oracle安全策略配置指引-V1.0

Oracle数据库系统平安配置基线中国移动通信管理信息系统部2021年 4月备注：1.假设此文档需要日后更新，请创立人填写版本控制表格，否那么删除版本控制表格。

目录第1章概述 (4)目的 (4)适用范围 (4)适用版本 (4)实施 (4)例外条款 (4)第2章帐号 (5)帐号平安 (5)删除不必要帐号* (5)限制超级管理员远程登录* (5)用户属性控制 (6)数据字典访问权限 (6)TNS登录IP限制* (7)第3章口令 (8)口令平安 (8)帐号口令的生存期 (8)重复口令使用 (8)认证控制* (9)更改默认帐号密码 (9)密码更改策略 (10)密码复杂度策略 (10)第4章日志 (12)日志审计 (12)数据库审计谋略* (12)第5章其他 (13)其他配置 (13)设置监听器密码 (13)加密数据* (13)第6章评审与修订 (14)第1章概述1.1 目的本文档规定了中国移动管理信息系统部所维护管理的ORACLE数据库系统应当遵循的数据库平安性设置标准，本文档旨在指导数据库管理人员进展ORACLE数据库系统的平安配置。

1.2 适用范围本配置标准的使用者包括：数据库管理员、应用管理员、网络平安管理员。

本配置标准适用的范围包括：中国移动总部和各省公司信息化部门维护管理的ORACLE数据库系统。

1.3 适用版本ORACLE数据库系统。

1.4 实施本标准的解释权和修改权属于中国移动集团管理信息系统部，在本标准的执行过程中假设有任何疑问或建议，应及时反应。

本标准发布之日起生效。

1.5 例外条款欲申请本标准的例外条款，申请人必须准备书面申请文件，说明业务需求和原因，送交中国移动通信管理信息系统部进展审批备案。

第2章帐号2.1 帐号平安2.1.1删除不必要帐号*2.1.2限制超级管理员远程登录*2.1.3用户属性控制2.1.4数据字典访问权限2.1.5TNS登录IP限制*第3章口令3.1 口令平安3.1.1帐号口令的生存期3.1.2重复口令使用3.1.3认证控制*3.1.4更改默认帐号密码3.1.5密码更改策略3.1.6密码复杂度策略第4章日志4.1 日志审计4.1.1数据库审计谋略*第5章其他5.1 其他配置5.1.1设置监听器密码5.1.2加密数据*第6章评审与修订本标准由中国移动通信管理信息系统部定期进展审查，根据审视结果修订标准，并颁发执行。

Oracle数据库安全配置手册Version 1.0版本控制目录第一章目的与范围 (1)1.1目的 (1)1.2适用范围 (1)1.3数据库类型 (1)第二章数据库安全规范 (1)2.1操作系统安全 (1)2.2帐户安全 (2)2.3密码安全 (2)2.4访问权限安全 (2)2.5日志记录 (3)2.6加密 (3)2.7管理员客户端安全 (3)2.8安全补丁 (3)2.9审计 (3)第三章数据库安全配置手册 (4)3.1O RACLE数据库安全配置方法 (4)3.1.1 基本漏洞加固方法 (4)3.1.2 特定漏洞加固方法 (12)第一章目的与范围1.1 目的为了加强宝付的数据安全管理，全面提高宝付各业务系统的数据安全水平，保证业务系统的正常运营，提高业务服务质量，特制定本方法。

本文档旨在于规范宝付对各业务系统的Oracle数据库进行安全加固处理。

1.2适用范围本手册适用于对宝付公司的各业务系统的数据库系统加固进行指导。

1.3数据库类型数据库类型为Oracle 11g。

第二章数据库安全规范2.1 操作系统安全要使数据库安全，首先要使其所在的平台和网络安全。

然后就要考虑操作系统的安全性。

Oracle使用大量用户不需要直接访问的文件。

例如，数据文件和联机重做日志文件只能通过Oracle的后台进程进行读写。

因此，只有要创建和删除这些文件的数据库管理员才需要在操作系统级直接访问它们。

导出转储文件和其他备份文件也必须受到保护。

可以把数据复制到其他数据库上，或者是作为复制模式的一部分，或者是提供一个开发数据库。

若要保护数据的安全，就要对数据所驻留的每一个数据库及这些数据库的备份进行保护。

如果某人能从含有你的数据备份的数据库中带走备份磁带，那么你在数据库中所做的全部保密工作就失去意义。

必须防止对全部数据备份的非法访问。

2.2 帐户安全为了避免数据库帐户大量耗费系统资源，影响其它用户的正常访问，可以根据应用的实际需要，对数据库帐户所使用的资源（如CPU等）进行限制。

Services Cloud InfrastructureReference Architecture and Use CasesTo help retail organizations achieve optimal performance and security in OCI, Fortinet and Oracle have published a security reference architecture.Based on this reference architecture, retailers can deploy secure solutions on OCI for a variety of use cases, including terraform templates in OCI for High Availability implementations. Two common use cases are providing an omnichannel shopping experience for customers and maintaining PCI DSS compliance for distributed company networks.1. Omnichannel experienceAs retail locations work to provide an omnichannel shopping experience for customers, a move from on-premises infrastructure to OCI is a logical choice.OCI provides the flexibility and scalability required to support an optimalshopping experience for customers in-store and online.Fortinet provides solutions to help retailers provide secure omnichannelshopping experiences:nn Optimized routing. FortiGate next-generation firewalls (NGFWs) includesecure software-defined wide-area networking (SD-WAN) functionality toprovide a secure cloud on-ramp to resources hosted on ponents of a Secure EBS Solution in OCInn FortiGate NGFWnn FortiADC load balancernn FortiWeb webapplication firewallnn FortiManager centralized management platformnn FortiAnalyzer centralized logging and reporting solutionnn FortiNAC network access control on-premisesnn FortiAuthenticator access management and single sign-onnn Secure branch networking. Secure SD-Branch solutions enable retailers to offer secure guest wireless access segmented from business networks.nn Security integration. Secure SD-WAN and SD-Branch provide security integration via the Fortinet Security Fabric, allowing centralized monitoring and management from a single pane of glass.By combining these on-site solutions with infrastructure hosted in Oracle cloud, retailers can provide an omnichannel customer experience without sacrificing security.2. PCI DSS complianceAWhile engaging in efforts to provide omnichannel shopping experiences and improve operational efficiency by leveraging cloud-based infrastructure, regulatory compliance is still a concern. Retailers must maintain PCI DSS compliance across their rapidly expanding and evolving networks.The centralized visibility provided by the Fortinet Security Fabric is a major asset for organizations attempting to maintain regulatory compliance in sprawling networks because it enables centralized monitoring and security of protected data. In addition to this, Fortinet offers targeted solutions for many of retailers’ regulatory needs:nn Secure communications. Secure SD-WAN, integrated into all FortiGate NGFWs, ensures that sensitive data is encrypted as it travels outside the corporate network.nn Policy enforcement. FortiNAC network access control solutions, deployed as part of Secure SD-Branch, enforcecompliance with security policies before devices are permitted to access the network.nn Web application firewall (WAFs). FortiWeb WAFs, deployed on OCI, enable compliance with PCI DSS Requirement 6.6, which mandates use of a WAF or comprehensive security reviews for web applications.Securely Making the Move to OCIShifting Oracle applications, such as EBS, to OCI is the ideal choice for retailers already using these applications. By securing these applications with Fortinet solutions, available in cloud-native form factors on OCI and as physical appliances, organizations can transition from on-premises to OCI while ensuring security and compliance with PCI DSS.Security is a shared responsibility between the customer and OCI. Fortinet provides security products to protect EBS applications from security threats outside and within tiers by deploying a zero-trust environment. The Oracle EBS and Fortinet security solution blueprint is a hub-spoke design where EBS tiers can be implemented.Fortinet OCI—Deploying Oracle EBS in Multiple Availability DomainsFigure 3: Oracle EBS and Fortinet security solution blueprint.Each spoke virtual cloud network (VCN) and the hub includes a FortiGate NGFW. FortiGate NGFWs protect application environments from north-south traffic (e.g., internet connectivity, on-premises to OCI virtual private network (VPN)/FastConnect connectivity, outbound network address translation (NAT) internet connectivity, etc.). Also, FortiGate NGFWs provide east-west traffic monitoring between EBS tier spokes.FortiADC (application delivery controller) load balancers act as a reverse-proxy that inspects all traffic flows before they arrive at the original web application. FortiADC comes predefined with OWASP Top 10 and compliance rules.1 “EBS on Oracle Cloud Infrastructure Validated Solution Guide,” Oracle, October 24, 2019.2 Based on Oracle internal calculations. Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.August 10, 2021 1:23 AM622490-A-0-EN。

oracle安全策略配置指引-V1.0ORACLE安全配置规范1.概述本规范适用于核心系统中运行的ORACLE数据库的安全配置（注册登记系统、客户服务系统、投资管理系统、网站系统、直销网上交易系统）；非核心系统所用的ORACLE数据库可根据实际需要参照进行配置。

2.版本时间版本修订人2012-09-14 1.0 陈兆荣3.ORACLE数据库安全配置要求3.1.身份鉴别3.1.1.账号配置A.冗余账号清理要求内容是否锁定多余的账户配置操作（参考）启动Oracle Enterprise Manager Console连接数据库，选择“安全性”->“用户”，鼠标右键将用户“锁定”；用system用户执行：alter user *** account lock;检查方法启动Oracle Enterprise Manager Console连接数据库，选择“安全性”->“用户”，查看列表检查；or拥有select any table权限用户执行查询语句：Select username,account_status from dba_users;B.是否启用口令复杂性函数要求内容所有用户启用口令复杂函数配置操作（参考）要求：用户名密码须不一致；密码最少长度12位（自定）；筛选简单密码（默认）；密码必须包含1个数字1个字母1个特殊字符；和前次密码最少n个字母不一致（可选）1）从数据库服务器$ROACLE_HOME/rdbms/admin/utlpwdmg.sql文件下载到本地；2）对文件verify_function函数中对应项进行修改（可请求熟悉同事支援）；3）用sysdba身份登陆并执行脚本中函数；4）登陆Oracle Enterprise Manager Console连接数据库，选择“安全性”->“概要文件”，对每个profile分别选择“口令”->“启用口令复杂性函数”；检查方法登陆Oracle Enterprise Manager Console连接数据库，选择“安全性”->“概要文件”，对每个profile分别选择“口令”检查是否启用口令复杂性函数；or拥有select any table权限用户执行查询语句：select * fromdba_profiles where resource_name='PASSWORD_VERIFY_FUNCTION';C.账户资源限制要求内容用户资源使用限制配置操作（参考）登陆Oracle Enterprise Manager Console连接数据库，选择“安全性”->“概要文件”，根据系统实际情况对每个profile中“一般信息”选项卡的进行设置，其中“并行会话数”须限制，非生产用户对“连接时间”与“空闲时间”应给予限制，其他结合系统情况进行合适配置。

Oracle数据库安全配置基线
简介
本文档旨在提供Oracle数据库的安全配置基线指南，以帮助确保数据库的安全性。

通过按照以下步骤进行配置，可以减少潜在的安全威胁和风险。

配置步骤
以下是Oracle数据库安全配置的基线步骤：
1. 安装最新的数据库补丁：确保在安装数据库之前，先安装最新的补丁程序，以修复已知的安全漏洞。

2. 禁用默认的系统帐户：在部署数据库之前，禁用默认的系统帐户（如SYSTEM、SYS、SYSMAN等），并创建自定义的管理员帐户。

3. 启用密码复杂性检查：使用强密码策略，确保数据库用户的密码具备足够的复杂性和强度。

4. 实施账户锁定策略：设置账户锁定策略，限制登录失败的次数，以防止暴力。

5. 限制数据库访问权限：核实数据库用户的访问权限，仅赋予他们所需的最低权限，以限制潜在的恶意操作。

6. 启用审计功能：启用Oracle数据库的审计功能，记录和监控数据库的所有活动，便于发现潜在的安全威胁。

7. 启用网络加密：使用SSL/TLS等加密协议，确保数据库与客户端之间的通信是安全和加密的。

8. 实施备份和恢复策略：定期备份数据库，并测试恢复过程，以防止数据丢失和灾难恢复。

9. 定期审查和更新安全配置：定期审查数据库的安全配置，并根据最新的安全标准和最佳实践的推荐，更新配置以提高安全性。

总结
通过遵循以上基线配置步骤，可以帮助提高Oracle数据库的安全性。

然而，在实际应用中，还应根据具体情况进行定制化的安全配置，并持续关注新的安全威胁和漏洞，及时进行更新和升级。

NEC ExpressCluster1.0windows for oracle的安装配置文档●环境的搭建●NEC软件的安装。

1.双击nec1.0的安装程序。

2．选择nec要安装的版本3．选择nec需要安装的版本号与操作系统。

4.点击“next”。

5. 点击“next”。

6. 点击“next”。

7. 点击“next”。

29003是nec远程管理的端口。

8. 是否对磁盘过滤，选择“是”。

点击“next”。

9. 登陆license。

10.使用license文件进行登陆。

11.选择相应license所在的文件位置。

12.安装好之后重启服务器。

在ie上输入http：//本地ip：29003打开nec的远程管理配置界面。

点击“start builder”开始构建器。

按照弹出窗口进行设置（在“开始”菜单的“运行”处执行）启动配置向导页面。

添加集群1、为集群命名，在[Language]输入域中选择使用WebManager 的机器OS 所使用的语言。

2、显示管理IP 的输入画面。

选择管理IP 的类型(浮动IP)，在[IP Address]中输入管理IP 地址(192.168.0.11)。

点击[Next]。

添加服务器（主服务器win03-01）1、在“服务器定义列表”点击“添加”。

2、在“服务器定义”对话框。

输入主服务器的信息，在“名称”输入主服务器的主机名。

3、设置私网。

点击“添加”在“ip地址”输入私网（心跳）ip地址，（专用10.10.10.113）。

3.1设置私网。

点击“添加”在“ip地址”输入私网（public）ip地址，（备用217.156.7.113）。

添加好的私网定义的列表。

4.设置公网I/F列表。

默认就好，直接“下一步”。

5、默认。

下一步6、默认。

下一步。

7、默认。

下一步。

8、默认。

下一步。

9、配置镜像磁盘连接，点击“添加”，输入IP 地址(10.10.10.113)。

配置为共享磁盘时，不进行任何设置，点击“下一步”。

Guardium Oracle OCI Deployment Guide Steps to Launch a Guardium instance in Oracle OCIGuardium Collector and Aggregator images are available from the OCI Marketplace: https:///marketplace/ociI.Create Virtual Cloud Network1. Access the Compute Service Console. Go to Networking > Virtual Cloud Networks.2. Click Create Virtual Cloud Network3. Enter the name for the VCN, the name of compartment in which the VCN will becreated, and the CIDR block (ex: 10.0.0.0/16). Select “Use host name in this VCN”, and then click the “Create Virtual Cloud Network” button.4. Click Create Subnet5. Enter the Subnet name, and the CIDR block. Select Default Route Table, and DefaultSecurity List. Click on “Create Subnet”6. Modify the Default Security Rules and open ports needed by Guardium.6.1. Click the “Security List” link, and then click on the Default Security List.6.2 Click “Add Ingress Rules”6.3. Add Ingress rules for ports 22,3306,8081, 8443-8445,8447, and 16016-16021.6.4 Add Egress Rule Allow all Trafficunch InstanceNavigate to the Oracle OCI Marketplace, and search for Guardium. Select the Guardium version (ex: 10.6), Type either “Collector” or “Aggregator”. Select the OCI Compartment in which the instance will be created, and then click “Launch Instance”1) Enter the name of the instance, then select the instance shape.Guardium recommends Compute Shapes with at least 8vCPUs and 32GB RAM.Compute Shapes:VM.Standard2.4, VM.Standard2.8, VM.Standard2.16,VM.Standard2.24, VM.Standard.E2.4, VM.Standard.E2.8, VM.DenseIO2.8,VM.DenseIO2.16, VM.DenseIO2.24Choose the SSH public key that is used to connect to the instance.Configure the Networking. Select the VCN and Subnet created in the previous step. Then, click on “Create”.2) Once deployment is ready, status should update to “Running”.III.Connecting to instance1) Connect to the Guardium GUI:In a browser to go the URL: https://<ip-of-gmachine>:8443.*The default password for admin, accessmgr, and Guardium UI users is the last 20characters of the instance OCI ID. After you login, you will be prompted to change thepassword.2) Connect to the CLI. From a terminal, connect via ssh to the cli using the private keycorresponding to the public key selected when launching the instance:IV.Guardium Network Setup1) From the Compute Service Console page, find the values for the private IP, subnetmask, internal gateway IP and Internal FQDN of the instance, then run the CLInetwork commands below to configure the appliance. Answer “yes” to the question“Is it a newly cloned appliance?”. Lastly, run “restart network” for the changes to takeeffect.localhost.localdomain> store network interface ip 10.0.0.30May 16 23:13:08 guard-network[6292]: INFO Sanitizing HostsThis change will take effect after the next network restart.oklocalhost.localdomain> store network interface mask 255.255.0.0This change will take effect after the next network restart.oklocalhost.localdomain> store network route def 10.0.0.1This change will take effect after the next network restart.oklocalhost.localdomain> store system hostname guardium-v10-6-collectorIs it a newly cloned appliance (y/n)?yMay 16 23:35:31 guard-network[15980]: INFO set_hostnameMay 16 23:35:31 guard-network[15980]: INFO Host is currentlylocalhost.localdomainMay 16 23:35:31 guard-network[15980]: INFO Setting hostname to for ip 10.0.0.30May 16 23:35:32 guard-network[15980]: INFO findhosts: Did not find hostname localhostMay 16 23:35:32 guard-network[15980]: ERROR Localhost not in /etc/hosts, adding it.oklocalhost.localdomain> store system domainMay 16 23:36:05 guard-network[24976]: INFO set_hostnameMay 16 23:36:05 guard-network[24976]: INFO Host is currently May 16 23:36:05 guard-network[24976]: INFO Setting hostname to for ip 10.0.0.30oklocalhost.localdomain> restart networkDo you really want to restart network? (Y es/No)yesRestarting networkShutting down interface eth0: RTNETLINK answers: No such file or directory[ OK ]Shutting down loopback interface: [ OK ]Bringing up loopback interface: [ OK ]Bringing up interface eth0:Determining IP information for eth0... done.[ OK ]Network System Restarted.kafka is not runningIn Standalone clauseconntrack is : conntrack on2) Aggregation/CM outside the internal networkIn order to connect to an Aggregator/CM outside the internal networkPasswordAuthentication has to be enabled for that specific IP/network. In order toenable PasswordAuthentication run this CLI command:> store systemssh-match-address ?USAGE: store system ssh-match-address <ADDR EXPR,...>The match patterns may consist of single entries or comma-separatedlists and may use the wildcard and negation operators describedin the PATTERNS section of ssh_config(5)Example: store system ssh-match-address *,!192.168.1.0/24,192.168.3.6ok> store systemssh-match-address 10.0.0.0/8This command will restart the sshd service, your session may get logged outContinue (y/n)? yrestarting ssh serviceStopping sshd: [ OK ]Starting sshd: [ OK ]okIBM Security Guardium Licensed Materials - Property of IBM. © Copyright IBM Corp. 2019. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.IBM, the IBM logo, and ® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the w eb at “Copyright and trademark information” (/legal/copytrade.shtml)。