数据库安全审计L03InternalSecurity.ppt

Internal Database Security Objectives After completing this lesson, you should be able to do the following: Apply the principle of least privilege to the database Apply security patches (Critical Patch Update) Lock and expire default user accounts Change default user passwords Create strong passwords Enforce password management Protect the data dictionary Database Security: Checklist Apply the principle of least privilege: Install only what is required. Harden the operating system (OS). Maintain installed products. Manage default user accounts. Enforce password management. Protect the data dictionary. Revoke unnecessary privileges from PUBLIC. Restrict the directories accessible by the user. Limit users with administrative privileges. Restrict remote database authentication. Use other database security features. Reducing Administration Effort Use roles to group users by job function. Enable and disable roles as appropriate. Use single sign-on. Installing Only What Is Required Install only the required products and features. Plan your installation: Determine what needs to be installed. You may require a custom installation. You can always install additional products later. Applying Security Patches Use the Critical Patch Update process. Apply all security patches and workarounds. See the Oracle Security Products Web site. SYS and SYSTEM Accounts The SYS account: Is granted the DBA role Has all privileges with ADMIN OPTION Is required for startup, shutdown, and some maintenance commands Owns the data dictionary The SYSTEM account is granted the DBA role. These accounts are not used normally. SYSOPER and SYSDBA Locking and Expiring Default User Accounts The Database Configuration Assistant (DBCA) expires and locks all accounts, except: SYS SYSTEM SYSMAN DBSNMP For a manual installation, lock and expire accounts by using: Changing Default Account Passwords Default accounts provide easy access to the database. Change the password on any account that has not been lock