Sybase ASE Secure Landing Linux

Linux is popular in a variety of operating systems. As a result, a growing number of mainstream database vendors are porting their products to Linux operating system platforms, such as Sybase, Oracle, and IBM. In addition, more and more free software can be used. The Free Software library already includes Sybase ASE for Linux, Oracle for Linux, Informix for Linux, database software, and many other software.

In the database products on the above Linux platforms, Sybase ASE has a good performance, a compact program distribution package contains all the documentation, database backup and monitoring tools, and it is not high on the system (the system is configured to 32MB memory, the full installation of the document requires 200MB hard drive, Otherwise, a 120MB hard drive is required. Its installation and configuration process is simple compared to other products. These advantages, along with the original user base of Sybase database products, make it an excellent database software on the Linux platform.

However, after the normal installation of Sybase ASE, the database Superuser account does not have a password set. This way, every user who knows the server's port number on the Internet, or all the logged-in users on this computer, can manipulate the database as Superuser. This should be said to be a very large security loophole. The following step-by-step describes the installation process of Sybase ASE for Linux, as well as the security configuration and more secure systems that need to be taken after the installation is complete.

first, the installation of Sybase ASE

First download the Sybase ASE for Linux package, which makes it easy to find the binary release package in RPM format, including sybase-ase-11.0.3.3-1.i386.rpm (main package), SYBASE-DOC-11.0.3.3-1.I386.RPM (document package). RPM is the Redhat Company's package management program, which makes it easy to install and uninstall packages and maintain dependencies between them.

Then, type the command as Superuser:
#rpm-I. sybase-ase-11.0.3.3-1.i386.rpm

The screen displays the copyright description for Sybase, and you type "yes" to agree. Then the installer prompts you to create a user Sybase and the appropriate group in the system and asks for the password to be set for that account. The default directory for Sybase database installation is/opt/sybase. Note that the disk partition has enough space (greater than 200MB) to install.

The next step is to resume the configuration with Sybase login, or you can continue to install Sybase by using #su-sybase to change your identity to Sybase. The screen will appear:

1.Release Directory:/opt/sybase
2.edit/view Interfaces File
3.Configure a Server product
4.Configure an Open client/server product
ctrl-a Accept and Continue, ctrl-x Exit screen,? Help.
Enter the number of your choice and press RETURN:

Select the 3来 configuration server, which will configure the server listening port together. In each of the following screen prompts, the number represents the specific options, Ctrl-a said has been configured to proceed to the next step, Ctrl-x said to give up the choice, back to the previous steps, the following omitted the same hint. When you select 3, the following prompts appear:
Product Date installeddate configured
1.SQL Server11 SEP 1998 06:47
2.Backup Server One SEP 1998 06:47

First select 1 to configure the SQL Server, and the following prompts appear:
1.Configure a new SQL Server
2.Configure an existing SQL Server
3.Upgrade an existing SQL Server

Then select one to configure a new SQL Server. Configure the backup server to come back after the SQL Server configuration is complete. Since this is the first installation, choose to configure a new server, and the following 2 options provide the ability to reconfigure or upgrade the original server, respectively

The following prompts require the name of the server to be selected, as follows:
ADD NEW SQL SERVER
1.SQL Server name:sybase
the default is Sybase. This is consistent with the default server name for Sybase's interactive access tool isql.

After you complete the configuration above, the following display appears:
SQL SERVER CONFIGURATION
1.CONFIGURE SERVER ' S interfaces FILE ENTRY incomplete
2.MASTER DEVICE CONFIGURATION incomplete 3.SYBSYSTEMPROCS DATABASE CONFIGURATION incomplete
4.SET ERRORLOG LOCATION incomplete 5.CONFIGURE DEFAULT BACKUP SERVER Incomplete
6.CONFIGURE LANGUAGES Incomplete 7.CONFIGURE CHARACTER SETS incomplete
8.CONFIGURE SORT Order incomplete 9.ACTIVATE auditing incomplete

The above concerns the specific contents of the database, including port number, equipment, language and character set, etc. The following assumes that the default name is not changed and is accepted directly by CTRL-A.

The 1th item configures the server port, and the following prompt screen appears after selecting:
SERVER Interfaces FILE ENTRY screen
Server name:sybase
1.Retry count:0
2.Retry delay:0
3.ADD A new listener service

Choose to add a listening port with the following screen configured for the TCP port:
EDIT TCP SERVICE
1.hostname/address:localhost.localdomain
2.Port:
3.Name Alias:
4.Delete This service from the interfaces entry

The hostname in general is automatically extracted from the environment by the installer, and usually does not need to be changed. However, if the user is configured with a remote server, this should be modified to the appropriate server address. The port number of the second item is free to choose from, usually over 1024. Similarly, if you are configuring a remote server, the port number should be modified to the correct port address. These 2 parameters are recorded in the/opt/sybase/interfaces file, which means that after the configuration is complete, the user can also modify the file manually to change the parameters of the machine port.

The 2nd configuration database main device. The database master can be a new physical device, or it can be a file on a disk that can be sized to fit your needs and the space size of your storage device.

The configuration of the following items is generally not required to modify the default values under normal application. Follow the prompts to continue, in order to configure the Sybase system process database, error log, default backup server, character set, database sorting and activation audit, and so on. The default backup server and activation audit configuration are important for database security.

When an administrator wants to back up a database, it needs to back up the server's functionality by listening to the backup request on a specific port (which must be separate from the previous database port number) to back up the database data to a specified device (for example, "/tmp/ sybase.mybackup.19990909 "). When the item is selected, it appears as follows:
SET The SQL Server ' S BACKUP server
1.SQL Server Backup server Name:syb_backup
The audit function is not opened by default. If the administrator deems it necessary, you can create a separate database to store the system audit information by referencing the screen below.

ACTIVATE Auditing
1.Install Auditing:no
2.sybsecurity Database Size (MEG): 5
3.sybsecurity Logical Device name:sybsecurity
4.create new device for the sybsecurity database:no

second, after the installation of security issues and the corresponding configuration

According to the DOD52.00.28-STD Trust computer System Evaluation standard, commonly referred to as the Orange paper, Sybase ASE Design standards for the C2 level, it provides 4 security mechanisms, respectively, access control, authentication control, Role division and database audit. Access control refers to the right of an object owner to grant or revoke certain accesses to different logged-in users. Authentication control means that only authorized users can log in to the system. The division of roles allows the system administrator to assign some special rights of the system to a particular user, enabling them to perform certain key tasks individually. Specifically, the Sybase database system has 3 main roles: System administrator (Sa_role), System security Officer (Sso_role), and System Operator (Oper_role). The database audit system can record and review the system login, exit, database startup, remote procedure call, role change and access to various objects.

The database application uses the client/server architecture, and the server listens for network connection requests on one port. The client requests a connection, enters a valid username and corresponding password, enters the server, and then runs the command required. In this way, if there are security vulnerabilities in the configuration management of database users, the system and data will be greatly threatened. However, after the normal installation of Sybase ASE, the database Superuser account does not have a password set. This way, every user who knows the server's port number on the Internet, or all the logged-in users on this computer, can manipulate the database as Superuser. This should be said to be a very large security loophole. The following, through the analysis of the role, gives a solution to this problem.

1. The main rights and tasks of the three types of roles

(1) sa_role
Manage disk usage, vary system operating parameters, diagnose problems with the system, back up and restore databases, assign or cancel Sa_role to other users, create user databases and grant them the right owners, set up user groups, and so on.

(2) Sso_role
Create login account and initialize password, change password of all other accounts, assign or cancel Sso_role and Oper_role to other users, set password time limit and manage audit system etc.

(3) Oper_role
Backup and restore various databases.

2. Change the sa password

Sybase ASE creates a user SA in the system when the installation completes, and it has two roles for both Sa_role and Sso_role. At this point the user "sa" has unlimited rights in the server, equivalent to a UNIX system with no password root. This allows any deliberate networked user to have full control of the SQL Server. This cannot be said to be a major security flaw in Sybase ASE. For this reason, it is highly recommended that you do not access the server to the network until you complete the following security configuration.

First, connect the server with the interactive Access tool provided by Sybase isql. Type the following command:
$/opt/sybase/bin/isql-usa-p-smysybase

Indicates that the server mysybase is connected with a user SA and a null password. Change the password for the SA,
>sp_password NULL, "newpasswd"
>go

Change the original null password (NULL) to the current "newpasswd". The password here is at least 6 characters long and can be made up of any printable characters, letters, and numbers.

3. Close the SA account

The division of roles can be said to be the improvement of Sybase database in terms of security system relative to ordinary Unix system. But, as you know, superuser with unlimited power is the protector of the system, but more often it poses a great security threat to the security of the system. Simply put, a low-level misoperation by a superuser could destroy the entire server. From the point of view of the attack, an attacker who acquired the identity of a superuser showed that he had completely conquered the system. For a system with privileged partition security, an attacker would have to crack a number of privileged users to fully control the system. It can be said that the existence of super rights users is a distinction between C-class and B-level security system is an important symbol.

After you set the password for the SA account, you can further enhance the security of the server by creating a new user and distinguishing the role of the SA by shutting down the SA. SYBASRE provides several corresponding commands sp_addlogin and sp_role to complete the above operation.
>sp_addlogin sa_user, "sa,passwd"
>sp_addlogin sso_user, "SSO,PASSW"
>sp_role "Grant", Sa_role,sa_user
>sp_role "Grant", Sso_role,sso_user
>sp_locklogin SA, "lock"

The above command created two user sa_user,sso_user and set the password "SA,PASSW" and "Sso,pass" respectively, set the role Sa_role and Sso_role, and then shut down the account Sa.