Up to this point, we have discussed a fair portion of Sybase's functionality, though we have barely scratched the surface in terms of the various ways that Sybase can be configured. Many issues become relevant only when an enterprise-level database infrastructure is involved.
Here's a quick-reference checklist of the points discussed in this chapter.
Read the Sybase security documentation.
Regularly check the Sybase update page.
Periodically search for alternative security documentation.
Periodically search vulnerability databases.
Apply host- and network-based packet filters.
Use a low-privileged account to run Sybase.
Run Sybase in a chroot jail.
Restrict Sybase access to the filesystem.
Restrict other users' access to the Sybase directory.
Enforce account password complexity and lockout.
Remove privileges from the default sa account.
Use (at least) one user per web application.
Do not give users unnecessary privileges.
Enable auditing.
Disable xp_cmdshell.
Disable Java if possible.
Disable filesystem proxy table support if possible.
Don't install test databases, and clear test data.
Use strong authentication.
The recommendations in this section are divided into four categories: Background, Operating System, Sybase Users, and Sybase Configuration.