02-Harding the Database

1CNG HAC S D LiU

Bin son: Ng Duy Anh-2010

Ni Dung

Ni dung tho lun trong phn ny bao gm:Ni dung tho lun trong phn ny bao gm: Tng quan cng ha h thng c s d liu Chn la hng dn cho vic cng ha Oracle Cng c s dng nh gi im d tn thng (VA

Tools) C s to v duy tr cu hnh an ton bo mt Lm sch d liu i vi mi trng th nghim

Bin son: Ng Duy Anh-2010Phn II - 2

Lm sch d liu i vi mi trng th nghim Tho lun: Phng th chiu su

2 Tng quan cng ha h thng c s d liuTng quan cng ha h thng c s d liu Chn la hng dn cho vic cng ha Oracle Cng c s dng nh gi im d tn thng (VA

Tools) C s to v duy tr cu hnh an ton bo mt Lm sch d liu i vi mi trng th nghim Tho lun: Phng th chiu su


Tho lun: Phng th chiu su

Tng quan cng ha h thng

Vic lm cng ha h thng l qu trinh cu hnh mt cch an ton h thng bo v h thng khi s truy cp tri php.

Vic lm cng h thng l cn thit i vi bt k h thng no c mt lot cc ty chn cu hnh, v l phng n kh thi vi bt k h thng no c y bin php bo m thch hp cho vic s dng trong cc mi trng nh hng bo mt.

Mc ch lm cng ha h thng l loi tr nguy c bo mt cng nhiu cng tt Thc hin bng cch


cng nhiu cng tt. Thc hin bng cch Loi b tt c cc yu t khng cn thit t h thng. Ty chn cu hnh gii hn truy cp v gim thiu ri ro

3Cng ha CSDL Oracle

Oracle pht trin nhiu la chn hn, v nhiu la chn sn c trong h thng, cc cc ty chn ny cung cp cch thc mi truy cp d liu.i khi nhiu la chn khng thch hp gip cho k tn cng truy i khi nhiu la chn khng thch hp gip cho k tn cng truy cp tri php.

Kh khn hn trong vic lm cng ha v nhng ri ro bo mt c th c mt trong h thng

Nhng Oracle cng c nhiu ty chn bo mt hn sn c s dng bo mt.

Cng ha CSDL Oracle bao gm mt lot cc hot ng lin quan hi l i t h h h


n nhiu loi ty chn cu hnh Hng dn quan trong nht l Tnh nng khng s dng th g b Cng gim thiu b mt tip xc, th cng an ton.

Cng ha CSDL Oracle

Hy b hoc kha cc ti khon c nh ngha trc m bn khng s dng. Thay i mt khu cho nhng ti khon c nh ngha trc m bn cn s dng (O l 11 h h h )(Oracle 11g c cu hnh nh vy)

Hy b cc Roles nh ngha trc m bn khng s dng.

Hy b cc thnh phn trong phn mm c s d liu m bn khng s dng.

Hy b ty chn m bn khng s dng - chng hn, loi b EXTPROC t Listener nu bn khng s dng external


b EXTPROC t Listener nu bn khng s dng external procedure.

Hy b c quyn t Public m bn khng yu cu. Vic a ra danh sch cc hot ng cn xem xt l cng

vic ln.

4 Tng quan cng ha h thng c s d liuTng quan cng ha h thng c s d liu Chn la hng dn cho vic cng ha Oracle Cng c s dng nh gi im d tn thng (VA

Tools) C s to v duy tr cu hnh an ton bo mt Lm sch d liu i vi mi trng th nghim Tho lun: Phng th chiu su


Tho lun: Phng th chiu su

Hng dn cho vic lm cng Oracle

Lm cng mt h thng phc tp bt k gm nhiu chi tit nh, mt h thng c th c nhiu cu hnh

Bn cn c mt danh sch cc cng vic bn cn thc hin (hoc chng thc) to ra mt cu hnh cng.

Vi Oracle l mt danh sch di, nhng c cng khai v min ph

C 2 ti liu hng dn vit rt k cng cn thn i vi vic ci t mt h thng c cu hnh an ton. Bn cn xem khi to qu trnh x l vic cng ha ca ring bn

D t b S it T h i l I l t ti G id (STIG)


Database Security Technical Implementation Guide (STIG) c pht trin bi Defense Information Systems Agency (DISA) cho Department of Defense (DOD)

Center for Internet Security (CIS) Benchmark for Oracle c pht trin bi CIS

51. Database STIG

STIGs l ti liu c xut bn bi cc DISA h tr ci thin an ninh ca h thng thng tin ca B Quc phng

C nhiu ti liu STIG-tt c chng c th truy cp ti: http://iase.disa.mil/stigs/stig/index.html

Danh sch kim tra (checklist) c th ti ti: http://iase.disa.mil/stigs/checklist/index.html

Database STIG tp trung vo cc CSDL quan h Database STIG c mt phn chung vch ra hng dn

lin quan n bt k h thng qun l c s d liu (DBMS) no v c mt phn c th cho Oracle c thm


(DBMS) no v c mt phn c th cho Oracle c thm cc bc lin quan ch cho ring Oracle.

STIGs: Phn chung cho cc h thng DBMS

1. Integrity (tnh ton vn)a. Software integrityb. Database software developmentc. Ad-hoc queriesd. Multiple services host systemse. Data integrityincluding file integrity, software baseline, and file

backup and recovery

2. Discretionary access control (iu khin quyn truy cp)a. Account controlb. Authentication


c. Database accountsd. Authorizationse. Protection of sensitive dataf. Protection of stored applicationsg. Protection of database files

6STIGs: Phn chung cho cc h thng DBMS(tip theo)

3. Database auditinga. Audit data requirementsb. Audit data backupsc. Audit data reviewsd. Audit data accesse. Database monitoring

4. Network accessa. Protection of database identification parametersb. Network connections to the databasec. Database replication


d. Database links

5. Operating system (OS)a. File accessb. Local database accountsc. Administrator accountsd. OS groups

STIGs: Cc chnh sch c th ring cho Oracle

6. Oracle access controla. Oracle identification and authenticationb. Oracle connection poolingc. Secure distributed computingd. Oracle administrative connectionse. Oracle administrative OS groupsf. Default accountsg. Default passwordsh. Oracle password management requirements

7. Oracle authorizations


a. Predefined rolesb. System privilegesc. Object privilegesd. Administration of privileges

8. Oracle replication

7STIGs: Cc chnh sch c th ring cho Oracle(tip theo)

9. Network securitya. Encrypting network loginsb. Protecting network communicationsc. Listener securityd. XML DB protocol server

10. Oracle Intelligent Agent/Oracle Enterprise Manager (OEM)11. Oracle account protections12. ARCHIVELOG13. Securing SQL*Plus


14. Protecting stored procedures15. Oracle trace utility16. Auditing in Oracleincludes standard auditing, fine-grained

auditing, mandatory auditing, and architectural discussions

STIGs: Cc chnh sch c th ring cho Oracle(tip theo)

17. File and directory permissions at the OS level18. Critical file managementincluding control files, redo log g g , g

files, and data files19. Optimal Flexible Architecture (OFA)20. Initialization parameters21. Miscellaneous OS requirementsincluding Unix, Window,

and z/OS


82. CIS Oracle Benchmark

CCIS (www.cisecurity.org) ban hnh cc chun CIS cho Oracle nh l mt phn ca mt tp hp cc tiu ch chun, rt nhiu cng c, phn mm, d liu, v cc dch v khc b h l t d h h tt i d t c cng b nh l mt dch v cho tt c ngi dng trn ton th gii.

Bn c th ti v cc tiu chun t:http://www.cisecurity.org/bench_oracle.html

Cc khuyeend ngh trong kt qu Oracle benchmark l mt qu trnh xy dng ng thun t cc chuyn gia bo mt Oracle hng u

Cc chun CIS c dng ca mt danh sch kim tra chia thnh mt s on


s on Trong mi phn l mt danh sch cc mc cn c xc nhn Mi mc nh vy bao gm: m t, cc hnh ng hoc

ngh thit lp cho cc tham s, kin, phin bn Oracle p dng, h iu hnh..

Cc phn chnh CIS Oracle benchmark

1. OS-specific settings2. Installation and patch3. Oracle directory and file permissions4. Oracle parameter settings5. Encryption-specific settings6. Startup and shutdown7. Backup and disaster recovery8. Oracle user profile setup settings9. Oracle user profile access settings10 E t i M /G id C t l/A t


10. Enterprise Manager/Grid Control/Agents11. Items relevant to specific subsystems12. General policy and procedures13. Auditing policy and procedures14. Appendix Aadditional settings

9Tm tt 02 ti liu

C hai ti liu c cch tip cn rng i vi vic cng ha CSDL

Khng c gii thch theo ngha hp vic cng ha CSDL m ch bao hm cc thit lp cu hnh nht nh, loi b cc

thnh phn mc nh, kha ngi s dng, Cung cp mt danh sch y bao gm c nhng hot

ng phi c kim ton, chia ra trch nhim cn thc hin u, v nhng hot ng cn phi c thc hin, vv

STIG tp trung hn vo vic ci t chung process tin


STIG tp trung hn vo vic ci t chung, process-tin trnh, roles-vai trnhng vn cn tham gia trong vic an ton bo mt mi trng Oracle.

Hai vic cn nh v vic chn hng dncng ha CSDL

1. Khng nn t mnh ngh v xy dng danh sch kim tra (checklist) vic lm cng CSDL; C cc hng dn tt cho bn chn la nh l CIS Oracle benchmark hoc Database STIGSTIG

2. S dng cc ti liu ny khng ch l mt hng dn lm cng CSDL m cn l c s ci t an ton bo mt Oracle mt cch ton din. Cc ti liu ny phc tho cc thit lp cu hnh cng nh phc tho cc tin trnh, th tc v nhng g bn cn tp trung vo. Theo nhiu cch tt c bi hc trong kha ny gii thch lm th no s dng cng c


g y g g g Oracle thc hin iu m hai ti liu ngh bn lm.

10

Hng dn cng c s dng nh gi im d tn thng (VA Tools)

Vic s dng checklist vic cng ha h thng l n gin nhng t nht

Checklist c nhiu phn kim tra v chnh sa c th c thc hin t ng

Trong thc t khng t ng cc cng vic ny nhanh chng tr ln khng th qun l (trong trng hp bn c hng chc, hng trm trng hp v tt c khng th ph hp s dng vi ch 1 gold build.

Cng c c s dng gi l vulnerability assessment (VA) tools hoc vulnerability scanners


tools hoc vulnerability scanners

Vulnerability assessment (VA) tools

Qut cc trng hp CSDL v a ra kt qu mt bo co cho thy nhng thay i cn thc hin lm CSDL an ton hn Kt qu trnh by di hnh thc 1 bn bo co an ninh v

phn loi cc vn , khuyn co thc hin CSDL an ton hn, tit kim hu ht cc cng vic t nht lin quan r sot c s d liu v s lin kt kt qu vi checklists


11

VA tools

C nhiu cng c VA cho Oracle bao gm: AppDetective, AppSentry, Guardium, IPLocks,v NGS Squirrel

VA Tool thc hin nhiu loi kim tra, cc loi ny c th chia lm 3 nhm chnh:

Kim tra l hng phn mm Kim tra cu hnh sai Kim tra vic s dng sai i vi CSDL

Tt c cc kim tra l cn thit kim tra l hng trong c s d liu ca bn.

Vic kim tra cc l hng (trong tt c cc loi) c thc hin bng cch s dng mt cch tip cn a hng.


g g p g Mt s iu c th c kim tra t bn ngoi vo Mt s kim tra khc c thc hin t bn trong c s d liu.

Cng c VA c nhiu ch lm vic cung cp cho bn hnh nh y .

Ba iu cn nh v vicS dng mt cng c nh gi

1. Mt s cng c VA l phn mm quyt c lp v nhng cng c khc l mt phn ca b sn phm phn mm bo mt CSDL ln hn. Nu bn ang mun thc hin y ki h d D t b STIG t d h h ki tcc kin ngh do Database STIG trong danh sch kim tra

CIS, Bn nn xem xt cc b sn phm c th h kim tonvic trin khai ca bn, thc hin pht hin xm nhp, chia tch trch nhim,v.v..

2. VA qut kim tra c hai l hng v CPU ci t (hoc bn cn phi ci t) cng nh cc cu hnh ca CSDL.

3 Mt s cc kim tra m bn cn thc hin c cp h


3. Mt s cc kim tra m bn cn thc hin c cp h iu hnh. Hy chc chn rng cng c VA bn chn c th thc hin kim tra v s hu tp tin, quyn tp tin, ..vv..

12

C sTo v Duy tr mt cu hnh an ton bo mt

Khi hon thnh vic lm cng CSDL, bn c mt cu hnh cht ch, nhng bn cn phi m bo rng n vn cn cht ch v khng b gim st theo thi gian.

C hai iu bn c th lm g m bo duy tr cu hnh an ton bo mt

Thc hin chy cc nh gi trn c s lch c lp tm cc l hng mi khi chng c to ra

V To ra mt c s i vi mt cu hnh m bn ng vi n v theo di bt k thay i t cu hnh ny bng cch s dng mt cnh bo cn phi c xem xt v ph duyt.


g yCc thc hin tt nht cho thy rng bn lm c hai bi v chng b sung cho nhau

Cng c theo di s thay i to ra mt ng ranh gii gia cc cu hnh ca bn v cnh bo bn v bt k thay i no c thc hin.

Cng c theo di cc thay i

l mt phn ca vic thc hin bo mt c s d liu l cch duy nht bn c th m bo rng khng c ai

thay th cc file ca bn vi cc phin bn Trojanthay th cc file ca bn vi cc phin bn Trojan l nhng cch hiu qu nht m bo rng scipts

chy theo nh k khng c s dng nh l mt l mt im ca s tha hip.

Hy tm mt cng c VA bao gm mt cng c theo di s thay i m bo vic tun th v duy tr tnh lin tc


13

Ba iu cn nh v c sto v duy tr cu hnh an ton bo mt

1. Cng c theo di cc thay i c s dng nhiu ln trong vic thc hin bo mt Oracle.Mt s trong s ny c th to v theo di c s an ton bo mt tip theo giai on lm h C VA kt h i th di thcng ha. Cc cng c VA kt hp vi cng c theo di thay i cho bn nhiu la chn hn trong vic tun th c tip tc

2. Baseline c to ra bi vic to ra bn tm tt c h thng xc nh duy nht file v script. Bt k thay i no s c a ra bo co

3 Baseline bao gm bng tm tt c h thng danh sch cc


3. Baseline bao gm bng tm tt c h thng danh sch cc file khng ln thay i, tm tt cc kt qu script OS, tm tt cc kt qu truy vn, tm tt cc gi tr bin mi trng, hoc cc im nhp trong regitry

Cp nht bn v li OracleCritical Patch Updates (CPU)

Lun lun ci t bn v li cho cc vn an ninh ngay khi chng c sn t Oracle

Khi cc l hng c pht hin, Oracle a ra cc bn v v bn phi ci t bn v loi b cc l hng

Cc bn v bo mt c a ra vi hnh thc CPU,Mt CPU l mt gi cc bn v li c pht hnh hng qu khc phc cc vn an ninh

CPU c a ra t nm 2005, trc khi CPU c c s dng cc cnh bo (Alert) v an ninh c ban hnh khi cc l hng c pht hin v c sa li


cc l hng c pht hin v c sa li Oracle CPU bao gm cc bn v sa li cho tt c cc thnh

phn phn mm ca Oracle Mi bn v c pht hnh ng vi mi phin bn ca

CSDL, Application Server, Enterprise Manager.

14

Cp nht bn v li OracleCritical Patch Updates (CPU)

Nm 2007, oracle gii thiu bn v x l p dng cho nhiu sn phm 1 lc (n-apply process) cc bn v c pht hnh i vi Oracle E-Business Suite, PeopleSoft, Siebel, v cc d khng dng khc.

Cc bn v li cho c s d liu c tch ly cc CPU mi nht bao gm tt c cc bn sa li cc CPU trc (tr khi c quy nh khc)

Mi CPU bao gm tp hp cc bn v li, mt t vn (advisory), cc ghi ch trc khi ci t, cc ghi ch v phin bn


bn

V d: database risk matrix in a CPU.


15

Common Vulnerability Scoring System (CVSS)H thng nh gi l hng bo mt


Database n-Apply CPUs

CPU thng 7/2007 vi nh dng n-Apply CPU c nhng li ch sau:

Cc bn v c ty bin gi quyt c cc xung t Loi tr c vic rollback v ci li cc CPU thc s

c ci t gim thiu gii hn thi gian cht. CPU vn cn tch ly, nhng vy qu trnh ci t c ci thin.

Kh nng thc hin ci t ch cc phn CPU mi c sa li hn l phi ci t li ton b cc CPU

N-Apply CPU l mt tp tin zip c cha cc phn t v c ci t bng cch s dng opatch. Mi phn t l mt nhm


g g p p cc bn sa li bo mt. Mi Phn t l mt bn v c lp khng xung t vi bt k phn t no khc trong CPU.

16

5 iu cn nh v CPU

1. CPU c pht hnh ba thng mt ln ti cc ngy c th,bn c th hoch nh trc th nghim v trin khai cc bn sa li.

2. CPU bao gm cc bn sa li bo mt cho l hng c pht hin. iu rt quan trng p dng bn sa li bo mt v y l cch tt nht bo v mnh khi cc cuc tn cng khai thc l hng

3. CPU bao gm mt ma trn cc nguy c cho php xc nh cch thc lm th no sa li cho cc mi trng ca bn


bn4. CPU c tch ly, nu p dng cc CPU mi nht bao

gm tt c cc bn sa li cho tt c cc l hng trc y.5. Vic gi n-Apply CPU cho php trin khai mt s l hng

mi so vi l hng c c a ra trong 1 bn v duy nht

Lm sch d liu i vi mi trng th nghim

Cc DBA m bo vic export d liu t production database cho mc ch pht trin hoc th nghim, cc thng tin nhy cm nh lng, thng tin c nhn,..b loi b hoc b isa i.

Cc Production database thng c gim st v qun l vic truy nhp cao hn so vi mi trng pht trin, iu ny ch c ngha khi d liu trong mi trng th nghim v pht trin thp hn so vi product

Cc nh pht trin c th truy cp c s d liu pht trin v th nghim nhng thng khng c vo my ch product


th nghim, nhng thng khng c vo my ch product

17

Lm sch d liu nhy cm

L mt cng vic ht sc kh khn, khng ch bn cn phi bit ni lu gi d liu nhy cm bn cn phi:

Thay i rt nhiu d liu m khng lm mt hiu lc ca ng dng cho cc th nghim (test d liu)nghim (test d liu)

Bn khng th thay i ngu nhin d liu. Nu c cc foreign keys cn chc chm rng key c bo ton v tt c tham chiu l nguyn vn

Mt vi fields i hi vic m ha logic Chc chn rng d liu cc ct c s dng cho index dy tr vic phn b thng

k l gn vi d liu product, nu khng vic kim tra v tc thc hin s khng th hin c gn vi mi trng product

Trn tt c l vic lm sch d liu product trc khi th nghim l vn kh gii quyt l l do ti sao nhiu t


nghim l vn kh gii quyt, l l do ti sao nhiu t chc pht trin khng lm iu v s dng d liu product nh l d liu th nghim. iu ny vi php cc hng dn an ninh

Enterprise Management Grid Control

Cng c u tin gip bn lm iu ny l la chn Data Masking trong Enterprise Manager

Cc bc cho php la chn Data Masking trong Enterprise Management Grid Control:

Bc 1: Log onto EM Bc 2: Kch chn Targets tab v Databases subtab Bc 3: La chn database m bn mun mt l d liu nhy cm Bc 4: Kch vo lin kt Administration. gc di bn phi l

phn Data Masking: Lin kt Definitions cho php bn thit lp cc quy tc lc


Lin kt Definitions cho php bn thit lp cc quy tc lc. Lin kt Format Library cho php bn xy dng mt th vin Data Masking. Mt nh dng mt n d liu xc nh cch bn mun mt n d liu nhy

cm.

18

Enterprise Management Grid Control(tip theo)

Bc 5: Kch lin kt Format Library, a n mt trang vi mt danh sch cc nh dng c sn. Bm vo Create.


Bc 6: Hnh trn cho thy mt nh dng che cc s an sinh x hi. Nhng con s ny c mt mu ca [0-9] {3} - [0-9] {2} - [0-9] {4}. Trong trng hp ny bn c th chn ngu nhin cc ch s t th xung v nhn vo Go. Nhp 1 l bt u v 11 l kt thc yu cu Oracle to ra 11 ch s ngu nhin cho bn. Nhp chut vo OK. Sau , bn s phi gi mt PL / SQL th tc a vo cc du gch ngang v tr 4 v 7, do nhp vo tn ca th tc ca bn v bm OK.


Bc 7: Kch chut vo mc Masking Definitions a bn tr li mn hnh Masking definitions. Nhp chut vo Mask to ra job to mt n. To job vi mt tn v chn d li i d li h t cc c s d liu ni cc d liu nhy cm c tr.

Bc 8: Nhp chut vo Add nh ngha ct lm mt n v thc hin lm mt n nh th no. a vo schemaname v nhp vo biu tng tm kim. Chn ct nhy cm t danh sch (hoc nhiu ct). Nhp chut vo Define Format v bm Add.


19


Bc 9: Kch Import From Library bi v bn to ra cc dng mt n. Chn nh dng ca bn v bm Import. By gi bn chn d liu nhy cm lm u v lm mt n

h th ( h h ) B N tn nh th no (xem hnh sau). Bm Next.



Bc 10: Kch bn c to ra. Xem li thng tin to ra v bmNext. Nhp cc thng tin host m kch bn s c lu tr. Nhp schedule nu job c lp lch hoc chn thc hin ngay. Nhp chut vo Nextchut vo Next.

Bc 11: Oracle to ra cc kch bn v bn c th xem n nh th hin trong hnh sau. Submit thc hin cng vic to mt n


20


Bn c th xem li trng thi (v cc li c th) ca vic lm mt n nh sau:



V d, nu bn s dng ch s ngu nhin v mt th tc PL/SQL b sung thm cc du gch ngang, v nu d liu ban u nh sau:


21


Kt qu sau khi d liu c lm mt n s nh sau:


Data Masking

La chn Data Masking l mt sn phm mi v v th ch c cc nh dng th s. Vi thi gian cc th vin nh dng mt n s pht trin v s bo qun c qun l thng k l iv logic

Tuy nhin, c mt tp hp ln cng c ca third-party thc hin chc nng ny v c mt b hon chnh cc thc hin v cc nh dng. V d nh Princeton Softech (nay l IBM Optim), Application, Solix, v HP/Outerbay.


22

3 iu cn nh v Lm sch d liu Test

1. Phi dn dp thng tin nhy cm nu mun to ra d liu th nghim bng cch sao chp d liu thc t t h thng product.

2. Dn dp d liu l tm thng, c th khng ch n gin thay th d liu vi cc chui ngu nhin hoc s. Phi gi gn logic ng dng, thng c m ha d liu v phi bo tn phn b thng k cho cc bi kim tra v tc thc hin.

3. Nn s dng cc cng c dn dp d liu, s dng gi data masking l mt phn ca Enterprise Management Grid


data masking l mt phn ca Enterprise Management Grid Control hoc s dng cc cng c ca bn th ba.

Tho lun v chin thutPhng th chiu su

Tt c cc bo mt thng tin hin i c thnh lp trn 1 khi nim gi l phng th chiu su

Phng th chiu su bao gm nhiu lp bo v lm tng chi ph ca mt cuc tn cng vo ni c nhiu ro cn

Nhiu k thut v nhiu h thng gip gim thiu nhng tc ng khi mt thnh phn phng th b tn thng hoc ph v

Cung cp cc vng t h thng gim st v xc nh xm nhp gip ta c c thi gian pht hin v phn cng

Phng th chiu su c xem l chin lc ch kh thi cho h th th ti


cc h thng thng tin Bo v mi trng Oracle phi tun theo nhng chin lc Lun nh lun n chnh ca phng th chiu su l khng da

ch vo 1 lp

23

Tng Kt

Ni dung tho lun trong phn ny bao gm:Ni dung tho lun trong phn ny bao gm: Tng quan cng ha h thng c s d liu Chn la hng dn cho vic cng ha Oracle Cng c s dng nh gi im d tn thng (VA

Tools) C s to v duy tr cu hnh an ton bo mt Lm sch d liu i vi mi trng th nghim


Lm sch d liu i vi mi trng th nghim Tho lun: Phng th chiu su

Documents

02-Harding the Database