符合通用准则(commoncriteriacompliance)
符合通用准则(common criteria compliance) 通用标准是一组国际准则和规范说明,它们能用来评估信息安全产品,特别是保证这些产品符合政府部署商定的安全标准。通用标准的正式称谓是“信息技术安全评估通用标准”。 符合通用准则(通常简称CC)是一套方法
符合通用准则(common criteria compliance)
通用标准是一组国际准则和规范说明,它们能用来评估信息安全产品,特别是保证这些产品符合政府部署商定的安全标准。通用标准的正式称谓是“信息技术安全评估通用标准”。
符合通用准则(通常简称CC)是一套方法,确保IT产品符合预定义的安全标准。它让信息系统的安全评估标准化。
通用准则建立了一套IT产品安全功能的通用需求。它是灵活的,描述的需求的实施有大量的自由度。它让供应商决定适当的实施,依据评估保证级别Evaluation Assurance Level(EAL)。一个特定的应用程序、操作系统,或者一些列配置文件也参照它作为评估目标Target of Evaluation(TOE)。这里,我们的TOE就是一个SQL Server安装。
EAL是安全需求的等级,范围从EAL1到EAL7。越高的数字应用了更严格的验证处理。应用更高的安全度不是必须的。
深入验证处理已经超出了DBA的范畴。然而,更多详细的配置需要确保对于符合不同EAL等级SQL server与建立的指导原则保持一致。
微软提供了安全配置选项给EAL1。这是一个服务器级别的选项,通过SSMS可用:
右键点击实例名,然后选择Properties。再选择Security。选择Enable Common Criteria compliance。
如果使用 sp_configure 系统存储过程来更改设置,则仅当 show advanced options 设置为 1 时才可以更改 common criteria compliance enabled。 该设置在服务器重新启动后生效。
sp_configure 'show advanced options', 1; GO RECONFIGURE; GO sp_configure 'common criteria compliance enabled', 1; GO RECONFIGURE GO
common criteria compliance enabled 服务器配置选项
common criteria compliance enabled 选项可启用通用准则所需的下列元素。
残留信息保护 (RIP)
RIP 要求将内存重新分配给新资源之前,用已知的位模式覆盖内存分配。 满足 RIP 标准有助于提高安全性;然而,覆盖内存分配会使性能降低。 启用 common criteria compliance enabled 选项之后,将执行覆盖操作。
查看登录统计信息的能力
启用 common criteria compliance enabled 选项之后,将启用登录审核。 用户每次成功登录到 SQL Server 时,系统都会提供有关上一次成功登录的时间、上一次登录失败的时间以及上一次成功登录时间和当前登录时间之间尝试登录的次数的信息。 可以通过查询 sys.dm_exec_sessions 动态管理视图来查看这些登录统计信息。
GRANT 列不应覆盖 DENY 表
启用 common criteria compliance enabled 选项之后,表级 DENY 将优先于列级 GRANT。 未启用该选项时,列级 GRANT 则优先于表级 DENY。
common criteria compliance enabled 选项是高级选项。 仅对 Enterprise Edition 和 Datacenter Edition 对通用准则进行评估和认证。
激活该选项使得SQL Server安装达到了EAL1等级。为了符合通用准则评估保证级别 4+ (EAL4+),还有一些其他操作:
1. 默认跟踪(Default Trace)必须正在运行。这是一个默认被激活的服务端跟踪。为了验证它被激活,执行如下:
SELECT * FROM fn_trace_getinfo(default);
出现了一些traceid列值为1的行。
650) this.width=650;" title="clip_image003" style="max-width:90%" alt="clip_image003" border="0" style="max-width:90%" />
如果没有行返回,用如下代码激活默认跟踪:
EXEC master.dbo.sp_configure 'allow updates', 1; GO EXEC master.dbo.sp_configure 'show advanced options', 1; GO EXEC master.dbo.sp_configure 'default trace enabled', 1; GO RECONFIGURE WITH OVERRIDE; GO EXEC master.dbo.sp_configure 'show advanced options', 0; GO EXEC master.dbo.sp_configure 'allow updates', 0; GO
2. 另一个有特定参数的服务端跟踪必须在SQL服务启动时执行。微软已经提供了这个跟踪的脚本。下面来拆分开来分析下:
第一部分检查是否运行在SQL Server 2005 SP1。存储过程不能运行在后续的服务包版本下,好像不大可能。我移除了这个部分,并且执行正确的在后续版本。
-- If the version is not SP1 then do not run the script
IF SERVERPROPERTY(N'ProductVersion') <> '9.00.2047.00'
BEGIN
RAISERROR('You can turn on EAL1 trace only on SQL Server 2005 SP1', 20, 127) WITH LOG
END
USE master
GO
if object_id('dbo.sp_create_evaltrace','P') IS NOT NULL
drop procedure dbo.sp_create_evaltrace
GO
第二部分基于注册表决定\LOG目录的位置。如果不起作用,只须手动设置@Tracefile参数。然后设置sp_trace_create的参数。这里重要的数字是第二个参数6。这是选项参数。6表示选项2和选项4被激活:2表示跟踪文件增加到100M时生成一个新文件循环利用;4表示如果跟踪失败就关闭SQL服务。如果只需要单个跟踪文件,那么循环利用将会被禁用通过设置选项4。在CC里这是可接受的,但是在跟踪失败时服务必须停止。循环文件的大小也是可配置的。
CREATE PROCEDURE sp_create_evaltrace
-- Create the trace
AS
-- Declare local variables
declare @rc int
declare @on bit
declare @instanceroot nvarchar(256)
declare @scriptname nvarchar(50)
declare @tracefile nvarchar(256)
declare @maxfilesize bigint
declare @filecount int
declare @traceid int
set @maxfilesize =100
set @filecount =100
-- Trace file name
set @scriptname = 'cc_trace_' + REPLACE(REPLACE(CONVERT( varchar(50), getdate(),126), ':', ''), '.','')
-- Get the instance specific LOG directory
-- Get the instance specific root directory.
set @instanceroot = ''
exec master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE', N'SOFTWARE\Microsoft\MSSQLServer\Setup', N'SQLPath', @instanceroot OUTPUT
IF @instanceroot = '' OR @instanceroot = NULL
BEGIN
-- Exit the procedure
raiserror ('Could not obtain the instance root directory using xp_instance_regread.', 18,127)
return(1)
END
-- Prepare the Trace file.
IF SUBSTRING(@instanceroot, Len(@instanceroot)-1, 1) != '\'
set @instanceroot = @instanceroot + '\'
set @tracefile = @instanceroot + 'LOG\'+ @scriptname
-- Create the trace
exec @rc = sp_trace_create @traceid OUTPUT, 6, @tracefile, @maxfilesize, NULL , @filecount
IF (@rc != 0)
begin
return (1)
end
第三部分包含被跟踪捕获的事件,在注释中有所描述。
-- Add Trace Events set @on = 1 -- Audit Login exec sp_trace_setevent @TraceID, 14, 1, @on -- TextData exec sp_trace_setevent @TraceID, 14, 11, @on -- LoginName exec sp_trace_setevent @TraceID, 14, 14, @on -- StartTime exec sp_trace_setevent @TraceID, 14, 21, @on -- EventSubClass exec sp_trace_setevent @TraceID, 14, 23, @on -- Success exec sp_trace_setevent @TraceID, 14, 64, @on – SessionLoginName
仅仅从描述来看意义不是很清晰。下面详细描述一下。注意GDR事件类的范围,类似的语言用于subsequent类。
Audit Schema Object GDR 事件类 -- 每当 MicrosoftSQL Server 中的任何用户对架构对象权限发出 GRANT、REVOKE 或 DENY 时,都会发生 Audit Schema Object GDR 事件类。
Audit Database Scope GDR 事件类 -- 每当 MicrosoftSQL Server 中的用户发出针对语句权限的 GRANT、REVOKE 或 DENY 时(仅限于数据库操作,例如针对某个数据库授予权限),都会发生 Audit Database Scope GDR 事件类。
Audit Database Object GDR 事件类 -- 如果对数据库对象(例如,程序集和架构)发出 GRANT、REVOKE 或 DENY,则会发生 Audit Database Object GDR 事件类。
Audit Server Scope GDR 事件类 -- 当为了获取服务器范围内的权限(例如,创建登录名)而发出 GRANT、REVOKE 或 DENY 时,会产生 Audit Server Scope GDR 事件类。
Audit Server Object GDR 事件类 -- 只要 Microsoft SQL Server 中的任何用户针对服务器对象权限发出 GRANT、REVOKE 或 DENY,Audit Server Object GDR 事件类就会出现。
Audit Login 事件类 -- Audit Login 事件类指示用户已成功登录到 MicrosoftSQL Server。此类中的事件由新连接或从连接池中重用的连接触发。
Audit Logout 事件类 -- Audit Logout 事件类指示用户已注销 MicrosoftSQL Server。此类中的事件由新连接或从连接池中重用的连接触发。
Audit Login Failed 事件类 -- Audit Login Failed 事件类指明用户尝试登录到 MicrosoftSQL Server 但却失败了。此类中的事件由新连接或从连接池中重用的连接触发。
Audit Login Change Property 事件类 -- 当使用 sp_defaultdb 存储过程、sp_defaultlanguage 存储过程或 ALTER LOGIN 语句修改某个登录名的属性时,将发生 Audit Login Change Property 事件类。
Audit Login Change Password 事件类 -- 只要用户更改了其 MicrosoftSQL Server 登录密码,就会发生 Audit Login Change Password 事件类。
Audit Add Login to Server Role 事件类 -- 每当向固定服务器角色添加登录名或从其删除登录名时,都会发生 Audit Add Login to Server Role 事件类。此事件类用于 sp_addsrvrolemember 和 sp_dropsrvrolemember 存储过程。
Audit Add Member to DB Role 事件类 -- 在数据库角色中添加或删除登录名时,会发生 Audit Add Member to DB Role 事件类。此事件类与 sp_addrolemember、sp_changegroup 和 sp_droprolemember 存储过程一起使用。
Audit App Role Change Password 事件类 -- 每当更改了应用程序角色的密码时,都会发生 Audit App Role Change Password 事件类。
Audit Database Object Access 事件类 -- 在访问数据库对象(如架构)时,会发生 Audit Database Object Access 事件类。
Audit Schema Object Access 事件类 -- 当使用对象权限(例如 SELECT)时,将发生 Audit Schema Object Access 事件类。
Audit Backup/Restore 事件类 -- 每当发出备份或还原命令时,都会发生 Audit Backup/Restore 事件类。
Audit DBCC 事件类 -- 每当发出 DBCC 命令时,就会发生 Audit DBCC 事件类。
Audit Change Audit 事件类 -- 只要修改审核跟踪,就会发生 Audit Change Audit 事件类。
Audit Database Management 事件类 -- 创建、更改或删除数据库时,会发生 Audit Database Management 事件类。
Audit Database Object Management 事件类 -- 当对数据库对象(如架构)执行 CREATE、ALTER 或 DROP 语句时,会发生 Audit Database Object Management 事件类。
Audit Schema Object Management 事件类 -- Audit Schema Object Management 事件类会在创建、更改或删除服务器对象时发生。
Audit Server Principal Impersonation 事件类 -- 当服务器范围内存在模拟情况(如 EXECUTE AS
Audit Database Principal Impersonation 事件类 -- Audit Database Principal Impersonation 事件类在数据库作用域中出现模拟(例如 EXECUTE AS <用户> 或 SETUSER)时出现。
Audit Server Object Take Ownership 事件类 -- 当服务器作用域内的对象改变了所有者时,会发生 Audit Server Object Take Ownership 事件类。
Audit Database Object Take Ownership 事件类 -- 当发生数据库作用域内的对象所有者的更改时,会发生 Audit Database Object Take Ownership 事件类。
Audit Schema Object Take Ownership 事件类 -- 检查更改架构对象(例如表、过程或函数)的所有者的权限时,会发生 Audit Schema Object Take Ownership 事件类。使用 ALTER AUTHORIZATION 语句指定对象所有者时会出现这种情况。
Audit Change Database Owner 事件类 -- 当您使用 ALTER AUTHORIZATION 语句更改数据库的所有者时,将发生 Audit Change Database Owner 事件类,并检查该操作所需的权限。
Audit Server Operation 事件类 -- 当执行诸如更改设置、资源、外部访问或授权等安全审核操作时,会发生 Audit Server Operation 事件类。
Audit Server Alter Trace 事件类 -- 对于检查 ALTER TRACE 权限的所有语句,都会发生 Audit Server Alter Trace 事件类。检查 ALTER TRACE 的语句包括用于创建或配置跟踪或者在跟踪上设置筛选器的语句。
Audit Server Object Management 事件类 -- 在对服务器对象执行 CREATE、ALTER 或 DROP 的情况下,会发生 Audit Server Object Management 事件类。
Audit Server Principal Management 事件类 -- 创建、更改或删除服务器主体时,会发生 Audit Server Principal Management 事件类。
Audit Database Operation 事件类 -- 当数据库中发生各种操作(如检查点操作或订阅查询通知)时,会发生 Audit Database Operation 事件类。
存储过程内部最后一部分是执行这个跟踪。最后,在存储过程外部,这个存储过程被标记为当SQL服务启动时自动执行。跟踪通过sp_trace_setstatus设置启动。
-- Set the trace status to start exec sp_trace_setstatus @TraceID, 1 print 'INFO: Successfully created the trace with ID ' + CAST (@traceid AS varchar(10)) return (0) GO declare @rc int -- Set the proc for autostart exec @rc = sp_procoption 'dbo.sp_create_evaltrace', 'startup', 'on' IF @rc != 0 BEGIN print 'ERROR: sp_procoption returned ' + CAST(@rc AS NVARCHAR(10)) print 'ERROR: Could not set sp_create_evaltrace for autostart' END -- start the eval trace exec dbo.sp_create_evaltrace GO
Sp_trace_setstatus参数的解释:
0:停止跟踪
1:启动跟踪
2:关闭跟踪并从服务器删除
因为我们要在启动时运行存储过程,“Scan for startup procs”选项必须被激活。该选项默认是关闭的,但是当存储过程被标记为在启动时执行时被激活。所以一旦代码的最后行被执行,选项将被激活。也可以通过SSMS下的服务器属性—高级修改。
一旦上面的步骤都已完成,停止并重启SQL服务。当服务再次启动,将会看到在上面第二部分代码的目录中产生了一个跟踪文件。至此,CC的部署已经完成。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to Download Drivers for Universal PnP Monitors: 5 Ways
Apr 21, 2023 pm 08:55 PM
If you have recently upgraded to Windows 10 or Windows 11, you may need to download a universal PnP monitor driver on your PC. Therefore, we have come up with a tutorial that will tell you more about Universal PnP Monitor and some quick ways to download and install Universal PnP Drivers on Windows. You may need to download drivers for most monitor brands, including the AcerGenericPnP monitor driver. When looking for monitor types in Device Manager or under the Monitors tab of the display adapter properties, you may notice Generic PnP Monitor. Chances are you'll find it in dual-monitor setups on both laptops and desktops. Down
How to disable universal watermark on Windows 11 PCs and laptops?
Apr 21, 2023 pm 02:49 PM
Are you bothered by the annoying watermark in the lower right corner of your Windows 11 screen? You don't know how to delete it? Universal WatermarkDisabler for Windows 11 is a tool that can help remove the annoying watermark in the lower right corner of the Windows screen that interferes with wallpapers and the overall experience. Without further ado, let’s get started. 3 Solutions to Remove Watermark from Windows 11 1. Use Universal Watermark Disabler to Remove Watermark The easiest way to remove evaluation copy watermark in Windows 11 is to use Universal Watermark Disabler, which is a third-party free software
How to get universal controls on Mac and iPad right now with beta
Jul 07, 2023 pm 09:49 PM
Requirements In addition to running macOS Monterey 12.3 or newer and iPadOS 15.4 or newer, you'll also need a newer Mac (any 2016 or newer MacBook Pro, or 2018 or newer MacBook Air, Mini, or iMac, or Mac Pro), and newer iPad (any iPad Pro, iPad Air 3rd generation or later, iPad 6th generation or later, iPad Mini 5th generation or later). Any device that wants to use Universal Control needs to be logged into the same Apple ID account that has iCloud enabled. Pass Beta now on M
Microsoft Teams is optimized for Apple Silicon as a 'Universal App' and is now available in beta
Apr 15, 2023 am 08:40 AM
Microsoft Teams has finally received a version that interacts directly with ARM-based chipsets in the latest Mac PCs. A beta version of Teams optimized for Apple Silicon is available directly from Microsoft. About a year and a half ago, Apple released Mac PCs with its own proprietary chipset. Designed by Apple engineers, the M1 SoC has received a lot of praise. While the previous generation of Apple PCs featured Intel processors, these are based on ARM
Honda, GM and Cruise form joint venture to launch driverless ride-hailing service in Japan in early 2026
Oct 19, 2023 pm 09:21 PM
According to news from this site on October 19, today, Japanese car manufacturer Honda Motor Co., U.S. General Motors Co., and autonomous driving technology company Cruise announced that the three companies have signed a memorandum of understanding to establish a joint venture to provide users with autonomous driving. Taxi service. Note from this site: Cruise is a subsidiary founded in 2013 to research autonomous driving solutions and was acquired by General Motors in 2016. The company is headquartered in San Francisco, California, and can be said to be one of the strongest autonomous driving design startups. According to reports, the three parties plan to establish a joint venture in the first half of 2024 after obtaining regulatory approval, and are expected to provide driverless taxi services in downtown Tokyo, Japan, in early 2026. The Service Lieutenant General
How to use the Universal Control function of macOS?
Apr 15, 2023 pm 08:40 PM
macOSMonterey12.3 officially introduces the UniversalControl universal control function. Through this function, users can use the Mac's keyboard and mouse to control an iPad or other Mac near the Mac. Users can also drag and drop files between different devices. System Requirements There are certain system requirements for using the UniversalControl function. Apple MacBook 2016 or later MacBook Pro 2016 or later MacBook Air 2018 or later Macmini 2018 or later iMac 2017 or later iMac (Retina
How to use universal controls on Mac and iPad
Apr 14, 2023 pm 03:31 PM
Universal Control System Requirements You need to make sure all Macs are running macOS Monterey 12.3 or higher, and iPads must be running iPadOS 15.4 or higher. In addition, all related devices must be logged into the same Apple ID and have Bluetooth and Wi-Fi enabled. The devices must also be in close proximity to each other. The individual Macs and iPads that support Universal Control are as follows: Macs supported by Universal Control: MacBookPro (2016 and newer models) MacBook (2016 and newer models) MacBook Air (2018 and newer models) iMac (20
How do I install the iOS 15 public beta and use Face ID with mask detection and universal controls?
Apr 26, 2023 pm 05:31 PM
How to Install the iOS 15 Public Beta to Make a Fresh Backup of Your iPhone or iPad On your iPhone or iPad, go to Apple’s Public Beta website and click on the arrow in the upper right corner. If you’re not already logged in, log in now and make sure you’re using iOS." Public Beta Tutorial" Scroll down and under the "Get Started" section, tap Register your iOS device. Scroll down again and tap Download profile. Tap Allow profile download. Tap Close. Go to Settings on your device and tap near the top. Click Install in the upper right corner of the downloaded profile, enter your password if required, read the agreement, and then double-tap to install your iPho
