Oracle database security policy analysis (I)

  • 2020-05-07 20:36:45
  • OfStack


Database security has always been a nightmare for database administrators: loss of database data and intrusion into the database by unauthorized users leave administrators physically and mentally exhausted. This article presents some security policies for protecting the database. For database data security issues, the database administrator can refer to the system's dual-machine hot backup function and to the material on database backup and recovery.

1. Groups and security:

Setting up user groups under the operating system is also an effective way to ensure database security. For security purposes, Oracle programs are generally divided into two categories: those that all users can execute, and those that only the DBA can execute. In the Unix environment, the configuration file for group settings is /etc/group. See the Unix manual for how to configure this file.

The following measures help ensure security:

(1) Before installing Oracle Server, create the database administrator group (DBA) and assign its group ID to root and to the Oracle software owner. Programs that the DBA can execute get only 710 permissions. The SQL*DBA system privilege commands are automatically assigned to the DBA group during installation.

(2) To allow some Unix users restricted access to the Oracle server system, add an Oracle group made up of the authorized users and make sure the Oracle group ID is assigned to the Oracle server utility routines. Common executable programs, such as SQL*Plus and SQL*Forms, should be executable by this group. Give these utility routines 710 permissions, which allows users in the same group to execute them while others cannot.

(3) Change the permissions of those programs that do not affect database security to 711.

Note: for installation and debugging purposes in our system, the default passwords of the Sys and System users, which have DBA privileges in the Oracle database, are manager. For the security of your database system, we strongly suggest that you change the passwords of these two users. The specific operation is as follows:

Under SQL*DBA, type:

alter user sys identified by password;
alter user system identified by password;

Where password is the password you set for the user.

Security of Oracle server utility routines:

Here are some tips to protect the Oracle server from unauthorized users:

(1) ensure that all programs in the $ORACLE_HOME/bin directory are owned by the Oracle software owner;

(2) give 711 permissions to all user utility routines (sqlplus, sqlforms, exp, imp), so that all users on the server can access the Oracle server;

(3) give 700 permissions to all DBA utility routines (such as SQL*DBA).

Oracle server and Unix groups:

When accessing a local server, you can use Unix to manage server security by mapping Oracle server roles to Unix groups under the operating system. This approach is appropriate for local access.

The format for specifying the Oracle server role in Unix is as follows:

ora_sid_role[_[d][a]]

Where sid is oracle_sid of your Oracle database;

role is the name of the role in the Oracle server;

d (optional) indicates that this role is the default;

a (optional) means that the role has the WITH ADMIN option: you can only grant this role to other roles, not to other users.

The following is an example set in the /etc/group file:

ora_test_osoper_d:NONE:1:jim,narry,scott
ora_test_osdba_a:NONE:3:pat
ora_test_role1:NONE:4:bob,jane,tom,mary,jim
bin:NONE:5:root,oracle,dba
root:NONE:7:root

Here "ora_test_osoper_d" is the name of the group; "NONE" denotes the password for the group; the number 1 is the ID of this group; the remaining entries are the members of the group. The first two lines are examples of Oracle server roles, using test as the sid and osoper and osdba as the names of the Oracle server roles. osoper is the default role assigned to the users, and osdba comes with the WITH ADMIN option. For these database roles to take effect, you must shut down your database system, set the os_roles parameter in the Oracle database parameter file initORACLE_SID.ora to True, and then restart your database. If you want these roles to have connect internal permissions, run orapwd to set the password for these roles. When you attempt connect internal, the password you type indicates the permissions for the role.
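
As an added example (not part of the original article), the following Python code parses /etc/group entries that follow the ora_sid_role naming with its optional d and a suffix, and reports which OS users are mapped to which Oracle roles so that WITH ADMIN mappings can be reviewed. The function names and the sample data, which is constructed after the article's example, are assumptions.

```python
import re

# Constructed sample in /etc/group format (name:password:GID:members),
# modelled on the article's example entries.
SAMPLE_GROUP = """\
ora_test_osoper_d:NONE:1:jim,narry,scott
ora_test_osdba_a:NONE:3:pat
ora_test_role1:NONE:4:bob,jane,tom,mary,jim
bin:NONE:5:root,oracle,dba
root:NONE:7:root
"""

def parse_os_roles(group_text, sid):
    """Return {user: [(role, is_default, with_admin), ...]} for one SID."""
    # Group name: ora_<sid>_<role>, optionally followed by _d, _a or both.
    pattern = re.compile(r"ora_%s_(.+?)(?:_(d|a|da|ad))?" % re.escape(sid))
    grants = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4:
            continue  # blank, comment or malformed line
        match = pattern.fullmatch(fields[0])
        if not match:
            continue  # ordinary Unix group or a different SID
        role, opts = match.group(1), match.group(2) or ""
        for user in filter(None, (u.strip() for u in fields[3].split(","))):
            grants.setdefault(user, []).append((role, "d" in opts, "a" in opts))
    return grants

def admin_holders(grants):
    """Users mapped to at least one role carrying the WITH ADMIN option."""
    return sorted(user for user, roles in grants.items()
                  if any(with_admin for _, _, with_admin in roles))

if __name__ == "__main__":
    mapping = parse_os_roles(SAMPLE_GROUP, "test")
    for user in sorted(mapping):
        print(user, mapping[user])
    print("WITH ADMIN:", admin_holders(mapping))
```

To audit a live system, pass the contents of /etc/group and the database's ORACLE_SID instead of the constructed sample.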


