Make audit logs more accessible! An introduction to Unified Auditing

2017.01.17 - JPOUG in 15 minutes #3 Michitoshi Yoshida (@miyosh0008)

Page 1: (title slide)

Page 2: Auditing in Oracle DB

Oracle DB

Page 3: before 12.1: several audit trails, several destinations

Audit source            Controlled by           Written to                                   Read by
Standard auditing       AUDIT_TRAIL             AUD$ (in the DB) or OS files in AUDIT_FILE_DEST   DBA, from the DB / OS
SYS operations          AUDIT_SYS_OPERATIONS    OS files in AUDIT_FILE_DEST                  OS
syslog output           AUDIT_SYSLOG_LEVEL      syslog (OS)                                  OS
Fine-grained auditing   DBMS_FGA                FGA_LOG$ (in the DB)                         DBA, from the DB

Each trail has its own parameter and its own destination, some inside the DB, some on the OS ... orz

Page 4: from 12.1: Unified Auditing

Standard auditing, SYS operations and fine-grained auditing (DBMS_FGA) all land in one trail,
exposed as SYS.UNIFIED_AUDIT_TRAIL and read by the DBA (or an audit viewer) from the DB.

Page 5: What changes with Unified Auditing

• Records from every audit source ➡ one queue in memory ➡ one trail (SYS.UNIFIED_AUDIT_TRAIL)
  ※ immediate write mode is also available (each record goes to the trail at once instead of being queued)
  ➡ Data Pump, SQL*Loader direct-path loads and RMAN operations are audited too
• The downside in 12.1
  ➡ the unified trail cannot be written to syslog or to OS files (UNIFIED_AUDIT_SYSTEMLOG only arrived in 12.2)

Page 6: Setup 1. Enable Unified Auditing

1. Relink the oracle binary (shut down the instances and the listener first; without the relink 12.1 runs in "mixed mode", writing both the old trails and the unified trail)

# $ cd $ORACLE_HOME/rdbms/lib
# $ make -f ins_rdbms.mk uniaud_on ioracle

-- Check that it took effect
SQL> select value from v$option where parameter = 'Unified Auditing';

VALUE
-----------
TRUE

Page 7: Setup 2. Move the trail out of SYSAUX

2. The unified trail is created in SYSAUX; move it to a dedicated tablespace (AUDITTBS here)

-- Create the tablespace first, then give AUDSYS quota on it
-- ※ required in 12.1 before the location can be changed
SQL> alter user AUDSYS quota unlimited on AUDITTBS;

SQL> begin
       DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION (
         AUDIT_TRAIL_TYPE           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
         AUDIT_TRAIL_LOCATION_VALUE => 'AUDITTBS' );
     end;
     /

Page 8: Setup 3. Dedicated audit accounts

3. Create accounts for audit administration and audit viewing, separate from the DBA accounts

-- AUDIT_ADMIN role
--  - create, enable and disable audit policies
--  - manage the trail (DBMS_AUDIT_MGMT: location, purge)
--  - also reads the audit views
SQL> create user AUDITADMIN identified by **********;
SQL> grant CREATE SESSION, AUDIT_ADMIN to AUDITADMIN;

-- AUDIT_VIEWER role
--  - read-only access to the audit views (UNIFIED_AUDIT_TRAIL etc.)
SQL> create user AUDITVIEWER identified by **********;
SQL> grant CREATE SESSION, AUDIT_VIEWER to AUDITVIEWER;

Page 9: What to audit

• Decide which users and which operations to audit → start from the privileged accounts
  ➡ sys, system

Page 10: Predefined audit policies (enabled by default in 12.1)

• ORA_SECURECONFIG: 46 security-relevant actions and system privileges
• ORA_LOGON_FAILURES: failed logon attempts

The 46 entries of ORA_SECURECONFIG (shown on the slide as a four-column table):

EXECUTE on SYS.DBMS_RLS, ALTER DATABASE LINK, ALTER PLUGGABLE DATABASE, ALTER PROFILE, ALTER ROLE, ALTER USER,
CREATE DATABASE LINK, CREATE DIRECTORY, CREATE PLUGGABLE DATABASE, CREATE PROFILE, CREATE ROLE, DROP DATABASE LINK,
DROP DIRECTORY, DROP PLUGGABLE DATABASE, DROP PROFILE, DROP ROLE, SET ROLE, ADMINISTER KEY MANAGEMENT,
ALTER ANY PROCEDURE, ALTER ANY SQL TRANSLATION PROFILE, ALTER ANY TABLE, ALTER DATABASE, ALTER SYSTEM, AUDIT SYSTEM,
CREATE ANY JOB, CREATE ANY LIBRARY, CREATE ANY PROCEDURE, CREATE ANY SQL TRANSLATION PROFILE, CREATE ANY TABLE,
CREATE EXTERNAL JOB, CREATE PUBLIC SYNONYM, CREATE SQL TRANSLATION PROFILE, CREATE USER, DROP ANY PROCEDURE,
DROP ANY SQL TRANSLATION PROFILE, DROP ANY TABLE, DROP PUBLIC SYNONYM, DROP USER, EXEMPT ACCESS POLICY,
EXEMPT REDACTION POLICY, GRANT ANY OBJECT PRIVILEGE, GRANT ANY PRIVILEGE, GRANT ANY ROLE, LOGMINING,
PURGE DBA_RECYCLEBIN, TRANSLATE ANY SQL

Page 11: A custom audit policy

-- Audit every action on SECDEMO.CUSTOMER that does not come from the application user
-- connecting from the application server's address; evaluate the condition per statement
SQL> create audit policy NONAPP_ACCESS_CUSTOMER
       actions ALL on SECDEMO.CUSTOMER
       when 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''SECDEMO''
             or SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') <> ''192.168.114.233'''
       evaluate per statement;

-- Creating a policy does not activate it; enable it explicitly
SQL> audit policy NONAPP_ACCESS_CUSTOMER;

Page 12
Page 13
Page 14: Viewing the records

SQL against UNIFIED_AUDIT_TRAIL

or: Oracle EM Cloud Control

Page 15: Licensing note

Enterprise Edition

Page 16: Reference

Oracle® Database 12c Release 1 (12.1) Security Guide, Configuring Audit Policies

http://docs.oracle.com/cd/E57425_01/121/DBSEG/audit_config.htm#GUID-AAE7D86F-4C64-402A-9D3E-BE7D13196E22

Page 17: Why syslog as well?

The trail lives only inside the DB: if the DB is down or under DoS, the records cannot be written or read.

➡ Send the records to syslog, and from there to a remote syslog server.

Page 18: Demo scenario

• Access to SECDEMO.CUSTOMER that does not come from the application
• ➡ written to syslog

Page 19: syslog output 1/4: let PL/SQL call syslog(3)

1. Allow the extproc agent to load libc

# the C library the Oracle DB will call; path for RHEL/Oracle Linux 6 (x86_64)
$ vi $ORACLE_HOME/hs/admin/extproc.ora
   before: SET EXTPROC_DLLS=
   after:  SET EXTPROC_DLLS=DLL:/lib64/libc.so.6
   (ONLY:/lib64/libc.so.6 limits the agent to that one library; without ONLY:, libraries under $ORACLE_HOME/lib and $ORACLE_HOME/bin stay loadable as well)

-- Library object for libc, and an external procedure bound to syslog(3)
SQL> create or replace library libc as '/lib64/libc.so.6';
     /
SQL> create or replace procedure syslog_fmt (priority binary_integer, fmt varchar2, message varchar2)
     is external
       library libc
       name "syslog"
       language C
       calling standard C
       parameters (priority int, fmt string, message string);
     /
-- Wrapper with a two-argument interface. syslog(3)'s second argument is a format string, so the
-- message is always passed through a fixed "%s": a '%' in the SQL text (a LIKE pattern, for instance)
-- must never reach syslog(3) as a conversion directive.
SQL> create or replace procedure output_syslog (priority binary_integer, message varchar2) is
     begin
       syslog_fmt(priority, '%s', message);
     end;
     /

Anyone who can create a procedure against library libc can call any libc function, system(3) included.
Grant EXECUTE on output_syslog to the handler owner only, and keep CREATE LIBRARY / CREATE ANY LIBRARY
(one of the ORA_SECURECONFIG privileges) away from other accounts.

Page 20: syslog output 2/4: the FGA handler

-- Handler called by fine-grained auditing when the policy fires: builds one line and hands it to syslog
SQL> create or replace procedure fga_warn_syslog (
       object_schema varchar2, object_name varchar2, policy_name varchar2 )
     is
       LOG_WARNING constant binary_integer := 4;   -- LOG_WARNING of syslog(3)
       MSG varchar2(32767);   -- not 4000: CURRENT_SQL alone can be 4000 bytes and the concatenation would overflow
     begin
       MSG := 'Oracle Audit Trail ';
       MSG := MSG || 'DB_NAME="'           || sys_context('USERENV','DB_NAME')           || '", ';
       MSG := MSG || 'SESSION_USER="'      || sys_context('USERENV','SESSION_USER')      || '", ';
       MSG := MSG || 'CLIENT_IDENTIFIER="' || sys_context('USERENV','CLIENT_IDENTIFIER') || '", ';
       MSG := MSG || 'HOST="'              || sys_context('USERENV','HOST')              || '", ';
       MSG := MSG || 'MODULE="'            || sys_context('USERENV','MODULE')            || '", ';
       MSG := MSG || 'OS_USER="'           || sys_context('USERENV','OS_USER')           || '", ';
       MSG := MSG || 'CURRENT_SQL="'       || sys_context('USERENV','CURRENT_SQL')       || '"';
       -- output_syslog hands the line to syslog(3) through extproc
       output_syslog(LOG_WARNING, MSG);
     end;
     /

Two things to keep in mind on the receiving side: syslog(3)'s second argument is a format string, so
output_syslog must pass MSG through a fixed "%s" rather than as the format itself; and CLIENT_IDENTIFIER,
MODULE and HOST are supplied by the client and written here unescaped, so a client can forge field
boundaries inside its own value. Treat those three fields as untrusted when parsing.

Page 21: syslog output 3/4: condition function (optional)

-- Returns 1 when the session does not look like the application
SQL> create or replace function audit_secdemo_is_nonapp return number as
     begin
       -- 1. session user: not the application account (e.g. system)
       -- 2. client host / IP address: not the application server
       -- 3. the application always sets CLIENT_IDENTIFIER; an interactive session does not
       -- nvl: a NULL attribute (IP_ADDRESS is NULL on a local bequeath connection) would make the
       -- comparison NULL rather than TRUE and silently drop that condition.
       -- HOST is reported by the client and can be spoofed; IP_ADDRESS comes from the network.
       if nvl(sys_context('USERENV','SESSION_USER'), '?') <> 'SECDEMO'
          or nvl(sys_context('USERENV','HOST'), '?') <> 'olvsecdap1.intellilink.co.jp'
          or nvl(sys_context('USERENV','IP_ADDRESS'), '?') <> '192.168.114.233'
          or sys_context('USERENV','CLIENT_IDENTIFIER') is null then
         return 1;
       else
         return 0;
       end if;
     end;
     /

Page 22: syslog output 4/4: the FGA policy

-- FGA policy on SECDEMO.CUSTOMER: when the condition evaluates to true, record the statement and
-- call the handler. handler_schema is not given, so it defaults to the current schema;
-- audit_condition is plain SQL text, so the function must be resolvable from there
-- (qualify it with its owner's schema if needed).
SQL> begin
       DBMS_FGA.ADD_POLICY (
         object_schema   => 'SECDEMO',
         object_name     => 'CUSTOMER',
         statement_types => 'SELECT, UPDATE, DELETE',
         policy_name     => 'SECDEMO_CUSTOMER_NONAP_ACCESS',
         audit_condition => 'audit_secdemo_is_nonapp=1',
         handler_module  => 'fga_warn_syslog',
         enable          => TRUE );
     end;
     /

Page 23: Result

When system reads CUSTOMER, /var/log/messages receives:

# tail -n 1 /var/log/messages
Jan 14 20:17:33 olvdapd01 extproc: Oracle Audit Trail DB_NAME="orcl1", SESSION_USER="SYSTEM", CLIENT_IDENTIFIER="", HOST="olvdapd01.intellilink.co.jp", MODULE="SQL*Plus", OS_USER="oracle", CURRENT_SQL="select * from CUSTOMER where ROWNUM <= 10"
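Once the records leave the database, something has to read them. The following is an added example (not part of the original slides) of the collector side for the lines the fga_warn_syslog handler of pages 20-23 produces: it splits a line into the handler's fields, re-applies the slide's "non-application access" rule, and flags records whose client-controlled fields carry a forged separator. The sample lines are constructed for the example; the application host name is the one from the condition function on page 21.

```python
"""Collector-side handling of the syslog records produced by fga_warn_syslog.

Added example; the record layout follows the MSG string of the handler on
page 20, and the sample lines below are constructed for this example."""
from collections import Counter

APP_USER = "SECDEMO"
APP_HOSTS = {"olvsecdap1.intellilink.co.jp"}  # app server used by audit_secdemo_is_nonapp

# Field order is fixed by the handler; values are written without escaping.
FIELDS = ["DB_NAME", "SESSION_USER", "CLIENT_IDENTIFIER", "HOST",
          "MODULE", "OS_USER", "CURRENT_SQL"]
PREFIX = 'Oracle Audit Trail DB_NAME="'
MARKERS = [f'", {f}="' for f in FIELDS[1:]]  # separator the handler writes before each later field


def parse_record(line):
    """Split one syslog line into the handler's fields; None for unrelated lines.
    Cutting on the fixed separators (instead of a generic key="value" regex) lets
    CURRENT_SQL, the last field, keep the quotes and commas that SQL text contains."""
    start = line.find(PREFIX)
    if start < 0 or not line.endswith('"'):
        return None
    body = line[start + len(PREFIX):-1]
    rec = {}
    for field, marker in zip(FIELDS, MARKERS):
        cut = body.find(marker)
        if cut < 0:
            return None
        rec[field] = body[:cut]
        body = body[cut + len(marker):]
    rec[FIELDS[-1]] = body
    return rec


def looks_tampered(line):
    """CLIENT_IDENTIFIER, MODULE and HOST are set by the client and not escaped by the
    handler, so a client can embed a fake '", HOST="..."' inside its own value.
    A genuine record carries each separator exactly once."""
    return any(line.count(m) != 1 for m in MARKERS)


def is_nonapp_access(rec):
    """The slide's audit_secdemo_is_nonapp rule re-applied on the collector. IP_ADDRESS is
    not in the record, so user, host and client identifier are checked; an empty value
    counts as 'not the application' (no three-valued NULL logic here)."""
    return (rec["SESSION_USER"] != APP_USER
            or rec["HOST"] not in APP_HOSTS
            or rec["CLIENT_IDENTIFIER"] == "")


def analyze(lines):
    """Return (alerts, per_user): alerts as (reason, record) pairs, plus the per-user
    counts that back a 'records per DB user' bar chart."""
    alerts, per_user = [], Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        per_user[rec["SESSION_USER"]] += 1
        if looks_tampered(line):
            alerts.append(("tampered", rec))
        elif is_nonapp_access(rec):
            alerts.append(("nonapp", rec))
    return alerts, per_user


# Constructed sample input, same layout as the /var/log/messages line on page 23.
SAMPLE_LINES = [
    # 1: SYSTEM from the DB host, the case demonstrated on the slide
    'Jan 14 20:17:33 olvdapd01 extproc: Oracle Audit Trail DB_NAME="orcl1", '
    'SESSION_USER="SYSTEM", CLIENT_IDENTIFIER="", HOST="olvdapd01.intellilink.co.jp", '
    'MODULE="SQL*Plus", OS_USER="oracle", CURRENT_SQL="select * from CUSTOMER where ROWNUM <= 10"',
    # 2: normal application traffic (app user, app host, CLIENT_IDENTIFIER set by the app)
    'Jan 14 20:18:02 olvdapd01 extproc: Oracle Audit Trail DB_NAME="orcl1", '
    'SESSION_USER="SECDEMO", CLIENT_IDENTIFIER="web-session-42", HOST="olvsecdap1.intellilink.co.jp", '
    'MODULE="JDBC Thin Client", OS_USER="tomcat", CURRENT_SQL="select * from CUSTOMER where ID = :1"',
    # 3: app account used interactively on the app host; SQL with quotes, a comma and a LIKE '%'
    'Jan 14 20:19:10 olvdapd01 extproc: Oracle Audit Trail DB_NAME="orcl1", '
    'SESSION_USER="SECDEMO", CLIENT_IDENTIFIER="", HOST="olvsecdap1.intellilink.co.jp", '
    "MODULE=\"SQL*Plus\", OS_USER=\"appadm\", CURRENT_SQL=\"select \"NAME\", EMAIL from CUSTOMER where NAME like '%a%'\"",
    # 4: unrelated syslog traffic
    'Jan 14 20:19:11 olvdapd01 sshd[1234]: Accepted publickey for oracle from 10.0.0.5',
    # 5: CLIENT_IDENTIFIER forged via DBMS_SESSION.SET_IDENTIFIER to fake the app host
    'Jan 14 20:25:41 olvdapd01 extproc: Oracle Audit Trail DB_NAME="orcl1", '
    'SESSION_USER="SECDEMO", CLIENT_IDENTIFIER="x", HOST="olvsecdap1.intellilink.co.jp", MODULE="", '
    'HOST="mallory-pc", MODULE="SQL*Plus", OS_USER="mallory", CURRENT_SQL="select * from CUSTOMER"',
]

if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LINES)
    for reason, rec in found:
        print(f"{reason:8} user={rec['SESSION_USER']} host={rec['HOST']} sql={rec['CURRENT_SQL']!r}")
    print(dict(counts))
```

Line 5 shows why the tamper check matters: a naive field split reads HOST as the application server and CLIENT_IDENTIFIER as non-empty, so the non-application rule alone would pass it; only the duplicated separator gives it away. The durable fix is on the producer side, escaping the double quote in the handler before it is written.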

Page 24
Page 25
Page 26: Visualizing the records with a BI tool

BI

Page 27: Superset

https://github.com/airbnb/superset

Airbnb's open-source BI tool

• Python web application, installed with pip
  → running it on a PC is fine
• Connects to MySQL, Oracle and other SQLAlchemy-supported databases

Page 28: Superset setup

1. Install
   • Oracle Instant Client (http://www.slideshare.net/MichitoshiYoshida1/dba-oracle-database ※ slide 20)
   • cx_Oracle (pip install cx_Oracle)
   • superset (http://airbnb.io/superset/installation.html)

2. Register the database
   Sources > Databases > Add
   Oracle URI: oracle://<user>:<password>@<host>:<port>/<service>
   Example: oracle://auditviewer:[email protected]:1521/orcl1
   (connect as the AUDIT_VIEWER account, not as a DBA; Superset only needs to read the audit views)

3. Register the table (Sources > Tables, e.g. UNIFIED_AUDIT_TRAIL)

4. Build a Slice (chart) on it

5. Slices → Dashboard

Page 29: Dashboard examples

Breakdown of the records (e.g. per DB user): Distribution - Bar Chart

Individual records: Table View with filters

Page 30: Thank you

m(_ _)m