権限チェック

調べた限りなし

(19c)
権限分析

-- 権限分析ポリシーの作成

select * from DBA_PRIV_CAPTURES;

---- データベース分析

BEGIN
DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
name => 'db_wide_capture_pol',
description => 'Captures database-wide privileges',
type => DBMS_PRIVILEGE_CAPTURE.G_DATABASE);
END;
/

---- ロール分析
BEGIN
DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
name => 'dba_roles_capture_pol',
description => 'Captures DBA and LBAC_DBA role use',
type => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
roles => role_name_list('dba', 'aq_user_role'));
END;
/

---- コンテキスト分析
BEGIN
DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
name => 'sqlplus_capture_pol',
description => 'Captures privilege use during SQL*Plus use',
type => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
condition => 'SYS_CONTEXT(''USERENV'', ''MODULE'')=''sqlplus''');
END;
/

 

-- 権限分析ポリシーの有効化

select * from DBA_PRIV_CAPTURES;

EXEC DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE ('db_wide_capture_pol');


-- 権限分析レポートの作成


EXEC DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE ('db_wide_capture_pol');
EXEC DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT ('db_wide_capture_pol');

select count(*) from DBA_USED_PRIVS;
select count(*) from DBA_UNUSED_PRIVS;

 

-- 権限分析ポリシーの削除
select * from DBA_PRIV_CAPTURES;


EXEC DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE ('sqlplus_capture_pol');

 

(13)
https://qiita.com/U_ikki/items/c7714f8cd19ab2012dd1
https://www.cybertec-postgresql.com/en/pg_permission-inspecting-your-postgresql-security-system/


-- インストール
git clone https://github.com/cybertec-postgresql/pg_permission.git

cd pg_permission
export PATH=$PATH:/usr/pgsql-13/bin
make install


CREATE EXTENSION pg_permissions ;

-- VIEWの確認
select * from all_permissions;
select * from database_permissions;
select * from schema_permissions;
select * from table_permissions;
select * from column_permissions;
select * from sequence_permissions;
select * from view_permissions;
select * from function_permissions;


-- 権限チェック

-- 検証例
user30を使用し、スキーマレベルとテーブルレベルで足りない権限と余計な権限を付与

-- あるべき権限
スキーマレベル: schema1へのusage権限,schema1へのcreate権限
テーブルレベル: schema1.tab1へのupdate権限,schema1.tab1へのselect権限

-- 実際の権限
スキーマレベル: schema1へのusage権限,schema2へのusage権限
テーブルレベル: schema1.tab1へのupdate権限,schema1.tab1へのdelete権限

-- 検証用ユーザ作成

drop owned by user30 cascade;
drop user user30;

drop schema schema1 cascade;
drop schema schema2 cascade;

create schema schema1;
create schema schema2;

create table schema1.tab1(col1 int);

create user user30 with login encrypted password 'user30';
grant usage on schema schema1 to user30;
grant usage on schema schema2 to user30;
grant update,delete on schema1.tab1 to user30;


-- あるべき権限をテーブルに登録
select * from permission_target;

truncate table permission_target;


insert into permission_target(role_name,permissions,object_type,schema_name)
values('user30','{USAGE,CREATE}','SCHEMA','schema1');

insert into permission_target(role_name,permissions,object_type,schema_name,object_name)
values('user30','{SELECT,UPDATE}','TABLE','schema1','tab1');

select * from permission_target;

select * from permission_diffs()
where role_name = 'user30'
;

missing | role_name | object_type | schema_name | object_name | column_name | permission
---------+-----------+-------------+-------------+-------------+-------------+------------
t | user30 | SCHEMA | schema1 | | | CREATE
f | user30 | TABLE | schema1 | tab1 | | DELETE
t | user30 | TABLE | schema1 | tab1 | | SELECT

→余計なスキーマ権限が検出できていない。その他は検出できている。

 

 

調べた限りなし