107 - 13.2 The DBA Toolkit and Security

Team-Fly    

 
Oracle Security
By William Heney, Marlene Theriault
Table of Contents
Chapter 13.  Using the Oracle Enterprise Manager


13.2 The DBA Toolkit and Security

The OEM contains a set of database administration tools you can use to perform the normal, day-to-day tasks required of a DBA. As we said at the beginning of this chapter, the OEM is a GUI tool which will help you perform database administration tasks . Although it communicates with the databases using SQL commands (everything communicates with the database through SQL commands), the OEM is not a replacement for SQL*Plus SQL never goes away.

If you are a new DBA, you will find tools within the OEM toolkit to help you perform your job more efficiently and effectively. If you are a seasoned DBA, you will still find many tools within the product set to help you be a better DBA. We recommend that, if you are a new DBA, you take advantage of the "Show SQL" option available from most of the tool screens to help you learn the SQL commands used to execute the various tasks you will perform with the OEM.

Do not rely solely on the OEM to perform your tasks. If, for whatever reasons, the OEM console becomes unavailable to you, you will have to be able to issue SQL commands explicitly and you'll need a thorough knowledge of those commands so you can administer your databases.

The following sections will examine each utility provided within the DBA toolkit and focus on what options, if any, are provided to aid you in implementing and maintaining database security.

13.2.1 The Oracle Backup Manager

The Backup Manager enables you to perform the backups necessary to protect your system. If you ever have a damaging security breach, sound backups will ensure your ability to recover to an undamaged version of the database.

The latest version of the Oracle Backup Manager provides the ability to:

  • Use the new Recovery Manager option as well as the backup tasks available in earlier versions of the OEM

  • Perform online or offline backups of a database

  • Switch from database to database

  • View the status of your tablespaces and log files

  • Enable roles interactively

  • Perform tablespace, control file, or redo log file backups (a "backup wizard" is provided)

  • Shut down, start up, restrict sessions, and allow all sessions in a database

  • Enable, disable, and examine archive logs

  • Manually archive or switch log files

  • Force checkpointing, add log members, and add group members

  • Keep a log of your actions

  • Quickly check the status of the database to see if it is up or down

  • View the current size of the database's SGA and whether archive logging is enabled

  • See the resource limits in effect for the database

13.2.1.1 The Oracle Data Manager

The Oracle Data Manager enables you to perform exports, imports, and data loads. For exports, you can:

  • List the type of export to perform (tables, users, or full database)

  • List the table names and select which ones you want to export

  • Specify whether you want grants, indexes, rows, and/or constraints exported

Under the "Advanced" option, you are able to:

  • Specify record length, buffer size, whether to generate a log file, and its name

  • Specify whether to export a read-consistent view of the data

  • Designate what export type to perform (Complete, Cumulative, Incremental, or None)

  • Designate a statistics type (Estimate, Compute, or None)

  • Specify whether to "Merge Extents for Import" (compress extents)

For imports, you can specify:

  • The file to import

  • The type of import (tables, users, or full database)

  • Whether you want rows, indexes, and/or grants imported

  • Whether to ignore errors when trying to create objects

Under the "Advanced" option, you can specify:

  • Record length and buffer size

  • Whether to generate a log file and its name

  • Increment type (Restore, System, or None)

  • Whether to write an index creation script to a file and the file name

  • Whether to commit after each array

  • Whether to overwrite existing data files

For the Load option, which invokes SQL*Loader, you can specify the names for the following entities:

  • The control file

  • The data file

  • The log file

  • The bad file

  • The discard file

Under the "Advanced" option, you can specify:

  • Records to skip and records to load

  • Rows per commit and maximum errors

  • Maximum discards

  • Maximum bind array

  • Whether the data path can be conventional or direct

For all of these options, there are areas in which default values have been placed, so if you are going to perform an export, import, or data load, for example, be sure to check the defaults under the "Advanced" option so a parameter that is set very small won't "bite" you.

As with the Backup Manager, the Data Manager helps you establish a fallback position for data recovery so you are prepared if anything happens to damage your database. See Chapter 12 for more information.

13.2.1.2 The Oracle Instance Manager

The Oracle Instance Manager enables you to:

  • View the INIT.ORA parameters, sessions, and in-doubt transactions

  • Start up, shut down, mount, or open a database

  • Disconnect, restrict, or allow all sessions

  • Force commit or rollback of transactions

  • Import initialization parameters from a database or file, and export initialization parameters to a file

Since version 7.3 of the RDBMS, the Instance Manager has provided the ability to change many parameters dynamically. This tool enables you to change parameters interactively.

The ability to perform any of the actions available from the Instance Manager poses a very real security threat to your databases. As we mentioned earlier in this chapter, since you can start up the database both in normal and restricted mode and can shut down the database with this manager, be sure the console is protected from interaction by casual users.

13.2.1.3 The Oracle Replication Manager

The Oracle Replication Manager enables you to:

  • Create database connections for master, snapshot, refresh, destination link, or job

  • Add objects to master groups, snapshot groups, or refresh groups

  • Modify default values for a master group, snapshot group, schedule database links, or refresh group

  • Modify job parameters, show options, date options, row query limits, or fonts

  • Record scripts

Note that under the default option, there are many changeable parameters under each area and many defaults to verify. Before submitting a job or taking an action, be sure to check all default parameters to ensure that what you want is really what you get.

Snapshots provide a way to replicate only a portion of data from one database to another. The use of both simple snapshot replication and more complex symmetric replication can help you implement applications with more secure data access.

13.2.1.4 The Oracle Schema Manager

The Oracle Schema Manager first displays a list of all available objects in the database to which you are connected. These include clusters, database links, functions, indexes, package bodies, packages, procedures, refresh groups, sequences, snapshot logs, snapshots, synonyms, tables, triggers, and views.

This manager enables you to create objects or, once you have selected an existing object, "CREATE objects LIKE" the object you have selected. The beauty of being able to create a new object like an existing one, but with minor modifications, is the speed and ease with which you can perform these tasks. Once you have selected an object, you can:

  • Remove the object

  • Grant privileges to the object

  • Create synonyms for the object

  • Create indexes on the object

Since database security can be enforced through views, triggers, synonyms, snapshots, packages, and procedures, the Schema Manager provides a utility through which these objects can be managed easily.

13.2.1.5 The Oracle Security Manger

Within the Oracle toolkits, there are two different products with very similar names:

  • The Oracle Security Manager, which resides in the OEM

  • The Oracle Security Server (OSS), which exists as a separate utility

The Oracle Security Manager, accessed through the OEM, is used to create and control users, roles, and profiles. The options to create, create like, and remove from each of these types is available. In addition, under users and roles, you can add and revoke privileges. Under profiles, the option to assign a profile to users exists. The Oracle Security Manager lets you administer and enforce basic database security.

The Oracle Security Server, accessed through its own option from the Start Program windows menu, is discussed in detail in Chapter 15. This product is used to provide single sign-on access to databases by users through the generation and tracking of certificates of authority.

The windows displayed for both of these products are very similar, adding to the confusion. For the Oracle Security Manager, the initial window is shown in Figure 13.4.

Figure 13.4. The Oracle Security Manager
figs/osec_1304.gif

The ability to create users, roles, and profiles through the Security Manager will help you implement some of the most powerful Oracle security features available.

13.2.1.6 The Oracle SQL Worksheet

The Oracle SQL Worksheet lets you:

  • Create SQL and PL/SQL scripts

  • Edit SQL and PL/SQL scripts

  • Run SQL and PL/SQL scripts

  • Save SQL and PL/SQL scripts to a file or to disk (when saving the work)

Through the SQL Worksheet, you can test your code easily and quickly, make modifications to the code, and retest it. You can also run Oracle-supplied environment scripts like CATALOG.SQL and CATPROC.SQL from the SQL Worksheet.

For security, you can use the SQL Worksheet option to run SQL statements to enable or disable auditing or to monitor who is currently accessing your database.

13.2.1.7 The Oracle Storage Manager

The Oracle Storage Manager enables the management of tablespaces, datafiles, and rollback segments. For a tablespace, you can:

  • Create, remove, add a datafile to, or add a rollback segment to a tablespace

  • Place a tablespace on or off line

  • Make a tablespace read-only or writeable

  • Use the backup wizard

For a datafile, you can:

  • Create

  • Create like

  • Place online or offline

For a rollback segment, you can:

  • Create

  • Create like

  • Remove

  • Shrink

  • Place online or offline

The interactive ability to shrink a rollback segment became available as of version 7.2. If you are using an earlier version of the database, the command to shrink a rollback segment will not work.

From a security point of view, the only significant feature of the Storage Manager is the ability to back up the database from this option.

13.2.1.8 The Oracle Software Manager

The Oracle Software Manager is an option that seems to change complexion with each new release of the OEM. The tool enables you to manage software and installations from the console for any distribution host in your OEM network. The Software Manager window initially consists of two sections. The first section is the Navigator list, which displays a World folder. Below the World folder are Hosts and a Hosts Folder folders. The second section is a Catalog Software Packages section.

With the current version of the Software Manager, you can:

  • Configure a customized installation of Oracle software from the OEM console

  • Perform the installation across the network to the platform you have specified

  • Easily see which versions of software have been fielded to which platforms

This feature gives you the ability to control and implement several software installations on various machines from a central location. As we mentioned, with any software installation, be sure to protect the operating system files from casual user interactions.


Team-Fly    
Top


Oracle Security
Oracle Security Handbook : Implement a Sound Security Plan in Your Oracle Environment
ISBN: 0072133252
EAN: 2147483647
Year: 1998
Pages: 154

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net