special INTEGER;
SET v_length = LENGTH(p_password);
SET v_has_upper = CASE WHEN LOCATE(‘A’, p_password) > 0 OR
LOCATE(‘B’, p_password) > 0 OR
LOCATE(‘C’, p_password) > 0 THEN 1 ELSE 0 END;
SET v_has_lower = CASE WHEN LOCATE(‘a’, p_password) > 0 OR
LOCATE(‘b’, p_password) > 0 OR
LOCATE(‘c’, p_password) > 0 THEN 1 ELSE 0 END;
SET v_has_digit = CASE WHEN LOCATE(‘0’, p_password) > 0 OR
LOCATE(‘1’, p_password) > 0 OR
LOCATE(‘2’, p_password) > 0 THEN 1 ELSE 0 END;
SET v_has_special = CASE WHEN LOCATE(‘!’, p_password) > 0 OR
LOCATE(‘@’, p_password) > 0 OR
LOCATE(‘#’, p_password) > 0 THEN 1 ELSE 0 END;
IF v_length >= 8 AND v_has_upper = 1 AND v_has_lower = 1
AND v_has_digit = 1 AND v_has_special = 1 THEN
RETURN 1;
ELSE
RETURN 0;
END IF;
END;
# 使用密码验证
SELECT FN_VALIDATE_PASSWORD(‘Abc123!@’) FROM SYSIBM.SYSDUMMY1;
2.2 密码过期策略
UPDATE DATABASE CONFIGURATION USING PWD_EXPIRY_DAYS 90;
# 查看密码过期配置
GET DATABASE CONFIGURATION | grep PWD_EXPIRY_DAYS;
# 创建密码历史表
CREATE TABLE PASSWORD_HISTORY (
USER_NAME VARCHAR(128) NOT NULL,
PASSWORD_HASH VARCHAR(256) NOT NULL,
CHANGE_TIME TIMESTAMP NOT NULL DEFAULT CURRENT TIMESTAMP,
CONSTRAINT PK_PASSWORD_HISTORY PRIMARY KEY (USER_NAME, CHANGE_TIME)
);
# 创建密码修改触发器
CREATE TRIGGER TRG_PASSWORD_CHANGE
AFTER UPDATE OF PASSWORD ON USER_PASSWORD
REFERENCING NEW AS N
FOR EACH ROW
BEGIN
INSERT INTO PASSWORD_HISTORY (USER_NAME, PASSWORD_HASH)
VALUES (N.USER_NAME, N.PASSWORD_HASH);
END;
# 检查密码历史
SELECT COUNT(*)
FROM PASSWORD_HISTORY
WHERE USER_NAME = ‘APP_USER’
AND CHANGE_TIME > CURRENT DATE – 365 DAYS;
Part03-访问控制
3.1 最小权限原则
CREATE ROLE APP_READONLY;
CREATE ROLE APP_READWRITE;
CREATE ROLE APP_ADMIN;
# 授予只读权限
GRANT SELECT ON TABLE ORDERS TO APP_READONLY;
GRANT SELECT ON TABLE CUSTOMER TO APP_READONLY;
GRANT SELECT ON TABLE PRODUCT TO APP_READONLY;
# 授予读写权限
GRANT SELECT, INSERT, UPDATE ON TABLE ORDERS TO APP_READWRITE;
GRANT SELECT, INSERT, UPDATE ON TABLE CUSTOMER TO APP_READWRITE;
# 授予管理权限
GRANT ALL ON TABLE ORDERS TO APP_ADMIN;
GRANT ALL ON TABLE CUSTOMER TO APP_ADMIN;
# 授予角色给用户
GRANT APP_READONLY TO app_readonly_user;
GRANT APP_READWRITE TO app_readwrite_user;
GRANT APP_ADMIN TO app_admin_user;
# 查看用户权限
SELECT
GRANTEE,
GRANTEETYPE,
TABSCHEMA,
TABNAME,
SELECTAUTH,
INSERTAUTH,
UPDATEAUTH,
DELETEAUTH
FROM SYSCAT.TABAUTH
WHERE GRANTEE = ‘APP_READONLY’;
3.2 行级访问控制
CREATE TABLE SENSITIVE_DATA (
ID INTEGER NOT NULL,
DEPARTMENT VARCHAR(50) NOT NULL,
DATA_VALUE VARCHAR(500),
CONSTRAINT PK_SENSITIVE_DATA PRIMARY KEY (ID)
);
# 创建权限视图
CREATE VIEW V_SENSITIVE_DATA_DEPT AS
SELECT * FROM SENSITIVE_DATA
WHERE DEPARTMENT = CURRENT_USER;
# 授权视图
GRANT SELECT ON V_SENSITIVE_DATA_DEPT TO dept_user;
# 创建行级权限控制函数
CREATE OR REPLACE FUNCTION FN_CHECK_DEPARTMENT(p_dept VARCHAR(50))
RETURNS INTEGER
LANGUAGE SQL
BEGIN
IF p_dept = CURRENT_USER THEN
RETURN 1;
ELSE
RETURN 0;
END IF;
END;
# 创建行级权限触发器
CREATE TRIGGER TRG_CHECK_DEPARTMENT
NO CASCADE BEFORE INSERT OR UPDATE OR DELETE ON SENSITIVE_DATA
REFERENCING NEW AS N OLD AS O
FOR EACH ROW
BEGIN
DECLARE v_allowed INTEGER;
IF INSERTING THEN
SET v_allowed = FN_CHECK_DEPARTMENT(N.DEPARTMENT);
ELSE
SET v_allowed = FN_CHECK_DEPARTMENT(O.DEPARTMENT);
END IF;
IF v_allowed = 0 THEN
SIGNAL SQLSTATE ‘45000’
SET MESSAGE_TEXT = ‘Access denied for this department’;
END IF;
END;
Part04-网络安全
4.1 SSL加密连接
# 1. 创建证书请求
openssl req -new -newkey rsa:2048 -nodes -keyout db2server.key -out db2server.csr
# 2. 签名证书
openssl x509 -req -days 365 -in db2server.csr -signkey db2server.key -out db2server.crt
# 3. 创建证书库
gsk8capicmd_64 -keydb -create -db /db2/ssl/key.kdb -pw password -type kdb -stash
# 4. 导入证书
gsk8capicmd_64 -cert -import -db /db2/ssl/key.kdb -pw password -label db2server -file db2server.crt
# 配置SSL
UPDATE DATABASE MANAGER CONFIGURATION USING
SSL_SVR_KEYDB /db2/ssl/key.kdb
SSL_SVR_STASH /db2/ssl/key.sth
SSL_SVR_LABEL db2server
SSL_SVCENAME 50001;
# 重启实例
db2stop
db2start
# 客户端连接
db2 connect to FGEDB user db2inst1 using password
SSLCLIENT=true SSLServerCertificate=/db2/ssl/db2server.crt
# 查看SSL配置
GET DATABASE MANAGER CONFIGURATION | grep SSL;
4.2 网络访问控制
# 只允许特定IP访问
iptables -A INPUT -p tcp -s 192.168.1.0/24 –dport 50000 -j ACCEPT
iptables -A INPUT -p tcp –dport 50000 -j DROP
# 配置DB2连接限制
UPDATE DATABASE MANAGER CONFIGURATION USING
AUTHENTICATION SERVER_ENCRYPT
TRUST_ALLCLNTS NO
TRUST_CLNTAUTH SERVER;
# 创建允许连接的主机列表
UPDATE DATABASE MANAGER CONFIGURATION USING
SVT_ENCRYPT_AES ON;
# 配置连接超时
UPDATE DATABASE MANAGER CONFIGURATION USING
CONNECT_TIMEOUT 10
IDLE_TIMEOUT 600;
# 查看连接配置
GET DATABASE MANAGER CONFIGURATION;
# 监控连接
SELECT
AGENT_ID,
CLIENT_IPADDR,
APPL_NAME,
APPL_STATUS
FROM SYSIBMADM.APPLICATIONS
ORDER BY CLIENT_IPADDR;
Part05-风哥经验总结与分享
5.1 安全加固要点
- 实施最小权限原则
- 配置强密码策略
- 启用SSL加密连接
- 定期审查权限
- 启用审计日志
- 定期安全扫描
5.2 加固建议
| 加固项 | 建议配置 | 检查频率 |
|---|---|---|
| 密码策略 | 8位以上,包含大小写数字特殊字符 | 每季度 |
| 权限审查 | 最小权限,定期回收 | 每月 |
| SSL加密 | 启用SSL,证书有效期1年 | 每年 |
| 审计日志 | 启用审计,保留1年 | 每天 |
5.3 运维要点
- 定期审查用户权限
- 定期检查密码策略
- 监控异常登录
- 定期更新SSL证书
- 定期安全扫描
- 建立安全事件响应流程
学习交流加群风哥微信: itpux-com
风哥Oracle/MySQL/PostgreSQL/Greenplum/DB2/Redis等数据库培训课程,10年一线实战经验,企业级培训,真正掌握数据库核心技术!
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
