
1、實(shí)用文檔關(guān)于操作系統(tǒng)和數(shù)據(jù)庫(kù)合規(guī)檢查漏洞的解決方案Oracle數(shù)據(jù)庫(kù)分冊(cè)適用軟件版 本Oracle10g、11g適用硬件版 本主題關(guān)于操作系統(tǒng)和數(shù)據(jù)庫(kù)合規(guī)檢查漏洞的解決方案Oracle數(shù)據(jù)庫(kù)分冊(cè)1、問(wèn)題描述與原因:Oracle數(shù)據(jù)庫(kù)在合規(guī)檢查時(shí)被掃描出漏洞,要求對(duì)這些漏洞進(jìn)行解決2、應(yīng)對(duì)措施:對(duì)存在漏洞進(jìn)行定制的安全加固操作。3、執(zhí)行條件/注意事項(xiàng):?加固前確保服務(wù)器、數(shù)據(jù)庫(kù)、網(wǎng)管運(yùn)行均正常。最好重啟下服務(wù)器、數(shù)據(jù)庫(kù)和網(wǎng)管查看重啟后網(wǎng)管是否能運(yùn)行正常。如果加固前服務(wù)器本身有問(wèn)題,加固后服務(wù)器運(yùn)行異常會(huì)加大 排查難度。?本解決方案執(zhí)行完成后,需要重啟Oracle數(shù)據(jù)庫(kù)來(lái)生效某些操作。?本解決方案

2、不必完全執(zhí)行,請(qǐng)根據(jù)系統(tǒng)掃描出的漏洞選擇對(duì)應(yīng)的漏洞條目進(jìn)行操作。?如無(wú)特殊說(shuō)明,本文中的執(zhí)行用戶(hù)均為oracle4、操作步驟:漏洞清單(單擊可跳轉(zhuǎn)):(注:漏洞名稱(chēng)與配置項(xiàng)信息中的配置項(xiàng)名稱(chēng)對(duì)應(yīng)。)漏洞1.檢查是否對(duì)用戶(hù)的屬性進(jìn)行控制(5)漏洞2.檢查是否配置 Oracle軟件賬戶(hù)的安全策略(2)漏洞3.檢查是否啟用數(shù)據(jù)字典保護(hù)漏洞4.檢查是否在數(shù)據(jù)庫(kù)對(duì)象上設(shè)置了VPD和OLS (6)漏洞5.檢查是否存在 dvsys用戶(hù)dbms macadm 對(duì)象(14)漏洞6.檢查是否數(shù)據(jù)庫(kù)應(yīng)配置日志功能(11)漏洞7.檢查是否記錄操作日志(13)漏洞8.檢查是否記錄安全事件日志(7)漏洞9.檢杳是否根據(jù)業(yè)

3、務(wù)要求制定數(shù)據(jù)庫(kù)審計(jì)策略漏洞10.檢杳是否為監(jiān)聽(tīng)設(shè)置密碼漏洞11.檢杳是否限制可以訪(fǎng)問(wèn)數(shù)據(jù)庫(kù)的地址(1)漏洞12.槍杳是否使用加密傳輸(4)漏洞13.槍杳是否設(shè)置超時(shí)時(shí)間(15)漏洞14.檢查是否設(shè)置 DBA組用戶(hù)數(shù)量限制(3)漏洞15.檢查是否刪除或者鎖定無(wú)關(guān)帳號(hào)漏洞16.檢查是否限制具備數(shù)據(jù)庫(kù)超級(jí)管理員( SYSDBA )權(quán)限的用戶(hù)遠(yuǎn)程登錄(10)漏洞17.檢查口令強(qiáng)度設(shè)置 (17)漏洞18.檢查帳戶(hù)口令生存周期(12)漏洞19.檢查是否設(shè)置記住歷史密碼次數(shù)(8)漏洞20.檢查是否配置最大認(rèn)證失敗次數(shù)漏洞21.檢查是否在配置用戶(hù)所需的最小權(quán)限(9)漏洞22.檢查是否使用數(shù)據(jù)庫(kù)角色( ROL

4、E )來(lái)管理對(duì)象的權(quán)限(16)漏洞23.檢查是否更改數(shù)據(jù)庫(kù)默認(rèn)帳號(hào)的密碼執(zhí)行Oracle安全加固操作前備份文件:ibash-3.2$ cp $ORACLE_HOME/network/admin/listener.ora $ORACLE_HOME7network/admin亓ibash-3.2$ cp $ORACLE_HOME/network/admin/sqlnet.ora $ORACLE_HOME/network/admin/sqlnet.or i:I a u士 sad aa di a a w- baa -aasad ad -aaad 44 s msad

5、.-aa A& aaad 44 s a *4 sad -aa = B a a w,4 had 41- s asad -aa 4& a a wj hadaad -a-&baa &=> bads a u- > a-斗4 a S jj. had aa s aa - &-aa 44 a abs-Oracle數(shù)據(jù)庫(kù)漏洞的解決方案全部執(zhí)行完成后,需要重啟Oracle實(shí)例來(lái)生效某些操作。漏洞1.檢查是否對(duì)用戶(hù)的屬性進(jìn)行控制類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:10F !- UF !0F F一* n r , W H h* H UF 一 H! /!-!:F0F !一

6、 n H 一 H iSQL> select count(t.username) from dba_users t where profile not in ('DEFAULT','MONITOR!ING_PROFILE');:I !匕OUNT(T.USERNAME):0I KF VB STB F » n « H -F B- F bl! k F h h 9-B n H 1: ITB «TI 解決方案:暫時(shí)不處理。漏洞2.檢查是否配置 Oracle軟件賬戶(hù)的安全策略類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:略解決方案:暫時(shí)不處理漏洞3.檢查

7、是否啟用數(shù)據(jù)字典保護(hù)類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:SQL> select value from v$parameter where name like '%O7_DICTIONARY_ACCeSSIBILITY%'iselect value from v$parameter where name like '%O7_DICTIONARY_ACCESSIBILITY%' i :* I:ERROR at line 1:IORA-01034: ORACLE not availableIprocess ID: 0ISession ID: 0 Serial num

8、ber: 0I vrw m ni: m m MW iB-r!« im vrw 9-n 口 h 9-h im !B-n vm n . we vv * im h-kw a-i解決方案:在數(shù)據(jù)庫(kù)啟動(dòng)的情況下,通過(guò)下面的命令檢查o7_dictionary_accessibility 的參數(shù)值:1 n , h .n nra .an qra n n vara wrn h n m n » m n nh n nn n n 一 na :a-a n an arn nra rw * - an ;bash-3.2$ sqlplus system/oracle<SID>衿QL*Plus:

9、 Release .0 - Production on Thu Jan 9 11:33:56 2014Copyright (c) 1982, 2007, Oracle. All Rights Reserved.Connected to:Oracle Database 10g Enterprise Edition Release .0 - Production!With the Partitioning, OLAP, Data Mining and Real Application Testing options:SQL> show parameter o7

10、_dictionary_accessibility;Rametype valueO7_DICTIONARY_ACCESSIBILITY boolean FALSEj檢查出默認(rèn)的結(jié)果是 false后,使用下面的命令退出sql*plus:SQL> exit Disconnected from Oracle Database 11g Enterprise Edition Release .0 - 64bit Pro jduction:With the Partitioning, OLAP, Data Mining and Real Application Testing opt

11、ionsI m tb h n0 -n n = h h 一 h nin r w-ara f= h -n - sis 一* byb h n :*漏洞4.檢查是否在數(shù)據(jù)庫(kù)對(duì)象上設(shè)置了VPD和OLS類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:|SQL> select count(*) from v$vpd policy;«i COUNT(*) : :0解決方案: 暫時(shí)不處理。漏洞5.檢查是否存在 dvsys用戶(hù)dbms_macadm 對(duì)象類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi) 問(wèn)題:論QL> select count(*) from dba_users where username='DVsYS

12、' i一;COUNT(*) -;0解決方案:暫時(shí)不處理。漏洞6.檢查是否數(shù)據(jù)庫(kù)應(yīng)配置日志功能類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:SQL> select count(*) from dba_triggers t where trim(t.triggering_event) = trim('LOGON:');I:COUNT(*)I解決方案:暫時(shí)不處理。漏洞7.檢查是否記錄操作日志類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:;SQL> select value from v$parameter t where = 'audit_trail' isel

13、ect value from v$parameter t where = 'audit_trail';*TERROR at line 1:IORA-01034: ORACLE not availableIProcess ID: 0ISession ID: 0 Serial number: 0解決方案:暫時(shí)不處理。漏洞8.檢查是否記錄安全事件日志類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:iSQL> 'select EOUntCrfrom- dba_triggers T where - trim(t/tfiggering_eventy = trim(1LOGON

14、I');i:COUNT(*) ;0解決方案:暫時(shí)不處理。漏洞9.檢查是否根據(jù)業(yè)務(wù)要求制定數(shù)據(jù)庫(kù)審計(jì)策略類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:;SQL> select value from v$parameter t where = 'audit_trail' 一iselect value from v$parameter t where = 'audit_trail'I I :* ITERROR at line 1: ORA-01034: ORACLE not availableIProcess ID: 0I I iSessi

15、on ID: 0 Serial number: 0解決方案:暫時(shí)不處理。漏洞10.檢查是否為監(jiān)聽(tīng)設(shè)置密碼類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:|$ cat 'find $ORACLE_HOME -name sqlnet.ora' | grep -v "#"|grep -v "A$"find: 0652-081 cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/pr ;ef>:!:The file access permissions do no

16、t allow the specified action.!$ cat 'find $ORACLE_HOME -name listener.ora' | grep -v "#"|grep -v "a$" i一find: 0652-081 cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/pr ;ef>:The file access permissions do not allow the specified action. SID_LI

17、ST_LISTENER =| (SID LIST =(SID_DESC =(SID_NAME = PLSExtProc)I(ORACLE_HOME = /oracle/app/oracle/dbhome_1)I(PROGRAM = extproc)i1)I! (SID_DESC =(GLOBAL_DBNAME = minos)I(ORACLE_HOME = /oracle/app/oracle/dbhome_1)(SID_NAME = minos)I:)I;)Listener = I (DESCRIPTION_LIST =i一:(DESCRIPTION =I(ADDRESS = (PROTOC

18、OL = TCP)(HOST = 41)(PORT = 1521)1)!)IADR_BASE_LISTENER = /oracle/app/oracleI "n mH * kb : ar w ! an ar ar ra 解決方案:bash-3.2$ lsnrctl :ILSNRCTL for IBM/AIX RISC System/6000: Version .0 - Production on 08-JAN-2014 18:11:21i : iCopyright (c) 1991,2011, Oracle. All rights reserv

19、ed. !Welcome to LSNRCTL, type "help" for information.i |LSNRCTL>change_passwordOld password: < 如果之前沒(méi)有密碼則這里不填,直接按 Enter鍵>:New password:Reenter new password:Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=2)(PORT=1521)IPassword changed for LISTENERI:The command co

20、mpleted successfully!LSNRCTL>save_configConnecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=2)(PORT=1521):Saved LISTENER configuration parameters.Listener Parameter File /oracle/app/oracle//dbhome_1/network/admin/listener.o力Old Parameter File /oracle/app/oracle//dbh

21、ome_1/network/admin/listener.bak 汗he command completed successfully1sNRCTL>exit 他ash-3.2$ ;設(shè)置完成后通過(guò)下面的命令檢查: Ibash-3.2$ cat $ORACLE_HOME/network/admin/listener.ora | grep "PASSWORDS"漏洞11.檢查是否限制可以訪(fǎng)問(wèn)數(shù)據(jù)庫(kù)的地址類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:$ cat 'find $OraCle_HOME -name sqlnet.ora' | grep -v "#”|

22、grep -v "A$" find: 0652-081 cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/pr i-;ef>:I:The file access permissions do not allow the specified action. I|$ cat 'find $ORACLE_HOME -name listener.ora' | grep -v "#"|grep -v "a$"find: 0652

23、-081 cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/pr I-;ef>: i I:The file access permissions do not allow the specified action. blD_LIST_LISTENER = !:(SID_LIST = Ii (SID_DESC = i(SID_NAME = PLSExtProc) I-(ORACLE_HOME = /oracle/app/oracle/dbhome_1) i! (PROGRAM = extproc

24、) !) I (SID_DESC = (GLOBAL_DBNAME = minos) I(ORACLE_HOME = /oracle/app/oracle/dbhome_1)(SID_NAME = minos)i一! ;) ?) I Listener =| (DESCRIPTION_LIST = ;(DESCRIPTION =;(ADDRESS = (PROTOCOL = TCP)(HOST = 41)(PORT = 1521);)D!ADR_BASE_LISTENER = /oracle/app/oracle解決方案:| 檢查 $ORACLE_HOME/network

25、/admin/sqlnet.ora 文件中是否有以下行: Tcp.validnode_checking = YES I!TCP.INVITED_NODES = (<host_1>, <host_2>,) :其中<host x>是允許訪(fǎng)問(wèn)本數(shù)據(jù)庫(kù)的IP地址。;如果沒(méi)有,則根據(jù)需要在文件中添加,隨后重啟數(shù)據(jù)庫(kù)。重啟完成后,則數(shù)據(jù)庫(kù)只允許TCP.INVITED_NODESJ出的IP來(lái)訪(fǎng)問(wèn)。儀口果不存在sqlnet.ora 文件,請(qǐng)使用以下命令創(chuàng)建此文件后再實(shí)施上面的操作:!bash-3.2$ touch $ORACLE_HOME/network/admin/sql

26、net.ora漏洞12.檢查是否使用加密傳輸類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:$ cat 'find $OraCle_HOME -name sqlnet.ora' | grep -v "#"|grep -v "A$" i一Ifind: 0652-081 cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/pr i-:ef>:I:The file access permissions do not allow the specified act

27、ion. Ii$ cat 'find $ORACLE_HOME -name listener.ora' | grep -v "#"|grep -v "a$"Ifind: 0652-081 cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/prI-哈:i:The file access permissions do not allow the specified action. i|SID_LIST_LISTENER =Ii (SID_LIST

28、=i (SID_DESC =i(SID_NAME = PLSExtProc) j一(ORACLE_HOME = /oracle/app/oracle/dbhome_1) i! (PROGRAM = extproc) !) I (SID_DESC =(GLOBAL_DBNAME = minos)(ORACLE_HOME = /oracle/app/oracle/dbhome_1)(SID_NAME = minos)I-1)I!)IListener =Ii (DESCRIPTION_LIST =;(DESCRIPTION =;(ADDRESS = (PROTOCOL = TCP)(HOST = 1

29、041)(PORT = 1521) !)i ):ADR_BASE_LISTENER = /oracle/app/oracle解決方案:暫時(shí)不處理。漏洞13.檢查是否設(shè)置超時(shí)時(shí)間類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:!$ cat 'f-i'nd -$O'RACLE_HOME- -name -sql-net.Ora'' ' grep ' -v ' "#"grep '-v'"A$"-"find: 0652-081 cannot change director

30、y to </oracle/app/oracle/dbhome_1/sysman/config/pr 沿f>:The file access permissions do not allow the specified action.|$ cat 'find $ORACLE_HOME -name listener.ora' | grep -v "#"|grep -v "a$"find: 0652-081 cannot change directory to </oracle/app/oracle/dbhome_1/sys

31、man/config/pr: 一:ef>:The file access permissions do not allow the specified action.|sid_list_listener =i (SID_LIST =(SID_DESC =(SID_NAME = PLSExtProc)(ORACLE_HOME = /oracle/app/oracle/dbhome_1)(PROGRAM = extproc);)I (SID_DESC =(GLOBAL_DBNAME = minos)i(ORACLE_HOME = /oracle/app/oracle/dbhome_1)(SI

32、D_NAME = minos)ij )DListener =ii (DESCRIPTION_LIST =i (description =ij (ADDRESS = (PROTOCOL = TCP)(HOST = 41)(PORT = 1521)j );)|ADR_BASE_LISTENER = /oracle/app/oracle I a-EM h-m ija-a -u aui b-m um w u-a s-km u* u-a a-sa b-m bju u 解決方案:I hf : n-B bnn »»h : rr s-b : btb - n !i通過(guò)

33、下面的命令檢查是否 設(shè)置了 SQLNET.EXPIRE_TIM的參數(shù)值為10:bash-3.2$ grep -i "SQLNET.EXPIRE_TIME" $ORACLE_HOME/network/admin/sqlnet.ora 視果沒(méi)有設(shè)置,在 $ORACLE_HOME/network/admin/sqlnet.ora 文件中添加一行: |SQLNET.EXPIRE_TIME=10;隨后重新啟動(dòng)監(jiān)聽(tīng)和數(shù)據(jù)庫(kù)。i故口果不存在sqlnet.ora 文件,請(qǐng)使用以下命令創(chuàng)建此文件后再實(shí)施上面的操作:ibash-3.2$ touch $ORACLE HOME/network/a

34、dmin/sqlnet.ora漏洞14.檢查是否設(shè)置DBA組用戶(hù)數(shù)量限制標(biāo)準(zhǔn)類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:略解決方案:手動(dòng)將其他非oracle的用戶(hù)從dba組中刪除,將oracle用戶(hù)從root或system組中刪 除。查詢(xún)用戶(hù)所屬組的命令是groups <username> 。改變用戶(hù)所屬組的命令是usermod -G <groupname1> , <groupname2> <username> 。漏洞15.檢查是否刪除或者鎖定無(wú)關(guān)帳號(hào)類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:| SB KB Ba BJB BUB 1 KB ! KB ! U MLB a

35、JB SQL> select t.username from dba_users t where t.account_status = 'OPEN'i'select t.username from dba_users t where t.account_status = 'OPEN'i一一產(chǎn)ITerror at line 1:ORA-01034: ORACLE not availableIIProcess ID: 0Session ID: 0 Serial number: 0解決方案:暫時(shí)不處理。漏洞16.檢查是否限制具備數(shù)據(jù)庫(kù)超級(jí)管理員( SYS

36、DBA )權(quán)限的用戶(hù)遠(yuǎn)程登錄類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:$QL> select t.VALUE from v$parameter t where upper(t.NAME) like '%REMOTE_LOGIN_PASSWOR bFILE%;IVALUE;IEXCLUSIVEI a 占z 上 a a ma bBabaa aa1 9 上# aa b a a- aad Afaaa asad A>aa a* a a 且4 bad 4d amu4M且4 上=上 Ah « aadAKaa&faBia bada a uh e a tasa baaa a aa a

37、解決方案:IUF * n ! hUF n ! FF , H F bF 加 bF H !:!T n - hF b0 hF h 一F j在數(shù)據(jù)庫(kù)啟動(dòng)時(shí),通過(guò)下面的命令檢查remote_login_passwordfile的參數(shù)值:;bash-3.2$ sqlplus sys/oracle<SID> as sysdba a:SQL*Plus: Release .0 - Production on Thu Jan 9 11:33:56 2014Copyright (c) 1982, 2007, Oracle. All Rights Reserved.iConnected t

38、o:Oracle Database 10g Enterprise Edition Release .0 - Production1 :With the Partitioning, OLAP, Data Mining and Real Application Testing options ! !SQL> show parameters remote_login_passwordfile; ! I1 1NAMETYPE VALUE 1remote_login_passwordfilestring EXCLUSIVE如果參數(shù)值為 NONE則默認(rèn)滿(mǎn)足安全要求。否則,通過(guò)下面的S

39、QL語(yǔ)句修改參數(shù)值為 NONESQL> alter system set remote_login_passwordfile=NONE scope=spfile;i System altered.1修改后重啟數(shù)據(jù)庫(kù):iSQL> shutdown immediateDatabase closed.!Database dismounted. ORACLE instance shut down.ibash-3.2$ export ORACLE_SID=<SID>1bash-3.2$ sqlplus /nologi1 sSQL*Plus: Release .0

40、- Production on Tue May 20 11:01:55 2014 g1Copyright (c) 1982, 2010, Oracle. All Rights Reserved.iSQL> conn / as sysdbaIConnected to an idle instance.SQL> startupORACLE instance started.11 si £ Total System Global Area 8589934592 bytesFixed Size2065744 bytesVariable Size3238009520 bytesDa

41、tabase Buffers5301600256 bytesRedo Buffers48259072 bytesDatabase mounted.ilDatabase opened.SQL>檢查參數(shù)值是否修改成功:1SQL> show parameters remote_login_passwordfile;INAMETYPE VALUE j Iremote_login_passwordfilestring NONE;修改成功后退出SQL*PLUS I:SQL> exitDisconnected from Oracle Database 10g Enterprise Edit

42、ion Release .0 - Productio:nI iWith the Partitioning, OLAP, Data Mining and Real Application Testing options漏洞17.檢查口令強(qiáng)度設(shè)置類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題: 1 1 1 : n : btb h ! ar r 1 n 1 ra > ar ra :SQL> select count(*) from dba_profiles where resource_name = 'PASSWORD_VERIFY_FUNCTION':and limit

43、 = 'NULL'Ij COUNT(*)I i :i 11解決方案:暫時(shí)不處理。漏洞18.檢查帳戶(hù)口令生存周期類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:SQL> select limit from dba_profiles t where resource_name = 'PASSWORD_LIFE_TiME'I一一 一!limiti:!UnlimitedIjDEFAULTDefaultIMF !"WV 干IF ,一,加,加一千,!(F ,!"!,"! MF , MF :,一,!: !F,H 解決方案:暫時(shí)不處理。漏洞19.檢查是否設(shè)置

44、記住歷史密碼次數(shù)類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題: 工) n 一 ar aia m ma ar kb na n : ar h ar :SQL> select limit from dba_profiles t where resource_name = 'PASSWORD_REUSE_MAX'1IMIT l:UNLIMITEDIDEFAULTDefaultI *4 !上*匹*0 )! *4 * *4HH4RiB.K,上H-iI4.>;ii*Ia4R*.li, - H-a41國(guó) *4 a A B A K a B 11 AEHB *4士 !,*,! 4, !1 *4 解決

45、方案:暫時(shí)不處理。漏洞20.檢查是否配置最大認(rèn)證失敗次數(shù)類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi) 問(wèn)題:iSQL>-SeieCTlimitfrOm dba_profiles-f where resource_name-= 1FAlLE'D_LOGiN_ATTEM-PTS7''1iselect limit from dba_profiles t where resource_name = 'FAILED_LOGIN_ATTEMPTS' iIIi* IIIerror at line 1:Ora-01034: ORACLE not availableI!i Proce

46、ss ID: 0 iiiSession ID: 0 Serial number: 0解決方案:容數(shù)據(jù)庫(kù)啟動(dòng)的情猊卞通迂下面的命令檢查一一FAiLED_LOGiN_ATTEMPTS值:” 1ibash-3.2$ sqlplus system/oracle<SID> I|sQL*Plus: Release .0 - Production on Thu Jan 9 11:33:56 2014 IiICopyright (c) 1982, 2007, Oracle. All Rights Reserved. IIIIII|iConnected to:Oracle Datab

47、ase 10g Enterprise Edition Release .0 - Production IWith the Partitioning, OLAP, Data Mining and Real Application Testing options j I;|SQL> SELECT RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_AT!TEMPTS' AND PROFILE='DEFAULT' iIi|resource_namelim

48、it I !1 |failed_login_attempts unlimited IIE妝口果LIMIT的值為6,則符合安全要求。否則,通過(guò)下面的SQL語(yǔ)句修改參數(shù)值:II|sql> alter profile DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 6; IProfile altered. jri;)I檢查參數(shù)值是否修改成功:|sql> select resource_name, limit from DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_AT 卜EMPTS' AND PROF

49、ILE='DEFAULT' i:iRESOURCE_NAMELIMIT干AILED LOGIN ATTEMPTS6;修改成功后退出SQL*PLUSI過(guò)QL> exitDisconnected from Oracle Database 10g Enterprise Edition Release .0 - ProductioII汕IIWith the Partitioning, OLAP, Data Mining and Real Application Testing options漏洞21.檢查是否在配置用戶(hù)所需的最小權(quán)限類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:

50、 » h > n nr h »» : h - : in «u » ara - - n : h h h nt:SQL> select count(a.username) from dba_users a left join dba_role_privs b on a.usernam i一一 一ie = b.grantee where granted_role = 'DBA' and a.username not in ('SYS','SYSMAN','SYSTEM i-i:

51、9;,'WKSYS','CTXSYS,);iCOUNT(A.USERNAME)!iI :19I ! M ! 士 ! >! KB * ! ! KB ! KB KB 工1解決方案:暫時(shí)不處理。漏洞22.檢查是否使用數(shù)據(jù)庫(kù)角色(ROLE )來(lái)管理對(duì)象的權(quán)限類(lèi)型:Oracle數(shù)據(jù)庫(kù)類(lèi)問(wèn)題:I a0a » a 44*_! & 4 4 - a!4 0a 4 ks 通 K - a 4L 上 0a4a- a 4L - a0a « &ais*上工- a 4L ! & &a 工4上一上- a第4 a 工 a0m -上石 a- a u-aa 1* &*>4 m -上上工 a- a ui ma « & 工上上事工=iSQL> select count(a.username) from dba_users a left join dba_role_privs b on a.usernamie = b.grantee where granted_role = 'DBA' and
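The checks in vulnerabilities 10, 11 and 13 above all come down to reading the two Oracle Net files that the scanner dumped. The script below, an added example that is not part of the original document, normalises sqlnet.ora and listener.ora the way the listener reads them (comments stripped, keys case-insensitive, multi-line node lists joined), reports PASS/FAIL for TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES, SQLNET.EXPIRE_TIME and the PASSWORDS_<listener> entry, and rewrites sqlnet.ora with the hardened values. The sample file contents, the db-host placeholder and the 10.0.0.x client addresses are constructed; only POSIX sh, sed and awk are needed.

```shell
#!/bin/sh
# Audit and fix the Oracle Net settings behind vulnerabilities 10 (listener password),
# 11 (TCP.VALIDNODE_CHECKING / TCP.INVITED_NODES) and 13 (SQLNET.EXPIRE_TIME).
# Added example, not part of the original document. The files written by
# write_sample_net_config are constructed to reproduce the state the scanner reported.

# Normalise an Oracle Net parameter file to one KEY=VALUE line per parameter:
# comments and blank lines dropped, whitespace removed from values, keys upper-cased
# (Oracle matches them case-insensitively), and lines without '=' appended to the
# previous value so a multi-line TCP.INVITED_NODES list stays in one piece.
net_params() {
    sed -e 's/#.*$//' "$1" | awk '
        function flush() {
            if (key != "") { gsub(/[ \t]/, "", val); print toupper(key) "=" val }
            key = ""
        }
        /=/ {
            flush()
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            next
        }
        /[^ \t]/ { val = val $0 }
        END { flush() }'
}

# Value of one parameter (key given in upper case); empty if absent.
net_get() {
    net_params "$1" | awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# One PASS/FAIL line per sqlnet.ora check.
check_sqlnet() {
    v=$(net_get "$1" TCP.VALIDNODE_CHECKING | tr '[:lower:]' '[:upper:]')
    if [ "$v" = "YES" ]; then echo "PASS TCP.VALIDNODE_CHECKING=YES"
    else echo "FAIL TCP.VALIDNODE_CHECKING is '$v', want YES (vulnerability 11)"; fi

    v=$(net_get "$1" TCP.INVITED_NODES)
    if [ -n "$v" ]; then echo "PASS TCP.INVITED_NODES=$v"
    else echo "FAIL TCP.INVITED_NODES missing (vulnerability 11)"; fi

    v=$(net_get "$1" SQLNET.EXPIRE_TIME)
    case $v in
        ''|0) echo "FAIL SQLNET.EXPIRE_TIME is '$v', want 10 (vulnerability 13)" ;;
        *)    echo "PASS SQLNET.EXPIRE_TIME=$v" ;;
    esac
}

# lsnrctl change_password + save_config leave a PASSWORDS_<listener> hash in listener.ora.
check_listener() {
    if net_params "$1" | grep -q '^PASSWORDS_'; then
        echo "PASS listener password set: $(net_params "$1" | grep '^PASSWORDS_' | cut -d= -f1)"
    else
        echo "FAIL no PASSWORDS_<listener> entry; set one with lsnrctl change_password + save_config (vulnerability 10)"
    fi
}

# Rewrite sqlnet.ora with the three hardening lines. $2 is the comma-separated list of
# client addresses allowed to connect (every application and NMS host, plus the server's
# own address if local tools connect over TCP). Existing single-line settings for the
# same keys are replaced; a multi-line TCP.INVITED_NODES list would need manual cleanup.
harden_sqlnet() {
    {
        grep -iv -e 'TCP\.VALIDNODE_CHECKING' -e 'TCP\.INVITED_NODES' -e 'SQLNET\.EXPIRE_TIME' "$1" || true
        echo "TCP.VALIDNODE_CHECKING = YES"
        echo "TCP.INVITED_NODES = ($2)"
        echo "SQLNET.EXPIRE_TIME = 10"
    } > "$1.new" && mv "$1.new" "$1"
}

# Constructed sample files: sqlnet.ora as the scanner found it (node checking off, no
# node list, no expire time) and a listener.ora shaped like the document's, with a
# placeholder host and no password entry.
write_sample_net_config() {
    cat > "$1/sqlnet.ora" <<'EOF'
# constructed sample
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
tcp.validnode_checking = no
EOF
    cat > "$1/listener.ora" <<'EOF'
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /oracle/app/oracle/dbhome_1)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (GLOBAL_DBNAME = minos)
      (ORACLE_HOME = /oracle/app/oracle/dbhome_1)
      (SID_NAME = minos)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db-host)(PORT = 1521))
    )
  )
ADR_BASE_LISTENER = /oracle/app/oracle
EOF
}

# Stand-alone run: audit the weak files, harden sqlnet.ora, audit again.
demo_dir=$(mktemp -d)
write_sample_net_config "$demo_dir"
check_sqlnet "$demo_dir/sqlnet.ora"
check_listener "$demo_dir/listener.ora"
harden_sqlnet "$demo_dir/sqlnet.ora" "10.0.0.5, 10.0.0.6"
check_sqlnet "$demo_dir/sqlnet.ora"
rm -rf "$demo_dir"
```

Run it against the real files by pointing check_sqlnet and check_listener at $ORACLE_HOME/network/admin; after harden_sqlnet, restart the listener so it re-reads sqlnet.ora, and only then confirm from an NMS host that it can still connect.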
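Vulnerability 14 is resolved with groups and usermod, and the trap there is that usermod -G replaces a user's whole supplementary list. The script below is an added example, not part of the original document: it reports every account that reaches the dba group through either its primary gid or a supplementary membership, reports whether the software owner sits in root's group, and for each finding prints the usermod -G command with the groups the user must keep. The passwd and group contents are constructed; the group names (dba, root, system) and the owner name (oracle) are the document's.

```shell
#!/bin/sh
# Vulnerability 14: check OS group membership the way `groups` would report it, from
# passwd and group files. Added example, not from the original document; the passwd/group
# rows written by write_sample_accounts are constructed.

# Every user whose primary group (passwd gid) or supplementary group (group file member
# list) is $3, one per line, sorted.
members_of() {   # $1 passwd file, $2 group file, $3 group name
    gid=$(awk -F: -v g="$3" '$1 == g { print $3; exit }' "$2")
    {
        awk -F: -v g="$3" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        if [ -n "$gid" ]; then awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$1"; fi
    } | sort -u
}

# Supplementary groups user $2 keeps after leaving group $3, comma-joined for usermod -G.
# usermod -G REPLACES the supplementary list, so an incomplete list silently drops the
# user from every group not named (Linux: usermod -a -G appends; AIX: chuser groups=<list>).
remaining_groups() {   # $1 group file, $2 user, $3 group to leave
    awk -F: -v u="$2" -v drop="$3" '
        $1 != drop { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) out = (out == "" ? $1 : out "," $1) }
        END { print out }' "$1"
}

# FAIL lines for users other than the owner ($3) that are in the dba group ($4).
audit_dba_group() {   # $1 passwd, $2 group, $3 software owner, $4 dba group
    gid=$(awk -F: -v g="$4" '$1 == g { print $3; exit }' "$2")
    # primary-group members: usermod -G cannot remove these, they need usermod -g
    awk -F: -v gid="$gid" -v o="$3" -v g="$4" \
        '$4 == gid && $1 != o { print "FAIL " $1 " has " g " as primary group: usermod -g <other group> " $1 }' "$1"
    for u in $(awk -F: -v g="$4" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"); do
        if [ "$u" != "$3" ]; then
            echo "FAIL $u is a supplementary member of $4: usermod -G '$(remaining_groups "$2" "$u" "$4")' $u"
        fi
    done
}

# FAIL lines when the owner ($3) belongs to any of the privileged groups named after it.
owner_in_privileged_group() {   # $1 passwd, $2 group, $3 owner, then group names
    p=$1; g=$2; o=$3; shift 3
    for grp in "$@"; do
        if members_of "$p" "$g" "$grp" | grep -qx "$o"; then
            echo "FAIL $o is in privileged group $grp: usermod -G '$(remaining_groups "$g" "$o" "$grp")' $o"
        fi
    done
}

# Constructed accounts: appuser is a supplementary dba member, monitor has dba as its
# primary group, and oracle has been added to root's group.
write_sample_accounts() {   # writes $1/passwd and $1/group
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
oracle:x:500:501:Oracle software owner:/oracle:/bin/bash
appuser:x:501:502:application:/home/appuser:/bin/bash
monitor:x:502:500:monitoring:/home/monitor:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:oracle
oinstall:x:501:
dba:x:500:oracle,appuser
users:x:502:appuser,monitor
EOF
}

# Stand-alone run over the constructed files.
demo=$(mktemp -d)
write_sample_accounts "$demo"
echo "members of dba: $(members_of "$demo/passwd" "$demo/group" dba | tr '\n' ' ')"
audit_dba_group "$demo/passwd" "$demo/group" oracle dba
owner_in_privileged_group "$demo/passwd" "$demo/group" oracle root system
rm -rf "$demo"
```

On a real host pass /etc/passwd and /etc/group (or the output of getent passwd and getent group when accounts come from a directory); the printed usermod lines are proposals to review, not commands the script runs.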
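Vulnerabilities 17 to 20 are all limits in dba_profiles, and the raw dumps above hide one thing: a limit of DEFAULT in any other profile inherits the DEFAULT profile's value, so UNLIMITED in DEFAULT is the effective setting everywhere. The script below, an added example that is not part of the original document, resolves that inheritance, evaluates every profile against the targets and emits one ALTER PROFILE statement per non-compliant profile covering only the limits that failed. The input rows are constructed to mirror the document's findings; FAILED_LOGIN_ATTEMPTS 6 is the document's requirement, while the 90-day lifetime, the 5-password history and the VERIFY_FUNCTION_11G function name (created by $ORACLE_HOME/rdbms/admin/utlpwdmg.sql on 11g; 10g creates VERIFY_FUNCTION) are assumptions.

```shell
#!/bin/sh
# Vulnerabilities 17-20: evaluate the password limits of every profile and generate the
# ALTER PROFILE statements for the non-compliant ones. Added example, not from the
# original document. Input rows are what
#   select profile, resource_name, limit from dba_profiles where resource_type = 'PASSWORD';
# prints under "set pagesize 0 heading off feedback off" (one row per line); the rows
# written by write_sample_profiles are constructed. Targets other than
# FAILED_LOGIN_ATTEMPTS 6 (the document's value) are assumptions.

PROFILE_RESOURCES='FAILED_LOGIN_ATTEMPTS PASSWORD_LIFE_TIME PASSWORD_REUSE_MAX PASSWORD_VERIFY_FUNCTION'

# Print "FAIL <profile> <resource> <effective limit> <required>" for every limit that
# misses its target. DEFAULT in a non-DEFAULT profile resolves to the DEFAULT profile's
# value before the comparison.
profile_findings() {   # $1 = file with "profile resource limit" rows
    awk -v res="$PROFILE_RESOURCES" '
        function effective(p, r,   v) {
            v = lim[p SUBSEP r]
            if (v == "DEFAULT" && p != "DEFAULT") v = lim["DEFAULT" SUBSEP r]
            return v
        }
        function required(r) {
            if (r == "FAILED_LOGIN_ATTEMPTS")    return "6"
            if (r == "PASSWORD_LIFE_TIME")       return "90"
            if (r == "PASSWORD_REUSE_MAX")       return "5"
            if (r == "PASSWORD_VERIFY_FUNCTION") return "VERIFY_FUNCTION_11G"
        }
        function compliant(r, v) {
            if (v == "" || v == "UNLIMITED" || v == "NULL") return 0
            if (r == "FAILED_LOGIN_ATTEMPTS")    return v + 0 <= 6
            if (r == "PASSWORD_LIFE_TIME")       return v + 0 <= 90
            if (r == "PASSWORD_REUSE_MAX")       return v + 0 >= 5
            return 1                              # any verify function is accepted
        }
        # skip SQL*Plus headings/separators if they slipped through
        NF == 3 && $1 != "PROFILE" && $1 !~ /^-/ { lim[$1 SUBSEP $2] = $3; seen[$1] = 1 }
        END {
            n = split(res, R, " ")
            for (p in seen) for (i = 1; i <= n; i++) {
                v = effective(p, R[i])
                if (!compliant(R[i], v)) print "FAIL", p, R[i], (v == "" ? "-" : v), required(R[i])
            }
        }' "$1" | sort
}

# One ALTER PROFILE ... LIMIT statement per non-compliant profile, naming only the limits
# that failed; feed the output to sqlplus as a user holding ALTER PROFILE.
profile_remediation() {   # $1 = same input file
    profile_findings "$1" | awk '
        { stmt[$2] = stmt[$2] " " $3 " " $5 }
        END { for (p in stmt) print "ALTER PROFILE " p " LIMIT" stmt[p] ";" }' | sort
}

# Constructed rows: DEFAULT wide open (as in vulnerabilities 17-20), MONITORING_PROFILE
# inheriting it, and an APP_PROFILE that already meets every target.
write_sample_profiles() {   # writes the rows to $1
    cat > "$1" <<'EOF'
DEFAULT             FAILED_LOGIN_ATTEMPTS    UNLIMITED
DEFAULT             PASSWORD_LIFE_TIME       UNLIMITED
DEFAULT             PASSWORD_REUSE_MAX       UNLIMITED
DEFAULT             PASSWORD_VERIFY_FUNCTION NULL
MONITORING_PROFILE  FAILED_LOGIN_ATTEMPTS    UNLIMITED
MONITORING_PROFILE  PASSWORD_LIFE_TIME       DEFAULT
MONITORING_PROFILE  PASSWORD_REUSE_MAX       DEFAULT
MONITORING_PROFILE  PASSWORD_VERIFY_FUNCTION DEFAULT
APP_PROFILE         FAILED_LOGIN_ATTEMPTS    6
APP_PROFILE         PASSWORD_LIFE_TIME       90
APP_PROFILE         PASSWORD_REUSE_MAX       5
APP_PROFILE         PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION_11G
EOF
}

# Stand-alone run over the constructed rows.
demo=$(mktemp)
write_sample_profiles "$demo"
profile_findings "$demo"
profile_remediation "$demo"
rm -f "$demo"
```

The MONITORING_PROFILE rows show why the inheritance matters: the scanner's dump lists DEFAULT for three of its limits, yet every one of them is effectively UNLIMITED until the DEFAULT profile is fixed, and the generated statement for MONITORING_PROFILE fixes its own explicit UNLIMITED as well. Remember the caveat from vulnerability 20 before running the output: the new limits apply to application service accounts too.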
