Oracle service boot-time startup settings and some security policies under Solaris
Li Shouliang 2003-05-29
This document applies to Oracle 8i and 9i on Solaris 5.8 and 5.9; other UNIX systems can use it for reference.
Contents:
I. Some security policies for building Oracle under Solaris
II. Steps to make Oracle start automatically at Solaris boot
Body:
I. Some security policies for building Oracle under Solaris
When installing Oracle on UNIX, the recommended user and groups are oracle, oinstall and dba. Because these user and group names are widely known, they easily become the entry point of an attack. In addition, the oracle user is the owner of the program and data files, so anyone who logs in as that owner has full access to the database and directory files. For servers reachable from a WAN this is an even greater hazard. Therefore, in addition to operating-system-level protection, attention must be paid to Oracle's own security.
See the document "Oracle 8i, 9i for UNIX: General Installation Process"; this document adds some security policy on top of it: when installing, create the user and groups under names other than oracle, oinstall and dba; after installation, disable or lock the installation account; create dedicated administrator accounts to manage the service; and audit both the Oracle account and the program installation account.
The specific steps are as follows:
1. When installing Oracle, replace the user and the groups with other names, for example:
user oracle -> ORAOWNER
primary group oinstall -> ORAGROUP
secondary group dba -> ORADBA
2. After installation, disable the Oracle installation account ORAOWNER (for example with admintool).
3. Create separate management accounts for the Oracle system administrators, for example the three administrators DBAUSER1, DBAUSER2 and DBAUSER3, each with primary group ORAGROUP and secondary group ORADBA.
4. Copy the environment variables from the ORAOWNER user's .profile into the .profile of the DBAUSER1, DBAUSER2 and DBAUSER3 users. Example:
ORACLE_BASE=/space/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/orahome1; export ORACLE_HOME
NLS_LANG="SIMPLIFIED CHINESE_CHINA.ZHS16GBK"; export NLS_LANG
NLS_DATE_FORMAT="YYYY-MM-DD HH24:MI:SS"; export NLS_DATE_FORMAT
ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data; export ORA_NLS33
ORACLE_SID=newsra9; export ORACLE_SID
PATH=$PATH:$ORACLE_HOME/bin; export PATH
CLASSPATH=$ORACLE_BASE/jre/1.1.8:$ORACLE_HOME/jlib; export CLASSPATH
5. Check whether any files are writable by the group or by other users; if there are any, remove the write permission.
6. Monitor /var/adm/sulog and /var/adm/loginlog, and check the records of logins to the Oracle user account.
7. From then on, use the management accounts DBAUSER1, DBAUSER2 and DBAUSER3 to start and stop the service with the dbstart/dbshut and lsnrctl start/stop commands, instead of the disabled ORAOWNER account.
Note: the dbstart/dbshut commands require membership in Oracle's secondary group (ORADBA);
the lsnrctl command requires membership in Oracle's primary group (ORAGROUP).
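As an added example (not part of the original article), the following shell script implements the checks of steps 5 and 6: it lists group- or world-writable files under an Oracle home and extracts su attempts against the Oracle owner account from a sulog-format file. The temporary directory, the file names and the sulog lines are constructed for the demonstration, and the owner account is written as oraowner.

```shell
#!/bin/sh
# Added example for steps 5 and 6 of section I (not from the original
# article). Paths and the sample sulog below are constructed.

# Print files under $1 that any group member or any other user can write to.
writable_files() {
    find "$1" -type f \( -perm -g+w -o -perm -o+w \) 2>/dev/null | sort
}

# Print su records from sulog file $1 whose target account is $2.
# Solaris sulog lines look like:  SU 05/29 10:15 + pts/3 dbauser1-oraowner
# Field 4 is '+' (success) or '-' (failure); the last field is from-to.
su_to_account() {
    awk -v acct="$2" '
        $1 == "SU" {
            n = split($NF, pair, "-")
            if (n == 2 && pair[2] == acct) print $4, $2, $3, pair[1]
        }' "$1"
}

# Count failed su attempts to account $2 in sulog file $1.
failed_su_count() {
    su_to_account "$1" "$2" | awk '$1 == "-"' | wc -l | tr -d ' '
}

# --- constructed demo data ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/orahome1/bin"
printf 'x\n' > "$DEMO/orahome1/bin/dbstart"
printf 'x\n' > "$DEMO/orahome1/bin/lsnrctl"
chmod 755 "$DEMO/orahome1/bin/dbstart"
chmod 775 "$DEMO/orahome1/bin/lsnrctl"     # group-writable: must be flagged
cat > "$DEMO/sulog" <<'EOF'
SU 05/29 10:15 + pts/3 dbauser1-oraowner
SU 05/29 10:20 - pts/4 guest-oraowner
SU 05/29 10:22 - pts/4 guest-oraowner
SU 05/29 11:00 + pts/5 dbauser2-root
EOF

writable_files "$DEMO/orahome1"              # prints .../orahome1/bin/lsnrctl
su_to_account "$DEMO/sulog" oraowner         # three records, two of them failed
echo "failed su attempts to oraowner: $(failed_su_count "$DEMO/sulog" oraowner)"
```

On a real system, run writable_files against $ORACLE_HOME and su_to_account against /var/adm/sulog with the actual owner account name.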
II. Steps to make Oracle start automatically at boot
After installing the Oracle database on Solaris, you can add the startup and shutdown commands to the system's run-control scripts, so that the service is started when the system boots and stopped when it shuts down.
After Oracle has been installed, follow these steps:
1. Go to the directory /var/opt/oracle and edit the oratab file. The last line of the file has the form ORACLE_SID:ORACLE_HOME:(Y/N), for example:
newsra9:/space/oracle/orahome1:N   -- change the trailing N to Y
2. Verify that dbstart and dbshut under $ORACLE_HOME/bin run normally. If they do not, check whether $ORACLE_HOME/dbs/init<DBNAME>.ora is a link to the database's init<DBNAME>.ora parameter file; if it is not, create the link. Assuming the database is oradb:
Example:
# su - oracle
# echo $ORACLE_BASE
/space/oracle
# echo $ORACLE_HOME
/space/oracle/orahome1
# ln -s /space/oracle/admin/oradb/pfile/initoradb.ora /space/oracle/orahome1/dbs/initoradb.ora
Note that you must not use a relative path, such as ln -s ./initoradb.ora ../xxxxx
3. As the root user, edit the startup script:
# su root
# cd /etc/init.d
# vi oracle
Enter the following into the new oracle script:
#!/bin/sh
# Set ORA_HOME to be equivalent to the $ORACLE_HOME
# from which you wish to execute dbstart and dbshut;
# set ORA_OWNER to the user id of the owner of the
# Oracle database in ORA_HOME.
ORA_HOME=/space/oracle/orahome1
ORA_OWNER=oracle
if [ ! -f $ORA_HOME/bin/dbstart ]
then
    echo "Oracle startup: cannot start"
    exit
fi
case "$1" in
'start')
    # Start the Oracle databases:
    # the following command assumes that the Oracle login
    # will not prompt the user for any values
    su - $ORA_OWNER -c $ORA_HOME/bin/dbstart &
    su - $ORA_OWNER -c "lsnrctl start &"
    ;;
'stop')
    # Stop the Oracle databases:
    # the following command assumes that the Oracle login
    # will not prompt the user for any values
    su - $ORA_OWNER -c $ORA_HOME/bin/dbshut &
    su - $ORA_OWNER -c "lsnrctl stop"
    ;;
esac
Note: ORA_HOME is Oracle's home path, which can be obtained with echo $ORACLE_HOME (root's environment does not set ORACLE_BASE, so write the path literally in the script); ORA_OWNER can be a dedicated DBA user such as DBAUSER1; do not use an absolute path in "lsnrctl start &".
In the same way, start and stop statements for services such as WebLogic, HTTP, DB2 or WebSphere can be added to the script.
4. Link the startup script into the run-level directories so that the specific start and stop scripts are invoked. Be careful not to use relative paths:
Example:
# ln -s /etc/init.d/oracle /etc/rc3.d/S99oracle
# ln -s /etc/init.d/oracle /etc/rcS.d/K99oracle
Li Shouliang
Sthi@founder.com.cn
2003-05-29