繼上期為大家介紹了有關(guān)數(shù)據(jù)庫(kù)審計(jì)多語(yǔ)句無(wú)法有效分割的問(wèn)題,本期���,安華金和圍繞數(shù)據(jù)庫(kù)對(duì)象解析錯(cuò)誤分析數(shù)據(jù)庫(kù)審計(jì)產(chǎn)品常見(jiàn)缺陷���。數(shù)據(jù)庫(kù)審計(jì)產(chǎn)品中一個(gè)重要需求是要有效記錄下來(lái)SQL語(yǔ)句的操作類型����、訪問(wèn)對(duì)象���;根據(jù)這些操作類型和訪問(wèn)對(duì)象���,審計(jì)產(chǎn)品可以有效地制訂告警策略,可以有效地根據(jù)操作類型��、訪問(wèn)對(duì)象進(jìn)行事后的追蹤與檢索��。我國(guó)相關(guān)部門的數(shù)據(jù)庫(kù)審計(jì)產(chǎn)品標(biāo)準(zhǔn)中要求:應(yīng)對(duì)數(shù)據(jù)庫(kù)網(wǎng)絡(luò)訪問(wèn)對(duì)象的名稱進(jìn)行準(zhǔn)確審計(jì)�����,包括數(shù)據(jù)庫(kù)服務(wù)器名稱�、IP名稱、數(shù)據(jù)庫(kù)名稱��、表、視圖�����、序列����、包、存儲(chǔ)過(guò)程����、函數(shù)、庫(kù)���、索引和觸發(fā)器等�。
目前國(guó)內(nèi)大多數(shù)數(shù)據(jù)庫(kù)審計(jì)產(chǎn)品都會(huì)宣稱支持對(duì)SQL語(yǔ)句操作類型和訪問(wèn)對(duì)象的審計(jì)支持�;但事實(shí)上,很多審計(jì)產(chǎn)品的支持能力有限���,往往只能支持一些簡(jiǎn)單語(yǔ)句的解析,比如這樣的語(yǔ)句:
Select * from tbl1 where col1 > ’1’;
但筆者曾經(jīng)見(jiàn)過(guò)一家大型的信息安全廠商的產(chǎn)品�,僅僅是在表名前增加一個(gè)schema名稱,就發(fā)生了令人震驚的錯(cuò)誤�����;這個(gè)產(chǎn)品居然將schema名稱審計(jì)為了表名。如上面這條語(yǔ)句改為�;
Select * from user1.tbl1 where col1 > ‘1’;
這種數(shù)據(jù)庫(kù)審計(jì)產(chǎn)品就會(huì)將user1記錄為表名。
出現(xiàn)這種情況說(shuō)明產(chǎn)品設(shè)計(jì)的比較粗糙�,還遠(yuǎn)遠(yuǎn)達(dá)不到專業(yè)的數(shù)據(jù)庫(kù)審計(jì)產(chǎn)品的要求;這通常是一些網(wǎng)絡(luò)審計(jì)產(chǎn)品廠商��,未經(jīng)過(guò)嚴(yán)肅的產(chǎn)品開(kāi)發(fā)過(guò)程���,僅對(duì)原有的網(wǎng)絡(luò)審計(jì)產(chǎn)品進(jìn)行了簡(jiǎn)單包裝就推向了市場(chǎng)�����;這些廠商依靠已經(jīng)積累的品牌和用戶的信任�,提供了不嚴(yán)肅的數(shù)據(jù)庫(kù)審計(jì)產(chǎn)品���。而國(guó)家相關(guān)部門在產(chǎn)品的認(rèn)證過(guò)程中以及用戶的演示中�,并未真正仔細(xì)地對(duì)此進(jìn)行測(cè)試����。
事實(shí)上,上面被誤報(bào)的例子�,是一個(gè)非常簡(jiǎn)單的例子�����,大多數(shù)專業(yè)的數(shù)據(jù)庫(kù)審計(jì)產(chǎn)品都不會(huì)犯這樣的錯(cuò)誤�����。事實(shí)上�,真正的挑戰(zhàn)要比上面的例子復(fù)雜很多����。安華金和的數(shù)據(jù)庫(kù)審計(jì)專家為讀者準(zhǔn)備了一些示例,讀者可以驗(yàn)證下所使用的數(shù)據(jù)庫(kù)審計(jì)產(chǎn)品是否支持對(duì)這些類型的語(yǔ)句的操作類型和訪問(wèn)對(duì)象的正確解析�。下面的示例,若是未明確說(shuō)明數(shù)據(jù)庫(kù)類型�,那么均可在Oracle上執(zhí)行通過(guò)。
一��、對(duì)帶Schema的表能否準(zhǔn)確解析并審計(jì)
示例1:
Select * from user1.tbl1 where col1 > ‘1’;
挑戰(zhàn):
是否準(zhǔn)確識(shí)別出表名是tbl1,數(shù)據(jù)庫(kù)名稱是user1����;
示例2:以下語(yǔ)句在SQL Server上可運(yùn)行
SELECT [Name],
[SalesAmount]
FROM [AdventureWorks].[Production].[Product] P
挑戰(zhàn):
是否準(zhǔn)確識(shí)別出表名是product,數(shù)據(jù)庫(kù)名稱是AdventureWorks���,Schema名稱是Production;
二、對(duì)Union中的多表能否準(zhǔn)確解析并審計(jì)
如:
Select col1, col2 from tbl1
Union
Select col1,col2 from tbl2
Union
Select myCol1,myCol2 from tbl3
Union
Select col3,col4 from tbl1;
挑戰(zhàn):
是否準(zhǔn)確識(shí)別出表是tbl1��、tbl2��、tbl3
三��、對(duì)Update中的多表能否能否準(zhǔn)確解析并審計(jì)
示例1:Oracle上的多表更新語(yǔ)句:
update landleveldata a set (a.gqdltks, a.bztks)= (select b.gqdltks, b.bztks from gdqlpj b where a.GEO_Code=b.lxqdm)
挑戰(zhàn):
是否準(zhǔn)確識(shí)別出涉及的表包括landleveldata��、gdqlpj
示例2:SQL Server上的多表更新語(yǔ)句:
update a set a.gqdltks=b.gqdltks,a.bztks=b.bztks from landleveldata a,gdqlpj b where a.GEO_Code=b.lxqdm
挑戰(zhàn):
是否準(zhǔn)確識(shí)別出涉及的表包括landleveldata����、gdqlpj
示例3:MySQL上的多表更新語(yǔ)句:
update landleveldata a, gdqlpj b set a.gqdltks= b.gqdltks, a.bztks= b.bztks where a.GEO_Code=b.lxqdm
挑戰(zhàn):
是否準(zhǔn)確識(shí)別出涉及的表包括landleveldata、gdqlpj
四����、對(duì)insert中的多表能否能否準(zhǔn)確解析并審計(jì)
Insert語(yǔ)句有兩種句式涉及多表:insert into .... Select....
Select ....into [table] from
示例1:
Insert into tbl1(col1,col2,col3) select col1,col2,col3 from tbl2 where tbl2.col1=’new’;
挑戰(zhàn):識(shí)別出tbl1和tbl2;
示例2:以下語(yǔ)句在SQL Server上可運(yùn)行
Select col1,col2,col3 into tbl1 from tbl2 where tbl2.col1=’new’;
挑戰(zhàn):識(shí)別出tbl1和tbl2;
五、對(duì)join中的多表能否準(zhǔn)確解析并審計(jì):
Join是多表關(guān)聯(lián)查詢的基礎(chǔ)���,形式也更多樣���;挑戰(zhàn)也更巨大:
示例1:簡(jiǎn)單join語(yǔ)句
Select t1.a,t2.b from t1, t2 where t1.c=t2.c
挑戰(zhàn):
將表t1和t2均識(shí)別出來(lái)
示例2:inner join的語(yǔ)句
Select t1.a,t2.b from t1 inner join t2 ON t1.c=t2.c
left join t3 on t1.c=t3.c where t1.name like ‘劉%’ and prince = ‘北京’;
挑戰(zhàn):
將t1�、t2、t3表都準(zhǔn)確地識(shí)別出來(lái)����。
示例3:一個(gè)更為復(fù)雜的join情況��,該語(yǔ)句是在SQL Server中執(zhí)行的�,由開(kāi)放應(yīng)用軟件opencms實(shí)際發(fā)出的�,以下語(yǔ)句在SQL Server上可運(yùn)行:
SELECT CLMNS.COLUMN_ID AS [ID],CLMNS.NAME AS [NAME],CLMNS.IS_NULLABLE AS [NULLABLE],
CAST(ISNULL(CIK.INDEX_COLUMN_ID,0)AS BIT)AS [INPRIMARYKEY],CLMNS.IS_IDENTITY AS [IDENTITY],USRT.NAME AS [DATATYPE],
ISNULL(BASET.NAME,N'')AS [SYSTEMTYPE],CAST(CASE WHEN BASET.NAME IN(N'nchar',N'nvarchar')AND CLMNS.MAX_LENGTH<>-1
THEN CLMNS.MAX_LENGTH/2 ELSE CLMNS.MAX_LENGTH END AS INT)AS [LENGTH],CAST(CLMNS.PRECISION AS INT)AS
[NUMERICPRECISION],CAST(CLMNS.SCALE AS INT)AS [NUMERICSCALE],ISNULL(XSCCLMNS.NAME,N'')AS [XMLSCHEMANAMESPACE],
ISNULL(S2CLMNS.NAME,N'')AS [XMLSCHEMANAMESPACESCHEMA],
ISNULL((CASE CLMNS.IS_XML_DOCUMENT WHEN 1 THEN 2 ELSE 1 END),0)AS [XMLDOCUMENTCONSTRAINT],SCLMNS.NAME AS [DATATYPESCHEMA]
FROM SYS.TABLES AS TBL
INNER JOIN
SYS.ALL_COLUMNS AS CLMNS ON CLMNS.OBJECT_ID=TBL.OBJECT_ID LEFT
OUTER JOIN
SYS.INDEXES AS IK ON IK.OBJECT_ID=CLMNS.OBJECT_ID AND 1=IK.IS_PRIMARY_KEY LEFT
OUTER JOIN
SYS.INDEX_COLUMNS AS CIK ON CIK.INDEX_ID=IK.INDEX_ID AND CIK.COLUMN_ID=CLMNS.COLUMN_ID AND CIK.OBJECT_ID=CLMNS.OBJECT_ID AND 0=CIK.IS_INCLUDED_COLUMN
LEFT OUTER JOIN
SYS.TYPES AS USRT ON USRT.USER_TYPE_ID=CLMNS.USER_TYPE_ID
LEFT OUTER JOIN
SYS.TYPES AS BASET ON(BASET.USER_TYPE_ID=CLMNS.SYSTEM_TYPE_ID AND BASET.USER_TYPE_ID=BASET.SYSTEM_TYPE_ID)OR((BASET.SYSTEM_TYPE_ID=CLMNS.SYSTEM_TYPE_ID)
AND(BASET.USER_TYPE_ID=CLMNS.USER_TYPE_ID)AND(BASET.IS_USER_DEFINED=0)AND(BASET.IS_ASSEMBLY_TYPE=1))
LEFT OUTER JOIN
SYS.XML_SCHEMA_COLLECTIONS AS XSCCLMNS ON XSCCLMNS.XML_COLLECTION_ID=CLMNS.XML_COLLECTION_ID
LEFT OUTER JOIN
SYS.SCHEMAS AS S2CLMNS ON S2CLMNS.SCHEMA_ID=XSCCLMNS.SCHEMA_ID
LEFT OUTER JOIN
SYS.SCHEMAS AS SCLMNS ON SCLMNS.SCHEMA_ID=USRT.SCHEMA_ID
WHERE(TBL.NAME='CMS_HISTORY_PROJECTS' AND SCHEMA_NAME(TBL.SCHEMA_ID)='opencms')ORDER BY [ID] ASC
挑戰(zhàn):
將表名:[SYS].[ALL_COLUMNS]; [SYS].[INDEXES]; [SYS].[INDEX_COLUMNS]; [SYS].[SCHEMAS]; [SYS].[TABLES]; [SYS].[TYPES]; [SYS].[XML_SCHEMA_COLLECTIONS]都識(shí)別出來(lái)。
六�����、對(duì)子查詢中的表能否準(zhǔn)確記錄并審計(jì)
子查詢是另外一種復(fù)雜的情況�,整個(gè)SQL語(yǔ)句中的表并未老老實(shí)實(shí)地呆在from語(yǔ)句和where語(yǔ)句之間,而是滲透到了語(yǔ)句中����,這個(gè)時(shí)候我們要是審計(jì)到所有的表對(duì)象,將有更大的挑戰(zhàn)��。
示例1:一個(gè)簡(jiǎn)單的子查詢語(yǔ)句
Select * from tbl1 where tbl1.col1 in (select col1 from tbl2 where col2=’中國(guó)’)����;
挑戰(zhàn):
識(shí)別出表tbl1和tbl2
示例2:在join中的子查詢
SELECT P.ProductID, P.Name, P.ProductNumber, M.Name AS ProductModelName
FROM Production.Product P INNER JOIN
(SELECT Name, ProductModelID
FROM Production.ProductModel) M
ON P.ProductModelID = M.ProductModelID
挑戰(zhàn):
識(shí)別出表Production.Product和Production.ProductModel
示例3:作為計(jì)算列的子查詢,以下語(yǔ)句在SQL Server上可運(yùn)行
SELECT [Name],
(SELECT COUNT(*) FROM AdventureWorks.Sales.SalesOrderDetail S
WHERE S.ProductID=P.ProductID) AS SalesAmount
FROM [AdventureWorks].[Production].[Product] P
挑戰(zhàn):
識(shí)別出表AdventureWorks.Sales.SalesOrderDetail和[AdventureWorks].[Production].[Product]
七�、一個(gè)充滿挑戰(zhàn)的示例,綜合了各種因素
毫無(wú)疑問(wèn)�,下面這個(gè)示例將是所有基于正則表達(dá)等方式進(jìn)行匹配分析的數(shù)據(jù)庫(kù)審計(jì)產(chǎn)品的噩夢(mèng)��;這里融合了多種SQL復(fù)雜的語(yǔ)法特征,只有基于yacc/lex這樣的詞法和語(yǔ)法分析技術(shù)的專業(yè)數(shù)據(jù)庫(kù)審計(jì)產(chǎn)品才能勝任��;這條語(yǔ)句來(lái)源于OpenCMS開(kāi)放應(yīng)用�,該語(yǔ)句在sqlserver中可執(zhí)行:
insert #t1 (object_id, object_type, relative_id, relative_type, rank)
select distinct
case when 77 = t.relative_type then obj2.parent_object_id else t.relative_id end, -- object_id
case when 77 = t.relative_type then 1 else relative_type end, -- object_type
dp.referenced_major_id, -- relative_id
case -- relative_type
when dp.class < 2 then
case when 'U' = obj.type then 1
when 'V' = obj.type then 2
when 'TR' = obj.type then 3
when 'AF' = obj.type then 4
when obj.type in ( 'P', 'RF', 'PC' ) then 5
when obj.type in ( 'TF', 'FN', 'IF', 'FS', 'FT' ) then 6
when exists (select * from sys.synonyms syn where syn.object_id = dp.referenced_major_id ) then 7
end
when dp.class = 2 then (case
when exists (select * from sys.assembly_types sat where sat.user_type_id = dp.referenced_major_id) then 8
else 9
end)
end,
3
from #t1 as t
join sys.sql_dependencies as dp on
-- reference table, view procedure
( class < 2 and dp.object_id = t.relative_id and t.relative_type in ( 1, 2, 3, 4, 5, 6, 77) )
--reference type
or ( 2 = class and dp.object_id = t.relative_id ) -- t.relative_type?
--reference xml namespace ( not supported by server right now )
--or ( 3 = class and dp.referenced_major_id = t.relative_id and 10 = t.relative_type )
left join sys.objects as obj on obj.object_id = dp.referenced_major_id and dp.class < 2 and obj.type in ( 'U', 'V', 'P', 'RF', 'PC', 'TF', 'FN', 'IF', 'FS', 'FT', 'TR', 'AF')
left join sys.objects as obj2 on obj2.object_id = t.relative_id and 77 = t.relative_type
where 3 = t.rank
挑戰(zhàn):
能夠完全識(shí)別出訪問(wèn)的數(shù)據(jù)庫(kù)表包括:#t1、sys.synonyms�����、sys.assembly_types���、sys.sql_dependencies��、sys.objects
產(chǎn)品咨詢:4000 258 365 
