First, Data dictionary protection
Enable data dictionary protection, only SYSDBA The user can access the data dictionary base table
Use Show Parameters command to check the parameters o7_dictionary_accessibility whether to FALSE .
Second, account security management
1, according to the user's business needs, configure the minimum permissions
Use the following SQL Query has DBA Permissions for users
Select grantee as Usern from dba_role_privswhere granted_role = ' dba ' intersect select username from dba_users;
Use the following SQL Query has DBA Role of Permissions
Select grantee as Usern from dba_role_privswhere granted_role = "dba" Minus (select Grantee as Usern from dba_role_privswhe Re granted_role = ' DBA ' intersect select username from dba_users);
2. Use database Roles ( ROLE) to manage permissions for an object
Use SELECT * from Dba_role_privs or Dba_tab_privs; select* from User_role_privs; check the account role and determine if the account permissions are clearly divided.
3, the user's attributes to control, including password policy, resource constraints and so on.
for different business users to create different Profile , set database password complexity, expiration date and lock configuration, etc. Profile The parameters are explained as follows:
A . Restricting Database Resources
Sessions_per_user number of concurrent sessions allowed per user name
cpu_per_session A session can be used altogether. CPU time, Unit is 1% seconds
Cpu_per_call One time SQL called ( parsing, execution, and acquisition ) allowed to use CPU Time
Connect_time Limit session connection time in minutes
Idle_time The time, in minutes, allowed for an idle session
logical_reads_per_session limit the session to read blocks of data, in blocks
Logical_reads_per_call Limit SQL call to read a block of data, in blocks
Composite_limit Specifies the total resource consumption of a session to serviceunits Unit Representation
PRIVATE_SGA Restrict sessions to SGA in Shared Pool allocation of private spaces in
B . Restrictions on Passwords
failed_login_attempts number of errors that can be attempted before an account is locked
Password_life_time the number of days the password can be used, in days, the default value the days
Password_reuse_time Password Reusable time interval ( combined with Password_reuse_max)
Password_reuse_max maximum number of changes in password ( combined with password_reuse_time)
Password_lock_time number of days that the user is locked out after the number of error attempts, default 1 days
Password_grace_time How many days you can use the original password after the password expires
password_verify_function password complexity settings, at least 8 uppercase letters of characters + Lowercase Letters + Digital + Special Symbols
Examples of specific usage:
Alter profile profile_name Limitpassword_verify_function verify_function_11g; --Set Database password complexity alter profile profile_name limit FAILED_LOGIN_ATTEMPTS5--Set Database password error 5 times locked
4, according to business restrictions with the database Super Administrator ( SYSDBA) permissions for users to Telnet
Use Show Parameters command to check the parameters Remote_login_passwordfile whether to NONE . (Build dg,rman Backup etc requires administrator privileges, according to business settings)
5, limited to number of operating system users in the DBA group
limit except Oracle,grid other operating system users outside of the DBA Group to prevent its users from string changes or deletions Oracle The contents of the software files.
Third, Trusted IP Address access control
restricted by the operating system or firewall where the database resides, only trusted IP address to access the database through the listener, you can set the $ORACLE _home/network/admin/sqlnet.ora parameters in File tcp.validnode_checking and the Tcp.invited_nodes to implement the restrictions, restart the monitoring.
Iv. recording of operational events
1. Create a trigger to log user logins
Build Table Login_check_log
CREATE TABLE Login_check_log (Session_idnumber (8,0) not null,login_on_time date,user_in_db varchar (), IP_ Addressvarchar (20));
Build Trigger Login_check
Create trigger Login_checkafter logon on Databasebegin insert into Login_check_log (session_id,login_on_time,user_in_db , ip_address) Select Audsid,sysdate,sys.login_user,sys_context (' Userenv ', ' ip_address ') from V$session where audsid= Userenv (' SessionID '); end;/
you can also use related triggers by creating a database connection, such as: Limit only IP to be XXX the client uses PL/SQL connecting to a database
2, the database should configure the logging function, record the user's operation to the database
By recording the operation log, the record needs to include user account number, operation time, operation content and operation result. such as opening the listener log.
Lsnrctl>set log_directory $ORACLE _home/diag/tnslsnr/
3, according to business requirements to develop database audit strategy
Use Show Parameter command to check the parameters Audit_trail is set, with the following parameters:
None : Is the default value, disable database auditing.
OS : Enable auditing and direct database audit records to OS Audit Records.
db : Enable auditing and direct database audit records to the database Span style= "FONT-FAMILY:CALIBRI;" > SYS. aud$ 11g db
db_extended : Enables auditing and directs all audit records of the database to the database of the SYS. The aud$ table contains the SYS. the SQLBIND columns and sqltextclob columns of the aud$ table . The result of the audit, in addition to the connection information also contains the specific statements executed at that time.
XML : Enable database auditing and write all records to XML format of OS system files.
xml_extended : Enable database auditing to output all columns of audit records, including SQLText and the SQLBind .
interested children's shoes can also know ORACLE Security Audit Products: Oracle Audit Vault and Database Firewall ( AVDF )
Five, Database vulnerability management
scanning using the mainstream vulnerability scanning tool, for medium-high-risk vulnerabilities, should be repaired in a timely manner, check the system's detailed version number , Timely Updates ORACLE The release of medium-high-risk patches, for the temporary repair of loopholes, should be through other technical means of risk avoidance. For details, please refer to: The CVE Vulnerability Library of domestic and foreign authority .
CVE Chinese Vulnerability Information Base -scap Chinese Community: http://cve.scap.org.cn/
Cve-common Vulnerabilities and Exposures (CVE) : http://cve.mitre.org/
Oracle Database Security Basics