设置密码复杂度
密码复杂度开关打开,打开后密码必须满足:①至少八位长度 ② 数字+大小写+特殊字符
alter system set _CHECK_PASSWORD_COMPLEXITY=true;
示例:
SQL> alter system set _CHECK_PASSWORDCOMPLEXITY=true; Succeed. SQL> create user user1 identified by simple1; YAS-02317 failed to check password complexity for password must contain at least 8 characters SQL> create user user1 identified by Short1; YAS-02317 failed to check password complexity for password must contain at least 8 characters SQL> create user user1 identified by Complex1; YAS-02317 failed to check password complexity for password must contain at least 1 special character SQL> create user user1 identified by Complex1_; Succeed. SQL> drop user user1; |
备注:对于存储在数据库表中的密码,YashanDB提供_CHECK_PASSWORD_COMPLEXITY(隐藏参数,默认值FALSE)用于控制是否开启密码强度控制,该参数默认为false不开启。弱密码对于系统安全有严重危害性,建议生产环境打开开关。开启密码强度控制后,YashanDB将在密码设置时进行强度校验,输入的密码需要满足 ①至少八位长度 ② 数字+大小写+特殊字符组合的条件后才能设置成功。
所有账号(包括SYS账号)的密码符合复杂度要求
所有账号(包括SYS账号)的密码需要满足 ①至少八位长度 ② 数字+大小写+特殊字符
示例:
SYS/Abc123_2yP=y) USER1/O1001ZGAfaes_0UP2 |
设置密码策略
所有的profile(尤其是默认策略 - default),都需要设置:
FAILED_LOGIN_ATTEMPTS 3 –- 登录失败锁定次数
PASSWORD_LIFE_TIME 90 –- 密码过期天数
PASSWORD_REUSE_TIME 1800 –- 密码复用间隔最小天数
PASSWORD_REUSE_MAX 6 –- 密码复用次数最大次数
PASSWORD_LOCK_TIME 1 –- 密码锁定天数
PASSWORD_GRACE_TIME 7 –- 密码过期前宽限天数
示例:
alter profile default limit FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LIFE_TIME 90 PASSWORD_REUSE_TIME 1800 PASSWORD_REUSE_MAX 6 PASSWORD_LOCK_TIME 1 PASSWORD_GRACE_TIME 7; SQL> alter profile default limit FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LIFE_TIME 90 PASSWORD_REUSE_TIME 1800 PASSWORD_REUSE_MAX 6 PASSWORD_LOCK_TIME 1 PASSWORD_GRACE_TIME 7; Succeed. SQL> select * from dba_profiles; PROFILE RESOURCE_NAME RESOURCE_TYPE LIMIT ---------------------------------------------------------------- ---------------------------------------------------------------- ------------- --------------------------------------------- DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 3 DEFAULT PASSWORD_LIFE_TIME PASSWORD 90 DEFAULT PASSWORD_REUSE_TIME PASSWORD 1800 DEFAULT PASSWORD_REUSE_MAX PASSWORD 6 DEFAULT PASSWORD_LOCK_TIME PASSWORD 1 DEFAULT PASSWORD_GRACE_TIME PASSWORD 7 6 rows fetched. SQL> select username, profile from dba_users; USERNAME PROFILE ---------------------------------------------------------------- ---------------------------------------------------------------- SYS DEFAULT DBBAK DEFAULT DBMGR PROF_SYS USER1 DEFAULT USER2 DEFAULT 5 rows fetched. |
无实际使用用途且非管理员的账号处于锁定状态
无实际使用用途且非管理员的账号(例如:MDSYS)处于锁定状态
示例:
SQL> select username, account_status from dba_users; USERNAME ACCOUNT_STATUS ---------------------------------------------------------------- --------------------------------- SYS OPEN MDSYS LOCKED 2 rows fetched. |
禁用免密登录
对于崖山,禁止用户免密登录是检查$YASDB_DATA/config/yasdb_net.ini,应有配置ENABLE_LOCAL_OSAUTH = off
禁用默认密码
检查崖山默认密码是Cod-2022或者yasdb_123,无法登录用户
示例:
[yashan@host-10-76-249-193 ~]$ yasql sys/Cod-2022 YashanDB SQL Release 22.2.12.100 aarch64 YAS-02143 invalid username/password, login denied please input user name: YASQL-00007 invalid username/password; logon denied please input user name: YASQL-00007 invalid username/password; logon denied YASQL-00007 unable to CONNECT to Server after 3 attempts [yashan@host-10-76-249-193 ~]$ yasql sys/yasdb_123 YashanDB SQL Release 22.2.12.100 aarch64 YAS-02143 invalid username/password, login denied please input user name: YASQL-00007 invalid username/password; logon denied please input user name: YASQL-00007 invalid username/password; logon denied YASQL-00007 unable to CONNECT to Server after 3 attempts |
加密存储
根据实际情况调整。
1**、**如果客户无加密要求,则跳过此项设置。
2**、如果只对某些表存在加密要求,则建表**DDL需要使用加密表空间。
示例:
CREATE TABLESPACE USER1_SECURITY_DATA DATAFILE '?/dbfiles/USER1_SECURITY_DATA1.dbf' SIZE 2G AUTOEXTEND ON MAXSIZE UNLIMITED ENCRYPTION ENCRYPT; CREATE TABLE USER1.TABLE1(COL1 INT PRIMRARY KEY, COL2 VARCHAR(100), xxx) TABLESPACE USER1_SECURITY_DATA; |
3**、如果用于所有表都存在加密要求,则不仅建表需要使用加密表空间,且用户的默认表空间**也需要设置为加密表空间。
示例:
CREATE TABLESPACE USER1_SECURITY_DATA DATAFILE '?/dbfiles/USER1_SECURITY_DATA1.dbf' SIZE 2G AUTOEXTEND ON MAXSIZE UNLIMITED ENCRYPTION ENCRYPT; CREATE TABLE USER1.TABLE1(COL1 INT PRIMARY KEY, COL2 VARCHAR(100), xxx) TABLESPACE USER1_SECURITY_DATA; ALTER USER USER1 DEFAULT TABLESPACE USER1; |
设置审计策略
已开启审计:日志功能,审计内容覆盖到每个用户,能够记录重要用户行为和重要安全事件。用户登录系统、自主访问控制的所有操作记录、重要用户行为(如增加/删除用户,删除库表)等。注意:对仅对DBA权限用户设置LOGON/LOGOFF审计(如果有多个DBA账号,都需要审计)
alter system set UNIFIED_AUDITING=true; CREATE AUDIT POLICY UP1 PRIVILEGES CREATE ANY TABLE, CREATE TABLE, ALTER ANY TABLE, DROP ANY TABLE, GRANT ANY PRIVILEGE, GRANT ANY OBJECT PRIVILEGE, GRANT ANY ROLE, CREATE USER, ALTER USER, DROP USER, DROP ANY ROLE, AUDIT SYSTEM; CREATE AUDIT POLICY UP2 ACTIONS DROP TABLE, DROP ROLE, CREATE AUDIT POLICY, ALTER AUDIT POLICY, DROP AUDIT POLICY, AUDIT, NOAUDIT; CREATE AUDIT POLICY UP3 ACTIONS LOGON, LOGOFF; AUDIT POLICY UP3 BY SYS; AUDIT POLICY UP1; AUDIT POLICY UP2; |
示例:
设置审计清理策略
设置审计日志保留270天,每天清理一次过期的审计日志
BEGIN DBMS_SCHEDULER.CREATE_JOB ( 'update_audit_archive_time', 'PLSQL_BLOCK', 'BEGIN DBMS_AUDIT_MGMT.SET_LASTARCHIVETIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, sysdate-270);END;' , 0, SYSDATE, 'sysdate+1', NULL, 'DEFAULT_JOB_CLASS', TRUE, FALSE, 'update audit archive time'); END; / BEGIN DBMS_AUDIT_MGMT.CREATE_PURGE_JOB ( DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, SYSDATE + 5/24, 'sysdate + 1', 'audit_job', TRUE); END; / |
示例:
SQL> BEGIN 2 DBMS_SCHEDULER.CREATE_JOB ( 3 'update_audit_archive_time', 4 'PLSQL_BLOCK', 5 'BEGIN DBMS_AUDIT_MGMT.SET_LASTARCHIVETIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, sysdate-270);END;' , 6 0, 7 SYSDATE, 8 'sysdate+1', 9 NULL, 10 'DEFAULT_JOB_CLASS', 11 TRUE, 12 FALSE, 13 'update audit archive time'); 14 END; 15 / PL/SQL Succeed. SQL> select job_name, REPEAT_INTERVAL from DBA_SCHEDULER_JOBS; JOB_NAME REPEAT_INTERVAL ---------------------------------------------------------------- ---------------------------------------------------------------- GATHER_STATS_JOB cast(TRUNC(SYSDATE+1) + 2/24 as timestamp) UPDATE_AUDIT_ARCHIVE_TIME sysdate+1 2 rows fetched. SQL> select job_name, JOB_ACTION from DBA_SCHEDULER_JOBS; JOB_NAME JOB_ACTION ---------------------------------------------------------------- ---------------------------------------------------------------- GATHER_STATS_JOB begin DBMS_STATS.GATHERDATABASESTATS('GATHER AUTO', 0, 8, 'FOR ALL COLUMNS SIZE AUTO', 'GLOBAL', TRUE, TRUE); end; UPDATE_AUDIT_ARCHIVE_TIME BEGIN DBMS_AUDIT_MGMT.SET_LASTARCHIVETIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, sysdate-270);END; 2 rows fetched. SQL> BEGIN 2 DBMS_AUDIT_MGMT.CREATE_PURGE_JOB ( 3 DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, 4 SYSDATE + 5/24, 5 'sysdate + 1', 6 'audit_job', 7 TRUE); 8 END; 9 / PL/SQL Succeed. SQL> select job_name, REPEAT_INTERVAL from DBA_SCHEDULER_JOBS; JOB_NAME REPEAT_INTERVAL ---------------------------------------------------------------- ---------------------------------------------------------------- GATHER_STATS_JOB cast(TRUNC(SYSDATE+1) + 2/24 as timestamp) UPDATE_AUDIT_ARCHIVE_TIME sysdate+1 AUDIT_JOB sysdate + 1 3 rows fetched. SQL> select job_name, JOB_ACTION from DBA_SCHEDULER_JOBS; JOB_NAME JOB_ACTION ---------------------------------------------------------------- ---------------------------------------------------------------- GATHER_STATS_JOB begin DBMS_STATS.GATHERDATABASESTATS('GATHER AUTO', 0, 8, 'FOR ALL COLUMNS SIZE AUTO', 'GLOBAL', TRUE, TRUE); end; UPDATE_AUDIT_ARCHIVE_TIME BEGIN DBMS_AUDIT_MGMT.SET_LASTARCHIVETIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, sysdate-270);END; AUDIT_JOB BEGIN DBMS_AUDIT_MGMT.CLEANAUDITTRAIL(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, true); END; 3 rows fetched. |
收尾
包含但不限于:
序号 |
事项 |
详情 |
1 |
用户密码90天过期 |
所有用户(包括业务用户、SYS用户、其他DBA用户、备份目的用户例如DBBAK)的密码都会90天内定期过期,需要同步给客户定期修改; |
