1. RULE_SET概念
规则集(RULE_SET)是由多个规则组成(RULE),当所有的规则为TRUE时,规则集才为TRUE。规则集为访问Realm内的业务对象,或执行Command rule定义的命令时进行条件限制。

2. 创建、删除RULE_SET
目的:测试alertsystem命令只允许在服务器上操作,不允许远程客户端操作
创建rule_set(规则集)
begin
DVSYS.DBMS_MACADM.CREATE_RULE_SET(
rule_set_name =>'Access_From_Local',
description => 'limit altersystem operation only from local',
enabled => 'Y',
eval_options => DVSYS.DBMS_MACUTL.g_ruleset_eval_all, -- 全部为真
audit_options =>DVSYS.DBMS_MACUTL.g_ruleset_audit_fail, -- 失败时审计
fail_options => DVSYS.DBMS_MACUTL.g_ruleset_fail_show, -- 显示错误消息
fail_message => 'RestrictedCommand', -- 错误消息
fail_code => -20001,
handler_options => 0,
handler => null);
commit;
end;
/
删除rule_set
EXEC DVSYS.DBMS_MACADM.DELETE_RULE_SET('Access_From_Local');
3. 创建、删除RULE
创建RULE(规则)
begin
DVSYS.DBMS_MACADM.CREATE_RULE(
rule_name => 'ip_limit',
rule_expr => 'sys_context(''userenv'',''ip_address'')=''127.0.0.1'' or sys_context(''userenv'',''ip_address'')is null'); -- 规则表达式
commit;
end;
/
删除RULE
exec DVSYS.DBMS_MACADM.DELETE_RULE('ip_limit');
4. 向规则集添加、删除规则
向规则集添加规则
begin
DVSYS.DBMS_MACADM.add_rule_to_rule_set(
rule_set_name=> 'Access_From_Local',
rule_name => 'ip_limit');
commit;
end;
/
从规则集删除规则
begin
DVSYS.DBMS_MACADM.delete_rule_from_rule_set(
rule_set_name=> 'Access_From_Local',
rule_name => 'ip_limit');
end;
/
SQL>select rule_set_name,rule_name,enabled,rule_order, rule_expr
2 fromDBA_DV_RULE_SET_RULE
3 where rule_set_name='Access_From_Local';
RULE_SET_NAME RULE_NAME ENABLED RULE_ORDER RULE_EXPR
------------------------------ ------- ---------- --------------------------------------------------------------------------------
Access_From_Local ip_limit Y 1 sys_context('userenv','ip_address')='127.0.0.1' or sys_context('userenv','ip_ad
5. 修改命令集关联的规则集
-- ALTERSYSTEM命令集是系统默认定义,已存在
-- 该命令集对应在系统上发出alter system set open_cursors=500 等此类改变系统参数的命令。
-- select * fromdba_dv_command_rule r where r.command = 'ALTER SYSTEM';
begin
DVSYS.DBMS_MACADM.update_command_rule(
command => 'ALTER SYSTEM',
rule_set_name=> 'Access_From_Local',
object_owner => '%',
object_name => '%',
enabled => 'Y');
end;
/
6. 测试:
远程客户端:
SQL>alter system set open_cursors = 500;
altersystem set open_cursors = 500
ORA-01031:insufficient privileges
服务器本地客户端:
SQL>conn / as sysdba
Connected.
SQL>alter system set open_cursors = 500;
Systemaltered.
7. 访问Relam时使用Rule_Set
在访问Relam时,是由DVSYS.DBMS_MACADM.add_auth_to_realm添加授权,在该方法上可以设置Rule_Set。这里拿前面已定义的auth来进行修改。
SQL>SELECT * FROM DBA_DV_REALM_AUTH R WHERE R.realm_name = 'SCOTT_REALM';
REALM_NAME GRANTEE AUTH_RULE_SET_NAME AUTH_OPTIONS
------------- ---------------------------- --------------
SCOTT_REALM SYSTEM Participant
SCOTT_REALM SCOTT Owner
begin
DVSYS.DBMS_MACADM.update_realm_auth(
realm_name => 'SCOTT_REALM',
grantee => 'SYSTEM',
rule_set_name => 'Access_From_Local',
auth_options =>DVSYS.DBMS_MACUTL.g_realm_auth_participant);
end;
/
如此SYSTEM用户只能在服务器上访问SCOTT_REALM内的对象了
SQL>select * from scott.emp;
select* from scott.emp
ORA-47306:18446744073709531615: Restricted Command
8. 相关视图
DBA_DV_RULE_SET
DBA_DV_RULE
DBA_DV_RULE_SET_RULE
DBA_DV_COMMAND_RULE
DBA_DV_REALM_AUTH
本文介绍了Oracle Database Vault的Rule_Set概念,用于限制特定命令和访问Realm内对象。通过创建、删除Rule_Set和Rule,设置条件限制,确保如ALTER SYSTEM命令只能在服务器本地执行。同时,展示了如何将Rule_Set应用到Realm授权,增强数据库安全性。
4万+

被折叠的 条评论
为什么被折叠?



