Shulou (Shulou.com) 05/31 Report, SLTechnology News&Howtos > Network Security, updated 2025-01-18
This article explains how to verify the security baseline of an Oracle database. The checks described are simple, fast and practical; the sections below walk through them item by item, each with its evaluation method and steps.
I. Identity authentication
1.1 The system should provide unique user identification and complexity checking of authentication information, so that no duplicate user identities exist in the application system and authentication information cannot easily be misused.
A) Users of the database system should be identified and authenticated.
Evaluation methods and steps:
1) Try to log in to the database with a default or common password to see whether it succeeds, whether a password is required at all, and whether any account has an empty password:
$ sqlplus /nolog
SQL> conn user/password as sysdba
2) Or log in using the Oracle client management console (Enterprise Manager Console).
3) Default passwords include sys/change_on_install, system/manager and scott/tiger; common passwords include oracle:admin/oracle and sys:admin:oracle. Change a user's password with alter user user_name identified by password; and review the accounts with select * from dba_users;.
B) The identity of users managed by the database system should not be easy to impersonate; passwords should be complex and changed regularly.
Evaluation methods and steps:
1) select username,profile from dba_users; shows the profile assigned to each user.
2) select * from dba_profiles where profile='DEFAULT'; shows the configuration parameters of the system's own profile.
Check that PASSWORD_VERIFY_FUNCTION is set to verify_function, the password complexity verification function. Oracle's default verify_function requires a password of at least 4 characters that is not the same as the user name, contains at least one letter, one digit and one special character, and differs from the old password in at least three characters.
3) Check the "length(password)" test in the "--Check for the minimum length of the password" section of utlpwdmg.sql.
1.2 Login failure handling should be enabled, with measures such as ending the session, limiting the number of failed logins and automatically logging out.
Evaluation methods and steps:
1) select limit from dba_profiles where resource_name='FAILED_LOGIN_ATTEMPTS';
FAILED_LOGIN_ATTEMPTS: maximum number of failed logins before the account is locked
PASSWORD_GRACE_TIME: grace period after the password expires
PASSWORD_LIFE_TIME: password validity period
PASSWORD_LOCK_TIME: how long the account stays locked after the failed-login limit is exceeded
Check whether each item has a time or count limit configured.
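To put item 1.2 into practice beyond checking FAILED_LOGIN_ATTEMPTS alone, the following added query (not part of the original article) lists the password limits of every profile and flags values that leave the control ineffective; the thresholds of 10 attempts and 90 days are assumptions to adjust to local policy.

```sql
-- Added example (not from the original article): list the password-related
-- limits of every profile and flag values that weaken the login-failure
-- handling of item 1.2. Thresholds (10 attempts, 90 days) are assumptions.
-- Run as a DBA in sqlplus.
SET LINESIZE 200 PAGESIZE 100
COLUMN profile       FORMAT A20
COLUMN resource_name FORMAT A26
COLUMN limit         FORMAT A12
COLUMN finding       FORMAT A45

SELECT p.profile, p.resource_name, p.limit,
       CASE
         WHEN p.limit = 'DEFAULT' THEN
           'inherits from DEFAULT profile; check that row'
         WHEN p.resource_name = 'PASSWORD_VERIFY_FUNCTION' THEN
           CASE WHEN p.limit = 'NULL' THEN 'WEAK: no complexity function'
                ELSE 'ok' END
         WHEN p.limit = 'UNLIMITED' THEN
           -- UNLIMITED means the control never triggers (no lockout, no expiry)
           'WEAK: no limit configured'
         WHEN p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
              AND REGEXP_LIKE(p.limit, '^[0-9.]+$') THEN
           CASE WHEN TO_NUMBER(p.limit) > 10 THEN 'WEAK: more than 10 attempts'
                ELSE 'ok' END
         WHEN p.resource_name = 'PASSWORD_LIFE_TIME'
              AND REGEXP_LIKE(p.limit, '^[0-9.]+$') THEN
           CASE WHEN TO_NUMBER(p.limit) > 90 THEN 'WEAK: password valid > 90 days'
                ELSE 'ok' END
         ELSE 'ok'
       END AS finding
  FROM dba_profiles p
 WHERE p.resource_type = 'PASSWORD'
 ORDER BY p.profile, p.resource_name;

-- Open accounts still on the DEFAULT profile inherit whatever it allows,
-- so list them next to the findings above.
SELECT u.username, u.account_status, u.profile
  FROM dba_users u
 WHERE u.profile = 'DEFAULT'
   AND u.account_status = 'OPEN'
 ORDER BY u.username;
```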
1.3 When managing the server remotely, necessary measures should be taken to prevent authentication information from being eavesdropped on in transit.
Evaluation methods and steps:
1) Ask the administrator whether encryption is used so that database access information cannot be eavesdropped on.
2) Check the REMOTE_OS_AUTHENT setting in admin/DB_NAME/pfile/initSID.ora under the database installation directory to confirm whether administrators are allowed to connect to and manage the database remotely. On other versions, run SHOW PARAMETERS AUTH; and record whether remote access is allowed.
3) Or use the graphical interface: open the Oracle client management console (Enterprise Manager Console), add the connection information of the evaluated database, log in as sys or system, open "Instances" in the left menu, select "Configuration", then the "General Information" page, and click "All initialization parameters". In the window that opens, check the "remote_os_authent" parameter line and record the original value or take a screenshot.
4) Run lsnrctl status and check whether a TCPS endpoint is configured.
1.4 Different users of the database system should be assigned different user names, so that each user name is unique.
Evaluation methods and steps:
1) Ask the administrator whether different accounts are assigned to different users. List the accounts with select username,account_status from dba_users; and ask whether a procedure is in place to ensure that different people log in to the database with different users.
II. Access control
2.1 An access control function should be provided to control user access to files, database tables and other objects according to the security policy.
A) Access control should be enabled to control user access to resources in accordance with the security policy.
Evaluation methods and steps:
1) Under Linux, open the $ORACLE_HOME/bin directory on the database server and find the executable oracle.
Run ls -al oracle in the operating system to view its execute, read and write permissions.
2) Interview the administrator about other measures (firewall, ACL, IPsec, etc.) that restrict port/IP access or otherwise control database access, and verify them.
2.2 Permissions should be assigned according to the role of each administrative user, so that administrative rights are separated and only the minimum permissions required are granted.
Evaluation methods and steps:
1) Check whether the application account is a member of the DBA role.
2) select grantee from dba_role_privs where granted_role='DBA' and grantee not in ('SYS','SYSTEM','CTXSYS','WMSYS','SYSMAN');
2.3 Privilege separation between privileged users of the operating system and of the database system should be implemented.
Evaluation methods and steps:
Ask the administrator whether different employees act as operating system administrator and database administrator.
Log in to the operating system and check whether the database system can be operated from there.
2.4 Access to default accounts should be restricted: system default accounts should be renamed and their default passwords changed.
Evaluation methods and steps:
Ask the administrator to try renaming the default accounts of the database system. If some accounts cannot be renamed, the password strength of those accounts should be increased to ensure they cannot be used without authorization.
2.5 Redundant and expired accounts should be deleted promptly, and shared accounts should not exist.
Evaluation methods and steps:
1. Execute the following in sqlplus:
desc dba_users
select username,account_status from dba_users where account_status='OPEN';
2. Check whether scott, outln, ordsys and other sample database accounts appear in the results. On Windows, use the security settings or the graphical user interface to check user status for expired or shared accounts.
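The checks of items 2.2, 2.4 and 2.5 can be run together; the following added script (not from the original article) walks the role hierarchy so that DBA granted through an intermediate role is not missed, and extends the article's scott/outln/ordsys list with the other well-known sample accounts (adjust that list to the local installation).

```sql
-- Added example (not from the original article): account and privilege
-- hygiene checks for items 2.2, 2.4 and 2.5, run as a DBA in sqlplus.
-- The sample-account list and the 90-day inactivity window are assumptions.

-- 2.2: users holding DBA either directly or through a chain of roles.
-- dba_role_privs shows only direct grants, so walk the role hierarchy.
SELECT DISTINCT r.grantee
  FROM dba_role_privs r
 WHERE r.grantee IN (SELECT username FROM dba_users)   -- keep users, drop roles
   AND r.grantee NOT IN ('SYS', 'SYSTEM', 'CTXSYS', 'WMSYS', 'SYSMAN')
 START WITH r.granted_role = 'DBA'
CONNECT BY NOCYCLE PRIOR r.grantee = r.granted_role
 ORDER BY r.grantee;

-- 2.4: accounts still using their installation default password
-- (this view exists from 11g onward).
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2.5: sample/demo accounts that are still open.
SELECT u.username, u.account_status, u.profile, u.created
  FROM dba_users u
 WHERE u.username IN ('SCOTT', 'OUTLN', 'ORDSYS', 'HR', 'OE', 'SH', 'PM', 'IX', 'BI')
   AND u.account_status = 'OPEN'
 ORDER BY u.username;

-- 2.5: open accounts with no recorded login in the last 90 days
-- (last_login exists from 12c; NULL means no login since it was created).
SELECT u.username, u.created, u.last_login
  FROM dba_users u
 WHERE u.account_status = 'OPEN'
   AND u.username NOT IN ('SYS', 'SYSTEM')
   AND (u.last_login IS NULL OR u.last_login < SYSTIMESTAMP - INTERVAL '90' DAY)
 ORDER BY u.last_login NULLS FIRST;
```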
2.6 Sensitivity labels should be set on important information resources.
Evaluation methods and steps:
1) Check whether the Oracle Label Security module is installed (if not, the following steps can be skipped): run select username from dba_users; and look for the lbacsys user. If it is absent, Oracle Label Security is not installed.
2) Check whether a policy has been created: select policy_name,status from dba_sa_policies;
3) Check the labels that have been created: select * from dba_sa_labels;
2.7 User operations on important information resources that carry sensitivity labels should be strictly controlled in accordance with the security policy.
Evaluation methods and steps:
Log in to sqlplus and view the labels:
select * from dba_sa_labels;
select * from dba_sa_table_policies;
Have the administrator demonstrate, using a specific user and table, whether the sensitivity label function works correctly.
III. Security audit
3.1 A security audit function covering every user should be provided to audit important security events in the application system.
A) The scope of the audit should cover every database user on the server and the important clients.
Evaluation methods and steps:
Check and record the audit configuration policy for database operations.
show parameters audit; shows the audit directory, whether auditing is enabled and the audit level.
1. On Windows, open the Oracle client management console (Enterprise Manager Console).
2. Add the connection information of the evaluated database and log in as sys or system.
3. Open "Instances" in the left menu, select "Configuration", then the "General Information" page, and click "All initialization parameters".
4. In the window that opens, view the "audit_trail" parameter line and record the original value or take a screenshot. On Linux, run show parameters audit_trail; to see whether the audit function is enabled.
5. Log in and out as an administrator and as an ordinary user, and check whether the audit log records these events correctly.
6. If the above conditions are not met, ask the administrator whether third-party database audit software is in use.
B) The audit content should include important security-related events in the system, such as important user behaviour, abnormal use of system resources and use of important system commands.
Evaluation methods and steps:
Check the value of AUDIT_TRAIL: NONE means the audit function is disabled. AUDIT_SYS_OPERATIONS should be enabled (TRUE) so that important operations performed by the SYS user are audited.
3.2 The audit record shall include the date, time, type, subject identification, object identification and result of each event.
Evaluation methods and steps:
select * from sys.aud$; and select * from dba_audit_trail; show the date, time, type, subject identification, object identification and result of each event in the audit record.
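The following added script (not from the original article) checks the audit parameters of item 3.1 and lays out dba_audit_trail records by the fields item 3.2 requires; it assumes the traditional audit trail (AUDIT_TRAIL set to DB), since unified auditing in 12c and later uses unified_audit_trail instead.

```sql
-- Added example (not from the original article): audit parameter check
-- for item 3.1 and audit records laid out by the fields of item 3.2
-- (date/time, event type, subject, object, result). Run as a DBA in sqlplus.
COLUMN name  FORMAT A22
COLUMN value FORMAT A20
SELECT name, value,
       CASE
         WHEN name = 'audit_trail' AND UPPER(value) = 'NONE'
           THEN 'FAIL: auditing disabled'
         WHEN name = 'audit_sys_operations' AND UPPER(value) = 'FALSE'
           THEN 'FAIL: SYS operations not audited'
         ELSE 'ok'
       END AS finding
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'audit_file_dest');

-- Logon records only exist if session auditing is on (AUDIT SESSION;),
-- so confirm that before trusting an empty result below.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE audit_option = 'CREATE SESSION';

-- 3.2: failed logons in the last 7 days, one column per required field.
COLUMN event_time FORMAT A19
COLUMN subject    FORMAT A40
SELECT TO_CHAR(a.timestamp, 'YYYY-MM-DD HH24:MI:SS') AS event_time,  -- date, time
       a.action_name,                                                 -- event type
       a.username || ' from ' || a.os_username || '@' || a.userhost AS subject,
       a.obj_name,                                                    -- object (NULL for logons)
       a.returncode        -- result: 0 = success, 1017 = invalid username/password
  FROM dba_audit_trail a
 WHERE a.action_name = 'LOGON'
   AND a.returncode <> 0
   AND a.timestamp > SYSDATE - 7
 ORDER BY a.timestamp DESC;

-- The same data summarised per source: repeated failures from one host
-- against one account are the pattern to review first.
SELECT a.username, a.userhost, COUNT(*) AS failures,
       MIN(a.timestamp) AS first_seen, MAX(a.timestamp) AS last_seen
  FROM dba_audit_trail a
 WHERE a.action_name = 'LOGON' AND a.returncode <> 0
   AND a.timestamp > SYSDATE - 7
 GROUP BY a.username, a.userhost
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;
```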
3.3 It should be possible to analyse the recorded data and produce audit reports.
Evaluation methods and steps:
Ask the administrator whether a log analysis tool such as Oracle Audit Vault has been installed and used and its reports reviewed, or whether third-party database audit software with a reporting function is in use and reports are generated regularly.
3.4 The audit process should be protected from unexpected interruption.
Evaluation methods and steps:
Ask whether database administrator permissions are strictly restricted and whether system administrators can perform audit-related operations. A user can test this by running alter system set audit_trail='NONE' scope=spfile; and checking whether it succeeds.
3.5 Audit records shall be protected from unexpected deletion, modification or overwriting.
Evaluation methods and steps:
Ask the database administrator whether user access to audit records is strictly restricted, for example by using Audit Vault or a third-party audit system, and check whether the audit logs are backed up regularly.
IV. Malicious code prevention
4.1 Anti-malware software, or hardening software with equivalent functions, should be installed, and its malware signature database upgraded and updated regularly.
Install the latest patches so that the system has the latest security patches applied.
Note: install update patches only after compatibility testing and on the premise that business and network security are maintained.
V. Resource control
5.1 Terminal logins should be restricted by setting the terminal access mode, the network address range and other conditions.
Evaluation methods and steps:
1. Open the database network configuration file SQLNET.ORA (under NETWORK/ADMIN in the database directory) as a text file.
Check whether the following entries exist:
tcp.validnode_checking=YES
tcp.excluded_nodes=
tcp.invited_nodes=
If they exist, access is restricted by IP address.
2. Record the original data or take a screenshot.
3. If this is not configured on the database system, ask whether it is configured on a firewall or another network or security device.
5.2 An operation timeout lock for the login terminal should be set according to the security policy.
Evaluation methods and steps:
View the idle timeout setting with select limit from dba_profiles where resource_name='IDLE_TIME'; record it, or view the system profiles.
5.3 The maximum or minimum use of system resources by a single user should be limited.
Evaluation methods and steps:
Run set lines 300 and then select username,profile from dba_users; to see which profile each user uses, then view the restrictions of that profile.
View the number of concurrent sessions and the CPU time allowed for the default profile with select limit from dba_profiles where profile='DEFAULT'; or filter on CPU_PER_SESSION, IDLE_TIME and SESSIONS_PER_USER.
Here are all the available parameters:
SESSIONS_PER_USER: number of concurrent sessions allowed per user name
CPU_PER_SESSION: total CPU time available to a session (in hundredths of a second)
CPU_PER_CALL: CPU time allowed for one SQL call (parse, execute and fetch)
CONNECT_TIME: limits the session connection time (in minutes)
IDLE_TIME: how long a session may remain idle (in minutes)
LOGICAL_READS_PER_SESSION: limits the data blocks read by a session (in blocks)
LOGICAL_READS_PER_CALL: limits the data blocks read by one SQL call (in blocks)
COMPOSITE_LIMIT: a weighted combination of the above resource limits
PRIVATE_SGA: limits the private space a session may allocate in the SGA shared pool
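As the remediation side of items 1.2 and 5.3 (and the idle timeout of 5.2), the following added DDL (not from the original article) creates one profile carrying both the login-failure limits and the resource limits listed above and assigns it to an account; every threshold is an assumption to adjust to local policy, app_user is a placeholder, and verify_function must already have been created by utlpwdmg.sql.

```sql
-- Added example (not from the original article): a hardened profile that
-- sets the login-failure limits of item 1.2 together with the resource
-- limits of item 5.3, then assigns it to an application account. All
-- threshold values are assumptions, app_user is a placeholder, and
-- verify_function must already exist (created by utlpwdmg.sql).

-- Kernel resource limits are only enforced while RESOURCE_LIMIT is TRUE;
-- password limits are enforced regardless of this setting.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

CREATE PROFILE baseline_app LIMIT
  -- 1.2: login failure handling and password lifecycle
  FAILED_LOGIN_ATTEMPTS     5
  PASSWORD_LOCK_TIME        1/24        -- locked for one hour after 5 failures
  PASSWORD_LIFE_TIME        90          -- days
  PASSWORD_GRACE_TIME       7           -- days of warnings before the lock
  PASSWORD_REUSE_TIME       365         -- days before a password may recur
  PASSWORD_REUSE_MAX        10          -- ... and only after 10 changes
  PASSWORD_VERIFY_FUNCTION  verify_function
  -- 5.3: resource limits (the 5.2 idle timeout is included)
  SESSIONS_PER_USER         10
  CPU_PER_SESSION           UNLIMITED
  CPU_PER_CALL              3000        -- hundredths of a second
  CONNECT_TIME              480         -- minutes
  IDLE_TIME                 30          -- minutes
  LOGICAL_READS_PER_SESSION UNLIMITED
  LOGICAL_READS_PER_CALL    1000000     -- blocks
  PRIVATE_SGA               UNLIMITED;

-- Assign the profile; the new limits apply from the user's next session.
ALTER USER app_user PROFILE baseline_app;

-- Verify what was stored (fractional days are shown as decimals,
-- e.g. PASSWORD_LOCK_TIME 1/24 appears as .0417).
SELECT resource_type, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'BASELINE_APP'
 ORDER BY resource_type, resource_name;
```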
VI. Data backup and recovery
6.1 Local data backup and recovery functions should be provided for important data.
Check whether backup files exist, and understand the backup and recovery mechanisms.
If there are none, backup files need to be established and a strategy of daily incremental and weekly full backups implemented.
6.2 An off-site data backup function should be provided, with important data transmitted in batches to the standby site over the communication network.
Store backup files at a remote location and verify that they are usable, to avoid being unable to recover after a single point of failure.
At this point you should have a deeper understanding of how to verify the security baseline of an Oracle database; the best way to consolidate it is to run the checks above in practice.