Security problems have long plagued Oracle database administrators. Everyone knows that loss of data from the database and intrusions into it leave the administrator physically and mentally exhausted.
This article proposes some security policies around database security in the hope of helping the administrator. For the protection of the data itself, the administrator can refer to the system's dual-machine hot backup function and to the documentation on database backup and recovery.
I. Group and security:
Creating user groups in the operating system is also an effective way to protect an Oracle database. For security purposes Oracle programs fall into two classes: those that any user may execute, and those that only the DBA may execute. In Unix, groups are configured in the file /etc/group; for details on how to configure this file, see the relevant Unix manual.
Several ways of ensuring security:
(1) Before installing Oracle Server, create a database administrator group (dba) and assign the user IDs of root and of the Oracle software owner to this group. Programs that only the DBA may execute get permission 710 (owner read/write/execute, group execute, nothing for others). During installation the SQL*DBA system privilege commands are automatically assigned to the dba group.
(2) To let some Unix users access the Oracle server in a restricted way, add an authorized user group named oracle, and make sure that the Oracle server utility routines intended for this group (SQL*Plus, SQL*Forms and so on) are assigned the oracle group ID. With permission 710 these utilities can be executed by members of the group but not by other users.
(3) Change the permissions of the programs that do not affect the security of the Oracle database to 711 (everyone may execute). NOTE: For convenience of installation and debugging on our system, the default password of the two DBA-privileged users SYS and SYSTEM is manager. To keep your database system secure, we strongly recommend changing the passwords of these two users as follows:
In SQL*DBA, type:
- alter user sys identified by password;
- alter user system identified by password;
Here, password stands for the new password you choose for the user; use a different one for each of the two accounts.
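The group and permission scheme of items (1) to (3) applied to the binaries under an ORACLE_HOME, as an added example that is not part of the original article. Which utility falls into which class (sqldba, sqlforms, sqlplus, exp, imp) is this example's assumption and must be adapted to the real installation; the throwaway ORACLE_HOME it builds is constructed input. Changing a file's group needs root and an existing dba or oracle group, so the group change is applied only when both hold and is otherwise reported.

```shell
#!/bin/sh
# Added example: enforce the 710/710/711 scheme from items (1)-(3).
# The class lists are assumptions for the demonstration, not Oracle's.
DBA_ONLY="sqldba"          # DBA-only programs:    group dba,    mode 710
ORACLE_ONLY="sqlforms"     # oracle-group programs: group oracle, mode 710
PUBLIC="sqlplus exp imp"   # safe for everyone:     mode 711

# mode_of FILE: the 10-character type+permission field of ls -l, e.g. -rwx--x---
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# set_group FILE GROUP: chgrp only when running as root and GROUP exists locally.
set_group() {
  if [ "$(id -u)" -eq 0 ] && grep -q "^$2:" /etc/group 2>/dev/null; then
    chgrp "$2" "$1"
  else
    echo "note: cannot set group $2 on $1 (not root, or group missing)" >&2
  fi
}

# apply_policy ORACLE_HOME: set the modes, and the groups where possible.
apply_policy() {
  for f in $DBA_ONLY;    do chmod 710 "$1/bin/$f"; set_group "$1/bin/$f" dba;    done
  for f in $ORACLE_ONLY; do chmod 710 "$1/bin/$f"; set_group "$1/bin/$f" oracle; done
  for f in $PUBLIC;      do chmod 711 "$1/bin/$f"; done
}

# audit_policy ORACLE_HOME: print each binary whose mode deviates from the
# scheme; return 0 when everything matches, 1 otherwise.
audit_policy() {
  rc=0
  for f in $DBA_ONLY $ORACLE_ONLY; do
    [ "$(mode_of "$1/bin/$f")" = "-rwx--x---" ] || { echo "BAD (want 710): $f"; rc=1; }
  done
  for f in $PUBLIC; do
    [ "$(mode_of "$1/bin/$f")" = "-rwx--x--x" ] || { echo "BAD (want 711): $f"; rc=1; }
  done
  return $rc
}

# make_fake_home: a throwaway ORACLE_HOME with world-writable stand-in
# binaries (constructed input for the demonstration); prints its path.
make_fake_home() {
  h=$(mktemp -d)
  mkdir "$h/bin"
  for f in $DBA_ONLY $ORACLE_ONLY $PUBLIC; do
    printf '#!/bin/sh\necho %s\n' "$f" > "$h/bin/$f"
    chmod 777 "$h/bin/$f"    # deliberately wrong starting point
  done
  echo "$h"
}

# Demonstration: the audit fails before hardening and passes after it.
demo=$(make_fake_home)
audit_policy "$demo" || echo "violations found before hardening"
apply_policy "$demo" 2>/dev/null
audit_policy "$demo" && echo "policy satisfied after hardening"
rm -rf "$demo"
```

On a real system run apply_policy as root with ORACLE_HOME as the argument, then keep audit_policy in a periodic check so that a later upgrade or a careless chmod does not silently reopen a DBA-only tool to every login.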
Security of Oracle server utility routines:
The following suggestions help protect the Oracle server from use by unauthorized users:
(1) ensure that all programs under the $ORACLE_HOME/bin directory are owned by the Oracle software owner;
(2) give the utilities that every user may run (sqlplus, sqlforms, exp, imp, etc.) permission 711, so that all users on the server can access the Oracle server;
(3) give all DBA utility routines (such as SQL*DBA) permission 700.
When the Oracle server and the Unix groups live on the same local server, you can map an Oracle server role to a Unix group in the operating system and thereby use the Unix security mechanisms to manage the server. This method applies only to local access.
The Unix group name that designates an Oracle server role has the following format:
- ora_sid_role[_d][_a]
sid is the ORACLE_SID of your Oracle database;
role is the role name on the Oracle server;
d (optional) indicates that this role is a default role;
a (optional) indicates that this role has the WITH ADMIN option,
which means you can grant this role only to other roles, not to other users.
The following example is taken from an /etc/group file:
- ora_test_osoper_d:NONE:1:jim,narry,scott
- ora_test_osdba_a:NONE:3:pat
- ora_test_role1:NONE:4:bob,jane,tom,mary,jim
- bin:NONE:5:root,oracle,dba
- root:NONE:7:root
In the line "ora_test_osoper_d:NONE:1:jim,narry,scott", ora_test_osoper_d is the group name, NONE is the group password, 1 is the group ID, and the remainder lists the group members. The first two lines are examples of Oracle server roles: test is the sid, and osoper and osdba are the names of the Oracle server roles.
osoper is a default role for the users listed; osdba has the WITH ADMIN option. To make these database roles take effect you must shut down the database, set the OS_ROLES parameter in the database parameter file init<ORACLE_SID>.ora to TRUE, and then restart the database. If you want these roles to be able to CONNECT INTERNAL, run orapwd to set a password for them; when you then issue connect internal, the password you type determines which role's privileges you receive.
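Decoding the ora_sid_role[_d][_a] convention from an /etc/group file, as an added example that is not part of the original article. It reuses the five group lines above as constructed input and reports, for a given sid and Unix user, which Oracle server roles that user would receive and whether each is a default role or carries the WITH ADMIN option. The sid "test" and the user names are the article's examples.

```shell
#!/bin/sh
# Added example: map Unix group membership to Oracle OS roles.

# sample_group_file: the five /etc/group lines from the article (constructed input).
sample_group_file() {
  cat <<'EOF'
ora_test_osoper_d:NONE:1:jim,narry,scott
ora_test_osdba_a:NONE:3:pat
ora_test_role1:NONE:4:bob,jane,tom,mary,jim
bin:NONE:5:root,oracle,dba
root:NONE:7:root
EOF
}

# oracle_roles SID USER < groupfile
# Prints one line per matching group: "<role> default=<yes|no> admin=<yes|no>".
# Only groups named ora_<SID>_... whose member list contains USER are considered.
oracle_roles() {
  awk -F: -v sid="$1" -v user="$2" '
    {
      prefix = "ora_" sid "_"
      if (index($1, prefix) != 1) next          # not a role group for this sid
      role = substr($1, length(prefix) + 1)
      def = "no"; adm = "no"
      # Strip the optional suffixes _d (default role) and _a (WITH ADMIN
      # option), in either order. A genuine role name ending in _d or _a
      # would be misread here, so avoid such names when using OS roles.
      while (role ~ /_[da]$/) {
        if (role ~ /_d$/) def = "yes"; else adm = "yes"
        role = substr(role, 1, length(role) - 2)
      }
      n = split($4, members, ",")
      for (i = 1; i <= n; i++)
        if (members[i] == user)
          printf "%s default=%s admin=%s\n", role, def, adm
    }'
}

# user_has_role SID USER ROLE < groupfile: exit 0 if USER would receive ROLE.
user_has_role() {
  oracle_roles "$1" "$2" | awk -v r="$3" '$1 == r { found = 1 } END { exit (found ? 0 : 1) }'
}

# Demonstration with the constructed file.
for u in jim pat bob; do
  echo "== roles for $u in sid test =="
  sample_group_file | oracle_roles test "$u"
done
```

Against a live system replace sample_group_file with "cat /etc/group"; running oracle_roles for every account in the file is a quick way to spot an unexpected member of an osdba group before OS_ROLES is switched on.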
SQL*DBA command security:
If you do not have SQL*Plus, you can also use SQL*DBA for SQL queries. The following privilege-related commands should be available only to the Oracle software owner and to users in the dba group, because they carry special system privileges:
(1) startup
(2) shutdown
(3) connect internal
Database file security:
The Oracle software owner should set the permission on the database files ($ORACLE_HOME/dbs/*.dbf) to 0600: the file owner can read and write them, and users in the same group and in other groups have no write permission. The directory containing the database files should also be owned by the Oracle software owner. To increase security, it is recommended to revoke the read permission of users in the same group and in other groups on these files as well, which is what mode 0600 does.
Network Security:
When the database is accessed over a network, the following additional points apply.
(1) Remote users who send passwords across the network can enter them in encrypted or unencrypted form. A password sent unencrypted may be intercepted by an unauthorized user, which compromises the security of the system.
(2) DBA privilege control over the network. You can control DBA privileges over the network in two ways:
A. configure the server to deny remote DBA access altogether;
B. use orapwd to create a password file with a special password for the DBA, so that remote DBA connections must present that password.