Database Security Policy

Source: Internet
Author: User
Keywords Security
Database security Policy Database security issues have been around the database administrator's nightmare, the loss of database data and the database by illegal user intrusion makes the database administrator physically and mentally exhausted. This paper puts forward some security policies around the security of the database, hoping to help the database administrator, no longer nightmares every night. Database security issues should include two parts: first, the security of database data it should ensure that when the database system is downtime, the database data information is not lost when the database data storage media is destroyed and when the database user is mistakenly operated. Second, the database system is not invaded by illegal users it should be as close as possible to the various potential vulnerabilities to prevent illegal users to use them to invade the database system. For database data security issues, database administrators can refer to the system dual-Computer hot backup function, as well as database backup and recovery data. The following is a further elaboration on the issue of database systems not being hacked by illegal users. Group and security setting up user groups under the operating system is also an effective way to ensure database security. Oracle programs are generally divided into two categories for security purposes: one for all users and the other for DBA execution. The configuration file for the group settings in the UNIX environment is/etc/group, and for how this file is configured, refer to the UNIX manual, and here are several ways to ensure security: (1) Create a Database Administrators group (DBA) before installing Oracle Server and assign the user ID of root and Oracle software owners to this group. The program that the DBA can execute has only 710 permissions. SQL*DBA System permission commands are automatically assigned to the DBA group during the installation process. (2) Allow some UNIX users limited access to the Oracle Server system, add an Oracle group composed of authorized users, ensure to Oracle Server utility routines Oracle Group IDs, common executable programs, such as Sql*plus,sql*forms, Should be able to be executed by this group, and then the permission for this utility routine is 710, which will allow users of the same group to execute, while other users cannot. (3) Change the permissions for programs that do not affect database security to 711. Note: For the convenience of installation and debugging in our system, the default password for two user sys and system with DBA authority in the Oracle database is manager. For your database system security, we strongly recommend that you should drop the password of these two users, the following actions: Under SQL*DBA type: Alter user sys indentified by password; Alter user system indentified by password; Where password is your userThe password that is set. Security for Oracle Server utilities The following are several recommendations for protecting Oracle servers from being used by illegal users: (1) Ensure that all programs under the $oracle_home/bin directory are owned by the Oracle software owner, and (2) give all users a practical ride ( SQIPLUS,SQIFORMS,EXP,IMP, etc.) 711 permissions, so that all users on the server can access the Oracle server, (3) to all DBA utility routines (such as SQL*DBA) 700 permissions. Oracle Servers and UNIX groups when accessing a local server, you can use the security of the UNIX Management Server by mapping the role of the Oracle server to the UNIX group under the operating system, which is adapted for local access. The format for specifying the Oracle server role in UNIX is as follows: Ora_sid_role[_dla] where the SID is the ORACLE_SID of your Oracle database, role is the name of the roles in the Oracle server, and D (optional) indicates that the role is the default; Optionally, this role has the WITH admin option, which you can only grant to other roles, not other users. The following is an example set in the/etc/group file: Ora_test_osoper_d:none:1:jim,narry,scott ora_test_osdba_a:none:3:pat Ora_test_role1:NONE : 4:bob,jane,tom,mary,jim bin:none:5:root,oracle,dba root:none:7:root phrase "Ora_test_osoper_d" the name of a group discussion topic: Database Security Policy Setting up the SSL protocol in Oracle Web server 1998/6/18 to generate security authentication requests in Oracle Web server%genreq/* runs under Oracle_home path */certificate request Gene Rator/* Prompt information */g-generate key pair and certificate requestq-quit> enter choice:g/* input G, the key to generate security applications */> enter P Assword (at least 8 characters) for creating a private key or PRESS to cancel:/* the password to create a private key */> Confirm the password:/* duplicate key password */> Specify the public exponent used to generate key Pair [f4]:> Enter modulus size [768]:> Choose How do you want to generate a random seed for the key pair. F-random filek-random Key Sequencesb-bothenter choice:b/* Input B, select the random number generation method that produces the key pair */> Enter the name of file to use As a source of random seed information:/* Enter any file name under Oracle_home path */type random characters (about) loop you hear ep:/* enter 400 random characters */..................................................................................> Stop Typing.> Accept? [y]> Enter the name of the distinguished name file [Servname.der]: > Enter the name of the private key file [Privkey .der]:> Enter the name of the certificate request file [certreq.pkc]:> Enter the identification information for the Certificate you are requesting:> enter your Common name (1 to chars):/* Enter your server's domain name */> enter your from T Name (1 to chars):/* InputYour department name */> enter your from name (1 to $ chars):/* Enter your company name */> Enter your Locality name (1 to 128 chars):/ * Enter your location */> enter your state or province (1 to 128 chars) [default:illinois]:/* Enter your province or city */> entry your Name (2 chars) [DEFAULT:US]:CN/* Enter your country for short */> enter your Web Master ' s name (1 to $ chars):/* Enter the name of your Web site administrator */> Enter your Web Master's e-mail address (1 to 128 chars):/* Enter your Web site administrator e-mail addresses */> Enter the name and version number O F applicationfor abound you are getting the certificate (1 to chars) [Spyglass Server Version 2.11]:thank You.........don E/* Security Application key to successfully generate */g-generate key pair and certificate requestq-quit> Enter choice:q/* Exit Request * * Send security certification request to the security certification body VE Risign, Inc. copies the security certification request file CERTREQ.PKC from the first step, pastes it into the Certification Body VeriSign, Inc. (or other Certification body) application box, and then enters your contact address, telephone number and so on to submit your application. Receive a certificate to wait for an email from the certification Authority VeriSign, Inc. (or other accrediting agency). The message contains a security authentication code. To install a certificate use a text editor to delete the contents of the---BEGIN certificate---The previous content and the contents of the---End certificate---in the mail sent to you by the certification Authority VeriSign, Inc. (or other certification body)The suffix is in the Der file (for example: Cert.der). Create a 443 (default HTTPS) port or other port in an Oracle Web server to enter 443 lisenter Configure select Security, configure secure Sockets Layer Cert label T1/* Certificate label , optionally enter a string */cert file/oracle_home/cert.der/* Certificate stored physical path */dist Name FILE/ORACLE_HOME/CERTREQ.PKC/* Authentication request file Storage physical path */pri Vate Key file/oracle_home/privkey.der/* Physical path stored by private key */CA dir/oracle_home/* After the physical path of the valid certificate is stored */crl dir/oracle_home * Valid certificate store physical path/modify Lisenter Select receptacle, modify port security properties, from the original norm to SSL to start this port, in the user's browser input https://host name: port number/, that is, start the implementation of the SSL protocol, More secure information is transmitted over the Internet. Responsible Editor Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001 to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passed (0 Votes) The original text: Database security policy return to network security home

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.