Oracle Database Security reinforcement record

Oracle Database Security reinforcement record

When an application system performs classified protection, it needs to reinforce the database. According to the process, it must first pass the test in the test environment and then apply it to the production environment. Here, the test process is simply recorded, the audit content is an important part of the evaluation, but it is not easy to enable the production environment. Here we will record it and add relevant content later.

1. delete unused accounts 1) view accounts and status

SQL> select username,account_status from dba_users;USERNAME ACCOUNT_STATUS------------------------------ --------------------------------MGMT_VIEW OPENSYS OPENSYSTEM OPENDBSNMP OPENSYSMAN OPENABC OPENB OPENKOU OPENOUTLN EXPIRED & LOCKEDFLOWS_FILES EXPIRED & LOCKEDMDSYS EXPIRED & LOCKEDORDSYS EXPIRED & LOCKEDSQL>

Note: if you do not use EM, you can disable MGMT_VIEW, DBSNMP, and SYSMAN accounts.

2) Delete unnecessary accounts. You can delete some test accounts.

SQL> drop user kou cascade;
User dropped.
SQL>

 

2. Lock unused users. For accounts with unknown purposes, you can lock them for a period of time before deleting them. (1) Locking redundant users

SQL> alter user abc account lock;
User altered.

(2) unlock a user

SQL> alter user abc account unlock;User altered.SQL> select username,account_status from dba_users;USERNAME ACCOUNT_STATUS------------------------------ --------------------------------MGMT_VIEW OPENSYS OPENSYSTEM OPENDBSNMP OPENSYSMAN OPENB OPENABC LOCKEDOUTLN EXPIRED & LOCKEDFLOWS_FILES EXPIRED & LOCKED

Descriptions of other status parameters:
OPEN: normal account
LOCKED: indicates that the account is LOCKED;
EXPIRED: indicates that the account password expires. You are required to change the password at the next logon (the system will prompt you to change the password upon the first login after the account is set to expire)
EXPIRED (GRACE): After grace is set (the number of days after the password expires after the first successful logon, the password can be changed. During this period, the account is reminded to change the password and can be logged on normally. account_status is displayed as EXPIRED (GRACE ).
LOCKED (TIMED): this status indicates that the number of failed logins exceeds FAILED_LOGIN_ATTEMPTS and is automatically LOCKED by the system. Note that the DEFAULT value is 10 in Oracle 10 Gb.
EXPIRED & LOCKED: indicates that the account is set to expire and LOCKED.
EXPIRED (GRACE) & LOCKED (TIMED): When account_stutus is EXPIRED (GRACE), the number of login attempts failed by the user exceeds FAILED_LOGIN_ATTEMPTS, which is automatically LOCKED by the system.
EXPIRED & LOCKED (TIMED): When the account expire is set, the number of logins failed by the user exceeds FAILED_LOGIN_ATTEMPTS, which is automatically LOCKED by the system.
EXPIRED (GRACE) & LOCKED: The status after the user account_status is EXPIRED (GRACE) and the account is manually LOCKED by the DBA

 

3. Restrict the super administrator from logging on remotely. 1) by default, the system administrator can log on remotely as follows.

C: \> sqlplus sys/oracle @ orcl181 as sysdba;

SQL * Plus: Release 11.2.0.1.0 Production on Monday December 8 14:51:18 2014
Copyright (c) 1982,201 0, Oracle. All rights reserved.

Connect:
Oracle Database 10g Enterprise Edition Release 10.2.0.5.0-64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL>

2) Restrict Remote logon to Super Users

Note: Do not log on to the password file for verification during Remote logon.

SQL> alter system set remote_login_passwordfile = none scope = spfile;

SQL> shutdown immediate;
SQL> startup;

3) restrict users from logging on using local operating system authentication

Some security configuration requirements are as follows.

$ Vi/u01/app/oracle/product/10.2.0/db_1/network/admin/sqlnet. ora
SQLNET. AUTHENTICATION_SERVICES = none

4) Test Method

Sqlplus system/oracle @ orcl as sysdba
Sqlplus/as sysdba

Note: if both of the above are enabled, SYSDBA users will not be able to log on and the database will not be able to start. If you want to perform management operations, you need to modify the operations.

 

4. Assign minimum permissions based on the account

Oracle provides three standard roles: connect, resource, and DBA. Users with DBA permission are restricted.

1) system permissions of the account

SQL> select * from dba_sys_privs where grantee='ABC';GRANTEE PRIVILEGE ADM------------------------------ ---------------------------------------- ---ABC UNLIMITED TABLESPACE NO

2) Roles owned by the account

SQL> select * from dba_role_privs where grantee='ABC';GRANTEE GRANTED_ROLE ADM DEF------------------------------ ------------------------------ --- ---ABC CONNECT NO YESABC RESOURCE NO YESSQL>

3) object permissions of the account

SQL> select * from dba_tab_privs where grantee = 'abc ';
No rows selected

4) refer to the configuration operation. For DBA permissions, you must determine whether the DBA permissions are required. Otherwise, you must cancel the dba permissions and reduce them to common permissions. You need to adjust the permissions by the application DBA.

 

5. account password policy configuration 1) initial configuration of Oracle 10g password policy configuration

Note: The password policy is usually used for account management and account maintenance. Business accounts are not subject to policy restrictions. For example, expiration of an application account may affect normal business use. The DEFAULT policy is used by DEFAULT.

SQL> SELECT profile FROM dba_users WHERE username='ABC';PROFILE------------------------------DEFAULTSQL>SQL> SELECT profile,resource_type,resource_name,limit FROM dba_profiles WHERE resource_type='PASSWORD' AND profile='DEFAULT';PROFILE RESOURCE RESOURCE_NAME LIMIT------------------------------ -------- -------------------------------- ----------------------------------------DEFAULT PASSWORD FAILED_LOGIN_ATTEMPTS 10DEFAULT PASSWORD PASSWORD_LIFE_TIME UNLIMITEDDEFAULT PASSWORD PASSWORD_REUSE_TIME UNLIMITEDDEFAULT PASSWORD PASSWORD_REUSE_MAX UNLIMITEDDEFAULT PASSWORD PASSWORD_VERIFY_FUNCTION NULLDEFAULT PASSWORD PASSWORD_LOCK_TIME UNLIMITEDDEFAULT PASSWORD PASSWORD_GRACE_TIME UNLIMITEDSQL>

2) Complexity of modifying and starting the password

Note: The utlpwdmg. SQL script contains the password policy and account policy. This script is followed by the account policy configuration. you can comment it out in advance and enable it one by one later.

SQL> alter system set resource_limit = true;
SQL> @ $ ORACLE_HOME/rdbms/admin/utlpwdmg. SQL

3) Modify Account Policies

SQL> ALTER PROFILE DEFAULT LIMITPASSWORD_LIFE_TIME limit 3PASSWORD_LOCK_TIME 1/1440; PASSWORD_VERIFY_FUNCTION verify_function parameter description: Number of Logon failures allowed PASSWORD_LOCK_TIME: the number of days the account is locked after logon failure, after this day, the account will automatically unlock PASSWORD_LIFE_TIME: Password survival (days) PASSWORD_GRACE_TIME: the grace period (days) for changing the password from the first successful logon after the password expires PASSWORD_REUSE_TIME: the number of days before the password can be re-used PASSWORD_REUSE_MAX: the maximum number of times the password can be re-used PASSWORD_VERIFY_FUNCTION: Check the PL/SQL function set for the password. view the result: SQL> set linesize 200; SQL> SELECT profile, resource_type, resource_name, limit FROM dba_profiles WHERE resource_type = 'Password' AND profile = 'default '; profile resource RESOURCE_NAME LIMIT -------- too many default password limit 3 default password PASSWORD_LIFE_TIME 60 default password PASSWORD_REUSE_TIME 1800 default password PASSWORD_REUSE_MAX unlimiteddefault password limit VERIFY_FUNCTIONDEFAULT PASSWORD PASSWORD_LOCK_TIME. 0006 default password PASSWORD_GRACE_TIME 107 rows selected. SQL>

# Cancel the Oracle Password Complexity check:
SQL> alter profile default limit password_verify_function null;
SQL> ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;

 

4) policy restrictions can be imposed on individual users.

SQL> CREATE PROFILE ABC_PROFILE LIMITPASSWORD_LIFE_TIME UNLIMITEDPASSWORD_GRACE_TIME 10PASSWORD_REUSE_TIME 1800PASSWORD_REUSE_MAX UNLIMITEDFAILED_LOGIN_ATTEMPTS 3PASSWORD_LOCK_TIME 1/1440;SQL> alter user abc profile ABC_PROFILE;User altered.SQL>SQL> SELECT profile,resource_type,resource_name,limit FROM dba_profiles WHERE resource_type='PASSWORD' AND profile='ABC_PROFILE';PROFILE RESOURCE RESOURCE_NAME LIMIT------------------------------ -------- -------------------------------- ----------------------------------------ABC_PROFILE PASSWORD FAILED_LOGIN_ATTEMPTS 3ABC_PROFILE PASSWORD PASSWORD_LIFE_TIME UNLIMITEDABC_PROFILE PASSWORD PASSWORD_REUSE_TIME 1800ABC_PROFILE PASSWORD PASSWORD_REUSE_MAX UNLIMITEDABC_PROFILE PASSWORD PASSWORD_VERIFY_FUNCTION NULLABC_PROFILE PASSWORD PASSWORD_LOCK_TIME .0006ABC_PROFILE PASSWORD PASSWORD_GRACE_TIME 10

 

6. Enable data dictionary Protection

Only SYSDBA can access the basic data dictionary table. Common users cannot view tables starting with X $.

SQL> show parameter O7_DICTIONARY_ACCESSIBILITYNAME TYPE VALUE------------------------------------ ----------- ------------------------------O7_DICTIONARY_ACCESSIBILITY boolean FALSESQL>SQL> alter system set O7_DICTIONARY_ACCESSIBILITY= TRUE scope = spfile;SQL> shutdown immediate;SQL> startup;

 

7. Database Access Control

Only a trusted IP Address can access the database through the listener. untrusted clients will be rejected. The local IP address must be listed in the trust column.
Generally, the application service and database server are added to the Trust List.

$ Vi $ ORACLE_HOME/network/admin/sqlnet. ora
Tcp. validnode_checking = yes
Tcp. invited_nodes = (192.168.233.150, 192.168.233.151)

# Access is allowed except for the following IP addresses.
Tcp. excluded_nodes = (IP1, IP2 ,...)

Restart the listener.

 

8. Set the idle connection time

$ Vi $ ORACLE_HOME/network/admin/sqlnet. ora
SQLNET. EXPIRE_TIME = 60

Note: after the client is connected, the client will be automatically disconnected if no operation is performed within the set time.

 

9. Limit the number of users in the DBA user group at the operating system level