Database Management

Upload: ayhaneln3230

Post on 10-Apr-2018


  • 8/8/2019 Database Management

    1/93


    This document was created with Win2PDF available at http://www.daneprairie.com. The unregistered version of Win2PDF is for evaluation or non-commercial use only.


    Order Values: Ensures that sequence numbers are generated in order. This option is useful if you use the sequence values as timestamp information. Ordering is not important for sequences that generate primary keys.

    Cache Options: The number of sequence values kept in memory for faster access. This integer can have at most 28 digits. The minimum value for this parameter is 2. For cycling sequences, this value must be less than the number of values in the cycle.

    Using a Sequence

    You can access sequence values in SQL statements by using pseudocolumns:

    CURRVAL: Returns the current value of the sequence.
    NEXTVAL: Increments the sequence and returns the next value.

    You must use these two pseudocolumns together with the sequence name. The first reference to NEXTVAL returns the initial value of the sequence. On each later reference, NEXTVAL increments the sequence value and returns the new value. Every reference to CURRVAL returns the current value of the sequence.


    DBMS_OBFUSCATION_TOOLKIT: Encrypts data. In general, most users should not be given the privilege to encrypt data, because if the encryption key is not stored and managed securely, the encrypted data cannot be decrypted.

    These packages are very useful to the applications that need them, but they must be configured correctly for security. For this reason, unless they are required, you should revoke these privileges from PUBLIC and grant them only to individual users when needed.

    Listing objects executable by PUBLIC

    To see the list of objects that are owned by SYS and on which PUBLIC has the EXECUTE privilege, run this query:

    SQL> SELECT table_name
      2  FROM dba_tab_privs
      3  WHERE owner='SYS'
      4  AND privilege = 'EXECUTE'
      5  AND grantee='PUBLIC'
      6  /

    TABLE_NAME
    --------------------
    AGGXMLIMP
    AGGXMLINPUTTYPE
    ...
    XMLTYPEEXTRA
    XMLTYPEPI

    437 rows selected.

    SQL>
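One way to apply the revoke-and-regrant advice above to DBMS_OBFUSCATION_TOOLKIT, shown as an added example that is not part of the original course material. The grantee APP_OWNER is a hypothetical application schema.

```sql
-- 1. Before revoking, find code that relies on the PUBLIC grant.
--    References made through the public synonym are recorded against
--    owner PUBLIC, so both owners are checked.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_name  = 'DBMS_OBFUSCATION_TOOLKIT'
AND    referenced_owner IN ('SYS', 'PUBLIC')
AND    owner NOT IN ('SYS', 'PUBLIC')
ORDER  BY owner, name;

-- 2. Give each schema that legitimately needs the package a direct grant
--    (APP_OWNER is a hypothetical schema name).
GRANT EXECUTE ON sys.dbms_obfuscation_toolkit TO app_owner;

-- 3. Remove the blanket grant.
REVOKE EXECUTE ON sys.dbms_obfuscation_toolkit FROM PUBLIC;

-- 4. Confirm the PUBLIC grant is gone (this should return no rows).
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_OBFUSCATION_TOOLKIT'
AND    grantee    = 'PUBLIC';

-- 5. Look for objects the revoke invalidated; any hit means a dependent
--    schema was missed in step 2.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, object_name;
```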


    Password aging and expiration

    With PASSWORD_GRACE_TIME, the database administrator can set a grace period that begins at the first successful login after the password has expired and that represents the maximum number of days that may pass before the password is changed. The user receives a warning at every login attempt, and if the password is not changed by the specified time, the account is locked after PASSWORD_GRACE_TIME has elapsed.

    Note: If the account is an application account (one that cannot be accessed with SQL*Plus), the application can enable changing the password before it expires. Most DBAs assign a separate profile to application user accounts. A user account can also be expired manually.

    SQL> ALTER USER hr PASSWORD EXPIRE;
    User altered.
    SQL> CONNECT hr/hr
    ERROR: ORA-28001: the password has expired
    Changing password for hr
    New password: ********
    Retype new password: ********
    Password changed


    Password History

    Password history prevents the same password from being reused for a specified period. This check can be configured with the following parameters:

    PASSWORD_REUSE_TIME: The password cannot be reused for the number of days given by this parameter.

    PASSWORD_REUSE_MAX: The number of times the password must be changed before the current password can be reused.

    These two parameters are mutually exclusive, so if a value is assigned to one of them, the other must be set to UNLIMITED.


    Password verification

    Before a new password is assigned to a user, a PL/SQL function verifies whether the password is valid. Oracle provides a default password verification script, $ORACLE_HOME/rdbms/admin/utlpwdmg.sql, or the database administrator can write a PL/SQL function that meets their own specific requirements.

    In addition, custom password verification functions can be used by declaring their input parameters as follows:

    function_name(userid_parameter IN VARCHAR2,
                  password_parameter IN VARCHAR2,
                  old_password_parameter IN VARCHAR2)
    RETURN BOOLEAN

    If the password function raises an exception or becomes invalid, an error message is returned and the ALTER USER or CREATE USER command is terminated.


    Password verification function: VERIFY_FUNCTION

    Oracle provides a complexity function named VERIFY_FUNCTION. This function can be created with the $ORACLE_HOME/rdbms/admin/utlpwdmg.sql script. The password verification function must be created in the SYS schema. In addition to creating VERIFY_FUNCTION, the utlpwdmg script also changes the DEFAULT profile with the following ALTER PROFILE command:

    ALTER PROFILE default LIMIT
    PASSWORD_LIFE_TIME 60
    PASSWORD_GRACE_TIME 10
    PASSWORD_REUSE_TIME 1800
    PASSWORD_REUSE_MAX UNLIMITED
    FAILED_LOGIN_ATTEMPTS 3
    PASSWORD_LOCK_TIME 1/1440
    PASSWORD_VERIFY_FUNCTION verify_function;
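A custom verification function with the three-argument signature described above, attached to a separate profile for application accounts. This is an added example, not the contents of utlpwdmg.sql or code from the original material; the names APP_VERIFY_FUNCTION and APP_ACCOUNTS and all thresholds are assumptions.

```sql
-- Created in the SYS schema, as the text requires for verification functions.
-- APP_VERIFY_FUNCTION and its thresholds are hypothetical.
CREATE OR REPLACE FUNCTION sys.app_verify_function (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2)
RETURN BOOLEAN
IS
  differ PLS_INTEGER;
BEGIN
  IF password IS NULL OR LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;

  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the user name');
  END IF;

  IF NOT (REGEXP_LIKE(password, '[[:alpha:]]')
          AND REGEXP_LIKE(password, '[[:digit:]]')
          AND REGEXP_LIKE(password, '[[:punct:]]')) THEN
    raise_application_error(-20003,
      'Password needs a letter, a digit and a punctuation character');
  END IF;

  -- old_password is NULL when an administrator sets the password without
  -- supplying the old one, so the difference check runs only when it is known.
  IF old_password IS NOT NULL THEN
    differ := ABS(LENGTH(password) - LENGTH(old_password));
    FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
      IF SUBSTR(password, i, 1) != SUBSTR(old_password, i, 1) THEN
        differ := differ + 1;
      END IF;
    END LOOP;
    IF differ < 4 THEN
      raise_application_error(-20004,
        'Password must differ from the old one in at least 4 positions');
    END IF;
  END IF;

  RETURN TRUE;
END;
/

-- Separate profile for application accounts (APP_ACCOUNTS is hypothetical).
-- PASSWORD_REUSE_TIME is set, so PASSWORD_REUSE_MAX stays UNLIMITED.
CREATE PROFILE app_accounts LIMIT
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      10
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       UNLIMITED
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24
  PASSWORD_VERIFY_FUNCTION app_verify_function;

ALTER USER hr PROFILE app_accounts;
```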


    The audit record contains the FGA policy and the SQL statement that was executed.

    The event handler is specified with two arguments:

    - The schema that contains the PL/SQL program unit
    - The name of the PL/SQL program unit

    The example on the slide runs the SECURE.LOG_EMPS_SALARY procedure by using these two parameters:

    handler_schema => 'secure'
    handler_module => 'log_emps_salary'

    Status

    Shows the status of the FGA policy (enabled/disabled). The status can be changed with this parameter:

    enable => TRUE

    DBMS_FGA Package

    The DBMS_FGA package is the administration tool for the fine-grained auditing functions. The EXECUTE privilege on DBMS_FGA is required, and it should be granted only to administrators, because it may contain important and confidential information.

    Enabling and disabling an FGA policy

    Disabling an FGA policy means that the policy does not generate audit records, that is, it does not audit. You can start auditing again by re-enabling it. By default, a policy is enabled when it is created. The example shows how to enable and disable a policy. All arguments are required for both procedures.

    Dropping an FGA policy

    If you no longer need an FGA policy, you can remove it with DBMS_FGA.DROP_POLICY. All arguments are required.
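The policy lifecycle described above, from handler to drop, as an added example that is not part of the original slides. It reuses the names visible on this page (HR.EMPLOYEES, AUDIT_EMPS_SALARY, SECURE.LOG_EMPS_SALARY); the log table SALARY_ACCESS_LOG, the audit condition and the audit column are assumptions.

```sql
-- Log table for the handler (SALARY_ACCESS_LOG is a hypothetical name).
CREATE TABLE secure.salary_access_log (
  logged_at  DATE,
  db_user    VARCHAR2(30),
  fga_policy VARCHAR2(30),
  sql_text   VARCHAR2(4000));

-- Event handler: FGA calls it with these three arguments.
CREATE OR REPLACE PROCEDURE secure.log_emps_salary (
  object_schema IN VARCHAR2,
  object_name   IN VARCHAR2,
  policy_name   IN VARCHAR2)
AS
BEGIN
  -- CURRENT_SQL is populated only inside an FGA event handler.
  INSERT INTO secure.salary_access_log
  VALUES (SYSDATE,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          policy_name,
          SYS_CONTEXT('USERENV', 'CURRENT_SQL'));
END;
/

-- Create the policy, enabled from the start.
-- audit_condition and audit_column are assumed values.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'hr',
    object_name     => 'employees',
    policy_name     => 'audit_emps_salary',
    audit_condition => 'department_id = 10',
    audit_column    => 'salary',
    handler_schema  => 'secure',
    handler_module  => 'log_emps_salary',
    enable          => TRUE);
END;
/

-- Disable and re-enable: each call names schema, object and policy.
BEGIN
  DBMS_FGA.DISABLE_POLICY(
    object_schema => 'hr', object_name => 'employees',
    policy_name   => 'audit_emps_salary');
  DBMS_FGA.ENABLE_POLICY(
    object_schema => 'hr', object_name => 'employees',
    policy_name   => 'audit_emps_salary', enable => TRUE);
END;
/

-- Confirm the policy state before relying on it.
SELECT policy_name, policy_column, enabled
FROM   dba_audit_policies
WHERE  object_schema = 'HR' AND object_name = 'EMPLOYEES';

-- Drop the policy once it is no longer needed.
BEGIN
  DBMS_FGA.DROP_POLICY(
    object_schema => 'hr', object_name => 'employees',
    policy_name   => 'audit_emps_salary');
END;
/
```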


    DBA_FGA_AUDIT_TRAIL (continued)

    Selecting from the FGA audit trail

    The following example shows two audit records.

    Example

    SQL> COL timestamp FORMAT A10
    SQL> COL db_user FORMAT A7
    SQL> COL policy_name FORMAT A20
    SQL> COL sql_bind FORMAT A20
    SQL> COL sql_text FORMAT A60
    SQL>
    SQL> SELECT to_char(timestamp, 'YYMMDDHH24MI')
      2  AS timestamp,
      3  db_user,
      4  policy_name,
      5  sql_bind,
      6  sql_text
      7  FROM dba_fga_audit_trail;

    TIMESTAMP DB_USER POLICY_NAME SQL_BIND
    ---------- ---------------------------------------------
    SQL_TEXT
    ----------------------------------------------------------
    0201221740 SYSTEM AUDIT_EMPS_SALARY #1(4):1000
    SELECT count(*)
    FROM hr.employees
    WHERE department_id = 10
    AND salary > :b1

    0201221741 SYSTEM AUDIT_EMPS_SALARY
    SELECT salary
    FROM hr.employees

    SQL>


    1. Prevent the use of simple passwords

    a) What profiles exist within the database?

    b) Use Enterprise Manager to see what password restrictions are enforced by the default profile.

    c) Using SQL*Plus, connect to the database as sysdba and run the utlpwdmg.sql script located in $ORACLE_HOME/rdbms/admin

    SQL> connect / as sysdba
    SQL> @?/rdbms/admin/utlpwdmg.sql
    Function created.
    Profile altered.

    d) Using Enterprise Manager, view the changes made to the default profile by the utlpwdmg.sql script. Note that:

    - Passwords now expire every 60 days.
    - If a user doesn't change his or her password within 10 days of expiration, the account will be locked.
    - Passwords may not be reused within 1800 days.
    - After a user fails to provide the correct password within three consecutive login attempts, the account will automatically lock for one minute.

    2. Edit the default profile so that users who fail to log in correctly four times in a row will have their accounts locked for 10 minutes.


    Practice 11-1 Overview: Database Security (Part 1) (continued)

    3. Exempt the HR user from forced password changes.

    a) Create a new profile called HRPROFILE using the default profile as a template.

    b) Edit the new profile to make password expiration unlimited.

    c) Assign user HR to the new profile.

    d) If you were to drop the HRPROFILE what would happen to the HR user?

    1. Nothing would happen to the HR user. The drop statement would fail because the HRPROFILE cannot be dropped while a user is assigned to it.
    2. The HR user would also be dropped.
    3. The HRPROFILE would be dropped and the HR user would be unable to log in until the administrator assigned a different profile.
    4. The HR user would be automatically assigned the DEFAULT profile.

    4. Audit unsuccessful attempts to connect to the database

    a) Enable collection of audit information. Store the audit information in the database.

    b) Begin collecting audit records for users who unsuccessfully attempt to log in.

    c) Verify that unsuccessful attempts to connect to the database are captured.

    d) Why did you have to restart the instance after changing the AUDIT_TRAIL initialization parameter?

    e) What would have happened if you had left AUDIT_TRAIL at its default setting of NONE?


    Practice 11-2: Database Security (Part 2)

    Background

    You suspect that someone has been viewing and possibly changing employee salary data without proper permission. Configure your database to detect unauthorized access to salary data and capture any changes to salary information.

    Tasks

    - Audit select on the SALARY column of the EMPLOYEES table
    - Audit changes to the SALARY column of the EMPLOYEES table. Capture:
      - old value
      - new value
      - which user made the change
      - what location the change was made from

    1. Audit select on the salary column of the employees table. Because we only want to capture audit information if someone selects the salary column, we must use fine-grained auditing rather than standard database auditing.

    Note: "-" is used to continue a statement on a new line in PL/SQL

    a) Use the DBMS_FGA package to add a fine-grained audit policy to HR's employees table. Only capture audit information if someone reads the salary column.

    b) Verify that only SELECT statements that include the salary column generate an audit trail.

    2. Audit changes to the salary column of the employees table. Because you want to capture the old and new values rather than just the fact that a change happened, you must use value-based auditing rather than standard database auditing. Remember that value-based auditing is implemented through the use of database triggers.

    a) Create a table called AUDIT_EMPLOYEES in the SYSTEM schema to hold information captured through database auditing. Make the table a standard, heap-organized table with four columns:

    who varchar2(10)
    event_date date
    ipaddress varchar2(16)
    what varchar2(2000)

    b) Create a trigger to capture changes to the salary column.

    Connect as user system

    Run the script $HOME/LABS/hrsalarytrig.sql

    SQL> connect system/manager@dba10g


    Connected.
    SQL> @$HOME/LABS/hrsalarytrig.sql
    Trigger Created.

    c) Verify that audit information about changes to the salary column is now captured.
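What a value-based auditing trigger for this task can look like, as an added example; it is not the contents of hrsalarytrig.sql, which this page does not show. The table follows the four columns listed in step 2a; the trigger name HRSALARY_AUDIT and the employee_id used in the check are assumptions.

```sql
-- Audit table with the four columns listed in the task.
CREATE TABLE system.audit_employees (
  who        VARCHAR2(10),
  event_date DATE,
  ipaddress  VARCHAR2(16),
  what       VARCHAR2(2000));

-- HRSALARY_AUDIT is a hypothetical trigger name.
CREATE OR REPLACE TRIGGER system.hrsalary_audit
  AFTER UPDATE OF salary ON hr.employees
  FOR EACH ROW
BEGIN
  -- A plain != comparison yields NULL when either side is NULL, so
  -- changes to or from NULL are tested explicitly.
  IF :old.salary != :new.salary
     OR (:old.salary IS NULL AND :new.salary IS NOT NULL)
     OR (:old.salary IS NOT NULL AND :new.salary IS NULL)
  THEN
    INSERT INTO system.audit_employees (who, event_date, ipaddress, what)
    VALUES (
      -- SUBSTR keeps long user names and addresses within the column sizes.
      SUBSTR(SYS_CONTEXT('USERENV', 'SESSION_USER'), 1, 10),
      SYSDATE,
      -- IP_ADDRESS is NULL for local (non-network) sessions.
      SUBSTR(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 1, 16),
      'employee_id ' || :new.employee_id ||
      ' salary ' || NVL(TO_CHAR(:old.salary), 'NULL') ||
      ' -> '     || NVL(TO_CHAR(:new.salary), 'NULL'));
  END IF;
END;
/

-- Check: change one salary, then read the trail (employee_id 200 is a
-- sample value). The audit row belongs to the same transaction as the
-- UPDATE, so the ROLLBACK below removes it together with the change.
UPDATE hr.employees SET salary = salary * 1.1 WHERE employee_id = 200;
SELECT who, event_date, ipaddress, what FROM system.audit_employees;
ROLLBACK;
```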


    LSNRCTL> STATUS
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for Linux: Version 10.1.0.1.0 - Beta
    Start Date                05-NOV-2003 15:48:08
    Uptime                    0 days 16 hr. 40 min. 2 sec
    Trace Level               off
    Security                  ON: Local OS Authentication
    SNMP                      OFF
    Listener Parameter File   /oracle/product/ora10g/network/admin/listener.ora
    Listener Log File         /oracle/product/ora10g/network/log/listener.log
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=rhel)(PORT=1521)))
    Services Summary...
    Service "dba10g" has 2 instance(s).
      Instance "dba10g", status READY, has 1 handler(s) for this service...
      Instance "dba10g", status UNKNOWN, has 1 handler(s) for this service...
    Service "rhel" has 1 instance(s).
      Instance "dba10g", status READY, has 1 handler(s) for this service...
    The command completed successfully

    The status information includes:

    - The listener name and version
    - When the listener was started and how long it has been running
    - The locations of the configuration and log files
    - The trace level and security status
    - Listener address information, including the host, port, and protocol services


    The Oracle shared server architecture is an efficient model for process and memory usage, but it may not be suitable for every connection. Because the common request queue and the dispatcher response queues are shared, shared servers may not work very efficiently when handling large amounts of data. Most administration tasks cannot be performed over a shared server connection. These include starting up and shutting down the instance, creating tablespaces or data files, maintaining indexes and tables, and analyzing statistics. A dedicated server should be chosen for all DBA sessions.