ITPub博客

首页 > 数据库 > Oracle > ACFS Security & Encryption特性使用须知

ACFS Security & Encryption特性使用须知

原创 Oracle 作者:oliseh 时间:2014-09-24 23:33:09 0 删除 编辑


使用ACFS Security & Encryption时应该注意的几个问题

 

1、 Encryption属性设置注意事项:

所有的Encryption设置类的操作必须在root或者文件owner用户下进行,不能在Security Administrator用户下进行

 

--init完之后,为/acfs3设置一个统一的Encryption算法,设置完成后加密处于关闭状态

root[C1] @ora12c1:/acfs3/dircd>acfsutil encr set -m /acfs3 -a AES -k 128

FS-level encryption parameters have been set to:

Algorithm (AES 128-bit), Key length (16 bytes)

 

root@ora12c1:/acfs3/dircd>acfsutil encr info -m /acfs3              

File system: /acfs3

        Encryption status: OFF

        Algorithm: AES 128-bits

        Key length: 16 bytes

 

--设置Encryption之前在/acfs3里已存在的文件不进行加密:

root@ora12c1:/acfs3/dircd>acfsutil encr info -m /acfs3 -r /acfs3    

 

 Path: /acfs3

        Encryption status: OFF

 Path: /acfs3/dircd

        Encryption status: OFF

 Path: /acfs3/dircd/dd

        Encryption status: OFF

 Path: /acfs3/dircd/dnsmasq.conf

        Encryption status: OFF

 Path: /acfs3/dircd/dracut.conf

        Encryption status: OFF

 Path: /acfs3/dircd/dirc

        Encryption status: OFF

 Path: /acfs3/dircd/dirc/cas.conf

        Encryption status: OFF

 Path: /acfs3/dircd/dirc/cron.deny

        Encryption status: OFF

 Path: /acfs3/dircd/dirc/crontab

        Encryption status: OFF

 

--设置Encryption之后在/acfs3里新建的文件也不进行加密:

root@ora12c1:/acfs3>touch cc

root@ora12c1:/acfs3>acfsutil encr info -m /acfs3 /acfs3/cc

 

 Path: /acfs3/cc

        Encryption status: OFF

 

--/acfs3/dirb这个目录及下面的文件设置192bit不同于FS层的Encryption

root@ora12c1:/acfs3/dircd>acfsutil encr on -m /acfs3 -a AES -k 192 -r /acfs3/dirb

Using user-provided parameters: algorithm (AES), key length (24 bytes)

Encrypting (/acfs3/dirb)... done.

Encrypting (/acfs3/dirb/bashrc)... done.

 

root@ora12c1:/acfs3/dircd>acfsutil encr info -m /acfs3 -r /acfs3/dirb           

 

 Path: /acfs3/dirb

        Encryption status: ON

        Algorithm: AES 192-bits

        Key length: 24 bytes

 Path: /acfs3/dirb/bashrc

        Encryption status: ON

        Algorithm: AES 192-bits

        Key length: 24 bytes

 

--[C2] /acfs3层面打开Encrytion开关,除/acfs3/dirb外的其它文件才开始使用了128bit的算法进行加密,/acfs3/dirb依然使用前一步设置的192bit加密算法

root@ora12c1:/acfs3>acfsutil encr on -m /acfs3           

Encryption has been enabled on (/acfs3)

Encrypting (/acfs3/dircd)... done.

Encrypting (/acfs3/dircd/dd)... done.

Encrypting (/acfs3/dircd/dnsmasq.conf)... done.

Encrypting (/acfs3/dircd/dracut.conf)... done.

Encrypting (/acfs3/dircd/dirc)... done.

Encrypting (/acfs3/dircd/dirc/cas.conf)... done.

Encrypting (/acfs3/dircd/dirc/cron.deny)... done.

Encrypting (/acfs3/dircd/dirc/crontab)... done.

Encrypting (/acfs3/dircd/dirc/crypttab)... done.

Encrypting (/acfs3/dircd/dirc/csh.cshrc)... done.

Encrypting (/acfs3/dircd/dirc/csh.login)... done.

Encrypting (/acfs3/dira)... done.

Encrypting (/acfs3/dira/adjtime)... done.

Encrypting (/acfs3/dira/aliases.db)... done.

Encrypting (/acfs3/dira/anacrontab)... done.

Encrypting (/acfs3/dira/anthy-conf)... done.

Encrypting (/acfs3/dira/asound.conf)... done.

Encrypting (/acfs3/dira/aliases)... done.

Encrypting (/acfs3/dira/autofs_ldap_auth.conf)... done.

Encrypting (/acfs3/dira/auto.master)... done.

Encrypting (/acfs3/dira/.auto.misc.swp)... done.

Encrypting (/acfs3/dira/.auto.misc.swx)... done.

Encrypting (/acfs3/dira/.auto.smb.swp)... done.

Encrypting (/acfs3/dira/.auto.smb.swx)... done.

Encrypting (/acfs3/dira/.abc.txt.swp)... done.

Encrypting (/acfs3/dira/.abc.txt.swx)... done.

Encrypting (/acfs3/dira/.auto.net.swp)... done.

Encrypting (/acfs3/dira/.auto.net.swx)... done.

Encrypting (/acfs3/dirb)... File is already encrypted

Encrypting (/acfs3/dirb/bashrc)... File is already encrypted

Encrypting (/acfs3/.Security)... done.

Open failed for /acfs3/.Security/backup

Encrypting (/acfs3/.Security/realm)... done.

Open failed for /acfs3/.Security/realm/logs

Encrypting (/acfs3/.Security/encryption)... done.

Encrypting (/acfs3/.Security/encryption/logs)... done.

Encrypting (/acfs3/.Security/encryption/logs/encr-ora12c2-727777111.log)... done.

Encrypting (/acfs3/.Security/encryption/logs/encr-ora12c1-727777111.log)... done.

Encrypting (/acfs3/enscript.cfg)... done.

Encrypting (/acfs3/environment)... done.

Encrypting (/acfs3/ethers)... done.

Encrypting (/acfs3/exports)... done.

Encrypting (/acfs3/cc)... done.

 

2、 文件或目录的是否加密的属性取决于其所在的域属性

--创建一个不加密的域

acfsadm1@ora12c1:/home/acfsadm1>acfsutil sec realm create encrealm1 -m /acfs3 -e off -o enable

 

acfsadm1@ora12c1:/home/acfsadm1>acfsutil sec info -m /acfs3 -n encrealm1     

ACFS Security administrator password:

Realm status: ENABLED

 

Users present in realm 'encrealm1' are as follows :

 

Groups present in realm 'encrealm1' are as follows :

 

Filters present in realm 'encrealm1' are as follows :

 

Encryption status : OFF

 

Realm description : ''

 

--/acfs3/dirb的加密属性

acfsadm1@ora12c1:/acfs3>acfsutil encr info -m /acfs3 -r /acfs3/dirb

 

 Path: /acfs3/dirb

        Encryption status: ON

        Algorithm: AES 192-bits

        Key length: 24 bytes

 Path: /acfs3/dirb/bashrc

        Encryption status: ON

        Algorithm: AES 192-bits

        Key length: 24 bytes

 

--/acfs3/dirb加入域

acfsadm1@ora12c1:/acfs3>acfsutil sec realm add encrealm1 -m /acfs3 -f -r /acfs3/dirb

 

--再次查询/acfs3/dirb的加密属性,已经变成OFF

acfsadm1@ora12c1:/acfs3>acfsutil encr info -m /acfs3 -r /acfs3/dirb

 Path: /acfs3/dirb

        Encryption status: OFF

 Path: /acfs3/dirb/bashrc

        Encryption status: OFF

 

结论:某个文件或者目录的Encryption属性跟着域里的Encryption属性走

 

3、 利用ACFS Security控制访问用户与访问时间

案例1:仅oracle用户在8:00~21:00可以读取/acfs3/dira内容

--建立rulerulesetrule加入到ruleset

acfsadm1@ora12c1:/acfs3>acfsutil sec rule create sec_rule1_time -m /acfs3 -t time 08:00:00,21:00:00 -o ALLOW

ACFS Security administrator password:

acfsadm1@ora12c1:/acfs3>acfsutil sec info -m /acfs3 -l sec_rule1_time                                      

ACFS Security administrator password:

 

Information of rule 'sec_rule1_time' are as follows :

Type : TIME

Value : '08:00:00' - '21:00:00'

Option : ALLOW

 

acfsadm1@ora12c1:/acfs3>acfsutil sec rule create sec_rule1_user -m /acfs3 -t username oracle -o ALLOW          

ACFS Security administrator password:

acfsadm1@ora12c1:/acfs3>acfsutil sec info -m /acfs3 -l sec_rule1_user                               

ACFS Security administrator password:

 

Information of rule 'sec_rule1_user' are as follows :

Type : USERNAME

Value : oracle

Option : ALLOW

 

acfsadm1@ora12c1:/acfs3>acfsutil sec ruleset create sec_rule1_set -m /acfs3

 

acfsadm1@ora12c1:/acfs3>acfsutil sec ruleset edit sec_rule1_set -m /acfs3 -a sec_rule1_user,sec_rule1_time -o ALL_TRUE

 

acfsadm1@ora12c1:/acfs3>acfsutil sec info -m /acfs3 -s sec_rule1_set                                                                   

ACFS Security administrator password:

 

Rules present in rule set 'sec_rule1_set' are as follows :

        sec_rule1_user

        sec_rule1_time

Ruleset option : ALL TRUE

 

--创建域,将用户、目录等对象加入到域中

acfsadm1@ora12c1:/acfs3>acfsutil sec realm create secrealm1 -m /acfs3 -e on -a AES -k 256 -o enable

acfsadm1@ora12c1:/acfs3>acfsutil sec realm add secrealm1 -m /acfs3 -u oracle -l READ:sec_rule1_set -f -r /acfs3/dira

ACFS Security administrator password:

acfsadm1@ora12c1:/acfs3>acfsutil sec info -m /acfs3 -n secrealm1                                                   

ACFS Security administrator password:

Realm status: ENABLED

 

Users present in realm 'secrealm1' are as follows :

        oracle

 

Groups present in realm 'secrealm1' are as follows :

 

Filters present in realm 'secrealm1' are as follows :

        READ : sec_rule1_set

 

Encryption status : ON

Encryption algorithm : AES

Encryption key length : 256

 

Realm description : ''

 

--至此oracle用户具有读写相关的任何权限,因为添加的:/READ:sec_rule1_set 虽然只是允许读的权限,但也不存在其它拒绝写的:

 

--Root用户由于没有加入到secrealm1,所以没有任何权限连列出目录的权限都没有

root@ora12c1:/acfs3/dira>ls -rlt

ls: cannot open directory .: Permission denied

 

--Root用户加入到secrealm1后,也只有列出目录的权限,没有读取文件内容的权限,因为读取文件内容必须同时具备用户名为oracle(-t username oracle -o ALLOW),时间段为8:00~21:00(-t time 08:00:00,21:00:00 -o ALLOW)两个条件(-a sec_rule1_user,sec_rule1_time -o ALL_TRUE)ruleset中定义的ALL_TRUE正是指同时满足上述两个条件,所以root用户登陆后第一个条件总是不满足,所以就不适用于READ:sec_rule1_set,因此就无读的权限

acfsadm1@ora12c1:/acfs3>acfsutil sec realm add secrealm1 -m /acfs3 -u root -f -r /acfs3/dira

root@ora12c2:/acfs3/dira>ls -rlt

total 28

-rwxr-xr-x. 1 oracle oinstall   541 Feb  5 13:33 anacrontab

-rwxr-xr-x. 1 oracle oinstall 12288 Feb  5 13:33 aliases.db

-rwxr-xr-x. 1 oracle oinstall   245 Feb  5 13:33 anthy-conf

-rwxrwxrwx. 1 oracle oinstall  1521 Feb  5 13:33 aliases

-rwxr-xr-x. 1 oracle oinstall   232 Feb  5 13:33 autofs_ldap_auth.conf

-rw-------. 1 oracle oinstall     0 Feb  5 13:46 asound_c.swp

-rwxr-xr-x. 1 oracle oinstall     0 Feb  5 13:46 aliases.bak

-rwxr-xr-x. 1 oracle oinstall     0 Feb  5 13:49 asound.conf

root@ora12c2:/acfs3/dira>cat aliases.bak

cat: aliases.bak: Permission denied

 

案例2 oracle用户在8:00~21:00不能针对/acfs3/dire目录及下面的文件进行修改、删除、更改权限的操作,但可以读取其中内容,root用户对于/acfs3/dire具有所有权限

acfsutil sec rule create rule_dire_user -m /acfs3 -t username oracle -o DENY

acfsutil sec rule create rule_dire_time -m /acfs3 -t time 08:00:00,23:00:00 -o DENY

acfsutil sec ruleset create rule_dire_set -m /acfs3 -o ANY_TRUE

acfsutil sec ruleset edit rule_dire_set -m /acfs3 -a rule_dire_user,rule_dire_time -o ANY_TRUE

acfsutil sec realm create rule_dire_realm1 -m /acfs3 -e on -a AES -k 192 -o enable

acfsutil sec realm add rule_dire_realm1 -m /acfs3 -u oracle,root -l CHMOD:rule_dire_set,DELETEFILE:rule_dire_set,WRITE:rule_dire_set -f -r /acfs3/dire

acfsutil sec info -m /acfs3 -n rule_dire_realm1

Realm status: ENABLED

 

Users present in realm 'rule_dire_realm1' are as follows :

        root

        oracle

 

Groups present in realm 'rule_dire_realm1' are as follows :

 

Filters present in realm 'rule_dire_realm1' are as follows :

        WRITE : rule_dire_set

        DELETEFILE : rule_dire_set

        CHMOD : rule_dire_set

 

Encryption status : ON

Encryption algorithm : AES

Encryption key length : 192

 

Realm description : ''

 

acfsutil sec info -m /acfs3 -s rule_dire_set

ACFS Security administrator password:

 

Rules present in rule set 'rule_dire_set' are as follows :

        rule_dire_user

        rule_dire_time

Ruleset option : ANY TRUE

 

--oracle用户22:00登陆,测试权限

写权限:

su - oracle

cd /acfs3/dire

vi ethers

"ethers" [readonly] 1L, 28C

 

oracle@ora12c1:/acfs3/dire>ls -rlt

total 12

-rw-r--r--. 1 oracle oinstall    0 Feb 11 21:42 environment

-rw-r--r--. 1 oracle oinstall    0 Feb 11 21:42 exports

-rw-r--r--. 1 oracle oinstall 4843 Feb 11 22:03 enscript.cfg

-rw-r--r--. 1 oracle oinstall   28 Feb 11 22:03 ethers

 

删除文件的权限:

oracle@ora12c1:/acfs3/dire>rm ethers

rm: cannot remove `ethers': Permission denied

 

chmod权限:

oracle@ora12c1:/acfs3/dire>chmod 777 ethers

chmod: changing permissions of `ethers': Permission denied

 

chown权限并没有限制掉:

oracle@ora12c1:/acfs3/dire>chown oracle:dba ethers

oracle@ora12c1:/acfs3/dire>ls -rlt

total 12

-rw-r--r--. 1 oracle oinstall    0 Feb 11 21:42 environment

-rw-r--r--. 1 oracle oinstall    0 Feb 11 21:42 exports

-rw-r--r--. 1 oracle oinstall 4843 Feb 11 22:03 enscript.cfg

-rw-r--r--. 1 oracle dba        28 Feb 11 22:03 ethers

 

--root用户登陆后测试下来具有任何权限

 

结论:ACFS里的权限控制关键在于如何理解rule中的-o ALLOW/DENYruleset中的-o ALL_TRUE/ANY_TRUEruleset中的ALL_TRUE是指其包含的每一个Rule表达式的评估结果必须为TRUE,例如对于-t username oracle -o ALLOW来说,如果登陆的用户是oracle那么这个Rule表达式的结果就是TRUE;对于-t username oracle -o DENY来说,如果登陆的用户是oracle那么这个Rule表达式的结果就是FALSE;只有每一个表达式都为TRUE的情况下,才具有command_rule:ruleset所指定的权限,否则就没有该权限。ruleset中的ALL_TRUE是指其包含的所有Rule表达式中只要有一个评估值为TRUE,就能具有command_rule:ruleset所指定的权限。另外在ACFS里对于没有明确拒绝的权限或者说没有提及的权限,例如案例1中的oracle用户虽然只具有READ:sec_rule1_set权限,但因为没有明确拒绝其他权限所有oracle还是会拥有包括READ在内的所有权限

 


 [C1]只有先在FS层面先设置好统一的加密算法后,才能使用acfsutil  encr on设置具体目录的加密算法,否则会收到” acfsutil encr on: ACFS-10577: Encryption parameters not set.”报错

 [C2]如果在/acfs3层打开了Encryption开关就不能对其下的某个子目录单独关闭:

oracle@ora12c1:/acfs3>acfsutil encr off -m /acfs3 /acfs3/ethers

acfsutil encr off: ACFS-10415: File system level encryption is on, file level encryption operations are not allowed

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/53956/viewspace-1279999/,如需转载,请注明出处,否则将追究法律责任。

请登录后发表评论 登录
全部评论
不仅仅专注Oracle database技术, member of SHOUG

注册时间:2014-04-06

  • 博文量
    128
  • 访问量
    1617084