Oracle database security policy analysis (part 1)

  • 2020-05-09 19:30:58
  • OfStack


Database security has always been a nightmare for database administrators: lost database data and intrusions by unauthorized users leave the administrator physically and mentally exhausted. This article proposes some security policies for the database, in the hope that they will be helpful to database administrators. For the safety of the data itself, the administrator can refer to the information on the system's dual-machine hot standby function and on database backup and recovery.

1. Group and security:

Setting up user groups under the operating system is also an effective way to secure the database. For security purposes, Oracle programs are generally divided into two categories: those that all users may execute, and those that only the DBA may execute. In a Unix environment the configuration file for group settings is /etc/group; see the Unix manual for how to configure this file.

Several ways to ensure security:

(1) Before installing Oracle Server, create the database administrator group (DBA) and assign its ID to root and to the owner of the Oracle software. Programs that only the DBA may execute are given permission 710. The SQL*DBA system privilege commands are automatically assigned to the DBA group during installation.

(2) To allow some Unix users limited access to the Oracle server system, add an oracle group as an authorized user group and make sure the Oracle server utility routines are given the oracle group ID. Commonly executed programs such as SQL*Plus and SQL*Forms should be executable by this group; giving such a utility routine permission 710 lets users in the same group execute it while other users cannot.

(3) Change the permissions of programs that do not affect database security to 711. Note: for the convenience of installation and debugging, the default password of the two users with DBA privileges, SYS and SYSTEM, is manager. For the security of your database system we strongly recommend that you change the passwords of these two users. Proceed as follows:
Type the following under SQL*DBA:

alter user sys identified by password;
alter user system identified by password;

Where password is the password you set for the user.

Security of Oracle server utility routines:

Here are some tips for protecting the Oracle server from unauthorized users:

(1) ensure that all programs in the $ORACLE_HOME/bin directory are owned by the Oracle software owner;

(2) Give permission 711 to the utility routines used by all users (SQL*Plus, SQL*Forms, exp, imp), so that all users can access the Oracle server on that machine;

(3) Give permission 700 to all DBA utility routines (such as SQL*DBA).

Oracle server and Unix groups:

When accessing a local server, you can use Unix to manage the security of the server by mapping Oracle server roles to Unix groups under the operating system. This is suitable for local access.

The format for specifying the Oracle server role in Unix is as follows:

ora_sid_role[_d][_a]

Where sid is the ORACLE_SID of your Oracle database;

role is the name of the role in the Oracle server;

d (optional) means that this role is the default;

a (optional) means that the role has the WITH ADMIN option; such a role can only be granted to other roles, not to other users.

Here is an example set in the /etc/group file:

ora_test_osoper_d:NONE:1:jim,narry,scott
ora_test_osdba_a:NONE:3:pat
ora_test_role1:NONE:4:bob,jane,tom,mary,jim
bin:NONE:5:root,oracle,dba
root:NONE:7:root

In each line, "ora_test_osoper_d" is the name of the group, "NONE" is the password for the group, the number 1 is the ID of the group, and the remaining field lists the members of the group. The first two lines are examples of Oracle server roles, with test as the sid and osoper and osdba as the names of the Oracle server roles; osoper is the default role assigned to those users, and osdba carries the WITH ADMIN option.

For these database roles to take effect, you must shut down your database, set the parameter os_roles to TRUE in the Oracle database parameter file initORACLE_SID.ora, and then restart the database. If you want these roles to have connect internal privileges, run orapwd to set a password for them. When you then try connect internal, the password you type determines the privileges of the role.
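As an added example that is not part of the original article, the following Python script reads /etc/group entries and applies the ora_sid_role[_d][_a] naming convention to report which Oracle roles each Unix user would receive for a given sid, and which of those carry the WITH ADMIN option. The sample entries are a cleaned-up copy of the list above embedded as constructed input; the function names are my own.

```python
import re
from collections import defaultdict

# OS-role group naming convention: ora_<sid>_<role>[_d][_a]
# (_d = default role, _a = WITH ADMIN option; suffixes may appear in any order)
ORA_GROUP_RE = re.compile(r"^ora_(?P<sid>[^_]+)_(?P<role>.+?)(?P<flags>(?:_[da])*)$")

# Constructed sample in /etc/group format (name:password:gid:member,member,...)
SAMPLE_GROUP_FILE = """\
ora_test_osoper_d:NONE:1:jim,narry,scott
ora_test_osdba_a:NONE:3:pat
ora_test_role1:NONE:4:bob,jane,tom,mary,jim
bin:NONE:5:root,oracle,dba
root:NONE:7:root
"""

def parse_group_line(line):
    """Parse one /etc/group entry; return None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) != 4:
        raise ValueError(f"malformed group entry: {line!r}")
    name, _password, gid, members = parts
    return {"name": name, "gid": int(gid),
            "members": [m for m in members.split(",") if m]}

def oracle_role_from_group(name):
    """Return (sid, role, is_default, has_admin), or None if not an ora_ group."""
    m = ORA_GROUP_RE.match(name)
    if m is None:
        return None
    flags = m.group("flags")
    return m.group("sid"), m.group("role"), "_d" in flags, "_a" in flags

def os_roles_for_users(group_text, sid):
    """Map each Unix user to the Oracle roles os_roles=TRUE would grant for `sid`."""
    grants = defaultdict(list)
    for line in group_text.splitlines():
        entry = parse_group_line(line)
        if entry is None:
            continue
        info = oracle_role_from_group(entry["name"])
        if info is None or info[0] != sid:
            continue  # not an Oracle OS-role group, or belongs to another instance
        _sid, role, is_default, has_admin = info
        for user in entry["members"]:
            grants[user].append({"role": role, "default": is_default, "admin": has_admin})
    return dict(grants)
```

Running os_roles_for_users(SAMPLE_GROUP_FILE, "test") shows jim receiving osoper (default) and role1, and pat receiving osdba with the admin option; a quick review of that output is a cheap way to spot users who were placed in an _a group unintentionally.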
