开发者社区> rudy_gao> 正文
阿里云
为了无法计算的价值
打开APP
阿里云APP内打开

数据库安全

简介: --1.创建角色并给角色授权进行授权 select 'GRANT '||PRIVILEGE || ' TO WCS_ROLE;' from dba_sys_privs WHERE GRANT...
+关注继续查看
--1.创建角色并给角色授权进行授权


select 'GRANT '||PRIVILEGE || ' TO WCS_ROLE;' from dba_sys_privs WHERE GRANTEE='WCS_ROLE';


--查看当前session内的权限,注意其可能不是最新的
SELECT * FROM Session_Privs;
--查看角色权限
select * from DBA_sys_privs WHERE grantee='WCS_ROLE';
--查看当前用户权限
SELECT * FROM user_role_privs;
SELECT * FROM Dba_Role_Privs WHERE grantee='WCS_ROLE';


--创建角色并给角色授权进行授权
CREATE ROLE wcs_role;
--GRANT CONNECT,RESOURCE,CTXAPP TO wcs_role;
--REVOKE DBA FROM rudy;
--DROP ROLE wcs_role;
GRANT wcs_role TO rudy;
GRANT CREATE VIEW TO wcs_role;
GRANT CREATE MATERIALIZED VIEW TO WCS_ROLE;
GRANT CREATE SESSION TO WCS_ROLE;
GRANT RESUMABLE TO WCS_ROLE;
GRANT CREATE TYPE TO WCS_ROLE;
GRANT CREATE TRIGGER TO WCS_ROLE;
GRANT CREATE VIEW TO WCS_ROLE;
GRANT CREATE JOB TO WCS_ROLE;
GRANT CREATE EVALUATION CONTEXT TO WCS_ROLE;
GRANT CREATE INDEXTYPE TO WCS_ROLE;
GRANT CREATE  SEQUENCE TO WCS_ROLE;
GRANT CREATE  TABLE TO WCS_ROLE;
GRANT MANAGE SCHEDULER TO WCS_ROLE;
GRANT DROP PUBLIC DATABASE LINK TO WCS_ROLE;
GRANT UNLIMITED TABLESPACE TO WCS_ROLE;
GRANT DEBUG CONNECT SESSION TO WCS_ROLE;
GRANT ON COMMIT REFRESH TO WCS_ROLE;
GRANT CREATE ANY INDEXTYPE TO WCS_ROLE;
GRANT EXECUTE ANY INDEXTYPE TO WCS_ROLE;
GRANT CREATE TYPE TO WCS_ROLE;
GRANT CREATE PROCEDURE TO WCS_ROLE;
GRANT FORCE TRANSACTION TO WCS_ROLE;
GRANT CREATE SEQUENCE TO WCS_ROLE;
GRANT CREATE VIEW TO WCS_ROLE;
GRANT DROP PUBLIC SYNONYM TO WCS_ROLE;
GRANT CREATE TABLE TO WCS_ROLE;
GRANT CREATE  TRIGGER TO WCS_ROLE;
GRANT CREATE PUBLIC SYNONYM TO WCS_ROLE;
GRANT CREATE SYNONYM TO WCS_ROLE;
GRANT FLASHBACK ARCHIVE ADMINISTER TO WCS_ROLE;
GRANT CREATE MATERIALIZED VIEW TO WCS_ROLE;
GRANT CREATE PUBLIC DATABASE LINK TO WCS_ROLE;
GRANT CREATE DATABASE LINK TO WCS_ROLE;
GRANT CREATE ANY SYNONYM TO WCS_ROLE;
GRANT EXECUTE ANY EVALUATION CONTEXT TO WCS_ROLE;
GRANT EXECUTE ANY LIBRARY TO WCS_ROLE;
GRANT EXECUTE ANY PROCEDURE TO WCS_ROLE;
GRANT EXECUTE ANY PROGRAM TO WCS_ROLE;
GRANT EXECUTE ANY OPERATOR TO WCS_ROLE;
GRANT EXECUTE ANY INDEXTYPE TO WCS_ROLE;
GRANT EXECUTE ANY ASSEMBLY TO WCS_ROLE;
GRANT EXECUTE ANY CLASS TO WCS_ROLE;
GRANT EXECUTE ANY TYPE TO WCS_ROLE;
--grant unlimited tablespace to rudy;


--禁止某一用户执行ddl
CREATE OR REPLACE TRIGGER DDL_DENY
  BEFORE CREATE OR ALTER OR DROP OR TRUNCATE OR GRANT OR REVOKE ON DATABASE
DECLARE
BEGIN


  IF ORA_LOGIN_USER = 'RUDY' THEN
    /*IF ORA_SYSEVENT = 'CREATE' THEN
      RAISE_APPLICATION_ERROR(-20001,
                              'You have no permission to create object:' ||
                              ORA_DICT_OBJ_OWNER || '.' ||
                              ORA_DICT_OBJ_NAME || ' ' ||
                              ', please connect to admin');
    ELS
*/
IF ORA_SYSEVENT = 'ALTER' THEN
      RAISE_APPLICATION_ERROR(-20001,
                              'You have no permission to alter object:' ||
                              ORA_DICT_OBJ_OWNER || '.' ||
                              ORA_DICT_OBJ_NAME || ' ' ||
                              ', please connect to admin');
    ELSIF ORA_SYSEVENT = 'DROP' THEN
      RAISE_APPLICATION_ERROR(-20001,
                              'You have no permission to drop object:' ||
                              ORA_DICT_OBJ_OWNER || '.' ||
                              ORA_DICT_OBJ_NAME || ' ' ||
                              ', please connect to admin');
    ELSIF ORA_SYSEVENT = 'TRUNCATE' THEN
      RAISE_APPLICATION_ERROR(-20001,
                              'You have no permission to truncate object:' ||
                              ORA_DICT_OBJ_OWNER || '.' ||
                              ORA_DICT_OBJ_NAME || ' ' ||
                              ', please connect to admin');
    ELSIF ORA_SYSEVENT = 'GRANT' THEN
      RAISE_APPLICATION_ERROR(-20001,
                              'You have no permission grant privilege' ||
                              ', please connect to admin');
    ELSIF ORA_SYSEVENT = 'REVOKE' THEN
      RAISE_APPLICATION_ERROR(-20001,
                              'You have no permission revoke privilege' ||
                              ', please connect to admin');
    END IF;
  END IF;


EXCEPTION
  WHEN NO_DATA_FOUND THEN
    NULL;
END;






--2. 查看用户使用默认密码以及状态


select * FROM dba_users_with_defpwd ORDER by 1;


SELECT * FROM dba_users WHERE ACCOUNT_STATUS='OPEN';


SELECT * FROM dba_users WHERE username IN (select username FROM dba_users_with_defpwd);


--用户密码默认180天过期
SELECT * FROM Dba_Profiles WHERE PROFILE='DEFAULT';


--密码永不过期
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;


--3.审计


--查看审计是否打开
show parameter audit


--打开sys用户的审计,并打开外部审计
Alter system set audit_sys_operations=true scope=spfile;
alter system set audit_trail=db,extended scope=spfile;
--audit table


--查看当前审计的内容
SELECT user_name, audit_option, success, failure from sys.dba_stmt_audit_opts


revoke dba from rudy;
grant connect,resource,unlimited tablespace  to wcs_p;


--查看当前用户权限
SELECT * FROM session_privs;






AUDIT CREATE JOB;
AUDIT CREATE LIBRARY;
AUDIT TABLE;
AUDIT ALTER TABLE;
AUDIT CREATE TABLE;


NOAUDIT DROP ANY PROCEDURE;
NOAUDIT ALTER ANY PROCEDURE;
NOAUDIT CREATE ANY PROCEDURE;
NOAUDIT CREATE PROCEDURE;
NOAUDIT PROCEDURE;


AUDIT CREATE VIEW;
AUDIT CREATE ANY VIEW;
AUDIT VIEW;
AUDIT DROP ANY VIEW;


AUDIT CREATE MATERIALIZED VIEW;
AUDIT CREATE ANY MATERIALIZED VIEW;
AUDIT ALTER ANY MATERIALIZED VIEW;
AUDIT MATERIALIZED VIEW;
AUDIT DROP ANY MATERIALIZED VIEW;


AUDIT CREATE ANY INDEX;
AUDIT ALTER ANY INDEX;
AUDIT INDEX;
AUDIT DROP ANY INDEX;


AUDIT CREATE TYPE;
AUDIT CREATE ANY TYPE;
AUDIT ALTER ANY TYPE;
AUDIT TYPE;
AUDIT DROP ANY TYPE;


--4.端口


--查看监听端口是什么,以及状态


lsnrctl status


--关闭监听


lsnrctl stop


--修改监听端口
listener.ora


--查看端口是否被占用
netstat -apn|grep  31564


--修改数据库监听端口,注意如果是asm,则asm上也要执行这个操作
alter system set local_listener="(address=(protocol=tcp)(host=asm)(port=31564))" scope=both;


--查看数据库监听端口
show parameter local_listener


--修改客户端监听端口
tnsnames.ora


--数据库端配置
asm_centos01 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = asm_centos01)(PORT = 31564))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl)
    )
  )
--asm实现配置
asm_centos02 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = asm_centos01)(PORT = 31564))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = +ASM)
    )
  )


--打开监听
lsnrctl start


--受影响网络
--112.124.109.24 运营一个服务,stage一个服务
--112.124.2.225 一个prd服务
--112.124.2.252 一个prd服务
--112.124.41.131 一个stage服务,一个prd服务
--192.168.10.191 dev服务


--设置密码


set password
set current_listener listener
change_password
save_config


--设置密码后,远程操作将会因缺失密码而出现失败,但本地操作还是有需要密码的

版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。

相关文章
数据库
●数据库 OrmLite (JDBC和Android的轻量级ORM java包) Sugar (用超级简单的方法处理Android数据库) GreenDAO (一种轻快地将对象映射到SQLite数据库的ORM解决方案,使用的App有:薄荷,京...
864 0
如何提高数据库安全
数据库作为非常重要的存储工具,里面往往会存放着大量有价值或敏感信息。因此,数据库往往会成为黑客们的主要攻击对象。黑客们会利用各种途径来获取想要的信息,因此,保证数据库安全就变得尤为重要。
2825 0
+关注
486
文章
0
问答
文章排行榜
最热
最新
相关电子书
更多
低代码开发师(初级)实战教程
立即下载
阿里巴巴DevOps 最佳实践手册
立即下载
冬季实战营第三期:MySQL数据库进阶实战
立即下载