1、密碼複雜度配置
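-- Check 1: password complexity. For every profile assigned to at least one OPEN
-- account, report the PASSWORD_VERIFY_FUNCTION limit. The profile column is added
-- so the remediation can be applied to each affected profile, not only DEFAULT.
SELECT p.profile, p.limit
FROM dba_profiles p
WHERE p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
  AND EXISTS (
      SELECT 1
      FROM dba_users u
      WHERE u.profile = p.profile
        AND u.account_status = 'OPEN'
  )
ORDER BY p.profile;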
解決方案:
-- Fix for check 1 (run with SYSDBA privileges).
-- RESOURCE_LIMIT enables enforcement of the resource (CPU/session) limits in
-- profiles; the password limits, including the verify function, are enforced
-- regardless of this parameter. It is kept so the whole profile is effective.
ALTER SYSTEM SET resource_limit = TRUE;
-- SQL*Plus script shipped with the database; creates the sample verification
-- function under SYS. The function name it creates is release-dependent, so read
-- the script before relying on the name used on the next line.
@$ORACLE_HOME/rdbms/admin/utlpwdmg.sql
-- Binds the function to the DEFAULT profile only. Repeat this ALTER PROFILE for
-- every other profile the check reported as lacking a verify function.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION verify_function;
2、未對登入失敗門檻值進行控制(設定為10分鐘)
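-- Check 2: lockout after failed logins. The heading is about the failed-login
-- threshold, but the original query only read the lock duration; both limits are
-- reported here, per profile assigned to an OPEN account. PASSWORD_LOCK_TIME is
-- expressed in days (see the remediation below), FAILED_LOGIN_ATTEMPTS as a count.
SELECT p.profile, p.resource_name, p.limit
FROM dba_profiles p
WHERE p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME')
  AND EXISTS (
      SELECT 1
      FROM dba_users u
      WHERE u.profile = p.profile
        AND u.account_status = 'OPEN'
  )
ORDER BY p.profile, p.resource_name;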
解決方案:
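-- Fix for check 2. PASSWORD_LOCK_TIME is measured in days and defaults to one day,
-- so a 10-minute lock has to be written as a fraction of a day: 10/24/60.
-- This changes the DEFAULT profile only; repeat for each profile the check returned.
ALTER PROFILE DEFAULT LIMIT PASSWORD_LOCK_TIME 10/24/60;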
3、修改預設使用者的密碼
-- Check 3: accounts whose password matches Oracle's built-in default-password list.
-- XS$NULL is excluded because it is an internal account not intended for logins.
SELECT u.username
FROM dba_users_with_defpwd u
WHERE u.username NOT LIKE '%XS$NULL%'
ORDER BY u.username;
解決方案:將所有查詢到的使用者修改密碼
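-- Fix for check 3: set a new password on every account the check returned.
-- The original example used 'oracle', itself a widely known default value, which
-- defeats the purpose of the check. Replace the placeholder with a unique value that
-- satisfies the verify function from check 1. Sample accounts such as SCOTT that are
-- not needed can be locked instead (ALTER USER SCOTT ACCOUNT LOCK).
ALTER USER SCOTT IDENTIFIED BY "<new-strong-password>";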
4、檢查查詢結果中是否存在過期帳號
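-- Check 4: expired accounts. The original filtered on account_status = 'OPEN', which
-- by definition excludes every account that has already expired, so the result could
-- never show what the check looks for. Expired statuses (EXPIRED, EXPIRED(GRACE), ...)
-- are included and account_status is added. A NULL expiry_date on an OPEN account
-- means the password never expires (PASSWORD_LIFE_TIME UNLIMITED), so those sort first.
SELECT u.username, u.account_status, u.expiry_date
FROM dba_users u
WHERE u.account_status = 'OPEN'
   OR u.account_status LIKE 'EXPIRED%'
ORDER BY u.expiry_date NULLS FIRST, u.username;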
解決方案:將過期的使用者修改密碼
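-- Fix for check 4: reset the password of each expired account the check returned.
-- The original example set SYS to 'oracle', a widely known default; privileged
-- accounts in particular need a unique value that satisfies the verify function.
ALTER USER SYS IDENTIFIED BY "<new-strong-password>";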
5、權限控制,不應該含有public權限,傳回值應不包含DBMS_ADVISOR、DBMS_CRYPTO、DBMS_JAVA、DBMS_JAVA_TEST等
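-- Check 5: sensitive packages executable by PUBLIC. Expected result: no rows.
-- The 36-way OR chain of the original is a single IN list with the same names.
-- The owner column is added because some of these objects live outside SYS
-- (e.g. the WWV_* packages) and the REVOKE may need the owner qualifier.
SELECT tp.owner, tp.table_name
FROM dba_tab_privs tp
WHERE tp.grantee = 'PUBLIC'
  AND tp.privilege = 'EXECUTE'
  AND tp.table_name IN (
      'DBMS_ADVISOR',
      'DBMS_CRYPTO',
      'DBMS_JAVA',
      'DBMS_JAVA_TEST',
      'DBMS_JOB',
      'DBMS_LDAP',
      'DBMS_LOB',
      'DBMS_OBFUSCATION_TOOLKIT',
      'DBMS_RANDOM',
      'DBMS_SCHEDULER',
      'DBMS_SQL',
      'DBMS_XMLGEN',
      'DBMS_XMLQUERY',
      'UTL_FILE',
      'UTL_INADDR',
      'UTL_TCP',
      'UTL_MAIL',
      'UTL_SMTP',
      'UTL_DBWS',
      'UTL_ORAMTS',
      'UTL_HTTP',
      'HTTPURITYPE',
      'DBMS_SYS_SQL',
      'DBMS_BACKUP_RESTORE',
      'DBMS_AQADM_SYSCALLS',
      'DBMS_REPCAT_SQL_UTL',
      'INITJVMAUX',
      'DBMS_STREAMS_ADM_UTL',
      'DBMS_AQADM_SYS',
      'DBMS_STREAMS_RPC',
      'DBMS_PRVTAQIM',
      'LTADM',
      'WWV_DBMS_SQL',
      'WWV_EXECUTE_IMMEDIATE',
      'DBMS_IJOB',
      'DBMS_FILE_TRANSFER'
  )
ORDER BY tp.owner, tp.table_name;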
解決方案:去掉public的該權限
-- Fix for check 5: DBMS_ADVISOR is only the example; repeat for every package the
-- check returned. Revoking a PUBLIC grant can invalidate objects that depended on
-- it (DBMS_SQL, DBMS_LOB and DBMS_RANDOM are widely used by applications), so
-- verify the impact in a non-production database first.
REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;
6、權限控制,傳回值應為空
-- Check 6: SELECT ANY TABLE held by anyone outside the built-in allow-list.
-- Expected result: no rows. Note that a grantee may be a role; users holding that
-- role inherit the privilege but are not listed here themselves.
SELECT sp.grantee, sp.privilege
FROM dba_sys_privs sp
WHERE sp.privilege = 'SELECT ANY TABLE'
  AND sp.grantee NOT IN (
      'DBA', 'MDSYS', 'SYS', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE',
      'DATAPUMP_IMP_FULL_DATABASE', 'WMSYS', 'SYSTEM', 'OLAP_DBA', 'DV_REALM_OWNER'
  );
解決方案:
去掉該使用者的對應權限
-- Fix for check 6: OLAPSYS is only the example; repeat for each grantee returned.
REVOKE SELECT ANY TABLE FROM OLAPSYS;
7、權限控制,傳回值應為空
-- Check 7 (CREATE LIBRARY): a library lets PL/SQL call external native code, so it
-- should stay with the built-in owners listed here. Expected result: no rows.
SELECT sp.grantee, sp.privilege
FROM dba_sys_privs sp
WHERE sp.privilege = 'CREATE LIBRARY'
  AND sp.grantee NOT IN (
      'SYS', 'SYSTEM', 'DBA', 'MDSYS', 'SPATIAL_WFS_ADMIN_USR',
      'SPATIAL_CSW_ADMIN_USR', 'DVSYS', 'GSMADMIN_INTERNAL', 'XDB'
  );
解決方案:
去掉該使用者的對應權限
-- Fix for check 7 (CREATE LIBRARY): EXFSYS is only the example; repeat for each
-- grantee returned.
REVOKE CREATE LIBRARY FROM EXFSYS;
7、權限控制,傳回值為0
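-- Check 7 (GRANT ANY PRIVILEGE): expected result: no rows.
-- Bug fix: the original list had no comma between 'DATAPUMP_IMP_FULL_DATABASE' and
-- 'DV_REALM_OWNER'. Oracle treats '' inside a literal as an escaped quote, so the two
-- names were read as one bogus string and neither grantee was actually excluded.
SELECT sp.grantee, sp.privilege
FROM dba_sys_privs sp
WHERE sp.privilege = 'GRANT ANY PRIVILEGE'
  AND sp.grantee NOT IN (
      'DBA', 'SYS', 'IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE',
      'DV_REALM_OWNER', 'EM_EXPRESS_ALL'
  );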
解決方案:
去掉該使用者的對應權限
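-- Fix for check 7 (GRANT ANY PRIVILEGE): revoke from each grantee the check returned.
-- The original example revoked from DATAPUMP_IMP_FULL_DATABASE, a role that the
-- check's own allow-list intends to keep (it appears in its NOT IN list); stripping
-- it could break Data Pump full imports. Substitute the grantees actually reported.
REVOKE GRANT ANY PRIVILEGE FROM "<grantee-returned-by-check-7>";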
7、資料庫加強,sec_protocol_error_further_action加強為delay,3或者drop,3
解決方案:
將該值修改為drop,3,修改後需要重新開機資料庫才會生效
-- Fix for check 7 (protocol hardening): drop the client connection after 3 bad
-- protocol packets. SCOPE=SPFILE means the value is only written to the spfile and
-- takes effect after the instance is restarted. No check query is given for this
-- item; V$PARAMETER can be read the same way as for SEC_PROTOCOL_ERROR_TRACE_ACTION.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = 'DROP,3' SCOPE = SPFILE;
8、資料庫加強,SEC_PROTOCOL_ERROR_TRACE_ACTION為log
-- Check 8: the action taken on bad protocol packets should be LOG.
-- UPPER() on both sides makes the comparison independent of how the value was set.
SELECT UPPER(prm.value)
FROM v$parameter prm
WHERE UPPER(prm.name) = 'SEC_PROTOCOL_ERROR_TRACE_ACTION';
解決方案:
將該值修改為log,修改後需要重新開機資料庫才會生效
-- Fix for check 8: log bad protocol packets. SCOPE=SPFILE means the value is only
-- written to the spfile and takes effect after the instance is restarted.
ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION = 'log' SCOPE = SPFILE;