

Basic knowledge of ORACLE database security

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. Data dictionary protection

Enable data dictionary protection so that only users with the SYSDBA privilege can access the base data dictionary tables.

Use the show parameter command to check that the parameter O7_DICTIONARY_ACCESSIBILITY is FALSE.

II. Account security management

1. Grant each user only the minimum permissions its business needs require

Use the following SQL to query users that hold the DBA role:

SELECT grantee AS usern FROM dba_role_privs WHERE granted_role = 'DBA'
INTERSECT
SELECT username FROM dba_users;

Use the following SQL to query roles that hold the DBA role (grantees of DBA that are not user accounts):

SELECT grantee AS usern FROM dba_role_privs WHERE granted_role = 'DBA'
MINUS
(SELECT grantee AS usern FROM dba_role_privs WHERE granted_role = 'DBA'
 INTERSECT
 SELECT username FROM dba_users);

2. Use database roles (ROLE) to manage object permissions

Run SELECT * FROM dba_role_privs or SELECT * FROM dba_tab_privs (or, for the current account, SELECT * FROM user_role_privs) to view each account's roles and direct object privileges, and check whether the account's permissions are clearly defined.
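As an added example (not from the original article), the following SQL extends the two queries above: it walks nested role grants so that users who receive DBA through an intermediate role are also listed, lists object privileges granted directly to user accounts instead of to roles, and shows how to replace such a direct grant with a role. The names app_owner, orders, app_ro_role and hr_user are assumed for illustration.

```sql
-- Added example, not part of the original article. The schema app_owner, table
-- orders, role app_ro_role and user hr_user are assumed names.

-- 1. Everyone who ends up with DBA, directly or through a chain of roles.
--    dba_role_privs shows only one level of grant, so walk it recursively
--    (Oracle rejects circular role grants, so the recursion terminates).
WITH role_tree (grantee, granted_role, depth) AS (
  SELECT grantee, granted_role, 1
    FROM dba_role_privs
   WHERE granted_role = 'DBA'
  UNION ALL
  SELECT p.grantee, p.granted_role, t.depth + 1
    FROM dba_role_privs p
    JOIN role_tree t ON p.granted_role = t.grantee
)
SELECT t.grantee,
       CASE WHEN u.username IS NOT NULL THEN 'USER' ELSE 'ROLE' END AS grantee_type,
       MIN(t.depth) AS grant_depth          -- 1 = granted DBA directly
  FROM role_tree t
  LEFT JOIN dba_users u ON u.username = t.grantee
 GROUP BY t.grantee, CASE WHEN u.username IS NOT NULL THEN 'USER' ELSE 'ROLE' END
 ORDER BY grantee_type, grant_depth, t.grantee;

-- 2. Object privileges granted directly to user accounts rather than to roles.
--    These are the grants that role-based management should replace.
SELECT p.grantee, p.owner, p.table_name, p.privilege, p.grantable
  FROM dba_tab_privs p
  JOIN dba_users u ON u.username = p.grantee
 WHERE p.grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY p.grantee, p.owner, p.table_name;

-- 3. Replace a direct grant with a role: create the role, grant the object
--    privilege to the role, grant the role to the user, then revoke the direct grant.
CREATE ROLE app_ro_role;
GRANT SELECT ON app_owner.orders TO app_ro_role;
GRANT app_ro_role TO hr_user;
REVOKE SELECT ON app_owner.orders FROM hr_user;

-- 4. Verify: hr_user now reaches the table only through the role.
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'HR_USER';
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'APP_OWNER' AND table_name = 'ORDERS';
```

The recursive WITH clause needs 11g Release 2 or later; on older releases, repeat the single-level query from the article for each role it returns until no new grantees appear.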

3. Control user attributes, including password policy and resource limits

Create a different profile for each class of business user, setting password complexity, validity period, lockout, etc. The profile parameters are as follows:

A. Resource limits

SESSIONS_PER_USER: number of concurrent sessions allowed per user name

CPU_PER_SESSION: total CPU time available to a session (in hundredths of a second)

CPU_PER_CALL: CPU time allowed for a single SQL call (parse, execute and fetch)

CONNECT_TIME: limits the total connection time of a session (in minutes)

IDLE_TIME: number of minutes a session may remain idle

LOGICAL_READS_PER_SESSION: limits the number of data blocks a session may read (in blocks)

LOGICAL_READS_PER_CALL: limits the number of data blocks a single SQL call may read (in blocks)

COMPOSITE_LIMIT: total resource consumption of a session, expressed in service units

PRIVATE_SGA: limits the private space a session may allocate in the SGA (shared pool)

B. Password limits

FAILED_LOGIN_ATTEMPTS: number of failed login attempts allowed before the account is locked

PASSWORD_LIFE_TIME: number of days a password may be used. The default is 180 days.

PASSWORD_REUSE_TIME: number of days that must pass before a password can be reused (used together with PASSWORD_REUSE_MAX)

PASSWORD_REUSE_MAX: number of password changes required before a password can be reused (used together with PASSWORD_REUSE_TIME)

PASSWORD_LOCK_TIME: number of days the account stays locked after the failed-attempt limit is exceeded. The default is 1 day.

PASSWORD_GRACE_TIME: number of days after the password expires during which the old password can still be used

PASSWORD_VERIFY_FUNCTION: password complexity function, for example at least 8 characters including uppercase letters, lowercase letters, digits and special symbols

Examples of specific usage:

ALTER PROFILE profile_name LIMIT PASSWORD_VERIFY_FUNCTION verify_function_11g;  -- set database password complexity
ALTER PROFILE profile_name LIMIT FAILED_LOGIN_ATTEMPTS 5;  -- lock the account after 5 wrong passwords
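As an added example (not from the original article), here is a complete profile that combines the resource and password limits described above and assigns it to a user. The profile name app_user_profile and the user app_user are assumed; the numeric values are one possible policy, not the article's. verify_function_11g is the function created by the Oracle-supplied script $ORACLE_HOME/rdbms/admin/utlpwdmg.sql, and the resource limits (unlike the password limits) are enforced only when the RESOURCE_LIMIT parameter is TRUE.

```sql
-- Added example, not part of the original article. Profile app_user_profile and
-- user app_user are assumed names; adjust the numbers to your own policy.

-- Resource limits in a profile are only enforced when RESOURCE_LIMIT is TRUE
-- (password limits are always enforced).
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- verify_function_11g is created by running utlpwdmg.sql as SYS
-- (on 11g the script also tightens the DEFAULT profile, so read it first).
@?/rdbms/admin/utlpwdmg.sql

CREATE PROFILE app_user_profile LIMIT
  -- A. resource limits
  SESSIONS_PER_USER          5           -- at most 5 concurrent sessions per user name
  CPU_PER_SESSION            UNLIMITED
  CPU_PER_CALL               UNLIMITED
  CONNECT_TIME               480         -- minutes: force a new login after 8 hours
  IDLE_TIME                  30          -- minutes: drop sessions idle for half an hour
  LOGICAL_READS_PER_SESSION  UNLIMITED
  LOGICAL_READS_PER_CALL     UNLIMITED
  PRIVATE_SGA                UNLIMITED
  COMPOSITE_LIMIT            UNLIMITED
  -- B. password limits
  FAILED_LOGIN_ATTEMPTS      5           -- lock after 5 wrong passwords
  PASSWORD_LOCK_TIME         1           -- days the account stays locked (1 = default)
  PASSWORD_LIFE_TIME         90          -- days a password is valid (tighter than the 180-day default)
  PASSWORD_GRACE_TIME        7           -- days of warnings after expiry before login is refused
  PASSWORD_REUSE_TIME        365         -- a password cannot be reused within a year ...
  PASSWORD_REUSE_MAX         10          -- ... nor until 10 other passwords have been used
  PASSWORD_VERIFY_FUNCTION   verify_function_11g;

-- Assign the profile to the business account.
ALTER USER app_user PROFILE app_user_profile;

-- Check what was stored (limits are shown as strings: '5', 'UNLIMITED', 'DEFAULT').
SELECT resource_type, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER_PROFILE'
 ORDER BY resource_type, resource_name;

-- Accounts still on the DEFAULT profile, which therefore miss these limits.
SELECT username, profile, account_status
  FROM dba_users
 WHERE profile = 'DEFAULT'
   AND username NOT IN ('SYS', 'SYSTEM')
 ORDER BY username;
```

Existing sessions keep the limits that were in force when they connected; the new CONNECT_TIME and IDLE_TIME values apply from the next login.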

4. Restrict remote login for users with database super administrator (SYSDBA) privileges according to business needs

Use the show parameter command to check whether the parameter REMOTE_LOGIN_PASSWORDFILE is NONE. (Remote administrator logins are required to build Data Guard and for RMAN backups, so set this according to the business.)
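As an added example (not from the original article), the following SQL performs the parameter checks from section I (O7_DICTIONARY_ACCESSIBILITY) and this section (REMOTE_LOGIN_PASSWORDFILE) in one query against v$parameter, with the expected value beside the actual one, and then shows the corresponding fix. The expected values are the ones the article states.

```sql
-- Added example, not part of the original article: one query for the checks in
-- sections I and II.4, showing expected and actual values side by side.
WITH expected (pname, pvalue) AS (
  SELECT 'O7_DICTIONARY_ACCESSIBILITY', 'FALSE' FROM dual UNION ALL
  SELECT 'REMOTE_LOGIN_PASSWORDFILE',   'NONE'  FROM dual
)
SELECT p.name,
       p.value  AS actual,
       e.pvalue AS expected,
       CASE WHEN UPPER(p.value) = e.pvalue THEN 'OK' ELSE 'REVIEW' END AS status
  FROM v$parameter p
  JOIN expected e ON UPPER(p.name) = e.pname
 ORDER BY p.name;

-- Both parameters are static: the change goes to the spfile and takes effect
-- only after the instance is restarted.
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_login_passwordfile  = NONE  SCOPE = SPFILE;

-- With REMOTE_LOGIN_PASSWORDFILE = NONE the password file is ignored, so first
-- list the accounts that currently rely on it (remote SYSDBA logins used by
-- Data Guard, RMAN, monitoring, etc.) and confirm they can work without it.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;
```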

5. Limit the number of operating system users in the dba group

Restrict operating system users other than oracle and grid from membership in the dba group, so that they cannot tamper with or delete the files of the Oracle software.

III. Trusted IP address access control

Restrict access to the database through the listener to trusted IP addresses, using the operating system or firewall of the database host. This can also be achieved within Oracle by setting the parameters tcp.validnode_checking and tcp.invited_nodes in the $ORACLE_HOME/network/admin/sqlnet.ora file; the listener must be restarted for the change to take effect.

IV. Default port and instance name modification

The default listener port 1521 should be changed. The default SID (ORCL) chosen when installing Oracle can be guessed through the Oracle TNS Listener, so it should not be used; set a more complex SID instead.

V. Record operation events

1. Create a trigger to log user logins

Create the table LOGIN_CHECK_LOG:

CREATE TABLE login_check_log (
  session_id    NUMBER(8,0) NOT NULL,
  login_on_time DATE,
  user_in_db    VARCHAR2(50),
  ip_address    VARCHAR2(20)
);

Create the trigger LOGIN_CHECK:

CREATE TRIGGER login_check
AFTER LOGON ON DATABASE
BEGIN
  INSERT INTO login_check_log (session_id, login_on_time, user_in_db, ip_address)
  SELECT audsid, SYSDATE, sys.login_user, SYS_CONTEXT('USERENV', 'IP_ADDRESS')
    FROM v$session
   WHERE audsid = USERENV('SESSIONID');
END;
/

Related triggers on database connection can also be used, for example to restrict clients whose IP is xxx from connecting to the database with PL/SQL tools.
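As an added example (not from the original article), the following queries read the LOGIN_CHECK_LOG table filled by the LOGIN_CHECK trigger above and turn it into a few review reports: logins from outside a trusted network, accounts used from several addresses, and logins outside business hours. The trusted network 10.1.2.% and the 08:00 to 20:00 business window are assumed values.

```sql
-- Added example, not part of the original article. Reads the LOGIN_CHECK_LOG
-- table written by the LOGIN_CHECK trigger; the trusted network 10.1.2.% and the
-- 08:00-20:00 business window are assumptions to replace with your own.

-- 1. Logins from outside the trusted network in the last 7 days. ip_address is
--    NULL for local (bequeath) connections, which carry no client IP, so those
--    show up as a separate group rather than being silently skipped.
SELECT user_in_db, ip_address, COUNT(*) AS logins,
       MIN(login_on_time) AS first_seen, MAX(login_on_time) AS last_seen
  FROM login_check_log
 WHERE login_on_time >= SYSDATE - 7
   AND (ip_address IS NULL OR ip_address NOT LIKE '10.1.2.%')
 GROUP BY user_in_db, ip_address
 ORDER BY logins DESC;

-- 2. Accounts seen from more than one address in the last 24 hours, a sign of
--    shared credentials or a credential in use from somewhere it should not be.
SELECT user_in_db,
       COUNT(DISTINCT ip_address) AS distinct_ips,
       COUNT(*)                   AS logins
  FROM login_check_log
 WHERE login_on_time >= SYSDATE - 1
   AND ip_address IS NOT NULL
 GROUP BY user_in_db
HAVING COUNT(DISTINCT ip_address) > 1
 ORDER BY distinct_ips DESC;

-- 3. Logins outside the business window, summarised per hour.
SELECT TO_CHAR(login_on_time, 'YYYY-MM-DD HH24') AS login_hour,
       user_in_db, ip_address, COUNT(*) AS logins
  FROM login_check_log
 WHERE login_on_time >= SYSDATE - 7
   AND TO_NUMBER(TO_CHAR(login_on_time, 'HH24')) NOT BETWEEN 8 AND 19
 GROUP BY TO_CHAR(login_on_time, 'YYYY-MM-DD HH24'), user_in_db, ip_address
 ORDER BY login_hour DESC, logins DESC;

-- 4. Keep the table from growing without bound: retain 90 days online
--    (archive older rows elsewhere first if the policy requires it).
DELETE FROM login_check_log WHERE login_on_time < SYSDATE - 90;
COMMIT;
```

Two practical caveats for the trigger itself: an error raised inside an AFTER LOGON trigger (for example a full tablespace under the log table) refuses the login for every account that lacks the ADMINISTER DATABASE TRIGGER privilege, so monitor the table's space; and the 20-character ip_address column is enough for IPv4 addresses but not for IPv6 ones, which need up to 45 characters.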

2. The database should have logging configured to record users' operations on the database.

The operation log should record the user account, operation time, operation content, operation result, and so on. For example, enable the listener log:

LSNRCTL> set log_directory $ORACLE_HOME/diag/tnslsnr//listener/alert/
LSNRCTL> set log_file log.xml
LSNRCTL> set log_status on
LSNRCTL> save_config

3. Formulate a database audit strategy according to business requirements.

Use the show parameter command to check whether the parameter audit_trail is set. Its possible values are:

NONE: the default value; disables database auditing.

OS: enables auditing and directs database audit records to the operating system audit trail.

DB: enables auditing and directs database audit records to the database's SYS.AUD$ table. In 11g this parameter defaults to DB.

DB_EXTENDED: enables auditing and directs all database audit records to the database's SYS.AUD$ table, including its SQLBIND and SQLTEXT CLOB columns. The audit result then contains not only the connection information but also the specific statements executed at the time.

XML: enables database auditing and writes all records to operating system files in XML format.

XML_EXTENDED: enables database auditing and outputs all columns of the audit record, including SQLTEXT and SQLBIND.
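As an added example (not from the original article), the following SQL checks the current audit_trail setting, switches it to the extended database trail described above, enables a minimal standard-auditing policy for logons and privilege changes, and reads the results back for review. It applies to the traditional auditing the article describes (SYS.AUD$ and the DBA_AUDIT_* views); the retention choices are assumptions.

```sql
-- Added example, not part of the original article. Traditional (SYS.AUD$) auditing
-- as described above; the audited statement list and time windows are assumptions.

-- 1. Current setting. audit_trail is static: changes go to the spfile and need a restart.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name = 'audit_trail';

-- DB, EXTENDED keeps the records in SYS.AUD$ together with SQL text and bind
-- values (the DB_EXTENDED value listed above is the older spelling of the same thing).
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
-- restart the instance here before continuing

-- 2. Audit the events an account-security review needs: every logon and logoff,
--    and the statements that change who can do what.
AUDIT SESSION;
AUDIT CREATE USER, ALTER USER, DROP USER;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE, GRANT ANY OBJECT PRIVILEGE;
AUDIT ROLE;                       -- CREATE / ALTER / DROP / SET ROLE
AUDIT ALTER SYSTEM, ALTER DATABASE;
AUDIT SYSTEM AUDIT;               -- changes to the audit policy itself

-- 3. Failed logons in the last 24 hours, grouped by source host
--    (returncode 1017 = invalid username/password, 28000 = account locked).
SELECT username, userhost, os_username, returncode,
       COUNT(*)       AS attempts,
       MIN(timestamp) AS first_attempt,
       MAX(timestamp) AS last_attempt
  FROM dba_audit_session
 WHERE returncode <> 0
   AND timestamp >= SYSDATE - 1
 GROUP BY username, userhost, os_username, returncode
 ORDER BY attempts DESC;

-- 4. Account and privilege changes in the last 7 days; sql_text is populated
--    because of the EXTENDED setting.
SELECT timestamp, username, userhost, action_name, obj_name, sql_text
  FROM dba_audit_trail
 WHERE action_name IN ('CREATE USER', 'ALTER USER', 'DROP USER',
                       'GRANT ROLE', 'GRANT OBJECT', 'SYSTEM GRANT')
   AND timestamp >= SYSDATE - 7
 ORDER BY timestamp DESC;

-- 5. Audit rows live in SYS.AUD$ in the SYSTEM tablespace; watch their growth
--    and purge or archive according to the retention policy.
SELECT COUNT(*) AS audit_rows, MIN(timestamp) AS oldest_record
  FROM dba_audit_trail;
```

The statement list in step 2 is a starting point, not a complete policy: add the objects and actions the business requires, and remember that each audited statement adds a row per execution, so the growth check in step 5 matters.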

Interested readers can also look into Oracle's security audit product, Oracle Audit Vault and Database Firewall (AVDF).

VI. Database vulnerability management

Scan with mainstream vulnerability scanning tools. Fix medium- and high-risk vulnerabilities promptly, check the exact version number of the system, and apply the medium- and high-risk patches released by Oracle in a timely manner. For vulnerabilities that have no fix available yet, mitigate the risk through other technical means. For details, refer to the authoritative CVE vulnerability databases at home and abroad:

CVE Chinese Vulnerability Information Base (SCAP Chinese Community): http://cve.scap.org.cn/

CVE, Common Vulnerabilities and Exposures: http://cve.mitre.org/
