Les08 user security management) [2080312], les082080312

Source: Internet
Author: User

Purpose
- Create and manage database user accounts
- Authenticate users
- Assign a default storage area (tablespace)
- Grant and revoke privileges
- Create and manage roles
- Create and manage profiles
- Implement the standard password security features
- Control user resource usage

Terminology
- Database user account: a means of organizing ownership of, and access to, database objects.
- Password: an authentication method used by Oracle DB.
- Role: a named group of related privileges that can be granted to a user or to another role.
- Profile: a named set of resource limits that restrict database and instance resource usage; a profile also manages account status and the password management rules.
- Quota: the amount of space allowed in a given tablespace; quotas control how much data a user can store.

Each database user account has the following items:
- A unique user name: at most 30 bytes, no special characters, and it must start with a letter.
- An authentication method: a password is the most common, but Oracle Database 11g also supports global and external authentication (for example biometric, certificate and token authentication).
- A default tablespace: where the user's objects are created when no other tablespace is specified. Note that having a default tablespace does not by itself give the user the privilege to create objects in it, nor a quota in it; both require separate grants.
- A temporary tablespace: where the instance creates temporary objects (such as sorts and temporary tables) on the user's behalf. No quota applies to the temporary tablespace.
- A user profile: the set of resource and password limits assigned to the user.
- An initial consumer group, used by the Resource Manager.
- An account status: OPEN, LOCKED or EXPIRED.

Schema: the collection of database objects owned by a database user; it has the same name as the user account. Schema objects include tables, views, sequences, stored procedures, synonyms, indexes, clusters, database links and other structures.

Note: a database user is not necessarily a person. A common practice is to create a user that owns the database objects of a specific application. A database user can be a device, an application, or simply a way of grouping database objects for security purposes, and it needs no personal identity information.

Predefined administrative accounts
SYS account:
- Granted the DBA role and several other roles
- Holds all privileges WITH ADMIN OPTION
- Used to run STARTUP, SHUTDOWN and some maintenance commands
- Owns the data dictionary and the Automatic Workload Repository (AWR)
- Must connect with the AS SYSDBA clause; to connect to an ASM instance, the AS SYSASM clause must be used
SYSTEM account: granted the DBA, MGMT_USER and AQ_ADMINISTRATOR_ROLE roles
DBSNMP account: granted the OEM_MONITOR role
SYSMAN account: granted the MGMT_USER, RESOURCE and SELECT_CATALOG_ROLE roles

Creating and authenticating users
When you create a user you must choose the authentication method to be used; it can be changed later.
- Password authentication (authentication by Oracle DB): each user created this way has an associated password that must be supplied when the user attempts to connect. All passwords created in Oracle Database 11g are case sensitive. A password can contain multiple characters but its length is limited to 30 bytes. Passwords in a database upgraded to Oracle Database 11g remain case-insensitive until they are changed.
The Advanced Encryption Standard (AES) algorithm is used to automatically and transparently encrypt passwords before they are sent over the network.
- External authentication uses a service outside the database (the operating system, Kerberos or RADIUS). Kerberos and RADIUS require the Advanced Security Option. Users can connect to Oracle DB without specifying a user name or password; the system identifies them through biometrics, X.509 certificates or token devices. The database relies on the underlying operating system, the network authentication service or the external authentication service to restrict access to the database account. For OS authentication, the OS_AUTHENT_PREFIX initialization parameter (default value OPS$) is prepended to the OS user name to form the Oracle user name.
- Global authentication: when the Oracle Advanced Security option is used, Oracle Internet Directory can identify users through global authentication.

Administrator security
Operating system security: DBAs must have the operating system privileges to create and delete files. Ordinary database users should not have operating system privileges to create or delete database files.
Administrator security for SYSDBA, SYSOPER and SYSASM connections:
- With password files and strong authentication methods, DBA users are audited by name
- With operating system authentication, the operating system account name is audited
- For authorized users, operating system authentication takes precedence over password file authentication
- Password files use case-sensitive passwords

User privileges
There are two kinds of user privileges:
- System privileges: allow users to perform specific operations in the database. There are over 170 different system privileges.
- Object privileges: allow users to access and manipulate specific objects (such as tables, views, sequences, procedures, functions or packages). Without specific grants, users can only access their own objects. An object privilege can be granted by the owner of the object, by an administrator, or by someone who was explicitly given the privilege on that object WITH GRANT OPTION.

System privileges: for security reasons, some system privileges can be granted only to administrators. Syntax: GRANT <system_privilege> TO <grantee clause> [WITH ADMIN OPTION]
Notable system privileges:
- RESTRICTED SESSION: allows access to the database when it is in restricted mode.
- SYSDBA and SYSOPER: allow administrative tasks in the database such as shutdown, startup and recovery. SYSOPER can perform basic operational tasks but cannot query user data. SYSOPER includes the system privileges STARTUP and SHUTDOWN, CREATE SPFILE, ALTER DATABASE OPEN/MOUNT/BACKUP, ALTER DATABASE ARCHIVELOG, ALTER DATABASE RECOVER (complete recovery only; any form of incomplete recovery, such as UNTIL TIME | CHANGE | CANCEL | CONTROLFILE, requires connecting as SYSDBA) and RESTRICTED SESSION.
- SYSASM: start, stop and manage the ASM instance.
- DROP ANY object: delete objects owned by other users.
- CREATE, MANAGE, DROP and ALTER TABLESPACE: manage tablespaces, including creating, dropping and altering them.
- CREATE LIBRARY: Oracle DB lets developers create and call external code (such as a C library) from PL/SQL. The library must be declared by a LIBRARY object in the database.
- CREATE ANY DIRECTORY: as a security measure, the operating system directory holding the code must be linked to a virtual Oracle DIRECTORY object. CREATE ANY DIRECTORY lets a user create directory objects (with read and write privileges) on any directory accessible to the Oracle software owner, so insecure code objects may end up being called through it.
- GRANT ANY OBJECT PRIVILEGE: grant object privileges on objects owned by others.
- ALTER DATABASE and ALTER SYSTEM: powerful privileges that modify the database and the Oracle instance, for example renaming data files or flushing the buffer cache.

Object privileges: syntax for granting an object privilege to a user: GRANT <object_privilege> ON <object> TO <grantee clause> [WITH GRANT OPTION]

Revoking system privileges granted WITH ADMIN OPTION: if the grantee passed the privilege on to other users, REVOKE does not cascade to them. Syntax: REVOKE <system_privilege> FROM <grantee clause>;
Revoking object privileges granted WITH GRANT OPTION, and revoking system privileges related to data manipulation language (DML) operations, can have cascading effects. Syntax: REVOKE <object_privilege> FROM <grantee clause>; this removes the object privilege in cascade fashion.

Benefits of roles:
- Easier privilege management: grant a group of privileges to a role, then grant the role to each user, instead of granting the same group of privileges to many users.
- Dynamic privilege management: if the privileges associated with a role are modified, all users granted the role immediately receive the modified privileges.
- Selective availability of privileges: a role can be enabled or disabled to temporarily turn its privileges on or off, so a user's privileges can be controlled for a given situation.

Properties of roles: a role is like a user in that privileges can be granted to it and revoked from it. It is like a system privilege in that it can be granted to, or revoked from, a user or another role. A role can consist of system privileges and object privileges. It can be enabled or disabled for each user to whom it is granted, and it may require a password to be enabled. Roles are not owned by any user or schema. Syntax: CREATE ROLE <role_name>;

Securing roles:
- A role can be made non-default and enabled only when needed: SET ROLE vacationdba;
- A role can be protected by authentication: NONE, PASSWORD, EXTERNAL or GLOBAL.
- You can also create a secure application role: CREATE ROLE secure_application_role IDENTIFIED USING <security_procedure_name>;

Profiles
A profile is a named set of resource limits that restrict database and instance resource usage. Profiles also manage account status and limit users' passwords (length, expiration time and so on). Each user is assigned a profile and belongs to only one profile at any given time. If a user is logged on when the profile is changed, the change takes effect only at the user's next logon. The DEFAULT profile is the basis for all other profiles.

System resources controlled by a profile:
- CPU: CPU resources can be limited per session or per call.
- Network and memory: each database session consumes system memory and, if the session is not a local user on the server, network resources. Connect time is the number of minutes a user can remain connected before automatic logoff; idle time is the number of minutes a session can remain idle before automatic logoff. Only the idle time of the server process is counted.
- Concurrent sessions: the number of concurrent sessions a user can create.
- Private SGA: limits the space in the SGA taken by operations such as sorting and merging bitmaps. This limit applies only to sessions using a shared server.
- Disk I/O: limits the amount of data read per session or per call. Reads per session and reads per call limit the total reads from memory and disk, so that statements performing large amounts of I/O do not overuse memory and disk.
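The account, privilege and role mechanics described above, in one constructed example that is not part of the original notes (the tablespace, table, user and role names are assumptions; PROFILE_TEST_0312 is the profile these notes define later):

```sql
-- Constructed example, not from the original notes. Assumed names: tablespace APP_DATA,
-- table APP_DEV.ORDERS (created below), users APP_DEV and REPORT_USER, roles APP_READER
-- and APP_WRITER. PROFILE_TEST_0312 is the profile defined later in these notes.

-- 1. A password-authenticated user with explicit storage locations.
--    DEFAULT TABLESPACE alone gives no right to create objects there:
--    the QUOTA clause (or the UNLIMITED TABLESPACE privilege) does that.
CREATE USER app_dev IDENTIFIED BY "Ch4ngeMe_now"
  DEFAULT TABLESPACE app_data
  TEMPORARY TABLESPACE temp
  QUOTA 100M ON app_data
  PROFILE profile_test_0312
  PASSWORD EXPIRE;                    -- must change password at first logon

-- 2. System privileges: only what the account needs to connect and own tables.
GRANT CREATE SESSION, CREATE TABLE TO app_dev;
CREATE TABLE app_dev.orders (id NUMBER PRIMARY KEY, amount NUMBER);

-- 3. Roles bundle object privileges so they are managed in one place.
CREATE ROLE app_reader;
GRANT SELECT ON app_dev.orders TO app_reader;
CREATE ROLE app_writer IDENTIFIED BY "R0le_secret";   -- password-protected role
GRANT INSERT, UPDATE ON app_dev.orders TO app_writer;

-- 4. A second user gets both roles, but only the read role is enabled by default;
--    the write role is enabled on demand inside a session with
--    SET ROLE app_reader, app_writer IDENTIFIED BY "R0le_secret";
CREATE USER report_user IDENTIFIED BY "R3port_pw9"
  DEFAULT TABLESPACE app_data TEMPORARY TABLESPACE temp
  PROFILE profile_test_0312;
GRANT CREATE SESSION TO report_user;
GRANT app_reader, app_writer TO report_user;
ALTER USER report_user DEFAULT ROLE app_reader;

-- 5. Revoking. A system privilege granted WITH ADMIN OPTION is not revoked
--    from users the grantee passed it on to; an object privilege granted
--    WITH GRANT OPTION is revoked from them too (cascade).
GRANT SELECT ON app_dev.orders TO report_user WITH GRANT OPTION;
REVOKE SELECT ON app_dev.orders FROM report_user;   -- cascades to anyone report_user granted
REVOKE app_writer FROM report_user;

-- 6. Verify the result from the data dictionary.
SELECT username, account_status, default_tablespace, profile
  FROM dba_users WHERE username IN ('APP_DEV', 'REPORT_USER');
SELECT username, tablespace_name, max_bytes FROM dba_ts_quotas WHERE username = 'APP_DEV';
SELECT grantee, granted_role, default_role FROM dba_role_privs WHERE grantee = 'REPORT_USER';
```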
Implementing the password security features
Account locking:
- FAILED_LOGIN_ATTEMPTS: the number of failed login attempts before the account is locked
- PASSWORD_LOCK_TIME: the number of days the account stays locked after the specified number of failed login attempts
Password aging and expiration:
- PASSWORD_LIFE_TIME: the lifetime of the password in days, after which it expires
- PASSWORD_GRACE_TIME: the grace period in days, starting at the first successful logon after the password expires, in which the password must be changed; after that the password expires
Note: if the SYS, SYSMAN and DBSNMP account passwords expire and these accounts are locked, Oracle Enterprise Manager cannot run normally.
Password history:
- PASSWORD_REUSE_TIME: the number of days during which a user cannot reuse a password
- PASSWORD_REUSE_MAX: the number of password changes required before a password can be reused
Password complexity verification:
- PASSWORD_VERIFY_FUNCTION: specifies a PL/SQL function that performs a password complexity check before a password is assigned. Password verification functions must be owned by SYS and must return a Boolean value (TRUE or FALSE). The utlpwdmg.sql script provides a model password verification function.
The supplied password verification function VERIFY_FUNCTION_11G checks that the password:
- contains at least eight characters
- differs from the user name, the user name followed by a digit, and the user name reversed
- differs from the database name and the database name followed by a digit
- contains at least one letter and one digit
- differs from the previous password in at least three characters
Use this function as a template to create your own custom password verification function.

create profile profile_test_0312 limit
  password_life_time 180
  failed_login_attempts 7
  password_lock_time 1
  password_grace_time 7
  password_reuse_time unlimited
  password_reuse_max unlimited
  password_verify_function verify_function_11g;

  

 

Assigning quotas to users
A quota is the space available to a user in a given tablespace. By default, a user has no quota in any tablespace. Possible settings:
- UNLIMITED: lets the user use as much of the available space in the tablespace as needed
- A value: the amount of space available to the user
- The UNLIMITED TABLESPACE system privilege overrides all individual tablespace quotas and grants unlimited space in all tablespaces, including SYSTEM and SYSAUX. The RESOURCE role includes this system privilege.
When a user creates or extends a segment, the Oracle instance checks the quota assigned to that user's schema. Only activities that use space in the tablespace count against the quota; activities that do not (such as creating views or using the temporary tablespace) do not affect it. Space is returned to the quota when objects owned by the user are dropped with the PURGE clause or are purged automatically from the recycle bin.

Applying the principle of least privilege
- Protect the data dictionary: O7_DICTIONARY_ACCESSIBILITY = FALSE
- Revoke unnecessary PUBLIC privileges. Packages to review:
  - UTL_SMTP: lets the database send arbitrary email through an SMTP mail server
  - UTL_TCP: lets the database server establish outbound network connections to any listening network service
  - UTL_HTTP: lets the database server send HTTP requests and retrieve data
  - UTL_FILE: allows access to files on the host operating system
- Use access control lists (ACLs) to control network access
- Restrict the directories accessible to users
- Restrict users with administrative privileges
- Restrict remote database authentication: REMOTE_OS_AUTHENT = FALSE. In the remote authentication process the database user is externally authenticated by the remote system, and the user then logs on to the database without any additional authentication.

Protecting privileged accounts
- Use case-sensitive passwords in the password file and enable strong authentication methods for the administrator roles: orapwd file=orapw<sid> entries=5 ignorecase=N

Summary
In this lesson you learned to create and manage database user accounts, authenticate users, assign a default tablespace, grant and revoke privileges, create and manage roles, create and manage profiles, implement the standard password security features, and control user resource usage.
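The least-privilege measures listed above, applied to one account in a constructed example that is not part of the original notes (the user, tablespace, host and ACL file name are assumptions; the ACL calls use the 11g DBMS_NETWORK_ACL_ADMIN API, which later releases deprecate in favour of APPEND_HOST_ACE):

```sql
-- Constructed example, not from the original notes. Assumed: user APP_DEV,
-- tablespace APP_DATA, host api.example.com, ACL name app_dev_http.xml.
-- Run as a DBA.

-- Quota: a bounded allocation instead of the UNLIMITED TABLESPACE privilege
-- that the RESOURCE role carries with it.
ALTER USER app_dev QUOTA 200M ON app_data;
SELECT tablespace_name, bytes, max_bytes FROM dba_ts_quotas WHERE username = 'APP_DEV';

-- Data dictionary protection and remote OS authentication. Both parameters are
-- static, so they go to the SPFILE and take effect after the next restart.
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;

-- Take the network and file packages away from PUBLIC, then grant them
-- only to the accounts that need them.
REVOKE EXECUTE ON utl_smtp FROM PUBLIC;
REVOKE EXECUTE ON utl_tcp  FROM PUBLIC;
REVOKE EXECUTE ON utl_http FROM PUBLIC;
REVOKE EXECUTE ON utl_file FROM PUBLIC;
GRANT EXECUTE ON utl_http TO app_dev;

-- Network ACL (the 11g DBMS_NETWORK_ACL_ADMIN API): even with EXECUTE on
-- UTL_HTTP, APP_DEV can reach only one host on one port.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'app_dev_http.xml',
    description => 'Outbound HTTPS for APP_DEV',
    principal   => 'APP_DEV',
    is_grant    => TRUE,
    privilege   => 'connect');
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'app_dev_http.xml',
    host       => 'api.example.com',
    lower_port => 443,
    upper_port => 443);
  COMMIT;
END;
/
-- Check what the ACL allows and who still holds administrative privileges.
SELECT acl, host, lower_port, upper_port FROM dba_network_acls;
SELECT acl, principal, privilege, is_grant FROM dba_network_acl_privileges;
SELECT * FROM v$pwfile_users;      -- SYSDBA/SYSOPER/SYSASM holders in the password file

-- The password file itself is created from the OS shell, not from SQL:
--   orapwd file=orapw<sid> entries=5 ignorecase=N
```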
