明御 Database Audit and Risk Control System V6: User Manual

Source: 造价师   Published: 2020-07-30

明御 Database Audit and Risk Control System V4.6

User Manual

Hangzhou DBAPPSecurity Co., Ltd. (杭州安恒信息技术有限公司), January 2016

Contents

1 Product Overview
  1.1 Product Description
  1.2 Product Functions
  1.3 Product Features
2 WEB Overview
  2.1 Functions
  2.2 WEB Login
    2.2.1 General Edition
    2.2.2 Healthcare Anti-Prescription-Statistics (防统方) Edition
  2.3 Logging Out of the WEB Interface
  2.4 WEB Page Layout
3 Home
  3.1 Data Analysis
    3.1.1 Overview
    3.1.2 Trend Analysis
    3.1.3 Comparison Analysis
  3.2 Behaviour Model
    3.2.1 New Behaviour
    3.2.2 Account View
    3.2.3 Source IP View
    3.2.4 Tool View
    3.2.5 Privilege View
    3.2.6 Detailed Query
  3.3 Healthcare Anti-Prescription-Statistics Edition
    3.3.1 Prescription-Statistics Monitoring
4 Audit Configuration
  4.1 Basic Steps
  4.2 Probes
    4.2.1 Component Configuration
    4.2.2 Physical Ports
    4.2.3 Physical Port Configuration Example
    4.2.4 Probes
    4.2.5 Probe Configuration Example
  4.3 Audit Query
    4.3.1 Query Parameters
    4.3.2 Comprehensive Query
    4.3.3 WEB Query
    4.3.4 Session Query
    4.3.5 Replay
  4.4 Audit Filtering
    4.4.1 Audit Options
    4.4.2 Audit of Specified Source IPs
    4.4.3 IP Filtering
    4.4.4 Packet Filtering
5 Alerts
  5.1 Alert Notification
    5.1.1 Notification Alerts
    5.1.2 Sending Configuration
    5.1.3 Sending Status
    5.1.4 E-mail
    5.1.5 SMS
    5.1.6 FTP
    5.1.7 SYSLOG
    5.1.8 SNMP
  5.2 Alert Query
    5.2.1 High Risk (Unhandled)
    5.2.2 All (Unhandled)
    5.2.3 Alert Analysis
    5.2.4 Query
6 Rule Configuration
  6.1 Rule Configuration (DB)
    6.1.1 Functions
    6.1.2 Configuring DB Rules
    6.1.3 Configuration Example
  6.2 Rule Configuration (WEB)
    6.2.1 Functions
    6.2.2 Configuring WEB Rules
  6.3 Rule Whitelist
    6.3.1 Preparation
    6.3.2 Configuring the Rule Whitelist
    6.3.3 Configuration Example
7 Statistical Alerts
  7.1 Statistical Alert Configuration
  7.2 Statistical Alert Query
8 Reverse Proxy
9 Reports
  9.1 Report Preview
    9.1.1 Functions
    9.1.2 Configuring Report Preview
  9.2 Automatic Sending
    9.2.1 Functions
    9.2.2 Configuring Automatic Sending
10 Database Scanning
  10.1 Port Scanning
  10.2 Risk Assessment
  10.3 Assessment Results
11 Privilege Management
  11.1 All Users
  11.2 User Security Settings
  11.3 IP Access Control
12 Data Maintenance
  12.1 Automatic Backup and Restore
  12.2 Manual Backup and Restore
  12.3 Factory Settings
13 System
  13.1 General
    13.1.1 Engine Management
    13.1.2 Client Tools
    13.1.3 Visiting Client Network
  13.2 Running Status
    13.2.1 System Resources
    13.2.2 Capture Devices
    13.2.3 Synchronisation Verification
  13.3 System Management
    13.3.1 Network Configuration
    13.3.2 Clock Synchronisation
    13.3.3 SNMP Configuration
    13.3.4 Licence
    13.3.5 Manual Upgrade
    13.3.6 System Debugging
    13.3.7 Shutdown
14 Logs
  14.1 Operation Log
  14.2 System Log

1 Product Overview

1.1 Product Description

明御® Database Audit and Risk Control System (DAS-DBAuditor for short) is a database security audit product developed by 安恒信息 (DBAPPSecurity) on the basis of years of database security research and practice, combined with the database security requirements of laws and regulations such as classified protection (等级保护), graded protection, enterprise internal control, SOX and PCI. It is described as the industry's first product to combine fine-grained audit, bidirectional audit and all-round risk control. It brings users the following value:

- Records all database access behaviour, identifies violations such as unauthorised operations, and traces them back to their source
- Provides fine-grained, flexible rules and query conditions and raises alerts on violations (by e-mail, SMS, SYSLOG and other channels)
- Tracks access to sensitive data, builds access behaviour models and detects sensitive data leakage in time
- Detects database configuration weaknesses and vulnerabilities such as SQL injection, and proposes remediation
- Provides a basis for decisions on database security management and performance optimisation
- Produces reports that comply with laws and regulations, meeting the audit requirements of classified protection, enterprise internal control and similar schemes

The system uses the B/S (browser/server) architecture, so users can operate and monitor the system's running status and the degree to which databases are under attack conveniently over the network. This also considerably reduces the user's system and maintenance costs.

1.2 Product Functions

The functions of DAS-DBAuditor fall into four modules: raw information collection, audit information normalisation, audit information filtering, and alerting and reporting.

1. Raw information collection
- Deployed in bypass mode on a mirrored (SPAN) port
- Does not change the user's existing network structure
- Consumes no database server resources
- Does not affect database performance
- Supports distributed deployment
- Centralised management of configuration and reports
- Concurrent traffic capture and processing, multi-point storage, multi-level management
- Automatic periodic discovery, to find previously unknown databases in time

2. Audit information normalisation
- Supports mainstream domestic and international databases: Oracle, SQL Server, DB2, MySQL, Informix, Sybase, PostgreSQL, 神通 OSCAR, 达梦 DM, 人大金仓 (Kingbase), 南大通用 GBase, Caché and Teradata, 13 protocols in total
- Presents the different database protocols in a standardised format that is easy for administrators to read and analyse

3. Audit information filtering
- Rules are designed around the 5W1H (WHAT, WHERE, WHEN, WHO, WHY, HOW) analysis model, with rich rule conditions and a wizard-style rule configuration method
- Over 300 built-in security-related audit analysis rules
- Analyses the collected data and generates behaviour models
- Audit results support comprehensive query, WEB query and session replay; historical data supports old-version data query and recovered-content query

4. Alerting and reporting
- Rich alert notification channels (SYSLOG, SMS, e-mail, SNMP, FTP), so administrators are notified immediately
- Logs can be integrated with a SOC or security management platform
- Over 40 built-in high-value, regulation-compliant analysis reports, covering database account creation and deletion, password changes, privilege changes, high-risk operations, violation alerts, account reuse, database performance analysis and more
- Additional reports can be customised

1.3 Product Features

1. Multi-core, multi-threaded parallel processing for leading performance
The product uses an internationally leading hardware platform suited to audit products. The computing power of Intel multi-core CPUs, together with 安恒信息's own multi-threaded distributed processing technology, greatly increases the processing capacity of the database audit system, placing it ahead of comparable domestic products.

2. Database security configuration analysis and vulnerability assessment
The product inherits 安恒信息's database vulnerability scanning technology, forming a solution that combines vulnerability scanning with security audit. Periodic automatic scans can be scheduled as custom tasks to find unreasonable configuration items, weak passwords and security vulnerabilities in databases. Based on the findings it proposes security recommendations and audit rules, and generates a vulnerability scan report.

3. Intelligent correlation analysis
By capturing protocol traffic on both the WEB application side and the database side, the product extracts the concrete business request URL, POST/GET values, business account, original client IP, MAC address, submitted parameters and so on. Intelligent multi-layer correlation then links each SQL statement to its corresponding URL and original client IP address, so that operations can be traced back to their source.

4. Unique bidirectional audit
The product implements true bidirectional audit. Besides basic information such as SQL execution status, rows returned and response time, bidirectional audit crucially includes the content of the result the database returned, as shown in Figure 1-1.

Figure 1-1 Bidirectional audit

5. Database behaviour trajectory analysis
The product's innovative behaviour trajectory analysis frees auditors from tediously analysing tens of thousands of log entries, greatly improving analysis efficiency and the readability and value of audits, as shown in Figure 1-2.

Figure 1-2 Behaviour trajectory analysis

6. Database behaviour model analysis
The product builds a database behaviour model by automatic learning. The model follows a "whole-to-part" logic, showing the behaviour state of the entire database layer by layer. Change analysis of the behaviour model lets users keep up with the latest access activity, and comparison analysis reveals the differences between the models of two time periods, making it easy to spot additions, deletions and changes of database accounts, source IPs, client tool types and privileges, and to investigate further, as shown in Figure 1-3.

Figure 1-3 Comparison analysis

2 WEB Overview

2.1 Functions

The database audit system is managed through its WEB interface.

2.2 WEB Login

2.2.1 General Edition

(1) Enter https://<Admin management IP> in the browser to open the login window, as shown in Figure 2-1.

(2) Enter the username and password in the login window.

Figure 2-1 Login

(3) Click <Login> to enter the Overview page.

The factory default Admin management IP is 192.168.1.100. The factory default username/password is admin/Dbapp@2013.

2.2.2 Healthcare Anti-Prescription-Statistics (防统方) Edition

The login steps are the same as for the general edition; the login window carries the healthcare anti-prescription-statistics edition mark, as shown in Figure 2-2.

Figure 2-2 Healthcare anti-prescription-statistics edition

2.3 Logging Out of the WEB Interface

Click the logout link on the database audit system page to log out of the WEB interface.

The system does not save the current configuration automatically when you log out, so save the current configuration before logging out.

Closing the browser tab does not log out a user who is already logged in to the device.

2.4 WEB Page Layout

The WEB page is divided into four parts: function tabs, management links, navigation tree and operation area, as shown in Figure 2-3.

Figure 2-3 WEB page layout

The numbered parts of the WEB page layout are described in Table 2-1.

Table 2-1 WEB page layout
No. | Name | Description
(1) | Function tabs | Entry points to the various management functions, grouped by perspective, so administrators can switch between them as needed
(2) | Management links | Information about the currently logged-in operator and related links such as logout
(3) | Navigation tree | The operation links belonging to the current function tab
(4) | Operation area | Information display and operation of the related functions

3 Home

3.1 Data Analysis

3.1.1 Overview

1. Functions
The Overview page helps the user understand the overall situation and state of the audited servers. It covers:

- Current database core indicators
- Audit record count comparison
- Latest alerts
- Behaviour model

After WEB login the user lands on the [Overview] menu page by default, as shown in Figure 3-1.

Figure 3-1 Overview

2. Current database core indicators
Select an IP in the database IP list to view that database's core indicators. The indicators are described in Table 3-1.

Table 3-1 Database core indicators
Indicator | Description
Today's audit records | Total number of audit records today
Online users | Number of users currently online
Concurrent sessions | Number of concurrent online sessions

3. Audit record count comparison
(1) Click Today's audit records to view a curve comparing today's audit record count with this week's and with the historical peak day, as shown in Figure 3-2.

Figure 3-2 Today's audit record count comparison

(2) Click Online users to view a curve comparing today's user count with this week's and with the historical peak day, as shown in Figure 3-3.

Figure 3-3 User count comparison

(3) Click Concurrent sessions to view a curve comparing today's concurrent session count with this week's and with the historical peak day, as shown in Figure 3-4.

Figure 3-4 Concurrent session count comparison

4. Latest alerts
Shows the alerts of the current day that have not yet been handled. There are four categories: high, medium, low and "attention behaviour"; the alerts are displayed one after another in rotation, as shown in Figure 3-5.

Figure 3-5 Latest alerts

The numbered items in the figure are described in Table 3-2.

Table 3-2 Latest alerts
No. | Description
(1) | Click the alert count to view the corresponding alert list
(2) | Click this icon to go to the [Risk/Alerts/Query] page
(3) | Click an alert to view its details

5. Behaviour model
Shows the current database user behaviour model, as shown in Figure 3-6.

Figure 3-6 Behaviour model

The information shown in the behaviour model is described in Table 3-3.

Table 3-3 Behaviour model information
Heading | Description
Server IP | Database server IP
Account / Application account | Statistics of the accounts used to log in to the database
Source IP / Application source IP | Statistics of source IPs and application source IPs
Client tool | Statistics of the client tools used to log in to the database server
Table object | Statistics of the table objects operated on in the database
Operation type | Statistics of the types of operation performed on the database

The number in the red ball after each behaviour model heading is the count of new behaviours.

3.1.2 Trend Analysis

1. Functions
Trend analysis of the audit data of different databases, and of the data of different source IPs against the same database.

2. Trend analysis configuration
(1) Go to [Home/Data analysis/Trend analysis] to open the trend analysis page, as shown in Figure 3-7.

Figure 3-7 Trend analysis

(2) Configure the trend analysis. The options are described in Table 3-4.

Table 3-4 Trend analysis options
Option | Description
Time period | Quick selection of today, this week, this month, last 7 days or last 30 days; click the date to set a custom period. Range: 1 to 365 days
Granularity | By hour, day, week or month
Add server IP (analysis across servers) | Analyses the trends of different database servers; up to 3 servers
Same server, different source IPs | Analyses the trend of different source IPs against the same server: (1) first select a server IP, (2) then add source IPs, up to 3 source IPs

(3) Click <View audit record count trend> to view the trend analysis result, as shown in Figure 3-8.

Figure 3-8 Trend analysis result

3.1.3 Comparison Analysis

1. Functions
Compares the audit situation of the same server across different time periods, or of different servers over the same time period.

2. Comparison analysis configuration
(1) Go to [Home/Data analysis/Comparison analysis] to open the comparison analysis page, as shown in Figure 3-9.

Figure 3-9 Comparison analysis

(2) Select the comparison type, the server(s) and the comparison time period. The options are described in Table 3-5.

Table 3-5 Comparison analysis options
Option | Description
Comparison type | "Same server, different times": compares one server across two time periods. "Different servers, same time": compares two servers over the same time period
Server IP | The server IP(s) to compare: one server IP for "same server, different times", two server IPs for "different servers, same time"
Time period | By day, month, quarter, or a custom period

(3) Click <View comparison result> to view the comparison result, as shown in Figure 3-10.

Figure 3-10 Comparison analysis result

3.2 Behaviour Model

3.2.1 New Behaviour

1. Functions
The New behaviour page aggregates statistics of user behaviour towards each server: access accounts, source IPs and client tools.

2. New behaviour configuration
Go to [Home/Behaviour model/New behaviour] to open the New behaviour page, as shown in Figure 3-11.

Figure 3-11 Behaviour model

The columns of the new behaviour list are described in Table 3-6.

Table 3-6 New behaviour list
Column | Description
Server IP | The server IP; enter a server IP to filter the statistics to one specific server
Account / Application account | Account count; click the number to view the individual accounts
Source IP / Application source IP | Access IP count; click the number to view the information volume of each access IP
Client tool | Count of client tools used for access; click the number to view the individual client tools
Table object | Table object count; click the number to view the individual objects
Operation type | Database operation type count; click the number to view the individual operation types...
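The behaviour model comparison of Section 1.3 (item 6), the "same server, different times" comparison of 3.1.3 and the per-dimension new-behaviour counts of 3.2.1 all reduce to one operation: build the set of observed values per server and dimension for each time window, then diff the two windows. The following added example implements that in Python; it is not the product's code, and the record field names, server IP and audit records are constructed for illustration.

```python
"""Added example (not the product's code): build a per-server behaviour model
from normalised audit records and diff two time windows. All values are constructed."""
from collections import defaultdict
from datetime import datetime

# Dimensions the manual lists for the behaviour model (Table 3-3).
DIMENSIONS = ("account", "source_ip", "client_tool", "table_object", "operation")


def rec(ts, account, source_ip, tool, table, op, server_ip="10.0.0.5"):
    """One normalised audit record (hypothetical field names)."""
    return {"ts": ts, "server_ip": server_ip, "account": account, "source_ip": source_ip,
            "client_tool": tool, "table_object": table, "operation": op}


# Constructed sample: week 1 is routine application traffic plus one DBA session;
# week 2 adds an unknown account, source IP and tool, and a DELETE on a new table.
AUDIT_RECORDS = [
    rec("2016-01-04T09:12:00", "app_user", "10.0.1.20", "JDBC", "orders", "SELECT"),
    rec("2016-01-04T09:15:00", "app_user", "10.0.1.20", "JDBC", "orders", "INSERT"),
    rec("2016-01-05T14:02:00", "dba", "10.0.2.7", "SQL*Plus", "orders", "SELECT"),
    rec("2016-01-11T09:10:00", "app_user", "10.0.1.20", "JDBC", "orders", "SELECT"),
    rec("2016-01-11T22:40:00", "report", "192.168.30.9", "Navicat", "customers", "SELECT"),
    rec("2016-01-12T22:41:00", "report", "192.168.30.9", "Navicat", "customers", "DELETE"),
]


def build_model(records, start, end):
    """Return {server_ip: {dimension: set(values)}} for records with start <= ts < end."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    model = defaultdict(lambda: {d: set() for d in DIMENSIONS})
    for r in records:
        if lo <= datetime.fromisoformat(r["ts"]) < hi:
            for d in DIMENSIONS:
                model[r["server_ip"]][d].add(r[d])
    return dict(model)


def compare_models(baseline, current):
    """Per server and dimension, values added in `current` and values that
    disappeared since `baseline` (the Figure 1-3 style comparison)."""
    empty = {d: set() for d in DIMENSIONS}
    diff = {}
    for server in set(baseline) | set(current):
        base, cur = baseline.get(server, empty), current.get(server, empty)
        diff[server] = {d: {"added": sorted(cur[d] - base[d]),
                            "removed": sorted(base[d] - cur[d])} for d in DIMENSIONS}
    return diff


def new_behaviour_counts(diff, server):
    """The 'red ball' number of Section 3.1.1: count of new values per dimension."""
    return {d: len(diff[server][d]["added"]) for d in DIMENSIONS}


if __name__ == "__main__":
    week1 = build_model(AUDIT_RECORDS, "2016-01-04", "2016-01-11")
    week2 = build_model(AUDIT_RECORDS, "2016-01-11", "2016-01-18")
    changes = compare_models(week1, week2)
    print(changes["10.0.0.5"])
    print(new_behaviour_counts(changes, "10.0.0.5"))
```

Values that appear in the "added" lists (here a new account, source IP, client tool, table and a DELETE) are exactly what the manual's comparison view highlights for follow-up; "removed" values show behaviour that stopped, such as the DBA's interactive session.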
