Oracle数据库安全配置手册

合集下载

Oracle数据库安全配置手册

Oracle数据库安全配置手册Version 1.0版本控制目录第一章目的与范围 (1)1.1目的 (1)1.2适用范围 (1)1.3数据库类型 (1)第二章数据库安全规范 (1)2.1操作系统安全 (1)2.2帐户安全 (2)2.3密码安全 (2)2.4访问权限安全 (2)2.5日志记录 (3)2.6加密 (3)2.7管理员客户端安全 (3)2.8安全补丁 (3)2.9审计 (3)第三章数据库安全配置手册 (4)3.1O RACLE数据库安全配置方法 (4)3.1.1 基本漏洞加固方法 (4)3.1.2 特定漏洞加固方法 (12)第一章目的与范围1.1 目的为了加强宝付的数据安全管理，全面提高宝付各业务系统的数据安全水平，保证业务系统的正常运营，提高业务服务质量，特制定本方法。

本文档旨在于规范宝付对各业务系统的Oracle数据库进行安全加固处理。

1.2适用范围本手册适用于对宝付公司的各业务系统的数据库系统加固进行指导。

1.3数据库类型数据库类型为Oracle 11g。

第二章数据库安全规范2.1 操作系统安全要使数据库安全，首先要使其所在的平台和网络安全。

然后就要考虑操作系统的安全性。

Oracle使用大量用户不需要直接访问的文件。

例如，数据文件和联机重做日志文件只能通过Oracle的后台进程进行读写。

因此，只有要创建和删除这些文件的数据库管理员才需要在操作系统级直接访问它们。

导出转储文件和其他备份文件也必须受到保护。

可以把数据复制到其他数据库上，或者是作为复制模式的一部分，或者是提供一个开发数据库。

若要保护数据的安全，就要对数据所驻留的每一个数据库及这些数据库的备份进行保护。

如果某人能从含有你的数据备份的数据库中带走备份磁带，那么你在数据库中所做的全部保密工作就失去意义。

必须防止对全部数据备份的非法访问。

2.2 帐户安全为了避免数据库帐户大量耗费系统资源，影响其它用户的正常访问，可以根据应用的实际需要，对数据库帐户所使用的资源（如CPU等）进行限制。

ORACLE安全设置

目录一、保护ORACLE数据库的安全 (1)二、ORACLE高效分页存储过程代码 (7)一、保护ORA CLE数据库的安全1、调整默认的安全设置最小权限原则1.1默认的用户查询用户及用户账号状态Select username, account_status from dba_users;SYS, SYSTEM, DBSNMP, SYSMAN这四个默认账号一般为可用，其他都不可用。

1.2Public权限Public是oracle的伪用户。

只要为public授予权限，那么所有的用户都会被授予此权限。

取消权限：Revoke execute on utl_file from public;1.3危险的程序包。

UTL_FILE:允许用户读写操作系统用户可访问的，运行oracle进程的任何文件和目录。

UTL_TCP：允许用户为了连接网络中所有可访问的地址而打开服务器机器上的tcp端。

UTL_SMTP：允许用户发送邮件信息。

UTL_HTTP：允许用户发送http消息和接收响应。

2、实例参数2.1 UTL_FILE_DIR(default: null)：允许PLSQL通过UTL_FILE来访问服务器的系统。

2.2 REMOTE_OS_AUTHENT(default: false) AND OS_AUTHENT_PREFIX(default: ops$) REMOTE_OS_AUTHENT：控制某个用户是否能够在不需要给出口令的情况下从远程计算机上连接数据库。

这个已过时了。

OS_AUTHENT_PREFIX：操作系统名被映射为oracle用户名之前必须应用这个前缀。

2.3 O7_DICTIONARY_ACCESSIBILITY(default: false)：控制使用ANY关键字授予对象权限的效果。

2.4 REMOTE_LOGIN_PASSWORDFILE：控制具有SYSDBA权限的用户是否能够通过网络连接实例。

oracle安全策略配置指引-V1.0

oracle安全策略配置指引-V1.0ORACLE安全配置规范1.概述本规范适用于核心系统中运行的ORACLE数据库的安全配置（注册登记系统、客户服务系统、投资管理系统、网站系统、直销网上交易系统）；非核心系统所用的ORACLE数据库可根据实际需要参照进行配置。

2.版本时间版本修订人2012-09-14 1.0 陈兆荣3.ORACLE数据库安全配置要求3.1.身份鉴别3.1.1.账号配置A.冗余账号清理要求内容是否锁定多余的账户配置操作（参考）启动Oracle Enterprise Manager Console连接数据库，选择“安全性”->“用户”，鼠标右键将用户“锁定”；用system用户执行：alter user *** account lock;检查方法启动Oracle Enterprise Manager Console连接数据库，选择“安全性”->“用户”，查看列表检查；or拥有select any table权限用户执行查询语句：Select username,account_status from dba_users;B.是否启用口令复杂性函数要求内容所有用户启用口令复杂函数配置操作（参考）要求：用户名密码须不一致；密码最少长度12位（自定）；筛选简单密码（默认）；密码必须包含1个数字1个字母1个特殊字符；和前次密码最少n个字母不一致（可选）1）从数据库服务器$ROACLE_HOME/rdbms/admin/utlpwdmg.sql文件下载到本地；2）对文件verify_function函数中对应项进行修改（可请求熟悉同事支援）；3）用sysdba身份登陆并执行脚本中函数；4）登陆Oracle Enterprise Manager Console连接数据库，选择“安全性”->“概要文件”，对每个profile分别选择“口令”->“启用口令复杂性函数”；检查方法登陆Oracle Enterprise Manager Console连接数据库，选择“安全性”->“概要文件”，对每个profile分别选择“口令”检查是否启用口令复杂性函数；or拥有select any table权限用户执行查询语句：select * fromdba_profiles where resource_name='PASSWORD_VERIFY_FUNCTION';C.账户资源限制要求内容用户资源使用限制配置操作（参考）登陆Oracle Enterprise Manager Console连接数据库，选择“安全性”->“概要文件”，根据系统实际情况对每个profile中“一般信息”选项卡的进行设置，其中“并行会话数”须限制，非生产用户对“连接时间”与“空闲时间”应给予限制，其他结合系统情况进行合适配置。

Oracle数据库安全配置基线

Oracle数据库安全配置基线
Oracle数据库安全配置基线
第1章
1.1
本文规定了Oracle数据库应当遵循的安全性设置标准，本文档旨在指导系统管理人员或安全检查人员进行Oracle数据库的安全合规性检查和配置。
1.2
本配置标准的使用者包括：服务器系统管理员、安全管理员和相关使用人员。
本配置标准适用的范围包括：Oracle数据库服务器。
3.使用showparameter命令来检查参数audit_trail是否设置；
4.检查dba_audit_trail视图中或$ORACLE_BASE/admin/adump目录下是否有数据。
基线符合性判定依据
参数audit_trail不能设置为NONE。
备注
第5章
5.1
5.1.1
安全基线项目名称
数据库管理系统Oracle监听器安全基线要求项
基线符合性判定依据
查询结果中FAILED_LOGIN_ATTEMPTS等于6。
备注
3.1.4
安全基线项目名称
数据库管理系统Oracle默认账户口令策略安全基线要求项
安全基线项说明
更改数据库默认帐号的密码。
检测操作步骤
1.以Oracle用户登陆到系统中；
2.以system/system、system/manager、sys/sys、sys/cHAnge_on_install、scott/scott、scott/tiger、dbsnmp/dbsnmp、rman/rman、xdb/xdb登陆sqlplus环境。
基线符合性判定依据
对重要的数据库系统，要求正确设置参数sqlnet.encryption；
通过网络层捕获的数据库传输包为加密包。

Oracle数据库安全配置基线

Oracle数据库安全配置基线
简介
本文档旨在提供Oracle数据库的安全配置基线指南，以帮助确保数据库的安全性。

通过按照以下步骤进行配置，可以减少潜在的安全威胁和风险。

配置步骤
以下是Oracle数据库安全配置的基线步骤：
1. 安装最新的数据库补丁：确保在安装数据库之前，先安装最新的补丁程序，以修复已知的安全漏洞。

2. 禁用默认的系统帐户：在部署数据库之前，禁用默认的系统帐户（如SYSTEM、SYS、SYSMAN等），并创建自定义的管理员帐户。

3. 启用密码复杂性检查：使用强密码策略，确保数据库用户的密码具备足够的复杂性和强度。

4. 实施账户锁定策略：设置账户锁定策略，限制登录失败的次数，以防止暴力。

5. 限制数据库访问权限：核实数据库用户的访问权限，仅赋予他们所需的最低权限，以限制潜在的恶意操作。

6. 启用审计功能：启用Oracle数据库的审计功能，记录和监控数据库的所有活动，便于发现潜在的安全威胁。

7. 启用网络加密：使用SSL/TLS等加密协议，确保数据库与客户端之间的通信是安全和加密的。

8. 实施备份和恢复策略：定期备份数据库，并测试恢复过程，以防止数据丢失和灾难恢复。

9. 定期审查和更新安全配置：定期审查数据库的安全配置，并根据最新的安全标准和最佳实践的推荐，更新配置以提高安全性。

总结
通过遵循以上基线配置步骤，可以帮助提高Oracle数据库的安全性。

然而，在实际应用中，还应根据具体情况进行定制化的安全配置，并持续关注新的安全威胁和漏洞，及时进行更新和升级。

ORACLE数据库安全规范

数据库安全规范1概述1.1适用范围本规范明确了Oracle数据库安全配置方面的基本要求。

1.2符号和缩略语2 ORACLE安全配置要求本规范所指的设备为ORACLE数据库。

本规范提出的安全配置要求，在未特别说明的情况下，均适用于ORACLE数据库。

本规范从ORACLE数据库的认证授权功能和其它自身安全配置功能提出安全要求。

2.1账号ORACLE应提供账号管理及认证授权功能，并应满足以下各项要求。

2.1.1按用户分配帐号2.1.2删除或锁定无关帐号2.1.3用户权限最小化要求内容在数据库权限配置能力内，根据用户的业务需要，配置其所需的最小权限。

grant 权限to user name; revoke 权限 from user name;2、补充操作说明用第一条命令给用户赋相应的最小权限用第二条命令收回用户多余的权限业务测试正常4、检测操作业务测试正常5、补充说明2.1.4使用ROLE 管理对象的权限1. 使用Create Role 命令创建角色。

2.使用用Grant 命令将相应的系统、对象或 Role 的权限赋予应用用户。

2、补充操作说明对应用用户不要赋予 DBA Role 或不必要的权限。

4、检测操作 1.以DBA 用户登陆到 sqlplus 中。

2.通过查询 dba_role_privs 、dba_sys_privs 和 dba_tab_privs 等视图来检查是否使用ROLE 来管理对象权限。

5、补充说明操作指南1、参考配置操作检测方法3、判定条件要求内容使用数据库角色（ROLE ）来管理对象的权限。

操作指南1、参考配置操作检测方法 3、判定条件2.1.5控制用户属性可通过下面类似命令来创建 Profile ，并把它赋予一个用户CREATE P ROFILE <p rofile_name>LIMIT FAILED_LOGIN_ATTE MPTS 6PASSWORD REUSE TIME 60P ASSWORD_REUSE_MAX 5P ASSWORD_VERIFY_FUNCTIONvenfy_fu nctionP ASSWORD_LOCK_TIME 1/24;ALTER USER<user_name> P ROFILE <p rofile_ name 〉; 2、补充操作说明4、检测操作2.查询视图dba_profiles 和dba_usres 来检查profile 是否创建。

详细版oracle配置手册.doc.doc

1 安装oracle1.1安装服务1)双击oracle安装程序，开始安装，单击下一步2)选择安装路径，单击下一步3)选择安装的产品（此处选Oracle Database 9.2.0.1.0），单击下一步4)选择安装的版本（默认选企业版），单击下一步5)选择数据库配置（默认选择通用），单击下一步6)设置端口号（默认2030），单击下一步7)设置数据库名及SID名称，单击下一步(sywebserver)8)选择数据库文件目录的路径，单击下一步9)设置数据库字符集（默认），单击下一步10)单击“安装”，开始安装数据库11)安装过程中会提示插入磁盘2，选择磁盘2的路径，单击“确定”继续安装12)之后还会提示插入磁盘3，选择磁盘3的路径，单击“确定”继续安装13)安装程序对数据库进行配置并创建数据库14)设置数据库的管理员SYS、System的密码，此处分别设为sys、system。

1.2创建用户及数据库1)在开始－>程序－>Ora92－>Enterprise Manager Console打开oracle的管理界面2)选择独立启动，单击确定3)打开数据库，输入用户名、口令（system、system）登陆4)打开安全性－>用户，右键单击，在菜单中选择创建5)在弹出的窗口输入名称及口令（syportal、syportal）6)切换到角色选项卡，选择DBA角色，单击下箭头添加7)将DBA的管理选项勾选，单击创建8)提示用户创建成功9)重复步骤4）～8），分别创建用户syprivilege（用户/密码：syprivilege/syprivilege）、usm（用户/密码：usm/usm）1.3 导入数据1）开始菜单——运行——cmd2）进入到数据文件的存放路径3）执行数据恢复语句imp syportal/syportal fromuser=hljportal touser=syportal file=portaldata0115.dmp (imp 登陆用户/密码fromuser=原数据库用户名touser=现数据库用户file=数据数据文件名log=log.text)4）执行imp syprivilege/syprivilege fromuser=hljsyprivilege touser=sysyprivilege file=portaldata0115.dmp5）执行imp ums/ums fromuser=ums touser=ums file=portaldata0115.dmp。

Oracle安全配置基线

Oracle数据库系统平安配置基线中国移动通信管理信息系统部2023年 4月1.假设此文档须要日后更新，请创立人填写版本限制表格，否那么删除版本限制表格。

目录第1章概述 (4)目的 (4)适用范围 (4)适用版本 (4)实施 (4)例外条款 (4)第2章帐号 (5)帐号平安 (5)删除不必要帐号* (5)限制超级管理员远程登录* (5)用户属性限制 (6)数据字典访问权限 (6)TNS登录IP限制* (7)第3章口令 (8)口令平安 (8)帐号口令的生存期 (8)重复口令运用 (8)认证限制* (9)更改默认帐号密码 (9)密码更改策略 (10)密码困难度策略 (10)第4章日志 (12)日志审计 (12)数据库审计谋略* (12)第5章其他 (13)其他配置 (13)设置监听器密码 (13)加密数据* (13)第6章评审与修订 (14)第1章概述1.1目的本文档规定了中国移动管理信息系统部所维护管理的ORACLE数据库系统应当遵循的数据库平安性设置标准，本文档旨在指导数据库管理人员进展ORACLE数据库系统的平安配置。

1.2适用范围本配置标准的运用者包括：数据库管理员、应用管理员、网络平安管理员。

本配置标准适用的范围包括：中国移动总部和各省公司信息化部门维护管理的ORACLE数据库系统。

1.3适用版本ORACLE数据库系统。

1.4实施本标准的说明权和修改权属于中国移动集团管理信息系统部，在本标准的执行过程中假设有任何疑问或建议，应刚好反应。

本标准发布之日起生效。

1.5例外条款欲申请本标准的例外条款，申请人必需打算书面申请文件，说明业务需求和缘由，送交中国移动通信管理信息系统部进展审批备案。

第2章帐号2.1帐号平安2.1.1删除不必要帐号*平安基线工程名称数据库管理系统Oracle删除不必要帐号平安基线要求项平安基线编号SBL-Oracle-02-01-01平安基线项说明应删除或锁定与数据库运行、维护等工作无关的帐号。

Oracle数据库安全配置标准

XX公司Oracle数据库安全配置标准（试行）1 目的为保证公司应用系统的信息安全，规范数据库层面的安全配置操作，制定本标准。

2 范围本标准适用于公司各个业务系统中使用的Oracle 10g及以上数据库系统。

3 安全配置标准3.1安装数据库的主机要求●主机应当专门用于数据库的安装和使用；●数据库主机避免安装在域控制器上；●硬件要求请参考Oracle 10g及以上各发行版自带的发行说明；●主机操作系统层面应当保证安全：Oracle数据库可以安装在Windows Server,Linux,及各类Unix系统上，数据库软件安装之前，应当保证主机操作系统层面的安全，需要对主机进行安全设置，补丁更新，防病毒软件安装等。

3.2数据库补丁安装标准日常运行维护中如果Oracle推出新的补丁，则应按照《基础平台运维管理办法》的相关规定，在进行评估、验证之后，升级相关补丁。

3.3数据库口令安全配置标准3.3.1 密码复杂性配置要求1.密码长度至少为8位2.必须为DBA帐户和普通帐户提供复杂的口令，需要包含以下字符：⏹英语大写字母 A, B, C, … Z⏹英语小写字母 a, b, c, … z⏹西方阿拉伯数字 0, 1, 2, (9)⏹非字母数字字符，如标点符号，@, #, $, %, &, *等⏹为用户建profile，调整PASSWORD_VERIFY_FUNCTION，对密码负载度进行设置：3.3.2 创建应用账号并授权创建用户：SQL>create user username identified by password;基本授权：SQL>grant connect,resource to username;创建表空间：SQL>create tablespace tablespace_name datafile ‘/home/oracle/tablespace_name.dbf’size 500m;用户与表空间对应：SQL>alter user username default tablespace tablespace_name;3.3.3 禁用不必要的数据库帐户针对每个数据库里的数据库帐号，确保没有测试帐号和无用的帐号存在。

4、oracle数据库安全配置操作手册

XXXXX
Oracle数据库安全配置操作手册
文档修订摘要
目录
1概述 (1)
1.1目的 (1)
1.2适用范围 (1)
2身份鉴别 (1)
2.1确保用户标识唯一 (1)
2.2禁用或删除无意义账号 (1)
2.3设置密码复杂度策略 (2)
2.4修改默认账号的密码 (2)
3用户授权 (3)
3.1为不同用户设置相应权限 (3)
4访问控制 (3)
4.1登陆失败锁定 (3)
4.2限制用户远程访问 (3)
4.3远程链接数设置 (4)
4.4连接超时设置 (4)
5日志审计 (4)
5.1设置日志审计策略 (4)
Oracle数据库安全配置操作手册
1概述
1.1目的
本文档规定了XXXXX的Oracle 操作系统的主机应当遵循的操作系统安全性设置标准，本文档旨在指导系统管理人员或安全检查人员进行Oracle 操作系统的安全合规性检查和配置。

1.2适用范围
本配置标准的使用者包括：服务器系统管理员、应用管理员。

本配置标准适用的范围包括：XXXXX的Oracle服务器系统。

2身份鉴别
2.1确保用户标识唯一
2.2禁用或删除无意义账号
2.3设置密码复杂度策略
2.4修改默认账号的密码
3用户授权
3.1为不同用户设置相应权限
4访问控制
4.1登陆失败锁定
4.2限制用户远程访问
4.3远程链接数设置
4.4连接超时设置
5日志审计
5.1设置日志审计策略。

Oracle数据库安全配置规范【华为】

目录1概述 (2)1.1适用范围 (2)1.2内部适用性说明 .......................................................................................................... 错误！未定义书签。

1.3外部引用说明 .............................................................................................................. 错误！未定义书签。

1.4术语和定义 .................................................................................................................. 错误！未定义书签。

1.5符号和缩略语 (2)2ORACLE安全配置要求 (2)2.1账号 (2)2.2口令 (7)2.3日志 (11)2.4其他 (13)1概述1.1适用范围本规范明确了Oracle数据库安全配置方面的基本要求。

1.2符号和缩略语2ORACLE安全配置要求本规范所指的设备为ORACLE数据库。

本规范提出的安全配置要求，在未特别说明的情况下，均适用于ORACLE数据库。

本规范从ORACLE数据库的认证授权功能、安全日志功能，和其他自身安全配置功能提出安全要求。

2.1账号ORACLE应提供账号管理及认证授权功能，并应满足以下各项要求。

2.1.1按用户分配帐号2.1.2删除或锁定无关帐号2.1.3限制SYSDBA用户的远程登录2.1.4用户权限最小化2.1.5使用ROLE管理对象的权限2.1.6控制用户属性2.1.7启用数据库字典保护2.2口令2.2.1静态口令认证的密码复杂度控制2.2.2静态口令认证的密码生命周期2.2.3静态口令认证的密码重复使用限制2.2.4景泰口令认证的连续登录失败的帐号锁定策略2.2.5更改数据库默认帐号的密码2.2.6操作系统级的帐户安全策略2.3日志2.3.1登录日志功能2.3.2DDL日志2.3.3数据库审记2.4其他2.4.1VPD与OLS2.4.2Data Vault2.4.3Listener设定密码保护2.4.4设定信任IP集2.4.5加密网络传输2.4.6断开超时的空闲远程连接2.4.7限制DBA组中的操作系统用户数量。

Oracle数据库系统安全配置手册(整理)

附件四：Oracle数据库系统安全配置本标准适用于Unix/Linux操作系统下的Oracle数据库系统，版本为8i、9i、10g.1安全补丁的更新2$ORACLE_HOME/bin目录权限保护3Oracle 数据字典的保护4加强访问控制5监听程序的管理6关闭Extproc功能7密码文件管理8用户账号管理9最小权限使用规则10DBSNMP用户的保护11SYS用户12密码策略13数据库操作审计14本地缓存区溢出防护15监听listener作ip访问限制修改（需重启监听）$ORACLE_HOME/network/admin/sqlnet.ora :tcp.validnode_checking=yestcp.invited_nodes=(localhost, 本机ip, 应用服务器ip，管理机ip等)注：对二层结构的应用，不需设置该选项.16修改默认的监听端口修改（需重启监听）$ORACLE_HOME/network/admin/listener.ora:(ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))修改PORT的值为新的监听端口->(ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 3521))确认：lsnrctl status17日志目录SQL> show parameter dumpNAME TYPE VALUE---------------------- ----------- ------------------------------background_core_dump string partialbackground_dump_dest string /opt/oracle/admin/portaldb/bdump core_dump_dest string /opt/oracle/admin/portaldb/cdump max_dump_file_size string UNLIMITEDshadow_core_dump string partialuser_dump_dest string /opt/oracle/admin/portaldb/udumpSQL> show parameter auditNAME TYPE VALUE---------------------- ----------- ------------------------------audit_file_dest string /opt/oracle/admin/portaldb/adump18启用资源限制Profile 分两部分(资源参数和密码参数)，resource_limit为 TRUE 限定资源参数（resource parameters）设置有效；不管 resource_limit 的值为 TRUE 或 FALSE密码参数（password parameters）设置始终有效.alter system set resource_limit=true scope=both。

Oracle Argus Safety 8.2 最小安全配置指南说明书

Oracle® Argus SafetyMinimum Security Configuration GuideRelease 8.2E97685-01August 2018This guide describes essential security management options for the followingapplication:■Oracle Argus Safety 8.21IntroductionThis document outlines the steps that help strengthen application security. Note thatthis document is not a replacement for the Argus Safety Installation Guide. TheInstallation Guide should be referred for Argus Safety installation instructions.This document has been created to act as a step-by-step Guide for Minimum SecurityConfigurations on Argus Safety Web and Report Servers.This guide presents the following security guidelines and recommendations:■Post Installation Security Configurations■Configuring Folder Access to Web User Account■Configuring Log Folders, SQLTimes Path, and Access Permissions■Configuring HTTPS■Configuring Password Complexity■Configuring Case Intake Folders and Security■Configuring Security for Interface Web Service■Configuring Security for ESM■Configuring Security for AG Service■Configuring X-Content-Type-Options in IIS■Documentation Accessibility2Post Installation Security ConfigurationsThis document lists the various security configurations required after installing ArgusSafety:2.1Configuring Argusvr2/Argusvr2a PermissionsExecute the following steps to configure Argusvr2/Argusvr2a permissions:1.Create a domain user which has access to web-servers and all network services that will be configured in Argus such as shared network paths for Intake.■In the steps mentioned below, we have used a sample user called ’Safety_User’, throughout this section of the Guide.2.Go to every web server and configure the following:■Go to Control Panel > Administrative Tools .■Open Component Services .■Go to Console Root > Component Services > Computers > My Computer .■Select DCOM Config :■Change Permissions for Argusvr2 by doing the following:■Right-click on Argusvr2 and select Properties.■Select the Security tab.■Select Customize for these options: Launch and Active Permissions , and Access Permissions .Note:This section needs to be applied to each Web and ReportServer.■Click Edit under Launch and Activation Permissions.■Add Domain User for Launch and Activation Permissions with Local Launch and Local Activation permission selected. Select Deny for R emoteLaunch and Remote Activation.■Click OK.■Click Yes when you receive the following Windows Security message, regarding Deny permissions:■Click Edit for Access Permissions.■Add Domain User for Access Permissions with Local Access permission selected. Select Deny for Remote Access.■Click OK.■Click Yes when you receive the following Windows Security message, regarding Deny permissions:■Click Edit for Configuration Permissions.■Add a domain user for Change Configuration Permission, with Full Control and Read permissions selected.■Click OK.■Click OK on the Argusvr2 Properties dialog to save the changes.■Repeat step 2 for Argusvr2a.3.Run the Registry tool in Windows, as shown below:4.Browse to the HKEY_USERS\S-1-5-20 folder:5.Right-click the folder and select Permissions.6.Add a Safety Domain User with Full Control permission.7.Give permission to Access IIS Metabase to Safety_User by running followingcommand from the command prompt as administrator:C:\WINDOWS\\Framework64\v2.0.50727\aspnet_regiis.exe -ga "Safety_ User"3Configuring Folder Access to Web User AccountWe should have a Domain server and all the servers should be configured in that domain.■On every Web Server/Report Server, Anonymous access should be configured as follows:■Go to IIS Configuration Manager > Authentication:■Edit Anonymous Authentication:■Set user credentials to the Safety domain user (Safety_User):■On every Web Server:Integrations, GHP , ArgusNet, and Argus Console virtual directory should beconfigured to connect as Safety Domain User [Safety_User] as follows:■Select virtual directory and click on Basic Settings.■Select Connect as > Set Path Credentials > Enter Safety Domain User [Safety_User] and PasswordNote:If Webgate is configured, then the webgate, oamsso, andoamsso-bin virtual directories require the same configuration.■Give full access on the following folders or files to Safety_User:■C:\Temp\ or Configured Root Folder for temp files ■<ArgusInstallPath>■<Documentum Installation Path> and C:\Documentum ■<Windows>\AGService.ini ■Configure Application Pools.Configure and Argus Web pool to run under the Safety_User identity.■Restart the Web Server.Note:If OAM is installed, give full control permission to everyoneon Webgate folder.Argus Web Pool has the same settings as defined for Argus ConsolePool and Argus NET Pool.4Configuring Log Folders, SQLTimes Path, and Access Permissions4.1Configuring Log FoldersThe various modules of Argus Safety Web log information to Log files in the configured folders. The configuration for logging can be found in the <logConfig> section in the following files:<ArgusInstallPath>\ArgusConsole\logger.config<ArgusInstallPath>\\logger.config<ArgusInstallPath>\\Bin\RelsysWindowsService.exe.config<ArgusInstallPath>\web.config<ArgusInstallPath>\..\Bin\Argusvr2.config<ArgusInstallPath>\..\Bin\Argusvr2a.configArgus Safety\Agproc.config (on the AG Service Box)By default, the log level is set as ’Error’:<add userid="--All--" Enterprise="--All--" logLevel="Error" />This means that the application logs only errors encountered by it on the web server. The log level can be configured to any of the following values:OffErrorWarningInformationVerboseIf a higher level log needs to be configured for a specific user or a specific Enterprise, an additional line can be added in the <LoggerConfigs> section as shown below:<add userid="thomas" Enterprise="ESN1" logLevel="Verbose" />The above example enables verbose logging for the user "thomas" who belongs to the Enterprise with the EnterpriseShortName "ESN1".The folder where the log files are generated can be found in the following configuration in the same .config file:<appender name="RollingLogFileAppender"type="log4net.Appender.RollingFileAppender"><param name="File"value="C:\Temp\ArgusLogs\ArgusNet\RelsysWindowsService.log" />Different modules of the application should have different log file names (or paths). By default, the logs are configured to be generated under C:\Temp\ArgusLogs or a subfolder under it.This folder needs to have Read/Write/Modify permissions to the Domain user with which the Argus Safety Website has been configured to run as.4.2Configuring SQLTimes PathThe folder where SQLTimes logs are generated is configurable. The configuration needs to be made in argus.ini (present in the Windows folder).The following example illustrates this configuration:[Workstation]SqlTimesPath=C:\Temp\ArgusLogs\SqlTimesThis folder needs to have Read/Write/Modify permissions to the Domain user with which the Argus Safety Website has been configured to run.5Configuring HTTPSExecute the following steps to configure HTTPS:1.Login to each Web Server and Report Server and perform the following steps toconfigure HTTPS.unch the Internet Information Services (IIS) Manager.3.Select the server node as shown in the diagram below and then open the ServerCertificates under the IIS section.4.Create/import your SSL certificate.5.After the certificate is created, select Argus Safety Web under the Sites option andgo to Actions > Bindings.certificate in the SSL Certificate drop-down list that was created previously.7.Click OK.8.HTTPS is now enabled for Argus Safety. To ensure that the SSL connection isrequired, select SSL Settings under the Argus Safety Web node.9.Select Require SSL and click Apply.To disable insecure SSL protocols, follow the steps to disable:■SSL 1.0■SSL 2.0■SSL 3.0■TLS 1.0■TLS 1.1as per following article: https:///en-us/kb/245030.6Configuring Password ComplexityExecute the following steps to configure password complexity:1.Log in to Argus Safety with access to Argus Console.2.Open Argus Console.3.Go to System Configuration > System Management.4.Select Security from the left-hand pane.5.Configure the following options to control password complexity:6.Number of non-alpha characters in password: The number entered here willensure that the users enter that many non alpha characters during passwordupdates. Setting this value to a 0 will not require a non-alpha character.7.Minimum number of characters in the password: This defines the minimumlength of a password.8.Number of previous passwords that cannot be repeated: This will prevent usersfrom using the same password again after the number entered in this field.7Configuring Case Intake Folders and SecurityThe Argus Intake service should be configured to run under a Domain user, who has read-write access onto the IN and OUT folder paths. There are no other security guidelines for Intake.8Configuring Security for Interface Web ServiceThe PSL Web Service has been built on top of Microsoft Windows Communication Foundation. The following gives a very detailed understanding of the concepts of WCF Security and the various configurations that are possible to configure security on the WCF Web Service.Execute the following steps to configure the PSL Web Service to use Transport and Message Security:■Locate the <system.serviceModel> section in the<ArgusInstallPath>\Integrations\web.config file.■By default, the bindingConfiguration used by the Service Endpoint is wsHttpUnsecure.■Security can be configured in the same binding Configuration or a new configuration can be created. The steps mentioned in this section uses a newbinding configuration called wsHttpSecure.■To achieve this, modify the endpoint configuration to use the new bindingConfiguration:<services><servicebehaviorConfiguration="Relsys.InterfaceLibrary.RelsysServiceBehavior"name="Relsys.InterfaceLibrary.RelsysService"><endpoint address="" binding="wsHttpBinding"contract="Relsys.InterfaceComponents.IRelsysService"bindingConfiguration="wsHttpSecure"/></service></services>■Create a new binding configuration under the hierarchy<bindings><wsHttpBinding>, as shown below:<bindings><wsHttpBinding><binding name="wsHttpSecure"><security mode="TransportWithMessageCredential"><transport clientCredentialType="Certificate"/><message clientCredentialType="Certificate" /></security></binding></wsHttpBinding></bindings>The different values available for the clientCredentialType for transport andmessage elements can be found in the WCF documentation mentioned at thebeginning of this section.■Modify the Service Behavior configuration as follows:<behaviors><serviceBehaviors><behavior name="Relsys.InterfaceLibrary.RelsysServiceBehavior"> <serviceCredentials><clientCertificate findValue="00 00 00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00 00 00" x509FindType="FindByThumbprint" ></clientCertificate><serviceCertificate findValue="00 00 00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00 00 00" x509FindType="FindByThumbprint"/></serviceCredentials></behavior></serviceBehaviors></behaviors>In the above configuration, configure the findValue and x509FindType according to the Server Certificate and the Client Certificate.9Configuring Security for ESMThe Argus Interchange service should be configured to run under a Domain user. This domain user should have appropriate privileges to some Interchange related folders, as given below:<Interchange Service Install Path>\DTDFiles - Full ControlOutgoing Folder - Full ControlAttachment Outgoing Folder - Full ControlIncoming Folder - Full ControlLog Folder - Full ControlFor E2B Viewer, the folder referred to as the Template path in Argus.ini(<ArgusInstallPath>\E2BViewer\Templates\) needs to be given Full Access. This folder is used for CIOMS and MedWatch views.These changes must be validated at the box placed at the following location:<ArgusInstallPath>\E2BViewer\Templates\10Configuring Security for AG ServiceFor AG Service to correctly show the status of all the processes on AG Service Configuration screen, the Safety_User needs R/W access to AGService.INI file. 11Configuring X-Content-Type-Options in IIS1.Open Internet Information Services (IIS) Manager.2.In the Connections pane, go to the site, application, or directory for which youwant to set a custom HTTP header.3.In the Home pane, double-click HTTP Response Headers.4.In the HTTP Response Headers pane, in the Actions pane, click Add...5.In the Add Custom HTTP Response Header dialog box, set the Name to"X-Content-Type-Options" and the Value to "nosniff", then click OK.12Documentation AccessibilityFor information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at/pls/topic/lookup?ctx=acc&id=docacc.Access to Oracle SupportOracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit/pls/topic/lookup?ctx=acc&id=info or visit/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.Oracle Argus Safety Minimum Security Configuration Guide Release 8.1.1E97685-01Copyright © 2016, 2018 Oracle and/or its affiliates. All rights reserved.This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.。

oracle数据库参数设置技术手册

数据库参数设置技术手册密级:绝密数据库参数设置技术手册版本：1.0文件质量等级：A拟制标准化批准中国上海1 前言 (3)2 目的 (3)3 ORACLE内存结构概述 (3)4 常用参数说明 (3)4.1 BUFFER_POOL_KEEP (4)4.2 CPU_COUNT (4)4.3 DB_BLOCK_BUFFERS (4)4.4 DB_BLOCK_SIZE (5)4.5 DB_FILE_MULTIBLOCK_READ_COUNT (5)4.6 GLOBAL_NAMES (5)4.7 INSTANCE_NAME (5)4.8 LICENSE_MAX_SESSIONS (5)4.9 LICENSE_MAX_USERS (6)4.10 LOG_BUFFER (6)4.11 OPEN_CURSORS (6)4.12 SERVICE_NAMES (6)4.13 SHARED_POOL_SIZE (6)4.14 SORT_AREA_SIZE (7)4.15 JAVA_POOL_SIZE (7)4.16 LARGE_POOL_SIZE (7)4.17 HASH_POOL_SIZE (7)4.18 SHARED_POOL_RESERVED_SIZE (7)4.19 SESSION_CACHED_CURSORS (7)4.20 CURSOR_SPACE_FOR_TIME (8)4.21 SGA_MAX_SIZE (8)4.22 SORT_AREA_RETAINED_SIZE (8)4.23 PGA_AGGREGATE_TARGET (8)4.24 WORKAREA_SIZE_POLICY (8)4.25 SQL_TRACE (9)4.26 TIMED_STATISTICS (9)4.27 DB_CACHE_SIZE (9)4.28 DB_KEEP_CACHE_SIZE (9)4.29 DB_RECYCLE_CACHE_SIZE (9)4.30 DB_FILE_MULTIBLOCK_READ_COUNT (9)4.31 DB_WRITER_PROCESSES (10)5 参数设置原则 (10)5.1 SGA系统全局区 (10)5.1.1 数据缓冲区（DB_BLOCK_BUFFERS） (10)5.1.2 共享池（SHARED_POOL_SIZE） (10)5.1.3 日志缓冲区（LOG_BUFFER） (10)5.1.4 JAVA池（JAVA_POOL_SIZE） (10)5.1.5 大池（LARGE_POOL_SIZE） (11)5.2 PGA程序全局区 (11)5.2.1 分类区（SORT_AREA_SIZE）与哈希区(HASH_AREA_SIZE) (11)6 参数设置实例 (11)1 前言2 目的3 ORACLE内存结构概述内存结构=SGA（系统全局区）+PGA（程序全局区）SGA就是我们所说的内存调优的主要对象。

oracle安全配置

Oracle安全配置操作系统：window server 2008 x64 oracle：oracle 11.2.0.1.0oracle权限介绍1.oracle一个实例就是一个数据库，创建一个新的数据库会产生一个新的实例，并且一个实例独立运行一个进程。

2.一个用户对应一个方案，当用户新建一个数据对象（比如表）之后会在此方案下面。

自己访问可以直接访问，其他用户访问需通过“方案名.对象名”的方式。

3.用户默认拥有自己方案下面的数据对象的权限，其他用户无相应权限。

sys，system默认拥有所有方案的权限。

4.当一个用户登录oracle实例时，首先需要判断用户是有否登录权限，如果没有，直接不能登录，如果有，则登录成功。

登录成功之后，会根据用户拥有的权限来决定能做的事情，在进行一项操作时，如果有权限，则操作成功，如果没有权限，则操作失败。

5.oracle主要有两个核心进程，一个是oracle的服务进程，一个是监听进程，当外部连接oracle时，首先是访问的监听进程，由监听进程根据你访问的数据库实例来转发到相应的oracle实例进程处理。

oracle系统服务在window server 2008中安装的oracle 11g总共会有七个服务，这七个服务的含义分别为：a. Oracle ORCL VSS Writer Service：Oracle卷映射拷贝写入服务，VSS（Volume Shadow Copy Service）能够让存储基础设备（比如磁盘，阵列等）创建高保真的时间点映像，即映射拷贝（shadow copy）。

它可以在多卷或者单个卷上创建映射拷贝，同时不会影响到系统的系统能。

（非必须启动）b. OracleDBConsoleorcl：Oracle数据库控制台服务，orcl是Oracle的实例标识，默认的实例为orcl。

在运行Enterprise Manager（企业管理器OEM）的时候，需要启动这个服务。

数据库安全性配置与管理手册

数据库安全性配置与管理手册一、引言在当今信息时代，数据库扮演着重要的角色，承载着企业和个人的关键数据。

然而，数据库的安全性常常面临各种潜在威胁和攻击。

为了确保数据库的机密性、完整性和可用性，正确的安全性配置与管理是至关重要的。

本手册将介绍数据库安全性的配置与管理的关键准则和最佳实践。

二、物理访问控制1. 数据库服务器的安全保障a) 放置数据库服务器在闲置区域，远离潜在物理破坏的威胁。

b) 限制物理访问权限：只有经过身份验证且授权的人员才可接触数据库服务器。

c) 定期审查访问日志，监控任何可疑的物理访问行为。

2. 数据库备份与恢复策略a) 定期进行数据库备份，并将备份数据存储在安全的地方。

b) 测试和验证数据库备份的完整性和可用性。

c) 存储备份数据的介质应采用加密技术以确保数据的机密性。

三、逻辑访问控制1. 身份验证与授权a) 使用强密码策略，包括密码复杂性要求和密码更改周期。

b) 实施账户锁定机制，限制密码错误次数。

c) 为每个用户分配独立的账户，并根据需要授予最低权限原则。

d) 定期审查用户的权限，及时回收不再需要的权限。

2. 数据加密a) 对敏感数据进行加密，并确保数据库通信过程中的数据传输加密。

b) 使用加密算法和加密密钥管理策略。

四、网络安全配置1. 防火墙与网络隔离a) 通过配置有效的防火墙规则，限制数据库服务器与外部网络的连接。

b) 将数据库服务器放置在安全区域内，与其他不相关的服务器进行隔离。

2. 数据库连接安全a) 使用安全传输协议（如SSL/TLS）加密数据库连接。

b) 启用双向身份验证以确保连接的安全性。

五、漏洞管理与安全审计1. 及时升级与安装安全补丁a) 定期监控数据库软件的安全补丁和更新，尽快安装以修补已知漏洞。

b) 实施漏洞扫描，发现并解决潜在的安全风险。

2. 安全审计与监控a) 启用安全审计功能，记录数据库的访问和操作活动。

b) 实施实时监控和警报机制，发现异常活动并及时采取相应的措施。

Oracle Argus Safety 7.0.5最低安全配置指南说明书

Oracle® Argus SafetyMinimum Security Configuration GuideRelease 7.0.5E61139-01February 2015This guide describes essential security management options for the followingapplication:■Oracle Argus Safety 7.0.51IntroductionThis document outlines the steps that help strengthen application security. Note thatthis document is not a replacement for the Argus Safety Installation Guide. TheInstallation Guide should be referred for Argus Safety installation instructions.This document has been created to act as a step-by-step Guide for Minimum SecurityConfigurations on Argus Safety Web and Report Servers.This guide presents the following security guidelines and recommendations:■Post Installation Security Configurations■Configuring Folder Access to Web User Account■Configuring Log Folders, SQLTimes Path, and Access Permissions■Configuring HTTPS■Configuring Password Complexity■Configuring Case Intake Folders and Security■Configuring Security for Interface Web Service■Configuring Security for ESM■Configuring Security for AG Service■Documentation Accessibility2Post Installation Security ConfigurationsThis document lists the various security configurations required after installing Argus Safety:2.1Configuring Argusvr2/Argusvr2a PermissionsExecute the following steps to configure Argusvr2/Argusvr2a permissions:1.Create a domain user which has access to web-servers and all network services that will be configured in Argus such as shared network paths for Intake.■In the steps mentioned below, we have used a sample user called ’Safety_User’, throughout this section of the Guide.2.Go to every web server and configure the following:a.Go to Control Panel > Administrative Tools .b.Open Component Services .c.Go to Console Root > Component Services > Computers > My Computer .d.Select DCOM Config :e.Change Permissions for Argusvr2 by doing the following:–Right-click on Argusvr2 and select Properties.–Select the Security tab.–Select Customize for these options: Launch and Active Permissions , and Access Permissions .Note:This section needs to be applied to each Web and ReportServer.–Click Edit under Launch and Activation Permissions.–Add Domain User for Launch and Activation Permissions with Local Launch and Local Activation permission selected. Select Deny for R emoteLaunch and Remote Activation.–Click OK.–Click Yes when you receive the following Windows Security message, regarding Deny permissions:–Click Edit for Access Permissions.–Add Domain User for Access Permissions with Local Access permission selected. Select Deny for Remote Access.–Click OK.–Click Yes when you receive the following Windows Security message, regarding Deny permissions:–Click Edit for Configuration Permissions.–Add a domain user for Change Configuration Permission, with Full Control and Read permissions selected.–Click OK.–Click OK on the Argusvr2 Properties dialog to save the changes.f.Perform the same changes from Step 2C for Argusvr2a and BCL EasyPDF(BCL easyPDF SDK 7 (or 6) Loader, bclprnmso).3.Run the Registry tool in Windows, as shown below:a.Browse to the HKEY_USERS\S-1-5-20 folder:b.Right-click the folder and select Permissions.c.Add a Safety Domain User with Full Control permission.d.Give permission to Access IIS Metabase to Safety_User with the followingcommand:C:\WINDOWS\\Framework\v2.0.50727\aspnet_regiis.exe -ga "Safety_ User"2.2Configuring BCL easyPDF PermissionsExecute the following steps to configure BCL easyPDF permissions:1.Go to every web server and configure the following:a.Go to Control Panel > Administrative Tools.b.Open Services.c.Select and right-click BCL easyPDF SDK 7 (or 6) Loader.d.Click Properties.e.Click the Log On tab and:■Click the This account radio button.■Set user credentials to the Safety domain user (Safety_User) and click OK.f.When the General tab opens:–Select Automatic from the Startup type drop-down list.–Click OK to close the Properties dialog box.g.When the system returns to the main Services window, start the BCL easyPDFSDK 7 (or 6) Loader.h.Close the Services window.3Configuring Folder Access to Web User AccountWe should have a Domain server and all the servers should be configured in that domain.1.On every Web Server/Report Server, Anonymous access should be configured asfollows:a.Go to IIS Configuration Manager > Authentication:b.Edit Anonymous Authentication:c.Set user credentials to the Safety domain user (Safety_User):2.On every Web Server: PDFReports, UploadedLetters, Integrations, GHP , ArgusNet, Argus Console, and Scanned_Images virtual directory should be configured to connect as Safety Domain User [Safety_User] as follows:a.Select virtual directory and click on Basic Settings.b.Select Connect as > Set Path Credentials > Enter Safety Domain User [Safety_User] and Password3.Give full access on the following folders or files to Safety_User:■C:\Temp\ or Configured Root Folder for temp files■<ArgusInstallPath>■<Documentum Installation Path> and C:\Documentum■<Windows>\AGService.ini4.Configure Application Pools.Configure and Argus Console pool to run under the Safety_User identity.5.Restart the Web Server.4Configuring Log Folders, SQLTimes Path, and Access Permissions4.1Configuring Log FoldersThe various modules of Argus Safety Web log information to Log files in the configured folders. The configuration for logging can be found in the <logConfig> section in the following files:<ArgusInstallPath>\ArgusConsole\logger.config<ArgusInstallPath>\\logger.config<ArgusInstallPath>\\Bin\RelsysWindowsService.exe.config<ArgusInstallPath>\web.config<ArgusInstallPath>\..\Bin\Argusvr2.config<ArgusInstallPath>\..\Bin\Argusvr2a.configArgus Safety\Agproc.config (on the AG Service Box)By default, the log level is set as ’Error’:<add userid="--All--" Enterprise="--All--" logLevel="Error" />This means that the application logs only errors encountered by it on the web server. The log level can be configured to any of the following values:■Off■Error■Warning■Information■VerboseIf a higher level log needs to be configured for a specific user or a specific Enterprise, an additional line can be added in the <LoggerConfigs> section as shown below:<add userid="thomas" Enterprise="ESN1" logLevel="Verbose" />The above example enables verbose logging for the user "thomas" who belongs to the Enterprise with the EnterpriseShortName "ESN1".The folder where the log files are generated can be found in the following configuration in the same .config file:<appender name="RollingLogFileAppender"type="log4net.Appender.RollingFileAppender"><param name="File"value="C:\Temp\ArgusLogs\ArgusNet\RelsysWindowsService.log" />Different modules of the application should have different log file names (or paths). By default, the logs are configured to be generated under C:\Temp\ArgusLogs or a subfolder under it.This folder needs to have Read/Write/Modify permissions to the Domain user with which the Argus Safety Website has been configured to run as.4.2Configuring SQLTimes PathThe folder where SQLTimes logs are generated is configurable. The configuration needs to be made in argus.ini (present in the Windows folder).The following example illustrates this configuration:[Workstation]SqlTimesPath=C:\Temp\ArgusLogs\SqlTimesThis folder needs to have Read/Write/Modify permissions to the Domain user with which the Argus Safety Website has been configured to run.5Configuring HTTPSExecute the following steps to configure HTTPS:1.Login to each Web Server and Report Server and perform the following steps toconfigure HTTPS.unch the Internet Information Services (IIS) Manager.3.Select the server node as shown in the diagram below and then open the ServerCertificates under the IIS section.4.Create/import your SSL certificate.5.After the certificate is created, select Argus Safety Web under the Sites option andgo to Actions > Bindings.6.Add a new Binding for the SSL Port. Select https as the port to bind and the SSLcertificate in the SSL Certificate drop-down list that was created previously.7.Click OK.8.HTTPS is now enabled for Argus Safety. To ensure that the SSL connection isrequired, select SSL Settings under the Argus Safety Web node.9.Select Require SSL and click Apply.6Configuring Password ComplexityExecute the following steps to configure password complexity:1.Log in to Argus Safety with access to Argus Console.2.Open Argus Console.3.Go to System Configuration > System Management.4.Select Security from the left-hand pane.5.Configure the following options to control password complexity:a.Number of non-alpha characters in password: The number entered here willensure that the users enter that many non alpha characters during password updates. Setting this value to a 0 will not require a non-alpha character.b.Minimum number of characters in the password: This defines the minimumlength of a password.c.Number of previous passwords that cannot be repeated: This will preventusers from using the same password again after the number entered in thisfield.7Configuring Case Intake Folders and SecurityThe Argus Intake service should be configured to run under a Domain user, who has read-write access onto the IN and OUT folder paths. There are no other security guidelines for Intake.8Configuring Security for Interface Web ServiceThe PSL Web Service has been built on top of Microsoft Windows CommunicationFoundation. The following gives a very detailed understanding of the concepts ofWCF Security and the various configurations that are possible to configure security on the WCF Web Service.Execute the following steps to configure the PSL Web Service to use Transport and Message Security:1.Locate the <system.serviceModel> section in the<ArgusInstallPath>\Integrations\web.config file.2.By default, the bindingConfiguration used by the Service Endpoint iswsHttpUnsecure.3.Security can be configured in the same binding Configuration or a newconfiguration can be created. The steps mentioned in this section uses a newbinding configuration called wsHttpSecure.4.To achieve this, modify the endpoint configuration to use the newbindingConfiguration:<services><servicebehaviorConfiguration="Relsys.InterfaceLibrary.RelsysServiceBehavior"name="Relsys.InterfaceLibrary.RelsysService"><endpoint address="" binding="wsHttpBinding"contract="Relsys.InterfaceComponents.IRelsysService"bindingConfiguration="wsHttpSecure"/></service></services>5.Create a new binding configuration under the hierarchy<bindings><wsHttpBinding>, as shown below:<bindings><wsHttpBinding><binding name="wsHttpSecure"><security mode="TransportWithMessageCredential"><transport clientCredentialType="Certificate"/><message clientCredentialType="Certificate" /></security></binding></wsHttpBinding></bindings>The different values available for the clientCredentialType for transport andmessage elements can be found in the WCF documentation mentioned at thebeginning of this section.6.Modify the Service Behavior configuration as follows:<behaviors><serviceBehaviors><behavior name="Relsys.InterfaceLibrary.RelsysServiceBehavior"><serviceCredentials><clientCertificate findValue="00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" x509FindType="FindByThumbprint" ></clientCertificate><serviceCertificate findValue="00 00 00 00 00 00 00 00 00 00 00 00 0000 00 00 00 00 00 00" x509FindType="FindByThumbprint"/></serviceCredentials></behavior></serviceBehaviors></behaviors>In the above configuration, configure the findValue and x509FindType according to the Server Certificate and the Client Certificate.9Configuring Security for ESMThe Argus Interchange service should be configured to run under a Domain user. This domain user should have appropriate privileges to some Interchange related folders, as given below:■<Interchange Service Install Path>\DTDFiles - Full Control■Outgoing Folder - Full Control■Attachment Outgoing Folder - Full Control■Incoming Folder - Full Control■Log Folder - Full ControlFor E2B Viewer, the folder referred to as the Template path in Argus.ini(<ArgusInstallPath>\E2BViewer\Templates\) needs to be given Full Access. This folder is used for CIOMS and MedWatch views.These changes must be validated at the box placed at the following location:<ArgusInstallPath>\E2BViewer\Templates\10Configuring Security for AG ServiceFor AG Service to correctly show the status of all the processes on AG Service Configuration screen, the Safety_User needs R/W access to AGService.INI file.11Configuring Security for BCL easyPDF SDK 7 (or 6) Loader Minimum Security User configuration should be performed on BCL easyPDF SDK 7 (or 6) Loader service for Login.This ensures that if the user configures the Report Server and attaches the attachment to the Expedited Report, the Expedited Report will generate the PDF without any failure.12Documentation AccessibilityFor information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at/pls/topic/lookup?ctx=acc&id=docacc.Access to Oracle SupportOracle customers have access to electronic support through My Oracle Support. For information, visit /pls/topic/lookup?ctx=acc&id=info orvisit /pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.Oracle Argus Safety Minimum Security Configuration Guide Release 7.0.5E61139-01Copyright © 2015 Oracle and/or its affiliates. All rights reserved.This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.。

Oracle Argus Safety 8.1.1 最小安全配置指南说明书

Oracle® Argus SafetyMinimum Security Configuration GuideRelease 8.1.1E90744-01September 2017This guide describes essential security management options for the followingapplication:■Oracle Argus Safety 8.1.11IntroductionThis document outlines the steps that help strengthen application security. Note thatthis document is not a replacement for the Argus Safety Installation Guide. TheInstallation Guide should be referred for Argus Safety installation instructions.This document has been created to act as a step-by-step Guide for Minimum SecurityConfigurations on Argus Safety Web and Report Servers.This guide presents the following security guidelines and recommendations:■Post Installation Security Configurations■Configuring Folder Access to Web User Account■Configuring Log Folders, SQLTimes Path, and Access Permissions■Configuring HTTPS■Configuring Password Complexity■Configuring Case Intake Folders and Security■Configuring Security for Interface Web Service■Configuring Security for ESM■Configuring Security for AG Service■Documentation Accessibility2Post Installation Security ConfigurationsThis document lists the various security configurations required after installing ArgusSafety:2.1Configuring Argusvr2/Argusvr2a PermissionsNote:This section needs to be applied to each Web and ReportServer.Execute the following steps to configure Argusvr2/Argusvr2a permissions:1.Create a domain user which has access to web-servers and all network servicesthat will be configured in Argus such as shared network paths for Intake.■In the steps mentioned below, we have used a sample user called ’Safety_ User’, throughout this section of the Guide.2.Go to every web server and configure the following:■Go to Control Panel > Administrative Tools.■Open Component Services.■Go to Console Root > Component Services > Computers > My Computer.■Select DCOM Config:■Change Permissions for Argusvr2 by doing the following:■Right-click on Argusvr2 and select Properties.■Select the Security tab.■Select Customize for these options: Launch and Active Permissions, and Access Permissions.■Click Edit under Launch and Activation Permissions.■Add Domain User for Launch and Activation Permissions with Local Launch and Local Activation permission selected. Select Deny for R emoteLaunch and Remote Activation.■Click OK.■Click Yes when you receive the following Windows Security message, regarding Deny permissions:■Click Edit for Access Permissions.■Add Domain User for Access Permissions with Local Access permission selected. Select Deny for Remote Access.■Click OK.■Click Yes when you receive the following Windows Security message, regarding Deny permissions:■Click Edit for Configuration Permissions.■Add a domain user for Change Configuration Permission, with Full Control and Read permissions selected.■Click OK.■Click OK on the Argusvr2 Properties dialog to save the changes.■Perform the same changes from Step 2C for Argusvr2a and BCL EasyPDF (BCL easyPDF SDK 7 (or 6) Loader, bclprnmso).3.Run the Registry tool in Windows, as shown below:4.Browse to the HKEY_USERS\S-1-5-20 folder:5.Right-click the folder and select Permissions.6.Add a Safety Domain User with Full Control permission.7.Give permission to Access IIS Metabase to Safety_User with the followingcommand:C:\WINDOWS\\Framework\v2.0.50727\aspnet_regiis.exe -ga "Safety_ User"2.2Configuring BCL easyPDF PermissionsExecute the following steps to configure BCL easyPDF permissions:1.Go to every web server and configure the following:■Go to Control Panel > Administrative Tools.■Open Services.■Select and right-click BCL easyPDF SDK 7 (or 6) Loader.■Click Properties.■Click the Log On tab and:■Click the This account radio button.■Set user credentials to the Safety domain user (Safety_User) and click OK.■When the General tab opens:–Select Automatic from the Startup type drop-down list.–Click OK to close the Properties dialog box.■When the system returns to the main Services window, start the BCL easyPDF SDK 7 (or 6) Loader.■Close the Services window.3Configuring Folder Access to Web User AccountWe should have a Domain server and all the servers should be configured in that domain.■On every Web Server/Report Server, Anonymous access should be configured as follows:■Go to IIS Configuration Manager > Authentication:■Edit Anonymous Authentication:■Set user credentials to the Safety domain user (Safety_User):■On every Web Server: PDFReports, UploadedLetters, Integrations, GHP , ArgusNet, Argus Console, and Scanned_Images virtual directory should be configured to connect as Safety Domain User [Safety_User] as follows:■Select virtual directory and click on Basic Settings.■Select Connect as > Set Path Credentials > Enter Safety Domain User [Safety_User] and Password■Give full access on the following folders or files to Safety_User:■C:\Temp\ or Configured Root Folder for temp files ■<ArgusInstallPath>■<Documentum Installation Path> and C:\Documentum ■<Windows>\AGService.ini ■Configure Application Pools.Configure and Argus Web pool to run under the Safety_User identity.■Restart the Web Server.Note:If OAM is installed, give full control permission to everyoneon Webgate folder.Argus Web Pool has the same settings as defined for Argus ConsolePool and Argus NET Pool.4Configuring Log Folders, SQLTimes Path, and Access Permissions4.1Configuring Log FoldersThe various modules of Argus Safety Web log information to Log files in the configured folders. The configuration for logging can be found in the <logConfig> section in the following files:<ArgusInstallPath>\ArgusConsole\logger.config<ArgusInstallPath>\\logger.config<ArgusInstallPath>\\Bin\RelsysWindowsService.exe.config<ArgusInstallPath>\web.config<ArgusInstallPath>\..\Bin\Argusvr2.config<ArgusInstallPath>\..\Bin\Argusvr2a.configArgus Safety\Agproc.config (on the AG Service Box)By default, the log level is set as ’Error’:<add userid="--All--" Enterprise="--All--" logLevel="Error" />This means that the application logs only errors encountered by it on the web server. The log level can be configured to any of the following values:OffErrorWarningInformationVerboseIf a higher level log needs to be configured for a specific user or a specific Enterprise, an additional line can be added in the <LoggerConfigs> section as shown below:<add userid="thomas" Enterprise="ESN1" logLevel="Verbose" />The above example enables verbose logging for the user "thomas" who belongs to the Enterprise with the EnterpriseShortName "ESN1".The folder where the log files are generated can be found in the following configuration in the same .config file:<appender name="RollingLogFileAppender"type="log4net.Appender.RollingFileAppender"><param name="File"value="C:\Temp\ArgusLogs\ArgusNet\RelsysWindowsService.log" />Different modules of the application should have different log file names (or paths). By default, the logs are configured to be generated under C:\Temp\ArgusLogs or a subfolder under it.This folder needs to have Read/Write/Modify permissions to the Domain user with which the Argus Safety Website has been configured to run as.4.2Configuring SQLTimes PathThe folder where SQLTimes logs are generated is configurable. The configuration needs to be made in argus.ini (present in the Windows folder).The following example illustrates this configuration:[Workstation]SqlTimesPath=C:\Temp\ArgusLogs\SqlTimesThis folder needs to have Read/Write/Modify permissions to the Domain user with which the Argus Safety Website has been configured to run.5Configuring HTTPSExecute the following steps to configure HTTPS:1.Login to each Web Server and Report Server and perform the following steps toconfigure HTTPS.unch the Internet Information Services (IIS) Manager.3.Select the server node as shown in the diagram below and then open the ServerCertificates under the IIS section.4.Create/import your SSL certificate.5.After the certificate is created, select Argus Safety Web under the Sites option andgo to Actions > Bindings.certificate in the SSL Certificate drop-down list that was created previously.7.Click OK.8.HTTPS is now enabled for Argus Safety. To ensure that the SSL connection isrequired, select SSL Settings under the Argus Safety Web node.9.Select Require SSL and click Apply.To disable insecure SSL protocols, follow the steps to disable:■SSL 1.0■SSL 2.0■SSL 3.0■TLS 1.0■TLS 1.1as per following article: https:///en-us/kb/245030.6Configuring Password ComplexityExecute the following steps to configure password complexity:1.Log in to Argus Safety with access to Argus Console.2.Open Argus Console.3.Go to System Configuration > System Management.4.Select Security from the left-hand pane.5.Configure the following options to control password complexity:6.Number of non-alpha characters in password: The number entered here willensure that the users enter that many non alpha characters during passwordupdates. Setting this value to a 0 will not require a non-alpha character.7.Minimum number of characters in the password: This defines the minimumlength of a password.8.Number of previous passwords that cannot be repeated: This will prevent usersfrom using the same password again after the number entered in this field.7Configuring Case Intake Folders and SecurityThe Argus Intake service should be configured to run under a Domain user, who has read-write access onto the IN and OUT folder paths. There are no other security guidelines for Intake.8Configuring Security for Interface Web ServiceThe PSL Web Service has been built on top of Microsoft Windows Communication Foundation. The following gives a very detailed understanding of the concepts of WCF Security and the various configurations that are possible to configure security on the WCF Web Service.Execute the following steps to configure the PSL Web Service to use Transport and Message Security:■Locate the <system.serviceModel> section in the<ArgusInstallPath>\Integrations\web.config file.■By default, the bindingConfiguration used by the Service Endpoint is wsHttpUnsecure.■Security can be configured in the same binding Configuration or a new configuration can be created. The steps mentioned in this section uses a newbinding configuration called wsHttpSecure.■To achieve this, modify the endpoint configuration to use the new bindingConfiguration:<services><servicebehaviorConfiguration="Relsys.InterfaceLibrary.RelsysServiceBehavior"name="Relsys.InterfaceLibrary.RelsysService"><endpoint address="" binding="wsHttpBinding"contract="Relsys.InterfaceComponents.IRelsysService"bindingConfiguration="wsHttpSecure"/></service></services>■Create a new binding configuration under the hierarchy<bindings><wsHttpBinding>, as shown below:<bindings><wsHttpBinding><binding name="wsHttpSecure"><security mode="TransportWithMessageCredential"><transport clientCredentialType="Certificate"/><message clientCredentialType="Certificate" /></security></binding></wsHttpBinding></bindings>The different values available for the clientCredentialType for transport andmessage elements can be found in the WCF documentation mentioned at thebeginning of this section.■Modify the Service Behavior configuration as follows:<behaviors><serviceBehaviors><behavior name="Relsys.InterfaceLibrary.RelsysServiceBehavior"><serviceCredentials><clientCertificate findValue="00 00 00 00 00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00" x509FindType="FindByThumbprint" ></clientCertificate><serviceCertificate findValue="00 00 00 00 00 00 00 00 00 00 00 0000 00 00 00 00 00 00 00" x509FindType="FindByThumbprint"/></serviceCredentials></behavior></serviceBehaviors></behaviors>In the above configuration, configure the findValue and x509FindType according to the Server Certificate and the Client Certificate.9Configuring Security for ESMThe Argus Interchange service should be configured to run under a Domain user. This domain user should have appropriate privileges to some Interchange related folders, as given below:<Interchange Service Install Path>\DTDFiles - Full ControlOutgoing Folder - Full ControlAttachment Outgoing Folder - Full ControlIncoming Folder - Full ControlLog Folder - Full ControlFor E2B Viewer, the folder referred to as the Template path in Argus.ini(<ArgusInstallPath>\E2BViewer\Templates\) needs to be given Full Access. This folder is used for CIOMS and MedWatch views.These changes must be validated at the box placed at the following location:<ArgusInstallPath>\E2BViewer\Templates\10Configuring Security for AG ServiceFor AG Service to correctly show the status of all the processes on AG Service Configuration screen, the Safety_User needs R/W access to AGService.INI file.11Configuring Security for BCL easyPDF SDK 7 (or 6) Loader Minimum Security User configuration should be performed on BCL easyPDF SDK 7 (or 6) Loader service for Login.This ensures that if the user configures the Report Server and attaches the attachment to the Expedited Report, the Expedited Report will generate the PDF without any failure.12Documentation AccessibilityFor information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at/pls/topic/lookup?ctx=acc&id=docacc.Access to Oracle SupportOracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit/pls/topic/lookup?ctx=acc&id=info or visit/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.Oracle Argus Safety Minimum Security Configuration Guide Release 8.1.1E90744-01Copyright © 2016, 2017 Oracle and/or its affiliates. All rights reserved.This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.。