1. Profiles and UsersOnly one profile can be assigned to a user at a time. Profile:? Control resource consumption? Manage account status and password invalidation Note: The profile can enforce resource throttling only if Resource_limit is set to true. A profile is a named set of resource restrictions that are used to restrict database usage and instance resources. Profiles also manage account status and limit the user's password (length, expiration time, and so on). Each user is assigned a profile, andthe user belongs to only one profile at a specified time。 If the user is logged on when the user profile is changed, the changes take effect only the next time the user logs on. The default profile is used as the basis for all other profiles. As shown, you can implicitly specify the limitations of the profile, such as in Cpu/session (cpu/session), you can cancel the restriction, such as "Cpu/call (cpu/Call)", or you can reference any setting in the default profile, such as "Connect Time" ”。unless the Resource_limit initialization parameter is set to True, the user's resource limit cannot be forcibly set through the profile. if Resource_limit uses the default value of FALSE, the profile resource limit is ignored. Always enforce profile password settings. Administrators use profiles to control the following system resources:? CPU: Can limit CPU resources by session or call. Limiting Cpu/session (cpu/session) to 1,000 means that if any session using this profile consumes more than 10 seconds of CPU time (CPU time limit in 1% seconds), the session receives an error message and is logged off: ORA-02392: Exceeded session limit on CPU usage, the role of beinglogged off per call limit is the same, but it is not to limit the user's entire session, but to prevent any command from consuming too much CPU. If the Cpu/call (cpu/call) is restricted and the user exceeds the limit, the command is aborted. The user receives an error message that resembles the following: ora-02393:exceeded call limit on CPU usage? Network/Memory: Each database session consumes system memory resources and network resources (if the session is from a non-local user of the server). You can specify the following parameters:-Connection time:Indicates the number of minutes the user can remain connected before automatic logoff.-Idle time:Indicates the number of minutes that a user's session can remain idle before it is automatically logged off. Only the idle time of the server process is calculated. Application activity is not considered in idle time. Idle_time restrictions are not affected by long-running queries and other operations.-Parallel Session:Indicates how many parallel sessions can be created using the database user account.-Dedicated SGA:Limits the amount of space that is used to perform operations such as sorting, merging bitmaps, and so on in the system global region (SGA). This limit is valid only if the session uses a shared server. Disk I/O: Limits the amount of data that users can read at each session level or at each call level. Read/session and read/Invoke limit the total number of reads to memory and disk. Doing so ensures that statements that perform a large number of I/O operations do not overuse memory and disk. A profile can also provide a combination limit. The combination limit is based on a weighted combination of "cpu/session", "read/session", "Connection Time", and "dedicated SGA". To create a profile, click the Server tab, and then, under the Security heading, click Profiles (Profile). On the Profiles (profile) page, click the Create button. Note: The resource manager can override many profile settings.
2. Implement password security functionOracle password management is achieved by using user profiles. Profiles provide many standard security features. Note: Do not use profiles that cause sys, Sysman, and dbsnmp passwords to expire and the corresponding account is locked. View the configuration of the default profile. [Email protected]> select * from Dba_profiles where profile= ' DEFAULT '; Profile resource_name RESOURCE LIMIT----------------------------------------------------------------------------- ---------------------------------DEFAULT composite_limit KERNEL unlimiteddefault sessions_per_user KERNEL Unlimiteddefault cpu_per_session KERNEL unlimiteddefault cpu_per_call KERNEL unlimiteddefault LOGICAL_READS_PER_ SESSION KERNEL unlimiteddefault logical_reads_per_call KERNEL unlimiteddefault idle_time KERNEL unlimiteddefault Connect_time KERNEL unlimiteddefault PRIVATE_SGA KERNEL unlimiteddefaultfailed_login_attemptsPASSWORD 10DEFAULTPassword_life_timePASSWORD 180DEFAULTPassword_reuse_timePASSWORD UnlimiteddefaultPassword_reuse_maxPASSWORD Unlimiteddefaultpassword_verify_functionPASSWORD NulldefaultPassword_lock_timePASSWORD 1DEFAULTPassword_grace_timePASSWORD 7 rows selected.
Account lockout:If a user attempts to log on to the system within a specified number of times, the system automatically locks the account for the duration of the set? Failed_login_attempts:Specify the number of failed attempts to log in before the account is locked? Password_lock_time:Specifies the number of days to lock an account after a specified number of failed logon attempts
Password expiration and expiration:With the lifetime of the account order, the password expires after this lifetime and must be changed. Password_life_time: Determines the password lifetime (days), after which the password will expire? Password_grace_time: Specifies the grace period (days) between the first successful logon and the password that must be changed, after which the password is invalidated. Note: Locking the SYS, Sysman, and DBSNMP accounts and invalidating their passwords will prevent enterprise Manager from running properly. The application must capture a "password invalidation" warning message and process the password change; otherwise, the grace period expires and the user is locked without notifying the cause.Password history:Checking the new password ensures that the password is not reused for a specified period of time or within the specified number of password changes. Check by using one of the following:?Password_reuse_time:Specifies that users cannot reuse passwords within a specified number of days? Password_reuse_max:Specifies the number of password changes to be reached before the current password can be reused note: The value of the profile parameter is set in the default profile or inherited from the profile. If the two password history parameters have a value of unlimited, then Oracle DB ignores both. Users can reuse any password at any time, but this is not an effective security practice. If all two parameters are set, password reuse is allowed, but both conditions must be met: The user must change the password a specified number of times, and the specified number of days has elapsed since the last time the old password was used. For example, suppose that the user Alfred's profile Password_reuse_max set to 10,password_reuse_time is set to 30, then the user Alfred only has reset the password 10 times, And after 30 days since the last time the password was used, the password can be reused. If one parameter is set to a number and the other parameter is specified as unlimited, the user cannot reuse the password.Password Complexity verification:The password is checked for complexity to verify that the password conforms to a specific rule. This check must ensure that the password is complex enough to prevent intruders from attempting to break into the system by guessing the password. The password_verify_function parameter specifies a PL/SQL function that performs a password complexity check before assigning a password. The password verification function must be owned by the SYS user and must return a Boolean value (True or false). The Utlpwdmg.sql script in the following directory provides the model password validation function:? Unix and Linux platforms: $ORACLE _home/rdbms/admin? Windows Platform:%oracle_home%\rdbms\admin
3. Create Password Profile To create a password profile, click the Server tab, and then under the Security heading, click Profiles (Profile). On the Profiles (profile) page, click the Create button. Click the Password (Password) tab to set the password limit. You can select a value from the list of values (click the flashlight icon to browse), or you can enter a custom value. All periods are expressed as "days", but can also be expressed as fractions. There are 1,440 minutes in a day, so the 5/1,440 is 5 minutes. You can also edit an existing password profile by using Enterprise Manager. create profile using SQL as follows: [email protected]> Create profile Grace_5 limit2 failed_login_attempts 33 Password_lock_time unlimited4 password_reuse_time 305 password_life_time 306 Password_grace_time 5; Profile created. can also use alter profile to modify:[email protected]> alter profile grace_5 Limit2 failed_login_attempts 23 Password_life_time 204 password_grace_time/ profile altered. If Utlpwdmg.sql script is already running, Verify_ The function and VERIFY_FUNCTION_11G functions will be available. If you create your own complexity function, you can enter the name of the function. The function name does not appear in the select list. If the function generates a run-time error, the user cannot change the password. Delete password profile in Enterprise Manager, the profile used by the user cannot be deleted. However, if you delete a profile that has the CASCADE option (for example, in Sql*plus), the default profile is automatically assigned to all users who have the profile. &nBsp
4. Password verification function provided: verify_function_11gThe Oracle server provides two password complexity validation functions named Verify_function and verify_function_11g, respectively. These functions are created using the <oracle_home>/rdbms/admin/utlpwdmg.sql script. Verify_function is provided for users who prefer the password function provided by previous versions. The password complexity validation function must be created in the SYS scenario. This function can be used as a template for custom password validation. In addition to creating verify_function, the default profile is changed in the utlpwdmg script by using the following alter-profiles: Alter's default Limitpassword_life_time 180password_grace_time 7password_reuse_time Unlimitedpassword_reuse_max unlimitedfailed_login_attempts 10PASSWORD_ Lock_time 1password_verify_function verify_function_11g; Note that when you create a user, the default profile is assigned to the user unless other profiles are specified.
5. Assigning quotas to usersQuota is the space that is allowed for the specified tablespace. By default, no table space user has a limit. Use the following three options to provide a table space limit for users.? Unlimited:Allows the user to maximize the available space in the tablespace.? Value:The amount of space (in kilobytes or megabytes) that the user can use. This does not guarantee that the space will be reserved for the user. Because, this value may be greater than or less than the current free space in the table space.? UNLIMITED tablespace system permissions:Overrides all individual tablespace quotas, providing unlimited limits for all tablespaces, including system and Sysaux. You must be cautious when granting this permission. AttentionThis permission is included when the resource role is granted. For system or Sysaux table spaces, you must not provide a limit for users。 Typically, only sys and system users can create objects in the system or Sysaux table space. You do not need to have a quota for an allocated temporary tablespace or for any restore table space. When a user creates or expands a segment, the Oracle instance checks the quota. For activities that are assigned to a user scenario, only those activities that use space in the tablespace are counted in the limit. Activities that do not use space in the allocated tablespace, such as creating views or using temporal tablespace, do not affect quotas. Quotas are added when you use the purge clause to delete objects owned by a user, or when objects owned by users are automatically purged in the Recycle Bin.
6. Apply the principle of least privilege
? Protect data dictionary: O7_dictionary_accessibility=false? Revoke unnecessary public permissions.? Use Access control lists (ACLs) to control network access. Restrict the directories that users can access. Restrict the users who have administrative rights.
? Restricting remote database validation: Remote_os_authent=falseApplying the least privilege principle means that the user must be granted only the permissions that are required to perform the task effectively. This reduces the chance that users will modify or view (unintentionally or maliciously) the data they are not authorized to modify or view.
Protect data dictionary:By default,
o7_dictionary_accessibility parameter set to False。 If there is no good reason, do not change this setting,
because this prevents users with any table system permissions from accessing the base table of the data dictionary. This parameter setting also ensures that the SYS user can only log on as SYSDBA.to revoke unnecessary public permissions:There are several packages that are useful for applications that require these packages, but need the correct configuration to use them securely. Public has been granted execute permissions on the following packages: Utl_smtp, utl_tcp, Utl_http, and Utl_file. In Oracle Database 11g,network access is controlled by access control lists (ACLs),ACLs can be configured to allow certain users to access specific network services。 By default, access to the network is denied. To allow access to the network, you must create ACLs. Access to files via Utl_file can be controlled at two levels: permissions to use files and directories at the operating system level, and directory objects in the database to allow access to specific file system directories. The user can be granted read or read or write access to the directory object. You should carefully control the execution permissions on other PL/SQL packages. Some of the more powerful packages may be misused, including:? UTL_SMTP:Allows the database to be used as a Simple Mail Transfer Protocol (SMTP) mail server to send arbitrary e-mail messages. Use ACLs to control which users can access which computers.? UTL_TCP:Allows the database server to establish an out-of-office network connection with any network services that are being received or waiting. As a result, arbitrary data is sent between the database server and any waiting network services. Use ACLs to control access rights.? Utl_http:Allows the database server to request and retrieve data over HTTP. If you grant this package to a user, you may be able to allow data to be sent to a malicious Web site in HTML form. Access rights can be restricted using ACLs.? Utl_file:If configured improperly, access to any text file on the host operating system may be allowed. When configured correctly, this package restricts users to access to specific directory locations only. Restrict access to operating system directories: Through the directory objects in the database, DBAs can map directories to operating system paths, thereby granting permissions to individual users for those directories.to restrict users with administrative privileges:Do not provide the database user with unnecessary permissions. You must not grant a DBA role to a non-administrator. To enforce minimal permissions, limit the grant of the following types of permissions:? Grant permissions to systems and objects? SYS permissions to connect to the database, such as SYSDBA and Sysoper? Other DBA-type permissions, such as drop any TABLE
restricting remote database validation:By default,
the Remote_os_authent parameter is set to False. Do not change this setting unless you are sure that all clients will be able to verify the user appropriately. After the introduction of secure external password storage (provided in Oracle Database 10g Release 2), there is a compelling reason to allow remote operating system validation. During the remote authentication process:? Does the database user authenticate externally? Remote system authentication user? Users log into the database without having to accept additional validation Note: If you revoke some permissions, be sure to test your application thoroughly.
7. Protection of Authorized accountsHow to protect the authorized account:? Use password-sensitive password file? Enable strict authentication methods for the Administrator role set up database administrator authentication any time a user with SYSDBA, Sysoper, or sysasm permissions must be authenticated. When you connect locally, verify that the user is a member of the authorized operating system group through the local operating system. If it is a remote connection, use a password file to authenticate the authorized user. If the password file is configured, the file is checked first. In Oracle Database 11g, these passwords are case-sensitive. Oracle Database 11g provides a number of other ways to make remote administrator authentication more secure and centrally manage these authorized users. Password files are case-sensitive when you use database Configuration Assistant to create databases. If you are upgrading from an earlier database version, make sure that the password file used for the remote connection is case sensitive: orapwd FILE=ORAPWORCL entries=5 ignorecase=n It can be very difficult to worry about password files being attacked or maintaining many password files. You can implement rigorous validation. If you want to use a rigorous authentication method, you need advanced security options. related views:dba_usersdba_profiles Source: http://blog.csdn.net/rlhua/article/details/12277557
