Database Management
8/8/2019 Veritaban Ynetimi
1/93
This document was created with Win2PDF available at http://www.daneprairie.com.The unregistered version of Win2PDF is for evaluation or non-commercial use only.
Order Values: Ensures that sequence numbers are generated in order. This option is useful if you use the sequence as timestamp information. Ordering is not important for sequences that generate primary keys.
Cache Options: The number of sequence values kept in memory for faster access. This integer can have at most 28 digits. The minimum value for this parameter is 2. For cycling sequences, this value must be less than the number of values in the cycle.
Using Sequences
You can access sequence values in SQL statements by using pseudocolumns.
CURRVAL: Returns the current value of the sequence.
NEXTVAL: Increments the sequence and returns the next value.
You must use these two values together with the sequence name.
The first access to NEXTVAL returns the initial value of the sequence. On each later access, NEXTVAL increments the sequence value by one and returns the new value. Every access to CURRVAL returns the current value of the sequence.
DBMS_OBFUSCATION_TOOLKIT: Encrypts data. In general, most users should not be given the privilege to encrypt data, because if the encryption key is not stored and managed securely, the encrypted data cannot be decrypted.
These packages are very useful for the applications that need them, but they must be configured correctly to be secure. For this reason, unless they are needed, you should revoke these privileges from PUBLIC and grant them only to individual users when required.
Listing objects executable by PUBLIC
To see the list of objects that are owned by SYS and that PUBLIC has the EXECUTE privilege on, run this query:
SQL> SELECT table_name
  2  FROM dba_tab_privs
  3  WHERE owner='SYS'
  4  AND privilege = 'EXECUTE'
  5  AND grantee='PUBLIC'
  6  /
TABLE_NAME
--------------------
AGGXMLIMP
AGGXMLINPUTTYPE
...
XMLTYPEEXTRA
XMLTYPEPI
437 rows selected.
SQL>
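One way to carry out the revoke-then-grant advice above for DBMS_OBFUSCATION_TOOLKIT, as an added example that is not part of the original document. The account name app_owner is a hypothetical application schema; run the statements as SYS.

```sql
-- 1. Before revoking, find code that depends on the package. Objects owned by
--    users who only hold the privilege through PUBLIC will stop compiling.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name  = 'DBMS_OBFUSCATION_TOOLKIT'
AND    owner NOT IN ('SYS', 'PUBLIC')
ORDER  BY owner, name;

-- 2. Grant directly to each owner found in step 1 (app_owner is hypothetical),
--    then remove the blanket grant.
GRANT  EXECUTE ON sys.dbms_obfuscation_toolkit TO app_owner;
REVOKE EXECUTE ON sys.dbms_obfuscation_toolkit FROM PUBLIC;

-- 3. Confirm who can still execute the package.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DBMS_OBFUSCATION_TOOLKIT';

-- 4. Check that nothing was left invalid by the revoke.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_name;
```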
Password aging and expiration
The database administrator can set PASSWORD_GRACE_TIME, the maximum number of days that may pass before the password is changed, counted from the first successful login after the password has expired. The user receives a warning at every login attempt, and if the password is not changed within that period, the account is locked once PASSWORD_GRACE_TIME has elapsed.
Note: If the account is an application account (not accessible through SQL*Plus), the application can enable changing the password before it expires. Most DBAs assign a separate profile to application user accounts. A user account's password can also be expired manually.
SQL> ALTER USER hr PASSWORD EXPIRE;
User altered.
SQL> CONNECT hr/hr
ERROR: ORA-28001: the password has expired
Changing password for hr
New password: ********
Retype new password: ********
Password changed
Password History
Password history prevents the same password from being reused for a specified period.
This check is controlled by the following parameters:
PASSWORD_REUSE_TIME: The password cannot be reused for the number of days given by this parameter.
PASSWORD_REUSE_MAX: The number of times the password must be changed before the current password can be reused.
These two parameters are mutually exclusive, so if a value is assigned to one of them, the other must be set to UNLIMITED.
Password verification
Before a new password is assigned to a user, PL/SQL functions verify whether the password is valid. Oracle provides a default password verification script, $ORACLE_HOME/rdbms/admin/utlpwdmg.sql, or the database administrator can write a PL/SQL function that meets the site's own requirements.
In addition, custom password verification functions can be used by declaring their input parameters as follows:
function_name(userid_parameter IN VARCHAR2,
password_parameter IN VARCHAR2,
old_password_parameter IN VARCHAR2)
RETURN BOOLEAN
If the password function raises an error or becomes invalid, an error message is returned and the ALTER USER or CREATE USER command is terminated.
Password verification function: VERIFY_FUNCTION
Oracle provides a complexity function named VERIFY_FUNCTION. This function can be created with the $ORACLE_HOME/rdbms/admin/utlpwdmg.sql script. The password verification function must be created in the SYS schema. In addition to creating VERIFY_FUNCTION, the utlpwdmg script also changes the DEFAULT profile with the ALTER PROFILE command.
ALTER PROFILE default LIMIT
PASSWORD_LIFE_TIME 60
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_TIME 1800
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 1/1440
PASSWORD_VERIFY_FUNCTION verify_function;
The audit record contains the FGA policy and the SQL statement that was executed.
The event handler is specified with two arguments:
- The schema that contains the PL/SQL code
- The name of the PL/SQL code
The example on the slide runs the SECURE.LOG_EMPS_SALARY procedure with these two parameters:
handler_schema => 'secure'
handler_module => 'log_emps_salary'
Status
Shows the status of the FGA policy (enabled/disabled). The status can be changed with this parameter:
enable => TRUE
DBMS_FGA Package
The DBMS_FGA package is the administration tool for the fine-grained auditing functions. The EXECUTE privilege on DBMS_FGA is required to use it, and it should be granted only to the administrator, because the audit data may contain important and confidential information.
Enabling and disabling an FGA policy
Disabling an FGA policy means that the policy no longer produces audit records, that is, it stops auditing. You can resume auditing by enabling the policy again. A policy is enabled by default when it is created. The example shows how to enable and disable a policy. All arguments are required for both procedures.
Dropping an FGA policy
If you no longer need an FGA policy, you can remove it with DBMS_FGA.DROP_POLICY. All arguments are required.
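The policy lifecycle described above, written out as an added example (not the slide's code, which did not survive in this copy). The handler and policy names are the ones that appear on the page; the table secure.salary_alerts is hypothetical.

```sql
-- Hypothetical table the event handler writes to.
CREATE TABLE secure.salary_alerts (
  seen_at DATE, db_user VARCHAR2(30), obj VARCHAR2(61), policy VARCHAR2(30));

-- Event handler: FGA calls it with these three arguments when the policy fires.
CREATE OR REPLACE PROCEDURE secure.log_emps_salary (
  object_schema IN VARCHAR2,
  object_name   IN VARCHAR2,
  policy_name   IN VARCHAR2)
AS
BEGIN
  INSERT INTO secure.salary_alerts (seen_at, db_user, obj, policy)
  VALUES (SYSDATE, SYS_CONTEXT('USERENV', 'SESSION_USER'),
          object_schema || '.' || object_name, policy_name);
END;
/

-- Create the policy: audit statements that read hr.employees.salary.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema  => 'hr',
    object_name    => 'employees',
    policy_name    => 'audit_emps_salary',
    audit_column   => 'salary',
    handler_schema => 'secure',
    handler_module => 'log_emps_salary',
    enable         => TRUE);
END;
/

-- Pause auditing, then resume it.
BEGIN
  DBMS_FGA.DISABLE_POLICY(object_schema => 'hr', object_name => 'employees',
                          policy_name   => 'audit_emps_salary');
  DBMS_FGA.ENABLE_POLICY (object_schema => 'hr', object_name => 'employees',
                          policy_name   => 'audit_emps_salary', enable => TRUE);
END;
/

-- Review who can administer FGA; only administrators should appear here.
SELECT grantee FROM dba_tab_privs
WHERE  owner = 'SYS' AND table_name = 'DBMS_FGA' AND privilege = 'EXECUTE';

-- Remove the policy when it is no longer needed.
BEGIN
  DBMS_FGA.DROP_POLICY(object_schema => 'hr', object_name => 'employees',
                       policy_name   => 'audit_emps_salary');
END;
/
```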
DBA_FGA_AUDIT_TRAIL (continued)
Selecting from the FGA audit trail
The following example shows two audit records.
Example
SQL> COL timestamp FORMAT A10
SQL> COL db_user FORMAT A7
SQL> COL policy_name FORMAT A20
SQL> COL sql_bind FORMAT A20
SQL> COL sql_text FORMAT A60
SQL>
SQL> SELECT to_char(timestamp, 'YYMMDDHH24MI')
2 AS timestamp,
3 db_user,
4 policy_name,
5 sql_bind,
6 sql_text
7 FROM dba_fga_audit_trail;
TIMESTAMP DB_USER POLICY_NAME SQL_BIND
---------- ---------------------------------------------
SQL_TEXT
----------------------------------------------------------
0201221740 SYSTEM AUDIT_EMPS_SALARY #1(4):1000
SELECT count(*)
FROM hr.employees
WHERE department_id = 10
AND salary > :b1
0201221741 SYSTEM AUDIT_EMPS_SALARY
SELECT salary
FROM hr.employees
SQL>
1. Prevent the use of simple passwords
a) What profiles exist within the database?
b) Use Enterprise Manager to see what password restrictions are enforced by the default
profile?
c) Using SQL*Plus, connect to the database as sysdba and run the utlpwdmg.sql script
located in $ORACLE_HOME/rdbms/admin
SQL> connect / as sysdba
SQL> @?/rdbms/admin/utlpwdmg.sql
Function created.
Profile altered.
d) Using Enterprise Manager, view the changes made to the default profile by the
utlpwdmg.sql script. Note that:
- Passwords now expire every 60 days.
- If a user doesn't change his or her password within 10 days of expiration, the account will
be locked.
- Passwords may not be reused within 1800 days.
- After a user fails to provide the correct password within three consecutive login attempts
the account will automatically lock for one minute.
2. Edit the default profile so that users who fail to log in correctly four times in a row will
have their accounts locked for 10 minutes.
Practice 11-1 Overview: Database Security (Part 1) (continued)
3. Exempt the HR user from forced password changes.
a) Create a new profile called HRPROFILE using the default profile as a template.
b) Edit the new profile to make password expiration unlimited.
c) Assign user HR to the new profile.
d) If you were to drop the HRPROFILE what would happen to the HR user?
1. Nothing would happen to the HR user. The drop statement would fail
because the HRPROFILE cannot be dropped while a user is assigned to it.
2. The HR user would also be dropped.
3. The HRPROFILE would be dropped and the HR user would be unable to
log in until the administrator assigned a different profile.
4. The HR user would be automatically assigned the DEFAULT profile.
4. Audit unsuccessful attempts to connect to the database
a) Enable collection of audit information. Store the audit information in the database.
b) Begin collecting audit records for users who unsuccessfully attempt to log in.
c) Verify that unsuccessful attempts to connect to the database are captured.
d) Why did you have to restart the instance after changing the AUDIT_TRAIL initialization
parameter?
e) What would have happened if you had left AUDIT_TRAIL at its default setting of NONE?
Practice 11-2: Database Security (Part 2)
Background
You suspect that someone has been viewing and possibly changing employee salary data
without proper permission. Configure your database to detect unauthorized access to salary
data and capture any changes to salary information.
Tasks
- Audit select on the SALARY column of the EMPLOYEES table
- Audit changes to the SALARY column of the EMPLOYEES table. Capture:
  - old value
  - new value
  - which user made the change
  - what location the change was made from
1. Audit select on the salary column of the employees table. Because we only want to
capture audit information if someone selects the salary column we must use fine grained
auditing rather than standard database auditing.
Note: - is used to continue a statement on a new line in PL/SQL
a) Use the DBMS_FGA package to add a fine grained audit policy to HR's employees
table. Only capture audit information if someone reads the salary column.
b) Verify that only SELECT statements that include the salary column generate an audit
trail.
2. Audit changes to the salary column of the employees table. Because you want to
capture the old and new values rather than just the fact that a change happened, you must use
value-based auditing rather than standard database auditing. Remember that value-based
auditing is implemented through the use of database triggers.
a) Create a table called AUDIT_EMPLOYEES in the SYSTEM schema to hold information
captured through database auditing. Make the table a standard, heap-organized table with four
columns:
who varchar2(10)
event_date date
ipaddress varchar2(16)
what varchar2(2000)
b) Create a trigger to capture changes to the salary column.
Connect as user system
Run the script $HOME/LABS/hrsalarytrig.sql
SQL> connect system/manager@dba10g
Connected.
SQL> @$HOME/LABS/hrsalarytrig.sql
Trigger Created.
c) Verify that audit information about changes to the salary column are now captured.
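A value-based auditing trigger of the kind step 2 describes, as an added example; it is not the course's hrsalarytrig.sql, whose contents are not shown on the page. The trigger name hrsalary_audit is hypothetical, and the employee_id column and the row with employee_id 100 are assumed from the standard HR sample schema.

```sql
-- Run as SYSTEM. Table layout follows the four columns listed in step 2a.
CREATE TABLE system.audit_employees (
  who        VARCHAR2(10),
  event_date DATE,
  ipaddress  VARCHAR2(16),
  what       VARCHAR2(2000));

CREATE OR REPLACE TRIGGER system.hrsalary_audit
AFTER UPDATE OF salary ON hr.employees
FOR EACH ROW
BEGIN
  -- Record only real changes; NVL makes NULL-to-value changes comparable.
  IF NVL(:OLD.salary, -1) <> NVL(:NEW.salary, -1) THEN
    INSERT INTO system.audit_employees (who, event_date, ipaddress, what)
    VALUES (
      SUBSTR(SYS_CONTEXT('USERENV', 'SESSION_USER'), 1, 10),
      SYSDATE,
      -- IP_ADDRESS is NULL for local connections that do not use the listener.
      SUBSTR(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 1, 16),
      'employee_id ' || :OLD.employee_id ||
      ' salary ' || :OLD.salary || ' -> ' || :NEW.salary);
  END IF;
END;
/

-- Verification (constructed test): change one salary and read the audit row.
UPDATE hr.employees SET salary = salary + 1 WHERE employee_id = 100;

SELECT who, event_date, ipaddress, what
FROM   system.audit_employees
ORDER  BY event_date;

-- The audit row is part of the same transaction as the update, so this
-- ROLLBACK removes both the test change and its audit record.
ROLLBACK;
```

Because the insert shares the updating session's transaction, a rolled-back salary change leaves no audit row; that matches "capture changes" but means attempted changes are not recorded.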
LSNRCTL> STATUS
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 10.1.0.1.0 - Beta
Start Date 05-NOV-2003 15:48:08
Uptime 0 days 16 hr. 40 min. 2 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /oracle/product/ora10g/network/admin/listener.ora
Listener Log File /oracle/product/ora10g/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=rhel)(PORT=1521)))
Services Summary...
Service "dba10g" has 2 instance(s).
Instance "dba10g", status READY, has 1 handler(s) for this service...
Instance "dba10g", status UNKNOWN, has 1 handler(s) for this service...
Service "rhel" has 1 instance(s).
Instance "dba10g", status READY, has 1 handler(s) for this service...
The command completed successfully
The status information includes:
- Listener name and version
- When the listener was started and how long it has been running
- Locations of the configuration and log files
- Trace level and security status
- Listener address information, including host, port and protocol
The Oracle shared server architecture is an efficient model for process and memory use, but it may not be suitable for every connection. Because the common request queue and the dispatcher response queues are shared, shared servers may not work very efficiently when handling large amounts of data. Most administration tasks cannot be performed over a shared server connection, such as starting and stopping the instance, creating tablespaces or datafiles, maintaining indexes and tables, and analyzing statistics. A dedicated server should be chosen for all DBA sessions.