Database Security Policy

Database Security Policy

Database security issues have always been a nightmare for database administrators, database data loss and database
The intrusion by illegal users makes the database administrator physically and mentally exhausted. This article raises questions about database security.
Some security policies hope to be helpful to the database administrator.

Database security issues should include two parts:

I. Database Data Security
It should ensure that when the database system is downtime, when the database data storage media is damaged and when the data
Database Data is not lost due to database user misoperations.

2. database systems should not be infiltrated by illegal users
It should try its best to block various potential vulnerabilities and prevent illegal users from using them to intrude into the database system.
For database data security issues, the database administrator can refer to the system's dual-machine hot backup function and
Database backup and recovery data.
The following is a further explanation of the problem that the database system is not infiltrated by illegal users.
Group and security
Creating user groups in the operating system is also an effective way to ensure database security. Oracle program for security
The general purpose is generally divided into two categories: one class that all users can execute, and the other class that only DBA can execute. Group in UNIX environment
The configured configuration file is/etc/group. For details about how to configure this file, see the relevant Unix manual. The following is
Several methods to ensure security:
(1) Before installing ORACLE Server, create a database administrator group (DBA) and assign root and Oracle software
The User ID of the owner. Only 710 of the programs that DBA can execute are permitted. SQL * DBA
The system permission command is automatically assigned to the DBA group.
(2) Some Unix users are allowed to access the Oracle server with restrictions. Add an authorized user group
To ensure that the Oracle group ID, common executable programs, and
Such as SQL * Plus, SQL * forms, and so on, should be executed by this group, and then the permission of this utility routine is
710, it will allow users in the same group to execute, while other users cannot.
(3) change the permissions of programs that do not affect database security to 711.
NOTE: For the convenience of installation and debugging in our system, two Oracle databases with DBA Permissions
The default password for sys and system is Manager. For the security of your database system, we strongly
We recommend that you delete the passwords of these two users as follows:
In SQL * dBA, type:
Alter user SYS indentified by password;
Alter user system indentified by password;
Here, password is the password you set for the user.

Security of ORACLE Server utilities
The following are some suggestions to protect the Oracle server from being used by illegal users:
(1) ensure that all programs under the $ ORACLE_HOME/bin directory are owned by the Oracle software owner;
(2) grant permissions to all users (sqiplus, sqiforms, exp, IMP, etc.) 711 so that all
Users can access the Oracle server;
(3) grant all DBA Utility Routines (such as SQL * dBA) 700 permissions.

Oracle server and Unix group
When accessing a local server, you can map the role of the Oracle server to Unix in the operating system.
To use Unix to Manage Server Security. This method is applicable to local access.
The format of specifying an ORACLE Server role in UNIX is as follows:
Ora_sid_role [_ DLA]
Where
Sid is the oracle_sid of your Oracle database;
Role is the role name on the Oracle server;
D (optional) indicates that this role is the default value;
A (optional) indicates that this role has the with admin option. You can assign this role to other roles rather than other users.
The following example is set in the/etc/group file:
Ora_test_osoper_d: None: 1: Jim, narry, Scott
Ora_test_osdba_a: None: 3: Pat
Ora_test_role1: None: 4: Bob, Jane, Tom, Mary, Jim
Bin: None: 5: Root, Oracle, DBA
Root: None: 7: Root
The phrase "ora_test_osoper_d" indicates the group name; the phrase "NONE" indicates the group password; Number 1
The ID of the Group. The following is the member of the group. The first two rows are examples of ORACLE Server roles.
Use test as Sid, osoper and osdba as the name of the Oracle server role. Osoper is assigned to the user
Osdba has the with admin option.
To enable these database roles to work, you must shutdown your database system and set up an Oracle database
The OS _roles parameter in the parameter file initoracle_sid.ora is true, and then restart your database. For example
If you want these roles to have the connect internal permission, run orapwd to set a password for these roles. When you
When you try connect internal, the password you typed indicates the permissions of the role.

SQL * DBA command security
If you do not have an SQL * Plus application, you can use SQL * dBA for SQL query permission-related commands.
Assigned to the Oracle software owner and DBA group users because these commands are granted special system permissions.
(1) Startup
(2) Shutdown
(3) connect internal

Database file security
The owner of Oracle software should have these database files ($ ORACLE_HOME/dbs/*. DBF)
Set the permission to use these files to 0600: The file owner is readable and writable, and users in the same group and other groups do not
Write Permission.
The owner of Oracle software should have a directory containing database files. To increase security, it is recommended that
Group and other group users have the permission to read these files.

Network Security
When dealing with network security, the following are additional considerations.
(1) Use the password on the network
Remote users on the internet can enter a password encrypted or unencrypted.
Your password may be intercepted by illegal users, which may damage the security of the system.
(2) DBA permission control on the network
You can control DBA permissions on the network in two ways:
A is set to deny remote DBA access;
B uses orapwd to set a special password for the DBA.

Establish security policies

System Security Policy
(1) manage database users
Database users access Oracle database information. Therefore, database users should be well maintained and managed.
Security. According to the size of the database system and the workload required to manage database users, database security management
The Administrator may be a special user who owns create, alter, or drop database users, or has
A group of users with these permissions should note that only those who are trustworthy should be used for database management.
User permissions.
(2) user identity confirmation
Database users can perform identity confirmation through the operating system, network service, or database, and operate the system through the host
User identity authentication has the following advantages:
A users can join the database more quickly and conveniently;
B. Centralized Control of user identity confirmation through the operating system: If the operating system and database user information are consistent,
Therefore, Oracle does not need to store and manage user names and passwords;
C. The audit information of the user accessing the database is consistent with that of the operating system.
(3) Operating System Security
Database A administrators must have the operating system permissions for the create and delete files;
B generally, database users should not have the operating system permissions for create or delete database-related files;
C. If the operating system can assign roles to database users, the security administrator must modify the operating system account.
Operating system permissions in the user security area.

Data security policy
Data Generation considerations should be based on the importance of data. If the data is not very important, the data security policy can be
To relax a little. However, if the data is very important, you should have a careful security policy to use it.
Maintain effective control over data object access.

User security policy
(1) Security of general users
A password security
If the user confirms the user identity through the database, it is recommended to use password encryption.
Connect to the database. The method for setting this method is as follows:
Set ora_encrypt_login to true in the Oracle. ini file of the client;
Set dbling_encypt_login to true in the initoracle_sid.ora file on the server.
B permission management
For databases with many users and rich applications and data objects, make full use of the role
This mechanism allows you to effectively manage permissions. For complex system environments, "Roles" can be greatly simplified
Manage permissions.
(2) terminal user security
You must develop security policies for end users. For example, for a large-scale database with many users,
Security administrators can determine the user group categories, create user roles for these user groups, and assign the required permissions and permissions
Assign a program role to each user role and assign corresponding user roles to the user. When handling special requests
Security administrators must also explicitly grant specific permission requirements to users.
You can use the role to manage the permissions of end users.

Database Manager Security Policy
(1) Protect the connection between sys and system users
After the database is created, change the password of the sys and system users with administrative permissions to prevent unauthorized users.
Access the database. After a user connects to the database as sys and system, the user has powerful permissions
Modify the database. For more information about how to change the passwords of SYS and system users, see the previous section.
(2) Protect the connection between managers and databases
Only the database manager can use the management permission to connect to the database. When sysdba or startup, shutdown,
And recover or database objects (such as create, drop, and delete.
(3) Use roles to manage administrator permissions

Security policies of application developers
(1) application developers and Their Permissions
Database application developers are the only type of database users who require special permission groups to complete their work. Development
Such as create table and create procedure.
Database operations should only grant certain system permissions to developers.
(2) Application Developer Environment
Program a developers should not compete with end users for database resources;
B application developers cannot damage other database application products.
(3) Free and controlled application development
Application developers have two permissions:
A free development
Application developers can create new schema objects, including tables, indexes, procedure, and packages,
It allows application developers to develop applications independent from other objects.
B controlled development
Application developers are not allowed to create new mode objects. All tables and INDES procedure
Created by the database manager to ensure that the database manager has full control over the use and access of data spaces
Database information.
However, application developers sometimes need to combine these two permissions.
(4) Roles and permissions of application developers
Database Security administrators can create roles to manage the permissions required by typical application developers.
A create system permissions are often granted to application developers so that they can create their own
.
B Data Object roles are almost never assigned to the roles used by application developers.
(5) Enhance the space limitations of application developers
As a database security manager, you should set the following restrictions for each application developer:
A developers can create table or index tablespaces;
B's Space share of developers in each tablespace. Application Manager Security
In a database system with many database applications, you may need an application manager and Application
The manager is responsible for the following tasks:
C. Create roles for each application and manage the roles of each application;
D. create and manage data objects used by database applications;
E. Maintain and update the application code and the stored procedures and packages of oracle.