这期内容当中小编将会给大家带来有关oracle策略安全加固的示例分析,文章内容丰富且以专业的角度为大家分析和叙述,阅读完这篇文章希望大家可以有所收获。
alter profile default limit password_verify_function null;
alter profile default limit PASSWORD_LIFE_TIME unlimited;
alter profile default limit FAILED_LOGIN_ATTEMPTS 6;
alter profile default limit PASSWORD_REUSE_MAX 5;
alter profile default limit PASSWORD_GRACE_TIME 7;
账号管理:
一、口令生存期
(1).oracle用户登录系统。
(2).sqlplus / as sysdba登陆数据库.
(3).查看当前开启用户及其profile
sql>select username,profile from dba_users where account_status='OPEN';
(4).将所有开启用户的profile中的PASSWORD_LIFE_TIME设置为期望数值
sql>alter profile default limit PASSWORD_LIFE_TIME 90; #<profile_name>为步骤3输出的profile名称,默认有两种DEFAULT和MONITORING_PROFILE
二、避免账号共享
select count(username) from dba_users t where t.account_status = 'OPEN' and default_tablespace not in('SYSTEM','SYSAUX');
(1).创建用户:
sql>create user <username> identified by <password>;
保证系统中存在两个以上能够登录数据库的账号.
三、检查是否配置最大认证失败次数
(1).oracle用户登录系统。
(2).sqlplus / as sysdba登陆数据库.
(3).查看当前开启用户及其profile
sql>select username,profile from dba_users where account_status='OPEN';
(4).将所有开启用户的profile中的FAILED_LOGIN_ATTEMPTS设置为期望数值
sql>alter profile default limit FAILED_LOGIN_ATTEMPTS 6; #<profile_name>为步骤3输出的profile名称,默认有两种DEFAULT和MONITORING_PROFILE
四、限制SYSDBA权限类用户远程登录
(1).oracle用户登录系统。
(2).sqlplus / as sysdba登陆数据库。
(3).执行alter system set REMOTE_LOGIN_PASSWORDFILE=NONE SCOPE=SPFILE;
(4).shutdown immediate.
(5).startup.
补充说明
此配置影响远程以Sql*Net方式对数据库的管理
此配置也可能使某些第三方ORACLE管理工具不正常
五、检查是否设置记住历史密码次数
(1).oracle用户登录系统。
(2).sqlplus / as sysdba登陆数据库.
(3).查看当前开启用户及其profile
sql>select username,profile from dba_users where account_status='OPEN';
(4).将所有开启用户的profile中的PASSWORD_REUSE_MAX设置为期望数值
sql>alter profile default limit PASSWORD_REUSE_MAX 5; #<profile_name>为步骤3输出的profile名称,默认有两种DEFAULT和MONITORING_PROFILE
六、检查口令强度设置
(1).oracle用户登录系统
(2).修改Oracle自带的默认文件$ORACLE_HOME/rdbms/admin/utlpwdmg.sql创建verify_function函数
(注:utlpwdmg.sql中已经对口令长度,是否包含字母、数字、特殊字符验证)。
1)#vi $ORACLE_HOME/rdbms/admin/utlpwdmg.sql
将以下内容:
IF length(password) < 4 THEN
raise_application_error(-20002, 'Password length less than 4');
END IF;
修改为
IF length(password) < 8 THEN
raise_application_error(-20002, 'Password length less than 8');
END IF;
2)修改utlpwdmg.sql里面最后面的部分配置:
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 60
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_TIME 1800
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 1/1440
PASSWORD_VERIFY_FUNCTION verify_function;
为
ALTER PROFILE DEFAULT LIMIT
PASSWORD_VERIFY_FUNCTION verify_function;
注:oracle10g口令不区分大小写,oracle11g口令区分大小写。
utlpwdmg.sql设置完毕
(3).conn / as sysdba登陆数据库后,执行
sql>@$ORACLE_HOME/rdbms/admin/utlpwdmg.sql
alter profile default limit password_verify_function verify_function_11G;
alter profile default limit password_verify_function null;
七、检查是否记录安全事件日志
(1).登录数据库。
(2).建表LOGON_TABLE
CREATE TABLE LOGON_TABLE(LOG_CONTEXT varchar(4000),LOG_DATE timestamp);
(3).建触发器
CREATE TRIGGER TRI_LOGON AFTER LOGON ON DATABASE BEGIN INSERT INTO LOGON_TABLE VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), SYSDATE); END;
/
(注意:最后必须要输入斜杠)
八、检查是否设置DBA组用户数量限制-LINUX
(1).使用 userdel 命令删除多余的DBA组中的操作系统用户,DBA组中只留一个Oracle安装用户
九、修改默认账户的密码-oracle11g
SELECT * FROM DBA_USERS_WITH_DEFPWD;
alter user dip identified by dip1;
alter user mdsys identified by mdsys1;
alter user spatial_wfs_admin_usr identified by spatial_wfs_admin_usr1;
alter user ctxsys identified by ctxsys1;
alter user olapsys identified by olapsys1;
alter user outln identified by outln1;
alter user spatial_csw_admin_usr identified by spatial_csw_admin_usr1;
alter user exfsys identified by exfsys1;
alter user oracle_ocm identified by oracle_ocm1;
alter user scott identified by scott1;
alter user mddata identified by mddata1;
alter user username identified by username1;
alter user ordplugins identified by ordplugins1;
alter user ordsys identified by ordsys1;
alter user appqossys identified by appqossys1;
alter user orddata identified by orddata1;
alter user xdb identified by xdb1;
alter user si_informtn_schema identified by si_informtn_schema1;
alter user wmsys identified by wmsys1;
===============
alter user dip identified by dip1;
alter user mdsys identified by mdsys1;
alter user spatial_wfs_admin_usr identified by spatial_wfs_admin_usr1;
alter user ctxsys identified by ctxsys1;
alter user olapsys identified by olapsys1;
alter user outln identified by outln1;
alter user spatial_csw_admin_usr identified by spatial_csw_admin_usr1;
alter user exfsys identified by exfsys1;
alter user oracle_ocm identified by oracle_ocm1;
alter user dbsnmp identified by dbsnmp1;
alter user mddata identified by mddata1;
alter user ordplugins identified by ordplugins1;
alter user ordsys identified by ordsys1;
alter user appqossys identified by appqossys1;
alter user orddata identified by orddata1;
alter user xdb identified by xdb1;
alter user si_informtn_schema identified by si_informtn_schema1;
alter user wmsys identified by wmsys1;
十、口令到达终止时间后的宽限天数
(1).oracle用户登录系统。
(2).sqlplus / as sysdba登陆数据库.
(3).查看当前开启用户及其profile
sql>select username,profile from dba_users where account_status='OPEN';
(4).将所有开启用户的profile中的PASSWORD_GRACE_TIME设置为期望数值
sql>alter profile default limit PASSWORD_GRACE_TIME 7; #<profile_name>为步骤3输出的profile名称,默认有两种DEFAULT和MONITORING_PROFILE
========
口令策略
一、配置账户最小授权
select grantee,owner,table_name from dba_tab_privs where grantee='PUBLIC' and privilege='EXECUTE' and table_name in ('UTL_FILE','UTL_TCP','UTL_HTTP','UTL_SMTP','DBMS_LOB','DBMS_SYS_SQL','DBMS_JOB');
(1)以DBA身份登录sqlplus,执行:
set pagesize 500 linesize 500
select table_name from dba_tab_privs where grantee='PUBLIC' and privilege='EXECUTE' and table_name in ('UTL_FILE','UTL_TCP','UTL_HTTP','UTL_SMTP','DBMS_LOB','DBMS_SYS_SQL','DBMS_JOB');
(2)如撤销不必要的public角色包执行权限,执行:
SQL>revoke execute on <程序包名称> from public; #程序包名称为步骤1的输出
revoke execute on DBMS_LOB from public;
revoke execute on UTL_TCP from public;
revoke execute on UTL_HTTP from public;
revoke execute on UTL_FILE from public;
revoke execute on UTL_SMTP from public;
revoke execute on DBMS_JOB from public;
select grantee,granted_role from dba_role_privs where grantee='RPTUSER';
============
认证授权
一、检查是否记录操作日志
(1).登录数据库。
(2).建表LOGON_TABLE
CREATE TABLE LOGON_TABLE(LOG_CONTEXT varchar(4000),LOG_DATE timestamp);
(3).建触发器
CREATE TRIGGER TRI_LOGON AFTER LOGON ON DATABASE BEGIN INSERT INTO LOGON_TABLE VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), SYSDATE); END;
/
(注意:最后必须要输入斜杠)
二、检查是否配置日志功能
(1).登录数据库。
(2).建表LOGON_TABLE
CREATE TABLE LOGON_TABLE(LOG_CONTEXT varchar(4000),LOG_DATE timestamp);
(3).建触发器
CREATE TRIGGER TRI_LOGON AFTER LOGON ON DATABASE BEGIN INSERT INTO LOGON_TABLE VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), SYSDATE); END;
/
(注意:最后必须要输入斜杠)
============
文件权限
一、 检查是否为监听设置密码-LINUX
PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2
(1).oracle用户登录系统。
(2).lsnrctl。
(3).change_password。
(4).set password
(5).save_config.(注意10g需要listener.ora中加入
LOCAL_OS_AUTHENTICATION_LISTENER = OFF)
上述就是小编为大家分享的oracle策略安全加固的示例分析了,如果刚好有类似的疑惑,不妨参照上述分析进行理解。如果想知道更多相关知识,欢迎关注亿速云行业资讯频道。
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。
