使用ACFS Security & Encryption时应该注意的几个问题
1、 Encryption属性设置注意事项:
所有的Encryption设置类的操作必须在root或者文件owner用户下进行,不能在Security Administrator用户下进行
--init完之后,为/acfs3设置一个统一的Encryption算法,设置完成后加密处于关闭状态
root[C1] @ora12c1:/acfs3/dircd>acfsutil encr set -m /acfs3 -a AES -k 128
FS-level encryption parameters have been set to:
Algorithm (AES 128-bit), Key length (16 bytes)
root@ora12c1:/acfs3/dircd>acfsutil encr info -m /acfs3
File system: /acfs3
Encryption status: OFF
Algorithm: AES 128-bits
Key length: 16 bytes
--设置Encryption之前在/acfs3里已存在的文件不进行加密:
root@ora12c1:/acfs3/dircd>acfsutil encr info -m /acfs3 -r /acfs3
Path: /acfs3
Encryption status: OFF
Path: /acfs3/dircd
Encryption status: OFF
Path: /acfs3/dircd/dd
Encryption status: OFF
Path: /acfs3/dircd/dnsmasq.conf
Encryption status: OFF
Path: /acfs3/dircd/dracut.conf
Encryption status: OFF
Path: /acfs3/dircd/dirc
Encryption status: OFF
Path: /acfs3/dircd/dirc/cas.conf
Encryption status: OFF
Path: /acfs3/dircd/dirc/cron.deny
Encryption status: OFF
Path: /acfs3/dircd/dirc/crontab
Encryption status: OFF
--设置Encryption之后在/acfs3里新建的文件也不进行加密:
root@ora12c1:/acfs3>touch cc
root@ora12c1:/acfs3>acfsutil encr info -m /acfs3 /acfs3/cc
Path: /acfs3/cc
Encryption status: OFF
--为/acfs3/dirb这个目录及下面的文件设置192bit不同于FS层的Encryption
root@ora12c1:/acfs3/dircd>acfsutil encr on -m /acfs3 -a AES -k 192 -r /acfs3/dirb
Using user-provided parameters: algorithm (AES), key length (24 bytes)
Encrypting (/acfs3/dirb)... done.
Encrypting (/acfs3/dirb/bashrc)... done.
root@ora12c1:/acfs3/dircd>acfsutil encr info -m /acfs3 -r /acfs3/dirb
Path: /acfs3/dirb
Encryption status: ON
Algorithm: AES 192-bits
Key length: 24 bytes
Path: /acfs3/dirb/bashrc
Encryption status: ON
Algorithm: AES 192-bits
Key length: 24 bytes
--在[C2] /acfs3层面打开Encrytion开关,除/acfs3/dirb外的其它文件才开始使用了128bit的算法进行加密,/acfs3/dirb依然使用前一步设置的192bit加密算法
root@ora12c1:/acfs3>acfsutil encr on -m /acfs3
Encryption has been enabled on (/acfs3)
Encrypting (/acfs3/dircd)... done.
Encrypting (/acfs3/dircd/dd)... done.
Encrypting (/acfs3/dircd/dnsmasq.conf)... done.
Encrypting (/acfs3/dircd/dracut.conf)... done.
Encrypting (/acfs3/dircd/dirc)... done.
Encrypting (/acfs3/dircd/dirc/cas.conf)... done.
Encrypting (/acfs3/dircd/dirc/cron.deny)... done.
Encrypting (/acfs3/dircd/dirc/crontab)... done.
Encrypting (/acfs3/dircd/dirc/crypttab)... done.
Encrypting (/acfs3/dircd/dirc/csh.cshrc)... done.
Encrypting (/acfs3/dircd/dirc/csh.login)... done.
Encrypting (/acfs3/dira)... done.
Encrypting (/acfs3/dira/adjtime)... done.
Encrypting (/acfs3/dira/aliases.db)... done.
Encrypting (/acfs3/dira/anacrontab)... done.
Encrypting (/acfs3/dira/anthy-conf)... done.
Encrypting (/acfs3/dira/asound.conf)... done.
Encrypting (/acfs3/dira/aliases)... done.
Encrypting (/acfs3/dira/autofs_ldap_auth.conf)... done.
Encrypting (/acfs3/dira/auto.master)... done.
Encrypting (/acfs3/dira/.auto.misc.swp)... done.
Encrypting (/acfs3/dira/.auto.misc.swx)... done.
Encrypting (/acfs3/dira/.auto.smb.swp)... done.
Encrypting (/acfs3/dira/.auto.smb.swx)... done.
Encrypting (/acfs3/dira/.abc.txt.swp)... done.
Encrypting (/acfs3/dira/.abc.txt.swx)... done.
Encrypting (/acfs3/dira/.auto.net.swp)... done.
Encrypting (/acfs3/dira/.auto.net.swx)... done.
Encrypting (/acfs3/dirb)... File is already encrypted
Encrypting (/acfs3/dirb/bashrc)... File is already encrypted
Encrypting (/acfs3/.Security)... done.
Open failed for /acfs3/.Security/backup
Encrypting (/acfs3/.Security/realm)... done.
Open failed for /acfs3/.Security/realm/logs
Encrypting (/acfs3/.Security/encryption)... done.
Encrypting (/acfs3/.Security/encryption/logs)... done.
Encrypting (/acfs3/.Security/encryption/logs/encr-ora12c2-727777111.log)... done.
Encrypting (/acfs3/.Security/encryption/logs/encr-ora12c1-727777111.log)... done.
Encrypting (/acfs3/enscript.cfg)... done.
Encrypting (/acfs3/environment)... done.
Encrypting (/acfs3/ethers)... done.
Encrypting (/acfs3/exports)... done.
Encrypting (/acfs3/cc)... done.
2、 文件或目录的是否加密的属性取决于其所在的域属性
--创建一个不加密的域
acfsadm1@ora12c1:/home/acfsadm1>acfsutil sec realm create encrealm1 -m /acfs3 -e off -o enable
acfsadm1@ora12c1:/home/acfsadm1>acfsutil sec info -m /acfs3 -n encrealm1
ACFS Security administrator password:
Realm status: ENABLED
Users present in realm 'encrealm1' are as follows :
Groups present in realm 'encrealm1' are as follows :
Filters present in realm 'encrealm1' are as follows :
Encryption status : OFF
Realm description : ''
--/acfs3/dirb的加密属性
acfsadm1@ora12c1:/acfs3>acfsutil encr info -m /acfs3 -r /acfs3/dirb
Path: /acfs3/dirb
Encryption status: ON
Algorithm: AES 192-bits
Key length: 24 bytes
Path: /acfs3/dirb/bashrc
Encryption status: ON
Algorithm: AES 192-bits
Key length: 24 bytes
--将/acfs3/dirb加入域
acfsadm1@ora12c1:/acfs3>acfsutil sec realm add encrealm1 -m /acfs3 -f -r /acfs3/dirb
--再次查询/acfs3/dirb的加密属性,已经变成OFF
acfsadm1@ora12c1:/acfs3>acfsutil encr info -m /acfs3 -r /acfs3/dirb
Path: /acfs3/dirb
Encryption status: OFF
Path: /acfs3/dirb/bashrc
Encryption status: OFF
结论:某个文件或者目录的Encryption属性跟着域里的Encryption属性走
3、 利用ACFS Security控制访问用户与访问时间
案例1:仅oracle用户在8:00~21:00可以读取/acfs3/dira内容
--建立rule、ruleset,rule加入到ruleset
acfsadm1@ora12c1:/acfs3>acfsutil sec rule create sec_rule1_time -m /acfs3 -t time 08:00:00,21:00:00 -o ALLOW
ACFS Security administrator password:
acfsadm1@ora12c1:/acfs3>acfsutil sec info -m /acfs3 -l sec_rule1_time
ACFS Security administrator password:
Information of rule 'sec_rule1_time' are as follows :
Type : TIME
Value : '08:00:00' - '21:00:00'
Option : ALLOW
acfsadm1@ora12c1:/acfs3>acfsutil sec rule create sec_rule1_user -m /acfs3 -t username oracle -o ALLOW
ACFS Security administrator password:
acfsadm1@ora12c1:/acfs3>acfsutil sec info -m /acfs3 -l sec_rule1_user
ACFS Security administrator password:
Information of rule 'sec_rule1_user' are as follows :
Type : USERNAME
Value : oracle
Option : ALLOW
acfsadm1@ora12c1:/acfs3>acfsutil sec ruleset create sec_rule1_set -m /acfs3
acfsadm1@ora12c1:/acfs3>acfsutil sec ruleset edit sec_rule1_set -m /acfs3 -a sec_rule1_user,sec_rule1_time -o ALL_TRUE
acfsadm1@ora12c1:/acfs3>acfsutil sec info -m /acfs3 -s sec_rule1_set
ACFS Security administrator password:
Rules present in rule set 'sec_rule1_set' are as follows :
sec_rule1_user
sec_rule1_time
Ruleset option : ALL TRUE
--创建域,将用户、目录等对象加入到域中
acfsadm1@ora12c1:/acfs3>acfsutil sec realm create secrealm1 -m /acfs3 -e on -a AES -k 256 -o enable
acfsadm1@ora12c1:/acfs3>acfsutil sec realm add secrealm1 -m /acfs3 -u oracle -l READ:sec_rule1_set -f -r /acfs3/dira
ACFS Security administrator password:
acfsadm1@ora12c1:/acfs3>acfsutil sec info -m /acfs3 -n secrealm1
ACFS Security administrator password:
Realm status: ENABLED
Users present in realm 'secrealm1' are as follows :
oracle
Groups present in realm 'secrealm1' are as follows :
Filters present in realm 'secrealm1' are as follows :
READ : sec_rule1_set
Encryption status : ON
Encryption algorithm : AES
Encryption key length : 256
Realm description : ''
--至此oracle用户具有读写相关的任何权限,因为添加的:/READ:sec_rule1_set 虽然只是允许读的权限,但也不存在其它拒绝写的:。
--Root用户由于没有加入到secrealm1,所以没有任何权限连列出目录的权限都没有
root@ora12c1:/acfs3/dira>ls -rlt
ls: cannot open directory .: Permission denied
--将Root用户加入到secrealm1后,也只有列出目录的权限,没有读取文件内容的权限,因为读取文件内容必须同时具备用户名为oracle(-t username oracle -o ALLOW),时间段为8:00~21:00(-t time 08:00:00,21:00:00 -o ALLOW)两个条件(-a sec_rule1_user,sec_rule1_time -o ALL_TRUE),ruleset中定义的ALL_TRUE正是指同时满足上述两个条件,所以root用户登陆后第一个条件总是不满足,所以就不适用于READ:sec_rule1_set,因此就无读的权限
acfsadm1@ora12c1:/acfs3>acfsutil sec realm add secrealm1 -m /acfs3 -u root -f -r /acfs3/dira
root@ora12c2:/acfs3/dira>ls -rlt
total 28
-rwxr-xr-x. 1 oracle oinstall 541 Feb 5 13:33 anacrontab
-rwxr-xr-x. 1 oracle oinstall 12288 Feb 5 13:33 aliases.db
-rwxr-xr-x. 1 oracle oinstall 245 Feb 5 13:33 anthy-conf
-rwxrwxrwx. 1 oracle oinstall 1521 Feb 5 13:33 aliases
-rwxr-xr-x. 1 oracle oinstall 232 Feb 5 13:33 autofs_ldap_auth.conf
-rw-------. 1 oracle oinstall 0 Feb 5 13:46 asound_c.swp
-rwxr-xr-x. 1 oracle oinstall 0 Feb 5 13:46 aliases.bak
-rwxr-xr-x. 1 oracle oinstall 0 Feb 5 13:49 asound.conf
root@ora12c2:/acfs3/dira>cat aliases.bak
cat: aliases.bak: Permission denied
案例2: oracle用户在8:00~21:00不能针对/acfs3/dire目录及下面的文件进行修改、删除、更改权限的操作,但可以读取其中内容,root用户对于/acfs3/dire具有所有权限
acfsutil sec rule create rule_dire_user -m /acfs3 -t username oracle -o DENY
acfsutil sec rule create rule_dire_time -m /acfs3 -t time 08:00:00,23:00:00 -o DENY
acfsutil sec ruleset create rule_dire_set -m /acfs3 -o ANY_TRUE
acfsutil sec ruleset edit rule_dire_set -m /acfs3 -a rule_dire_user,rule_dire_time -o ANY_TRUE
acfsutil sec realm create rule_dire_realm1 -m /acfs3 -e on -a AES -k 192 -o enable
acfsutil sec realm add rule_dire_realm1 -m /acfs3 -u oracle,root -l CHMOD:rule_dire_set,DELETEFILE:rule_dire_set,WRITE:rule_dire_set -f -r /acfs3/dire
acfsutil sec info -m /acfs3 -n rule_dire_realm1
Realm status: ENABLED
Users present in realm 'rule_dire_realm1' are as follows :
root
oracle
Groups present in realm 'rule_dire_realm1' are as follows :
Filters present in realm 'rule_dire_realm1' are as follows :
WRITE : rule_dire_set
DELETEFILE : rule_dire_set
CHMOD : rule_dire_set
Encryption status : ON
Encryption algorithm : AES
Encryption key length : 192
Realm description : ''
acfsutil sec info -m /acfs3 -s rule_dire_set
ACFS Security administrator password:
Rules present in rule set 'rule_dire_set' are as follows :
rule_dire_user
rule_dire_time
Ruleset option : ANY TRUE
--oracle用户22:00登陆,测试权限
写权限:
su - oracle
cd /acfs3/dire
vi ethers
"ethers" [readonly] 1L, 28C
oracle@ora12c1:/acfs3/dire>ls -rlt
total 12
-rw-r--r--. 1 oracle oinstall 0 Feb 11 21:42 environment
-rw-r--r--. 1 oracle oinstall 0 Feb 11 21:42 exports
-rw-r--r--. 1 oracle oinstall 4843 Feb 11 22:03 enscript.cfg
-rw-r--r--. 1 oracle oinstall 28 Feb 11 22:03 ethers
删除文件的权限:
oracle@ora12c1:/acfs3/dire>rm ethers
rm: cannot remove `ethers': Permission denied
chmod权限:
oracle@ora12c1:/acfs3/dire>chmod 777 ethers
chmod: changing permissions of `ethers': Permission denied
chown权限并没有限制掉:
oracle@ora12c1:/acfs3/dire>chown oracle:dba ethers
oracle@ora12c1:/acfs3/dire>ls -rlt
total 12
-rw-r--r--. 1 oracle oinstall 0 Feb 11 21:42 environment
-rw-r--r--. 1 oracle oinstall 0 Feb 11 21:42 exports
-rw-r--r--. 1 oracle oinstall 4843 Feb 11 22:03 enscript.cfg
-rw-r--r--. 1 oracle dba 28 Feb 11 22:03 ethers
--root用户登陆后测试下来具有任何权限
结论:ACFS里的权限控制关键在于如何理解rule中的-o ALLOW/DENY,ruleset中的-o ALL_TRUE/ANY_TRUE:ruleset中的ALL_TRUE是指其包含的每一个Rule表达式的评估结果必须为TRUE,例如对于-t username oracle -o ALLOW来说,如果登陆的用户是oracle那么这个Rule表达式的结果就是TRUE;对于-t username oracle -o DENY来说,如果登陆的用户是oracle那么这个Rule表达式的结果就是FALSE;只有每一个表达式都为TRUE的情况下,才具有command_rule:ruleset所指定的权限,否则就没有该权限。ruleset中的ALL_TRUE是指其包含的所有Rule表达式中只要有一个评估值为TRUE,就能具有command_rule:ruleset所指定的权限。另外在ACFS里对于没有明确拒绝的权限或者说没有提及的权限,例如案例1中的oracle用户虽然只具有READ:sec_rule1_set权限,但因为没有明确拒绝其他权限所有oracle还是会拥有包括READ在内的所有权限
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/53956/viewspace-1279999/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/53956/viewspace-1279999/
1180
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
