Example Analysis of Security reinforcement of oracle Policy

2025-01-15 Update. From: SLTechnology News&Howtos > Servers


Shulou(Shulou.com)06/01 Report--

In this issue, the editor presents an example analysis of Oracle policy security reinforcement. The article is rich in content and is analyzed and described from a professional point of view; I hope you get something out of reading it.

Alter profile default limit PASSWORD_VERIFY_FUNCTION null;

Alter profile default limit PASSWORD_LIFE_TIME unlimited;

Alter profile default limit FAILED_LOGIN_ATTEMPTS 6;

Alter profile default limit PASSWORD_REUSE_MAX 5;

Alter profile default limit PASSWORD_GRACE_TIME 7;

Account management:

1. Password lifetime

(1) Log in to the operating system as the oracle user.

(2) Log in to the database with sqlplus / as sysdba.

(3) View the currently enabled users and their profiles:

SQL > select username, profile from dba_users where account_status = 'OPEN';

(4) Set PASSWORD_LIFE_TIME in the profile of every enabled user to the desired value:

SQL > alter profile default limit PASSWORD_LIFE_TIME 90;

Here "default" stands for each profile name output by step 3; by default there are two profiles, DEFAULT and MONITORING_PROFILE.

2. Avoid account sharing

Select count(username) from dba_users t where t.account_status = 'OPEN' and default_tablespace not in ('SYSTEM', 'SYSAUX');

(1) Create a user (<username> and <password> are placeholders):

SQL > create user <username> identified by <password>;

Ensure that there are more than two accounts in the system that can log on to the database, so that administrators do not have to share one login.

3. Check whether the maximum number of authentication failures is configured

(1) Log in to the operating system as the oracle user.

(2) Log in to the database with sqlplus / as sysdba.

(3) View the currently enabled users and their profiles:

SQL > select username, profile from dba_users where account_status = 'OPEN';

(4) Set FAILED_LOGIN_ATTEMPTS in the profile of every enabled user to the desired value:

SQL > alter profile default limit FAILED_LOGIN_ATTEMPTS 6;

Here "default" stands for each profile name output by step 3; by default there are two profiles, DEFAULT and MONITORING_PROFILE.

4. Restrict remote login of SYSDBA users

(1) Log in to the operating system as the oracle user.

(2) Log in to the database with sqlplus / as sysdba.

(3) Execute: alter system set REMOTE_LOGIN_PASSWORDFILE=NONE SCOPE=SPFILE;

(4) shutdown immediate

(5) startup

Steps (4) and (5) restart the instance because a SCOPE=SPFILE change only takes effect at the next startup.

Supplementary explanation:

This configuration affects remote management of the database over SQL*Net: with no password file, remote SYSDBA connections are no longer possible.

This configuration may also cause some third-party Oracle management tools to malfunction.

5. Check whether the number of remembered historical passwords is set

(1) Log in to the operating system as the oracle user.

(2) Log in to the database with sqlplus / as sysdba.

(3) View the currently enabled users and their profiles:

SQL > select username, profile from dba_users where account_status = 'OPEN';

(4) Set PASSWORD_REUSE_MAX in the profile of every enabled user to the desired value:

SQL > alter profile default limit PASSWORD_REUSE_MAX 5;

Here "default" stands for each profile name output by step 3; by default there are two profiles, DEFAULT and MONITORING_PROFILE.

6. Check the password strength setting

(1) Log in to the operating system as the oracle user.

(2) Modify the default script $ORACLE_HOME/rdbms/admin/utlpwdmg.sql that ships with Oracle; it creates the verify_function function.

(Note: utlpwdmg.sql already checks the password length and whether the password contains letters, digits and special characters.)

1) # vi $ORACLE_HOME/rdbms/admin/utlpwdmg.sql

Change the following:

IF length(password) < 4 THEN
   raise_application_error(-20002, 'Password length less than 4');
END IF;

to:

IF length(password) < 8 THEN
   raise_application_error(-20002, 'Password length less than 8');
END IF;

2) Change the profile configuration at the very end of utlpwdmg.sql from:

ALTER PROFILE DEFAULT LIMIT
  PASSWORD_LIFE_TIME 60
  PASSWORD_GRACE_TIME 10
  PASSWORD_REUSE_TIME 1800
  PASSWORD_REUSE_MAX UNLIMITED
  FAILED_LOGIN_ATTEMPTS 3
  PASSWORD_LOCK_TIME 1/1440
  PASSWORD_VERIFY_FUNCTION verify_function;

to:

ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION verify_function;

Note: Oracle 10g passwords are case-insensitive; Oracle 11g passwords are case-sensitive.

This completes the utlpwdmg.sql changes.

(3) After logging in to the database with conn / as sysdba, execute:

SQL > @$ORACLE_HOME/rdbms/admin/utlpwdmg.sql

On 11g the script creates verify_function_11G, which is enabled with:

Alter profile default limit PASSWORD_VERIFY_FUNCTION verify_function_11G;

To switch the check off again:

Alter profile default limit PASSWORD_VERIFY_FUNCTION null;
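For readers who want to see what a verify function of the kind utlpwdmg.sql installs looks like, here is an added example (not from the original article and not the Oracle-supplied script): a minimal function implementing the checks the article names (length, letters, digits, special characters) plus a username comparison. The name verify_function_custom is assumed; it must be created in the SYS schema.

```sql
-- Added example, not from utlpwdmg.sql. Password verify functions use this
-- fixed signature and must be owned by SYS; raise an error to reject the password.
CREATE OR REPLACE FUNCTION verify_function_custom (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2) RETURN BOOLEAN IS
BEGIN
  IF LENGTH(password) < 8 THEN
    raise_application_error(-20002, 'Password length less than 8');
  END IF;
  -- Compare case-insensitively: 10g passwords are case-insensitive anyway.
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20003, 'Password must not equal the username');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]') THEN
    raise_application_error(-20004, 'Password must contain a letter');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    raise_application_error(-20005, 'Password must contain a digit');
  END IF;
  IF NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
    raise_application_error(-20006, 'Password must contain a special character');
  END IF;
  -- old_password is NULL when a DBA resets another account's password,
  -- so only compare when the user is changing their own password.
  IF old_password IS NOT NULL AND UPPER(password) = UPPER(old_password) THEN
    raise_application_error(-20007, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/

-- Attach it to the profile exactly as the article does for verify_function.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION verify_function_custom;
```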

7. Check whether the security event log is recorded

(1) Log in to the database.

(2) Create the table LOGON_TABLE:

CREATE TABLE LOGON_TABLE (LOG_CONTEXT varchar(4000), LOG_DATE timestamp);

(3) Create the trigger:

CREATE TRIGGER TRI_LOGON AFTER LOGON ON DATABASE
BEGIN
  INSERT INTO LOGON_TABLE VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), SYSDATE);
END;
/

(Note: the trailing slash must be entered so that SQL*Plus executes the PL/SQL block.)
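The logon trigger above records only the user name and time. The following added example (not from the original article; table and trigger names logon_audit and tri_logon_audit are assumed) records where and how each session connected, guards against the trigger itself failing, and adds a review query for the account-sharing check earlier in the article.

```sql
-- Added example, not from the original article. An AFTER LOGON trigger that
-- raises an error prevents non-administrator logins, so the insert is guarded.
CREATE TABLE logon_audit (
  log_date    TIMESTAMP,
  db_user     VARCHAR2(128),
  os_user     VARCHAR2(128),
  host        VARCHAR2(128),
  ip_address  VARCHAR2(64),
  auth_method VARCHAR2(64),
  module      VARCHAR2(128));

CREATE OR REPLACE TRIGGER tri_logon_audit AFTER LOGON ON DATABASE
BEGIN
  INSERT INTO logon_audit VALUES (
    SYSTIMESTAMP,
    SYS_CONTEXT('USERENV', 'SESSION_USER'),
    SYS_CONTEXT('USERENV', 'OS_USER'),
    SYS_CONTEXT('USERENV', 'HOST'),
    SYS_CONTEXT('USERENV', 'IP_ADDRESS'),        -- NULL for local connections
    SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD'),
    SYS_CONTEXT('USERENV', 'MODULE'));
EXCEPTION
  WHEN OTHERS THEN
    NULL;  -- never fail a login because auditing failed; alert on gaps separately
END;
/

-- Review query for the account-sharing check: one database account used from
-- several hosts within a day is a sign of a shared login.
SELECT db_user,
       COUNT(DISTINCT host) AS distinct_hosts,
       COUNT(*)             AS logons
  FROM logon_audit
 WHERE log_date > SYSTIMESTAMP - INTERVAL '1' DAY
 GROUP BY db_user
HAVING COUNT(DISTINCT host) > 1
 ORDER BY distinct_hosts DESC;
```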

8. Check whether the number of users in the DBA group is limited (Linux)

(1) Use the userdel command to remove redundant operating-system users from the dba group, leaving only the Oracle installation user in the dba group.

9. Change the passwords of the default accounts (Oracle 11g)

List the accounts that still use their default password:

SELECT * FROM DBA_USERS_WITH_DEFPWD;

Change each one (the passwords below are the article's examples); re-run the query afterwards to confirm it returns no rows:

Alter user dip identified by dip1;

Alter user mdsys identified by mdsys1;

Alter user spatial_wfs_admin_usr identified by spatial_wfs_admin_usr1;

Alter user ctxsys identified by ctxsys1;

Alter user olapsys identified by olapsys1;

Alter user outln identified by outln1;

Alter user spatial_csw_admin_usr identified by spatial_csw_admin_usr1;

Alter user exfsys identified by exfsys1;

Alter user oracle_ocm identified by oracle_ocm1;

Alter user scott identified by scott1;

Alter user dbsnmp identified by dbsnmp1;

Alter user mddata identified by mddata1;

Alter user username identified by username1;

Alter user ordplugins identified by ordplugins1;

Alter user ordsys identified by ordsys1;

Alter user appqossys identified by appqossys1;

Alter user orddata identified by orddata1;

Alter user xdb identified by xdb1;

Alter user si_informtn_schema identified by si_informtn_schema1;

Alter user wmsys identified by wmsys1;


10. Number of grace days after the password expires

(1) Log in to the operating system as the oracle user.

(2) Log in to the database with sqlplus / as sysdba.

(3) View the currently enabled users and their profiles:

SQL > select username, profile from dba_users where account_status = 'OPEN';

(4) Set PASSWORD_GRACE_TIME in the profile of every enabled user to the desired value:

SQL > alter profile default limit PASSWORD_GRACE_TIME 7;

Here "default" stands for each profile name output by step 3; by default there are two profiles, DEFAULT and MONITORING_PROFILE.
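The PASSWORD_LIFE_TIME, FAILED_LOGIN_ATTEMPTS, PASSWORD_REUSE_MAX and PASSWORD_GRACE_TIME steps above each alter only the DEFAULT profile by name. As an added example (not from the original article), the block below applies the same limits to every profile that an OPEN account actually uses, and the query then shows the effective values, resolving limits that non-DEFAULT profiles inherit from DEFAULT.

```sql
-- Added example, not from the original article. Apply the article's limits to
-- every profile in use by an OPEN account, not only to DEFAULT.
BEGIN
  FOR p IN (SELECT DISTINCT profile
              FROM dba_users
             WHERE account_status = 'OPEN') LOOP
    -- ENQUOTE_NAME quotes the identifier so an unusual profile name cannot
    -- alter the meaning of the dynamically built statement.
    EXECUTE IMMEDIATE 'ALTER PROFILE '
      || DBMS_ASSERT.ENQUOTE_NAME(p.profile, FALSE)
      || ' LIMIT PASSWORD_LIFE_TIME 90'
      || ' FAILED_LOGIN_ATTEMPTS 6'
      || ' PASSWORD_REUSE_MAX 5'
      || ' PASSWORD_GRACE_TIME 7';
  END LOOP;
END;
/

-- Verification. In a non-DEFAULT profile a limit of DEFAULT is inherited from
-- the DEFAULT profile, so resolve it before judging the value.
-- PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME interact, so both are listed.
SELECT u.profile,
       p.resource_name,
       CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS effective_limit
  FROM (SELECT DISTINCT profile FROM dba_users WHERE account_status = 'OPEN') u
  JOIN dba_profiles p
    ON p.profile = u.profile
   AND p.resource_type = 'PASSWORD'
  JOIN dba_profiles d
    ON d.profile = 'DEFAULT'
   AND d.resource_name = p.resource_name
 WHERE p.resource_name IN ('PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS',
                           'PASSWORD_REUSE_MAX', 'PASSWORD_REUSE_TIME',
                           'PASSWORD_GRACE_TIME', 'PASSWORD_VERIFY_FUNCTION')
 ORDER BY u.profile, p.resource_name;
```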

=

Password policy

Configure the minimum authorization of the account

Select grantee, owner, table_name from dba_tab_privs where grantee = 'PUBLIC' and privilege = 'EXECUTE' and table_name in ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'DBMS_LOB', 'DBMS_SYS_SQL', 'DBMS_JOB');

(1) Log in to sqlplus as a DBA and execute:

Set pagesize 500 linesize 500

Select table_name from dba_tab_privs where grantee = 'PUBLIC' and privilege = 'EXECUTE' and table_name in ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'DBMS_LOB', 'DBMS_SYS_SQL', 'DBMS_JOB');

(2) To revoke the unnecessary package execute privileges from the PUBLIC role, execute:

SQL > revoke execute on <package_name> from public; -- <package_name> is a package name output by step 1

Revoke execute on DBMS_LOB from public;

Revoke execute on UTL_TCP from public;

Revoke execute on UTL_HTTP from public;

Revoke execute on UTL_FILE from public;

Revoke execute on UTL_SMTP from public;

Revoke execute on DBMS_JOB from public;

Check the roles granted to a given account (RPTUSER in this example):

Select grantee, granted_role from dba_role_privs where grantee = 'RPTUSER';
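Revoking a package from PUBLIC invalidates every object in other schemas that depends on it, so a practitioner checks dependencies first and grants EXECUTE directly to the schemas that need it. The block below is an added example (not from the original article): the dependency check, a revoke loop that only touches grants that exist and follows the article's revoke list, and a re-run of the article's check.

```sql
-- Added example, not from the original article. Find non-Oracle schemas whose
-- code references these packages (directly or via the PUBLIC synonym); they need
-- a direct EXECUTE grant, or their objects go INVALID once PUBLIC loses it.
SELECT owner, name, type, referenced_name
  FROM dba_dependencies
 WHERE referenced_owner IN ('SYS', 'PUBLIC')
   AND referenced_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP',
                           'DBMS_LOB', 'DBMS_SYS_SQL', 'DBMS_JOB')
   AND owner NOT IN ('SYS', 'SYSTEM', 'PUBLIC')
 ORDER BY owner, referenced_name, name;

-- Revoke only the grants that actually exist, so the block does not fail on a
-- package PUBLIC never had. The list matches the article's revoke statements.
BEGIN
  FOR g IN (SELECT table_name
              FROM dba_tab_privs
             WHERE grantee = 'PUBLIC'
               AND privilege = 'EXECUTE'
               AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP',
                                  'UTL_SMTP', 'DBMS_LOB', 'DBMS_JOB')) LOOP
    EXECUTE IMMEDIATE 'REVOKE EXECUTE ON SYS.'
      || DBMS_ASSERT.ENQUOTE_NAME(g.table_name, FALSE)
      || ' FROM PUBLIC';
  END LOOP;
END;
/

-- Re-run the article's check; it should now return no rows for these packages.
SELECT table_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP',
                      'UTL_SMTP', 'DBMS_LOB', 'DBMS_JOB');
```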


=

File permissions

1. Check whether a listener password is set (Linux)

The resulting listener.ora entry looks like this:

PASSWORDS_LISTENER = 1DF5C2FD0FE9CFA2

(1) Log in to the operating system as the oracle user.

(2) Run lsnrctl.

(3) Run change_password.

(4) Run set password.

(5) Run save_config. (Note: on 10g, LOCAL_OS_AUTHENTICATION_LISTENER = OFF must also be added to listener.ora.)

The above is the example analysis of Oracle policy security reinforcement shared by the editor. If you have similar questions, you may refer to the analysis above. If you want to learn more, you are welcome to follow the industry information channel.
