Full analysis of data security in Oracle databases

Full analysis of data security in Oracle databases

With the popularization of computers and the development of networks, databases are no longer just the proprietary topics of programmers. Oracle databases, however, have a place in the database market thanks to their superior performance and convenient and flexible operations. However, as network technology continues to improve and data information continues to increase, data security is no longer an old saying ", it is also not the "unattainable" rules in previous books.

Perhaps a long time ago, everyone felt that the security of Oracle databases was not a risk, because Oracle began to promote its database software in March, with the slogan "only Oracle9i can achieve absolute security ". However, whether it is for promotion or to increase awareness, it was accompanied by the buffer overflow vulnerability caused by program errors found in 9iAS by British security expert David Litchfield in February and later, penTestLimited and eEyeDigitalSecurity each proposed a small vulnerability. All users who use Oracle products cannot help but become nervous about the originally relaxed brain, after all, it is related to your own "Personal Life ".

I will take you into the world of Oracle data security. Due to my limited level, the shortcomings are inevitable.

(1) Basic knowledge about Oracle databases

This is just to lay some foundation for future security, because we will use them later.

1. components contained in Oracle:

In Oracle, a database refers to the entire OracleRDBMS environment, which includes the following components:

· Oracle Database process and buffer (instance ).

· The SYSTEM tablespace contains a centralized SYSTEM category, which can be composed of one or more data files.

· Other tablespaces defined by the database administrator (DBA) (Optional). Each tablespace consists of one or more data files.

· More than two online recovery logs.

· Archive recovery logs (optional ).

· Other files (control files, Init. ora, Config. ora, etc ).

Each Oracle database runs on a central SYSTEM category and data dictionary. It is located in the SYSTEM tablespace.

2. About "logs ":

Oracle databases use several structures to protect data: database backup, logs, rollback segments, and control files. Here we will take a general look at the "log" as one of the main structures ":

Each Oracle database instance provides logs to record all modifications made in the database. Each running Oracle database instance has an online log, which works with the Oracle background process LGWR and immediately records all modifications made to the instance. Archive (offline) logs are optional. Once an Oracle database instance is filled with online logs, an online log archive file can be formed. Archived online log files are uniquely identified and merged into archived logs.

· Online logs: each instance of an Oracle database has an associated online log. An online log consists of multiple online log files. The online log file (onlineredologfile) is filled with the log entry. The data recorded in the log entry is used to reconstruct all the modifications made to the database.

· Archive logs: Archive logs (archivedredolog) must be created when Oracle wants to archive all online Log File groups ). It is useful for database backup and recovery:

<1> database backup and online and archive log files Ensure that all submitted items can be recovered in case of an operating system or disk failure.

<2> online backup can be used if the archived logs are permanently saved when the database is enabled and normally used by the system.

Databases can run in NOARCHIVELOG or ARCHIVELOG modes. When a database is used in NOARCHIVELOG mode, online logs cannot be archived. If the database runs in ARCHIVELOG mode, you can archive online logs.

3. physical and logical storage structure:

OracleRDBMS is composed of tablespaces, and tablespaces are composed of data files. The tablespace data file is formatted as an internal block unit. The block size is set by DBA when Oracle was first created. It can be changed within the range of 512 to 8192 bytes. When an object is created in an Oracle tablespace, the user uses a unit called the length (initial length (initialextent), the next length (nextextent), and the minimum length (minextents) and the maximum length (maxextents) to indicate the size of the object space. The length of an Oracle database can be changed, but it must contain a chain consisting of at least five consecutive blocks.

(2) Oracle Data Security Maintenance

I remember a philosopher saying, "The changes of things are inseparable from internal and external causes ." Therefore, Oracle data security is also divided into "internal" and "external. Well, let's start with "inner:

1. Starting from the Oracle system itself:

Let's take a look at our database without worrying about the "hacker" and other external reasons. What disk damage, what software damage, what operations ...... A series of system problems caused by our "negligence" can completely let the data in the database we have worked hard to build go forever. Then, let's look for reasons from ourselves.

[1] solutions to system problems-database backup and recovery:

· Database backup:

There are three methods for Oracle Database Backup: Export/Import, cold backup, and hot backup. Exporting backup is a logical backup, while cold backup and hot backup are physical backup.

<1> Export/Import (Export/Import)

The Export can be used to extract data from the database, and the Import can be used to send the extracted data back to the Oracle database.

A. Simple Export of data (Export) and Import data (Import)

Oracle supports three types of output:

(1) the data of the specified table is exported in the T mode.

(2) user mode (U mode), which exports all objects and data of the specified user.

(3) Full database mode (Full mode) to export all objects in the database.

The data Export process is the inverse process of the data Import (Export). Their data flows are different.

B. incremental export/import:

Incremental export is a common data backup method. It can only be implemented for the entire database and must be exported as a SYSTEM. During this export, the system does not require any answers. The default export file name is export. dmp. If you do not want your output file to be named export. dmp, you must specify the file name to use in the command line.

Incremental export includes three types:

(1) "Complete" incremental Export (Complete)

 

Back up the entire database, for example, $ expsystem/managerinctype = completefile = 990702.dmp.