A Free Trial That Lets You Build Big!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
Guidance:With the popularization of computers and the development of networks,DatabaseIt is no longer just a topic dedicated to programmers, but also familiar to many people,Data securityIt is no longer an old growth talk, nor is it a box of "unattainable" in previous books. At the same time, the security issue is also the most popular topic nowadays and also a matter of concern to enterprises. We can see the importance of the security issue. Let's discuss it together.Oracle DatabaseSecurity issues.
The following is a further explanation of the problem that the database system is not infiltrated by illegal users.
I. Group and security:
Creating user groups in the operating system is also an effective way to ensure database security. Oracle programs are generally divided into two categories for security purpose: one class can be executed by all users, and the other class can only be executed by DBA. In Unix, the configuration file set for the group is/etc/group. For details about how to configure this file, refer to the relevant Unix manual. The following are several methods to ensure security:
(1) Before installing Oracle Server, create a database administrator group (DBA) and assign the user IDs of the root and Oracle software owner to this group. Only 710 of the programs that DBA can execute are permitted. During the installation process, the SQL * DBA system permission command is automatically assigned to the DBA group.
(2) allow some Unix users to access the Oracle server system with restrictions, add an Oracle group of authorized user groups, and ensure that the Oracle group ID and common executable programs are assigned to the Oracle server utility routine, for example, SQL * Plus, SQL * forms, and so on should be executed by this group, and the permission of this utility routine is 710, which will allow users in the same group to execute, while other users cannot.
(3) change the permissions of programs that do not affect database security to 711. NOTE: For the convenience of installation and debugging in our System, the default password of Sys and System for two users with DBA permissions in Oracle Database is manager. To ensure the security of your database system, we strongly recommend that you delete the passwords of these two users as follows:
In SQL * DBA, type:
Alter user sys indentified by password;
Alter user system indentified by password;
Here, password is the password you set for the user.
Ii. Security of Oracle Server utilities:
The following are some suggestions to protect the Oracle server from being used by illegal users:
(1) ensure that all programs under the $ ORACLE_HOME/bin directory are owned by the Oracle software owner;
(2) grant 711 permissions to all users (sqiplus, sqiforms, exp, imp, etc.) so that all users on the server can access the Oracle server;
(3) grant all DBA Utility Routines (such as SQL * DBA) 700 permissions. When an Oracle server and a Unix group access a local service, you can map the role of an Oracle server to a Unix group in the operating system to use the security of the Unix management server, this method is applicable to local access.
The format of specifying an Oracle Server role in Unix is as follows:
Ora_sid_role [_ dla]
The sid is the oracle_sid of your Oracle database;
Role is the role name on the Oracle server;
D (optional) indicates that this role is the default value. a (optional) indicates that this role has the with admin option. You can only assign this role to other roles, not other users.
The following example is set in the/etc/group file:
Ora_test_osoper_d: NONE: 1: jim, narry, scott
Ora_test_osdba_a: NONE: 3: pat
Ora_test_role1: NONE: 4: bob, jane, tom, mary, jim
Bin: NONE: 5: root, oracle, dba
Root: NONE: 7: root
The phrase "ora_test_osoper_d" indicates the group name; the phrase "NONE" indicates the password of the group; the number 1 indicates the ID of the group; and the next part is the members of the group. The first two rows are examples of Oracle Server roles. test is used as sid, and osoper and osdba are used as the names of Oracle Server roles. Osoper is the default role assigned to the user. osdba has the with admin option. To enable these database roles to work, you must shutdown your database system, set the OS _roles parameter in the Oracle database parameter file initORACLE_SID.ora to True, and then restart your database. If you want these roles to have the connect internal permission, run orapwd to set a password for these roles. When you try connect internal, the password you typed indicates the permissions of the role.
SQL * DBA command security:
If you do not have an SQL * PLUS application, you can also use SQL * DBA for SQL query permission-related commands that can only be assigned to the Oracle software owner and DBA group users, these commands are granted special system permissions.
(3) connect internal
Database file security:
The owner of Oracle software should have these database files ($ ORACLE_HOME/dbs /*. dbf) set the permission to use these files to 0600: The file owner is readable and writable. users in the same group and other groups do not have the write permission.
The owner of Oracle software should have a directory containing database files. To increase security, it is recommended that users in the same group and other groups have the permission to read these files.
When dealing with network security, the following are additional considerations.
(1) remote users who use passwords on the internet can enter the password in encrypted or unencrypted mode. When you enter the password in unencrypted mode, your password may be intercepted by illegal users, which may damage the security of the system.
(2) DBA permission control on the network you can control DBA permissions on the network in two ways:
A is set to deny remote DBA access;
B uses orapwd to set a special password for the DBA.
3. Establish security policies:
System Security Policy
(1) database management users: database users access Oracle database information. Therefore, the security of database management users should be well maintained. According to the size of the database system and the workload required to manage the database users, the database security manager may only have a special user for create, alter, or drop database users, or a group of users with these permissions, it should be noted that only those who are trustworthy should have the permissions to manage database users.
(2) user identity confirmation: database users can perform identity authentication through the operating system, network service, or database. The advantages of user identity authentication through the host operating system include:
A users can join the database more quickly and conveniently;
B. Centralized Control of user identity confirmation through the operating system: If the operating system and database user information are consistent, Oracle does not need to store and manage user names and passwords;
C. The audit information of the user accessing the database is consistent with that of the operating system.
(3) Operating System Security
Database A administrators must have the operating system permissions for the create and delete files;
B generally, database users should not have the operating system permissions for create or delete database-related files;
C. If the operating system can assign roles to database users, the security administrator must have the operating system permission to modify the security zone of the operating system account.
Data security policy:
Data Generation considerations should be based on the importance of data. If data is not important, the data security policy can be relaxed. However, if data is very important, you should have a careful security policy to use it to maintain effective control over access to data objects.
User security policy:
(1) General user security:
Password A security: if the user confirms the identity of the user through the database, we recommend that you use the password encryption method to connect to the database. The method for setting this method is as follows:
Set ora_encrypt_login to true in the oracle. ini file of the client;
Set dbling_encypt_login to true in the initORACLE_SID.ora file on the server.
B. permission management: for databases with many users and rich applications and data objects, the "role" mechanism should be used to effectively manage permissions. For complex system environments, roles can greatly simplify permission management.
(2) terminal user security:
You must develop security policies for end users. For example, for a large-scale database with many users, the security manager can decide the user groups to classify these user groups to create user roles and grant the required permissions and application roles to each user role, and assign corresponding user roles to users. When handling special application requirements, security managers must also explicitly grant specific permission requirements to users. You can use the role to manage the permissions of end users.
Database Manager security policy:
(1) Protect the connection between sys and system users:
After the database is created, change the password of the sys and system users with administrative permissions to prevent unauthorized users from accessing the database. After a user connects to the database as sys and system, the user has powerful permissions to modify the database in various ways.
(2) Protect the connection between managers and databases:
Only the database manager can connect to the database with management permissions. When sysdba or startup, shutdown, and recover or database objects (such as create, drop, and delete) to perform operations without any restrictions.
(3) Use roles to manage administrator permissions
Security policies of application developers:
(1) application developers and their permission database application developers are the only type of database users who need special permission groups to complete their work. Developers need system permissions such as create table, create, and procedure. However, to restrict developers' operations on the database, developers only need to grant certain system permissions to developers.
(2) application developer environment:
Program A developers should not compete with end users for database resources;
B application developers cannot damage other database application products.
(3) free and controlled application developers have two permissions:
A free development
Application developers are allowed to create new schema objects, including tables, indexes, procedure, and packages. This allows application developers to develop applications independent of other objects.
B controlled development
Application developers are not allowed to create new mode objects. All tables and indes procedure required are created by the database manager. This ensures that the database manager has full control over the use of data space and access to database information. However, application developers sometimes need to combine these two permissions.
(4) application developer roles and permissions database security managers can create roles to manage typical application developers' permission requirements.
A create system permissions are often granted to application developers so that they can create their data objects.
B Data Object roles are almost never assigned to the roles used by application developers.
(5) Enhance the space restrictions of application developers as database security managers. You should set the following restrictions for each application developer:
A developers can create table or index tablespaces;
B's Space share of developers in each tablespace. Application Manager security in database systems with many database applications, you may need an application manager who is responsible for the following tasks:
A) Create roles for each application and manage the roles of each application;
B) create and manage data objects used by database applications;
C) Maintain and update the application code and the stored procedures and packages of Oracle.
I believe that with the above suggestions, an Oracle manager can do his job well. However, we always have to face the fact that Oracle is developed by others, but we are using it. So, how many vulnerabilities Does Oracle have? I don't think this can be solved by you and me. However, as an article about Oracle data security, I think it is necessary to write the vulnerability. After all, this is an essential part of "security. Haha!
Oracle vulnerability example:
In a word, "Oracle data security is a broad and profound topic. If you have no patience, you will never get the essence of it ." I hope you can study this article in depth. If you have learned this article well, it will not be harmful.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service