Basic knowledge of Oracle Database Security

Source: Internet
Author: User

With the spread of computers and the growth of networks, databases are no longer a topic reserved for programmers. Oracle databases hold their place in the database market thanks to their strong performance and convenient, flexible operation. But as network technology keeps improving and the volume of data keeps growing, data security is no longer an empty phrase, nor the "unattainable" set of rules found in older textbooks.

Not long ago, everyone felt that the security of Oracle databases was not a risk, because in March Oracle began promoting its database software with the slogan "only Oracle9i can achieve absolute security". Whether that was marketing or genuine confidence, it was accompanied by a buffer overflow vulnerability, caused by a programming error, that British security expert David Litchfield found in 9iAS in February; later, PenTest Limited and eEye Digital Security each reported a smaller vulnerability. Every user of Oracle products could not help feeling nervous about what had seemed a settled matter; after all, it concerns their own "personal life".

Let me take you into the world of Oracle data security. Given my limited knowledge, shortcomings are inevitable.

(1) Basic knowledge about Oracle databases

This section only lays some groundwork for the security topics that follow, because we will rely on these concepts later.

1. Components of an Oracle database:

In Oracle, a database refers to the entire Oracle RDBMS environment. It includes the following components:

· The Oracle database processes and buffers (the instance).

· The SYSTEM tablespace, which holds the central system catalog and can consist of one or more data files.

· Other tablespaces defined by the database administrator (DBA) (optional); each consists of one or more data files.

· At least two online redo logs.

· Archived redo logs (optional).

· Other files (control files, init.ora, config.ora, etc.).

Every Oracle database is built around a central system catalog and data dictionary, which reside in the SYSTEM tablespace.

2. About "logs"

Oracle databases use several structures to protect data: database backups, logs, rollback segments, and control files. Here we take a general look at one of the main structures, the "log":

Every Oracle database instance keeps logs that record all modifications made to the database. Each running instance has an online log, which works together with the background process LGWR and records every modification as soon as it is made. Archived (offline) logs are optional: once an online log file fills up, it can be copied into an archived log file. Each archived online log file is uniquely identified, and together they make up the archived log.

· Online logs: every Oracle database instance has an associated online log, made up of several online redo log files that are filled with redo entries. The data recorded in these entries is used to reconstruct all modifications made to the database.

· Archived logs: an archived redo log is created whenever Oracle archives a filled online redo log file group. Archived logs are useful for database backup and recovery:

<1> A database backup together with the online and archived log files ensures that all committed transactions can be recovered after an operating system or disk failure.

<2> If archived logs are kept permanently, online backups can be taken while the database is open and in normal use.

A database can run in NOARCHIVELOG or ARCHIVELOG mode. In NOARCHIVELOG mode the online logs cannot be archived; in ARCHIVELOG mode they can.

3. Physical and logical storage structure:

An Oracle RDBMS is made up of tablespaces, and tablespaces are made up of data files. A tablespace's data files are formatted into internal units called blocks. The block size is set by the DBA when the database is first created and can range from 512 to 8192 bytes. When an object is created in an Oracle tablespace, the user specifies its size with an initial extent, a next extent, and minimum and maximum numbers of extents (minextents and maxextents). The size of an Oracle extent can be changed, but an extent must consist of a chain of at least five consecutive blocks.

4. The connection protocols for Oracle and Microsoft SQL Server:

(2) Oracle Data Security Maintenance

I remember a philosopher saying, "Change in anything is inseparable from its internal and external causes." Oracle data security can likewise be divided into "internal" and "external" aspects. Let us start with the "internal" side:

1. Starting from the Oracle system itself

Let us first look at our database without worrying about "hackers" and other external causes. Disk damage, software damage, operator error... a whole series of system problems caused by our own "negligence" can make the data in the database we worked so hard to build disappear forever. So let us first look for causes in ourselves.

[1] Solution to system problems: database backup and recovery

· Database backup:

There are three methods of Oracle database backup: Export/Import, cold backup, and hot backup. An export is a logical backup, while cold and hot backups are physical backups.

<1> Export/Import

Export can be used to extract data from the database, and Import can be used to load the extracted data back into an Oracle database.

A. Simple data Export and Import

Oracle supports three modes of export:

(1) Table mode (T mode), which exports the data of specified tables.

(2) User mode (U mode), which exports all objects and data of a specified user.

(3) Full database mode (Full mode), which exports all objects in the database.

The Import process is the inverse of the Export process; their data flows in opposite directions.

B. Incremental Export/Import

Incremental export is a common data backup method. It can only be performed for the entire database and must be run as the SYSTEM user. This kind of export requires no interactive answers. The default export file name is export.dmp; if you do not want your output file to be called export.dmp, you must specify the file name on the command line.

Incremental export comes in three types:

(1) Complete incremental export (Complete)

Backs up the entire database, for example:

$ exp system/manager inctype=complete file=990702.dmp

(2) Incremental export (Incremental)

Backs up the data changed since the last backup of any type. For example:

$ exp system/manager inctype=incremental file=990702.dmp

(3) Cumulative export (Cumulative)

Backs up only the data changed in the database since the last "complete" export. For example:

$ exp system/manager inctype=cumulative file=990702.dmp

The database administrator can set up a backup schedule that combines the three export types. For example, the backup tasks could be arranged as follows:

· Monday: complete export (A)

· Tuesday: incremental export (B)

· Wednesday: incremental export (C)

· Thursday: incremental export (D)

· Friday: cumulative export (E)

· Saturday: incremental export (F)

· Sunday: incremental export (G)

If the database is accidentally damaged on Sunday, the database administrator can restore it with the following steps:

Step 1: Use the CREATE DATABASE command to regenerate the database structure;

Step 2: Create an additional rollback segment that is large enough;

Step 3: Import the complete export A:

$ imp system/manager inctype=restore full=y file=A

Step 4: Import the cumulative export E:

$ imp system/manager inctype=restore full=y file=E

Step 5: Import the latest incremental export F:

$ imp system/manager inctype=restore full=y file=F
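The weekly schedule and the three-step restore above can be driven by a small script. The following is an added example, not code from the original article: it maps a weekday to the exp inctype used in the schedule and, given the backups taken so far (constructed labels A to F), derives the order in which imp must restore them. Oracle is not invoked; the article's system/manager credential is only echoed into the command line.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the exp command for
# each weekday of the schedule above and derives the imp order for a
# restore. Oracle itself is never invoked here.

# Map a weekday to the inctype used in the schedule (Monday complete,
# Friday cumulative, every other day incremental).
inctype_for_day() {
  case "$1" in
    Monday) echo complete ;;
    Friday) echo cumulative ;;
    Tuesday|Wednesday|Thursday|Saturday|Sunday) echo incremental ;;
    *) return 1 ;;
  esac
}

# Print the exp command line for a weekday and dump file name. The
# system/manager credential is the one the article uses; on a real host
# the password would not be placed on the command line, where every user
# can read it from the process list.
exp_command() {
  itype=$(inctype_for_day "$1") || return 1
  echo "exp system/manager inctype=$itype file=$2"
}

# Arguments are "label type" pairs in chronological order. Prints the dump
# files to import, in order: the latest complete export, the latest
# cumulative export taken after it, then every incremental export taken
# after whichever of those two is newer (a newer complete or cumulative
# export makes the earlier incrementals unnecessary).
restore_plan() {
  base=""; cumul=""; incr=""
  for entry in "$@"; do
    label=${entry%% *}; etype=${entry##* }
    case "$etype" in
      complete)    base=$label; cumul=""; incr="" ;;
      cumulative)  cumul=$label; incr="" ;;
      incremental) incr="$incr $label" ;;
    esac
  done
  [ -n "$base" ] || return 1
  set -- $base $cumul $incr   # word-split into a clean list
  echo "$*"
}

# Demo: the article's schedule with the database lost on Sunday before
# that day's export, so F is the newest incremental. Prints "A E F".
restore_plan "A complete" "B incremental" "C incremental" "D incremental" \
             "E cumulative" "F incremental"
```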

<2> cold backup

A cold backup is taken while the database is shut down normally. A database that has been shut down normally gives us a complete, consistent set of files, and a cold backup simply copies the key files to another location. It is the fastest and safest way to back up Oracle information. Advantages of cold backup:

· Very fast (just copying files)

· Easy to archive (a simple copy)

· Easy to restore to a certain point in time (just copy the files back)

· Can be combined with archived logs to restore the database to its "latest state"

· Low maintenance and high security.

However, cold backup also has the following drawbacks:

· Used on its own, it can only provide recovery to a single point in time.

· For the entire duration of the backup the database can do nothing else; that is, during a cold backup the database must be closed.

· If disk space is limited, the files can only be copied to tape or other external storage, which is very slow.

· Cannot restore by table or by user.

If possible (mainly for efficiency), back up the files to disk, then start the database (so users can work) while copying the backup from disk to tape (the database keeps working at the same time). The files that must be copied in a cold backup are:

· All data files

· All control files

· All online redo log files

· The init.ora file (optional)

Note that a cold backup must be performed while the database is closed. A file-system backup of the database files taken while the database is open is invalid.

The following is a complete example of a cold backup:

(1) Shut down the database:

$ sqldba lmode=y

SQLDBA> connect internal;

SQLDBA> shutdown normal;

(2) Use the cp command to back up all data files, redo log files, control files, and the initialization parameter file:

SQLDBA> !cp <file> <backup directory>

(3) Restart the Oracle database:

$ sqldba lmode=y

SQLDBA> connect internal;

SQLDBA> startup;
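The copy step of the cold backup above is where mistakes happen: copying while the instance is still open yields an invalid backup, and a copy that was never verified is no backup at all. The following is an added example, not the article's code; it assumes the Unix convention that an open instance has a background process named ora_pmon_<SID>, and the file list (data files, control files, online redo logs, init.ora) is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original article. Performs the copy step of
# a cold backup with the two checks the article's text implies: the
# instance must be down, and every copy must match its source.
# Assumption: on Unix an open instance has a process named ora_pmon_<SID>.

# Return 0 if an instance with this SID appears to be running.
instance_running() {
  ps -eo comm 2>/dev/null | grep -qx "ora_pmon_$1"
}

# cold_backup SID BACKUP_DIR FILE...
# Refuses to run while the instance is open (files copied from an open
# database are not a valid cold backup), copies each file with its
# timestamps preserved, and compares every copy byte for byte with cmp.
# Returns 1 if the instance is up, a file is missing, or a copy differs.
cold_backup() {
  sid=$1; dest=$2; shift 2
  if instance_running "$sid"; then
    echo "instance $sid is still running; shut it down first" >&2
    return 1
  fi
  mkdir -p "$dest" || return 1
  for f in "$@"; do
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    cp -p "$f" "$dest/" || return 1
    cmp -s "$f" "$dest/$(basename "$f")" || { echo "copy differs: $f" >&2; return 1; }
  done
  return 0
}
```

Run it with the SID, a dated backup directory and the full file list from the "files that must be copied" list above; a non-zero exit means the backup is not usable.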

<3> Hot backup

A hot backup is taken while the database is running.
