Kingbasees Security Guide for Jincang database -- 2.2. prevention of kingbasees' threats to database security

Identity counterfeiting

Identity Authentication

Through user identification and identity authentication based on enhanced password , Including complex passwords for database users Check the degree 、 Set the validity period of the account password 、 Account abnormal login lock 、 Account login letter Information display and other security policy management mechanisms .KingbaseES It also supports a variety of third-party authentication services Be sure to enable strong authentication , for example ,Kerberos、ssl、radius etc. . Use autonomous access control （DAC） To subject （ Such as user ） Operation object （ As shown in the table ） Carry out authorization management The reason is , Use mandatory access control (MAC), Assign security marks to the controlled subjects and objects , then According to these marks, access arbitration is carried out to resist the security threat of phishing attacks .

Tampering

Integrity protection

Record the check value for each data block . When reading data , First, complete the consistency verification . If problems are found , Timely error reporting , Prevent errors from spreading , Prevent error escalation . Recalculate the check value of data before writing data to resist the security threat of tampering attacks .

Deny

Audit

Through the audit function , Automatically record all user operations on the database and put them into the audit log , Auditors （sao） You can analyze the audit log , Take effective measures against potential threats in advance Measures to achieve the effect of repudiation .

Information disclosure

encryption / Data desensitization / Object reuse

Through transparent encryption 、 Data desensitization 、 Functions such as object reuse , When the data is written to the disk Line encryption , When the authorized user re reads the data, decrypt it . Control the sensitive information transmitted to the client through policies , Where resources are applied for and released Clear the residual information on the media , To prevent information from leaking .

Denial of service

Resource constraints

By limiting the available resources of users in a database connection application and the address of connection requests Check to resist denial of service security threats .

Elevated privileges

Authorization management

Through the separation of powers, the management privileges are divided into three administrators , Database administrator 、 Security administrator and auditor Account administrator , Each administrator maintains users within their own permission . Yes SQL Injected behavior identifies and blocks the way its services are , Resist security threats such as privilege escalation .