Detailed Oracle Database Security

Source: Internet
Author: User

As computers have spread and networks have grown, the database is no longer a topic only for programmers but something many people deal with, and data security is no longer the old "talked about but never done" matter, nor just the "impossible" rules found in earlier books. Security is one of the most discussed topics and a real concern for enterprises, so let us look together at the security issues of the Oracle database.

The following elaborates on how to keep a database system from being compromised by unauthorized users.

I. Groups and security:

Creating user groups at the operating-system level is an effective way to protect the database. For security purposes, Oracle programs are generally divided into two categories: those that all users may execute and those that only the DBA may execute. In a UNIX environment, group membership is configured in /etc/group; see the UNIX manual for the format of this file. Here are a few ways to ensure security:

(1) Before installing the Oracle server, create the database administrators group (dba) and add the user IDs of root and of the Oracle software owner to this group. The programs that only the DBA may execute get permission 710. The SQL*DBA system-privilege commands are assigned to the dba group automatically during installation.

(2) To allow some UNIX users limited access to the Oracle server, add an oracle group for the authorized users and make sure the Oracle server utility routines carry the oracle group ID. Commonly executed programs such as SQL*Plus and SQL*Forms should be executable by this group, so give these utility routines permission 710: members of the group can execute them, while other users cannot.

(3) Change the permissions of programs that do not affect database security to 711. (Note: for convenience during installation and debugging, the default password of the two DBA-privileged users SYS and SYSTEM in the Oracle database is manager.) For the security of your database system, we strongly recommend that you change the passwords of these two users, as follows:

In SQL*DBA, type:

ALTER USER sys IDENTIFIED BY password;

ALTER USER system IDENTIFIED BY password;

where password is the new password you set for the user.

II. Security of the Oracle server utility routines:

Here are a few suggestions for protecting the Oracle server from being used by unauthorized users:

(1) Make sure that all programs under the $ORACLE_HOME/bin directory are owned by the Oracle software owner;

(2) Give the utilities that all users need (SQL*Plus, SQL*Forms, EXP, IMP, etc.) permission 711, so that every user on the server can access the Oracle server;

(3) Give all DBA utility routines (such as SQL*DBA) permission 700.

Oracle server roles and UNIX groups: for local access, you can rely on the security of the UNIX server itself by mapping Oracle server roles to UNIX groups under the operating system. This mapping applies to local access only.

1. Specify Oracle server roles in UNIX in the following format:

ora_sid_role[_d][_a]

where sid is the ORACLE_SID of your Oracle database;

role is the name of the role in the Oracle server;

d (optional) indicates that the role is granted by default; a (optional) indicates that the role carries the WITH ADMIN OPTION, meaning you can grant this role only to other roles, not to other users.

2. The following is an example of settings in the /etc/group file:

ora_test_osoper_d:none:1:jim,narry,scott

ora_test_osdba_a:none:3:pat

ora_test_role1:none:4:bob,jane,tom,mary,jim

bin:none:5:root,oracle,dba

root:none:7:root

In the line ora_test_osoper_d:none:1:jim,narry,scott, ora_test_osoper_d is the group name, none is the group password, 1 is the group ID, and the remaining field lists the members of the group. The first two lines are examples of Oracle server roles, using test as the SID and osoper and osdba as the Oracle server roles: osoper is a default role assigned to its users, and osdba carries the WITH ADMIN OPTION. To make these database roles take effect, you must shut down the database, set the OS_ROLES parameter to TRUE in the database parameter file initORACLE_SID.ora, and then restart the database. If you want these roles to have CONNECT INTERNAL privileges, run orapwd to set the password for those roles; when you then CONNECT INTERNAL, the password you type determines which role's privileges you receive.
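The following shell script is an added example, not part of the original article: it resolves which Oracle server roles a UNIX user would receive through the OS_ROLES mechanism, by reading group names of the form ora_<sid>_<role>[_d][_a] from a group file. GROUP_SAMPLE is a constructed copy of the /etc/group entries shown above, and the function falls back to /etc/group when no file is given.

```shell
#!/bin/sh
# List the Oracle server roles a user receives through OS_ROLES, derived from
# group names of the form ora_<sid>_<role>[_d][_a]. Not part of the article;
# GROUP_SAMPLE is a constructed copy of the entries shown above.
GROUP_SAMPLE='ora_test_osoper_d:none:1:jim,narry,scott
ora_test_osdba_a:none:3:pat
ora_test_role1:none:4:bob,jane,tom,mary,jim
bin:none:5:root,oracle,dba
root:none:7:root'

# oracle_roles USER SID [GROUPFILE]: one line per role, "<role> [default] [admin]".
# Caveat: a role whose own name ends in _d or _a is ambiguous under this naming scheme.
oracle_roles() {
    awk -F: -v user="$1" -v prefix="ora_${2}_" '
        index($1, prefix) != 1 { next }        # not a role group for this SID
        {
            n = split($4, m, ","); found = 0
            for (i = 1; i <= n; i++) if (m[i] == user) found = 1
            if (!found) next
            name = substr($1, length(prefix) + 1); flags = ""
            if (name ~ /_da$/)     { flags = " default admin"; name = substr(name, 1, length(name) - 3) }
            else if (name ~ /_d$/) { flags = " default";       name = substr(name, 1, length(name) - 2) }
            else if (name ~ /_a$/) { flags = " admin";         name = substr(name, 1, length(name) - 2) }
            print name flags
        }' "${3:-/etc/group}"
}

# Demo on the constructed sample: jim gets osoper (default) and role1, pat gets osdba (admin).
g=$(mktemp); printf '%s\n' "$GROUP_SAMPLE" > "$g"
oracle_roles jim test "$g"
oracle_roles pat test "$g"
rm -f "$g"
```

Running it against the real /etc/group of a server (omit the third argument) shows at a glance which accounts would inherit DBA-level roles once OS_ROLES is switched on.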

3. Security of the SQL*DBA commands:

If you do not have the SQL*Plus application, you can also use SQL*DBA to check SQL privileges. The following SQL*DBA commands must only be made available to the Oracle software owner and to users in the dba group, because they carry special system privileges:

(1) STARTUP

(2) SHUTDOWN

(3) CONNECT INTERNAL

4. Security of the database files:

The Oracle software owner should set the permissions of the database files ($ORACLE_HOME/dbs/*.dbf) to 0600: the owner of the file can read and write it, while users in the same group and in other groups have no write permission.

The directory containing the database files should be owned by the Oracle software owner, and for added security it is recommended to revoke read permission on these files from users in the same group and in other groups.

5. Network security:

Here are a few additional points to consider regarding network security.

(1) Use of passwords on the network: remote users can type their password in encrypted or unencrypted form. When the password is typed unencrypted, it is likely to be intercepted by an unauthorized user, compromising the security of the system.

(2) DBA privilege control on the network: you can control DBA privileges on your network in the following two ways:

A. Configure the server to deny remote DBA access;

B. Set a special password for the DBA via ORAPWD.

III. Establishing a security policy:

1. System security policy

(1) Managing database users: database users are the means of accessing Oracle database information, so keeping the management of database users secure is important. Depending on the size of the database system and the amount of work required to manage database users, the database security manager may be a single special user with the CREATE USER, ALTER USER, or DROP USER privilege, or a group of users with these privileges. Note that only trustworthy individuals should have the privilege to administer database users.

(2) User authentication: database users can be authenticated through the operating system, a network service, or the database itself. Authenticating users through the host operating system has these advantages:

A. Users can connect to the database faster and more easily;

B. User identity is controlled centrally through the operating system: if the operating system's user information is consistent with the database's, Oracle does not need to store and manage user names and passwords;

C. The audit information for users in the database and in the operating system is consistent.

(3) Operating system security

A. The database administrator must have the operating system privileges to create and delete files;

B. Ordinary database users should not have the operating system privileges to create or delete files related to the database;

C. If the operating system can assign roles to database users, the security manager must have the operating system privileges to modify the security domain of operating system accounts.

2. Data security policy:

Data security should be considered according to the importance of the data. If the data is not very important, its security policy can be somewhat relaxed. However, if the data is important, there should be a cautious security policy that maintains effective control over access to the data objects.

3. User security policy:
