当前位置:网站首页>What about data leakage? " Watson k'7 moves to eliminate security threats
What about data leakage? " Watson k'7 moves to eliminate security threats
2022-07-05 13:33:00 【Ink Sky Wheel】
Welcome to the morning news of Xihong radio :
T The company system is 3 month 18 The Japanese were attacked by cyber crime , The data of millions of customers and potential customers has been leaked .
C Research Institute in 4 month 29 Daily report , One contains about 3500 The mysterious marketing database of 10000 personal details was leaked on the Internet , There is no password .
......
Frequent security incidents
How to do data security ?
Seek medical advice
Jincang KES Bring new vitality !
However , in the light of KingbaseES Database security scheme , Caixiao x There are still some doubts :
Seven questions and seven answers
Jincang KES Build a solid shield of enterprise data security !
One question : anti-phishing
User identification and authentication
KingbaseES The default password encryption algorithm is SCRAM-SHA-256. It is according to RFC 7677 The description in SCRAM-SHA-256 authentication , It can prevent password sniffing on untrusted connections and support storing passwords in an encrypted hash on the server .
KingbaseES The user information and password of the database are stored in a file named sys_authid In the data sheet of . Here are KES Encryption form of password in database ,sys_authid Tabular rolpassword The field shows the encrypted key :
test=# select usename,passwd from sys_user where usename in('system','sao','sso');
usename | passwd
---------+----------
system | ********
sao | ********
sso | ********
(3 rows )
alter system set passwordcheck.enable=on;
alter system set passwordcheck.password_length = 10;
alter system set passwordcheck.password_condition_letter = 3;
alter system set passwordcheck.password_condition_digit = 3;
alter system set passwordcheck.password_condition_punct = 1;
select sys_reload_conf();
alter system set sys_audlog.max_error_user_connect_times = 10;
alter system set sys_audlog.error_user_connect_times = 6;
alter system set sys_audlog.error_user_connect_interval = 60;
select sys_reload_conf();
[test@4-34 bin]$ ./ksql test -U testu1 -p 54324 -h 127.0.0.1
user testu1 The password of :
[test@4-34 bin]$ ./ksql test -U testu1 -p 54324 -W -h 127.0.0.1
password :
ksql: error : Can't connect to the server : Fatal error : password authentication failed for user "testu1"
NOTICE: This is the 2 login failed. There are 4 left.
[test@4-34 bin]$ ./ksql test -U testu1 -p 54324 -W -h 127.0.0.1
password :
ksql: error : Can't connect to the server : Fatal error : password authentication failed for user "testu1"
NOTICE: This is the 3 login failed. There are 3 left.
[test@4-34 bin]$ ./ksql test -U testu1 -p 54324 -W -h 127.0.0.1
password :
ksql: error : Can't connect to the server : Fatal error : password authentication failed for user "testu1"
NOTICE: This is the 4 login failed. There are 2 left.
[test@4-34 bin]$ ./ksql test -U testu1 -p 54324 -W -h 127.0.0.1
password :
ksql: error : Can't connect to the server : Fatal error : password authentication failed for user "testu1"
NOTICE: This is the 5 login failed. There are 1 left.
[test@4-34 bin]$ ./ksql test -U testu1 -p 54324 -W -h 127.0.0.1
password :
ksql: error : Can't connect to the server : Fatal error : The user "testu1" is locked.please wait 60 minutes to retry
Access control
-- System permissions are actually some attribute permissions specified when creating users
--system
-- to grant authorization
create user u1 with superuser;
-- or
alter user u1 with superuser;
create user u2 with createrole;
-- or
alter user u2 with createrole;
create user u3 with login;
-- or
alter user u3 with login;
create user u4 with createdb;
-- or
alter user u4 with createdb;
-- The list is incomplete , You can see create user/alter user sentence .
-- revoke
alter user u1 with nosuperuser;
alter user u2 with nocreaterole;
alter user u3 with nologin;
alter user u4 with nocreatedb;
-- Object permissions are permissions that exist on database objects
-- Get ready
--system
create user u1;
create user u2;
--u1
\c test u1
create table testu1(id int);
insert into testu1 values(123);
--u2
\c test u2
select * from testu1; --error
-- to grant authorization
--u1
\c test u1
-- Column level permissions
grant select(id) on testu1 to u2;
-- Table level permissions
grant select all on testu1 to u2;
--u2
\c test u2
select id from test; -- success
select * from test; -- success
-- revoke
revoke select(id) on testu1 from u2;
revoke select all on testu1 from u2;
Two questions : tamper-proof
Three questions : Prevent information leakage
Transparent storage encryption
create tablespace ts location '/home/kingbase/ts' with(encryption = true, enckey ='k1eyenc2');
--encryption: Identify that the current table space is an encrypted table space
--enckey: User defined table space encryption key
--sysencrypt.encrypt_user_tablespace
-- This parameter belongs to the encryption plug-in ,true The table space created for is encrypted by default ,false Then close this parameter
-- How to confirm whether the data is encrypted
-- First, confirm the physical file location of the encrypted object where the data is located
-- Example :
select oid,relname, relfilenode from sys_class where relname = 'test';
-- Then according to this statement, the query relfilenode No. find the location of the physical file , or
select sys_relation_filepath(sys_relation_filenode('test'));
-- Find the specific location of the data file
--hexdump -c If the database file is compared with other plaintext files, it is obvious that the data is encrypted , Are some invisible characters or garbled , Prove encryption successful .
Four questions : Non repudiation
Audit
-- Database auditors SET statement level audit rules , The audit type is select table sentence , The audit user is the database administrator system, The audit object is public Mode of tab1
select sysaudit.set_audit_stmt('select table','system','public','tab1');
-- The database security officer sets object level audit rules , The audit type is table object , Audit users are ordinary users user1, The audit object is public Mode of tab2
select sysaudit.set_audit_object('table','user1','public','tab2');
-- Database auditors need to query views sysaudit_record_sao, You can view super users ( Including database administrators system) And the audit log of the database security officer
select * from sysaudit_record_sao;
-- The database security officer needs to query the view sysaudit_record_sso, You can view the audit logs of ordinary users and database auditors
select * from sysaudit_record_sso;
Five questions : Prevent privilege escalation
Separation of powers
\c test system
alter user sao rename to sao2;
alter user sso rename to sso2;
\du
select * from sys_authid;
Six questions : Anti denial of service
Seven questions : Safety qualification
Conclusion
KingbaseES It is a self-developed high security database product , Through the new structured system design and enhanced diversified mandatory access control model framework , Several high-level security features have been developed , And complete implementation, including the separation of privileges 、 Identification 、 Diversified access control 、 User data protection 、 Technical and functional requirements of all structured protection levels including audit .KingbaseES Defense in depth , Escort database security !
END
边栏推荐
- Although the volume and price fall, why are the structural deposits of commercial banks favored by listed companies?
- Win10 - lightweight gadget
- CAN和CAN FD
- "Baidu Cup" CTF competition in September, web:upload
- Idea设置方法注释和类注释
- Don't know these four caching modes, dare you say you understand caching?
- mysql econnreset_Nodejs 套接字报错处理 Error: read ECONNRESET
- 时钟周期
- How to choose note taking software? Comparison and evaluation of notion, flowus and WOLAI
- RHCSA8
猜你喜欢
[deep learning paper notes] hnf-netv2 for segmentation of brain tumors using multimodal MR imaging
一网打尽异步神器CompletableFuture
Word document injection (tracking word documents) incomplete
Mmseg - Mutli view time series data inspection and visualization
"Baidu Cup" CTF competition in September, web:sql
[深度学习论文笔记]TransBTSV2: Wider Instead of Deeper Transformer for Medical Image Segmentation
Godson 2nd generation burn PMON and reload system
redis6事务和锁机制
Interviewer soul torture: why does the code specification require SQL statements not to have too many joins?
stm32逆向入门
随机推荐
Jenkins installation
Binder通信过程及ServiceManager创建过程
go 指针
Word document injection (tracking word documents) incomplete
【MySQL 使用秘籍】一网打尽 MySQL 时间和日期类型与相关操作函数(三)
Cloudcompare - point cloud slice
leetcode 10. Regular Expression Matching 正则表达式匹配 (困难)
redis6事务和锁机制
一文详解ASCII码,Unicode与utf-8
French scholars: the explicability of counter attack under optimal transmission theory
Solve the problem of "unable to open source file" xx.h "in the custom header file on vs from the source
Resttemplate details
Although the volume and price fall, why are the structural deposits of commercial banks favored by listed companies?
Huawei push service content, read notes
一网打尽异步神器CompletableFuture
【服务器数据恢复】某品牌服务器存储raid5数据恢复案例
restTemplate详解
通讯录(链表实现)
【Hot100】34. Find the first and last positions of elements in a sorted array
“百度杯”CTF比赛 九月场,Web:SQL