本文内容来自 YashanDB 官网,原文内容请见 https://www.yashandb.com/newsinfo/7281303.html?templateId=1718516
设置密码复杂度
密码复杂度开关打开,打开后密码必须满足:①至少八位长度 ② 数字+大小写+特殊字符
alter system set _CHECK_PASSWORD_COMPLEXITY=true;
示例:
SQL> alter system set _CHECK_PASSWORD_COMPLEXITY=true;
Succeed.
SQL> create user user1 identified by simple1;
YAS-02317 failed to check password complexity for password must contain at least 8 characters
SQL> create user user1 identified by Short1_;
YAS-02317 failed to check password complexity for password must contain at least 8 characters
SQL> create user user1 identified by Complex1;
YAS-02317 failed to check password complexity for password must contain at least 1 special character
SQL> create user user1 identified by Complex1_;
Succeed.
SQL> drop user user1;
复制代码
备注:对于存储在数据库表中的密码,YashanDB 提供_CHECK_PASSWORD_COMPLEXITY(隐藏参数,默认值 FALSE)用于控制是否开启密码强度控制,该参数默认为 false 不开启。弱密码对于系统安全有严重危害性,建议生产环境打开开关。开启密码强度控制后,YashanDB 将在密码设置时进行强度校验,输入的密码需要满足 ①至少八位长度 ② 数字+大小写+特殊字符组合的条件后才能设置成功。
所有账号(包括 SYS 账号)的密码符合复杂度要求
所有账号(包括 SYS 账号)的密码需要满足 ①至少八位长度 ② 数字+大小写+特殊字符
示例:
SYS/Abc123_2yP=y)
USER1/O1001ZGAfaes_0UP2
复制代码
设置密码策略
所有的 profile(尤其是默认策略 - default),都需要设置:
FAILED_LOGIN_ATTEMPTS 3 –- 登录失败锁定次数
PASSWORD_LIFE_TIME 90 –- 密码过期天数
PASSWORD_REUSE_TIME 1800 –- 密码复用间隔最小天数
PASSWORD_REUSE_MAX 6 –- 密码复用次数最大次数
PASSWORD_LOCK_TIME 1 –- 密码锁定天数
PASSWORD_GRACE_TIME 7 –- 密码过期前宽限天数
示例:
alter profile default limit
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LIFE_TIME 90
PASSWORD_REUSE_TIME 1800
PASSWORD_REUSE_MAX 6
PASSWORD_LOCK_TIME 1
PASSWORD_GRACE_TIME 7;
SQL> alter profile default limit FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LIFE_TIME 90 PASSWORD_REUSE_TIME 1800 PASSWORD_REUSE_MAX 6 PASSWORD_LOCK_TIME 1 PASSWORD_GRACE_TIME 7;
Succeed.
SQL> select * from dba_profiles;
PROFILE RESOURCE_NAME RESOURCE_TYPE LIMIT
---------------------------------------------------------------- ---------------------------------------------------------------- ------------- ---------------------------------------------
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 3
DEFAULT PASSWORD_LIFE_TIME PASSWORD 90
DEFAULT PASSWORD_REUSE_TIME PASSWORD 1800
DEFAULT PASSWORD_REUSE_MAX PASSWORD 6
DEFAULT PASSWORD_LOCK_TIME PASSWORD 1
DEFAULT PASSWORD_GRACE_TIME PASSWORD 7
6 rows fetched.
SQL> select username, profile from dba_users;
USERNAME PROFILE
---------------------------------------------------------------- ----------------------------------------------------------------
SYS DEFAULT
DBBAK DEFAULT
DBMGR PROF_SYS
USER1 DEFAULT
USER2 DEFAULT
5 rows fetched.
复制代码
无实际使用用途且非管理员的账号处于锁定状态
无实际使用用途且非管理员的账号(例如:MDSYS)处于锁定状态
示例:
SQL> select username, account_status from dba_users;
USERNAME ACCOUNT_STATUS
---------------------------------------------------------------- ---------------------------------
SYS OPEN
MDSYS LOCKED
2 rows fetched.
复制代码
禁用免密登录
对于崖山,禁止用户免密登录是检查 $YASDB_DATA/config/yasdb_net.ini,应有配置 ENABLE_LOCAL_OSAUTH = off
禁用默认密码
检查崖山默认密码是 Cod-2022 或者 yasdb_123,无法登录用户
示例:
[yashan@host-10-76-249-193 ~]$ yasql sys/Cod-2022
YashanDB SQL Release 22.2.12.100 aarch64
YAS-02143 invalid username/password, login denied
please input user name:
YASQL-00007 invalid username/password; logon denied
please input user name:
YASQL-00007 invalid username/password; logon denied
YASQL-00007 unable to CONNECT to Server after 3 attempts
[yashan@host-10-76-249-193 ~]$ yasql sys/yasdb_123
YashanDB SQL Release 22.2.12.100 aarch64
YAS-02143 invalid username/password, login denied
please input user name:
YASQL-00007 invalid username/password; logon denied
please input user name:
YASQL-00007 invalid username/password; logon denied
YASQL-00007 unable to CONNECT to Server after 3 attempts
复制代码
加密存储
根据实际情况调整。
1**、**如果客户无加密要求,则跳过此项设置。
2**、**如果只对某些表存在加密要求,则建表 DDL 需要使用加密表空间。
示例:
CREATE TABLESPACE USER1_SECURITY_DATA DATAFILE '?/dbfiles/USER1_SECURITY_DATA1.dbf' SIZE 2G AUTOEXTEND ON MAXSIZE UNLIMITED ENCRYPTION ENCRYPT;
CREATE TABLE USER1.TABLE1(COL1 INT PRIMRARY KEY, COL2 VARCHAR(100), xxx) TABLESPACE USER1_SECURITY_DATA;
复制代码
3**、如果用于所有表都存在加密要求,则不仅建表需要使用加密表空间,且用户的默认表空间****也需要设置为加密表空间。**
示例:
CREATE TABLESPACE USER1_SECURITY_DATA DATAFILE '?/dbfiles/USER1_SECURITY_DATA1.dbf' SIZE 2G AUTOEXTEND ON MAXSIZE UNLIMITED ENCRYPTION ENCRYPT;
CREATE TABLE USER1.TABLE1(COL1 INT PRIMARY KEY, COL2 VARCHAR(100), xxx) TABLESPACE USER1_SECURITY_DATA;
ALTER USER USER1 DEFAULT TABLESPACE USER1;
复制代码
设置审计策略
已开启审计:日志功能,审计内容覆盖到每个用户,能够记录重要用户行为和重要安全事件。用户登录系统、自主访问控制的所有操作记录、重要用户行为(如增加/删除用户,删除库表)等。注意:对仅对 DBA 权限用户设置 LOGON/LOGOFF 审计(如果有多个 DBA 账号,都需要审计)
alter system set UNIFIED_AUDITING=true;
CREATE AUDIT POLICY UP1 PRIVILEGES CREATE ANY TABLE, CREATE TABLE, ALTER ANY TABLE, DROP ANY TABLE, GRANT ANY PRIVILEGE, GRANT ANY OBJECT PRIVILEGE, GRANT ANY ROLE, CREATE USER, ALTER USER, DROP USER, DROP ANY ROLE, AUDIT SYSTEM;
CREATE AUDIT POLICY UP2 ACTIONS DROP TABLE, DROP ROLE, CREATE AUDIT POLICY, ALTER AUDIT POLICY, DROP AUDIT POLICY, AUDIT, NOAUDIT;
CREATE AUDIT POLICY UP3 ACTIONS LOGON, LOGOFF;
AUDIT POLICY UP3 BY SYS;
AUDIT POLICY UP1;
AUDIT POLICY UP2;
复制代码
示例:
设置审计清理策略
设置审计日志保留 270 天,每天清理一次过期的审计日志
BEGIN
DBMS_SCHEDULER.CREATE_JOB (
'update_audit_archive_time',
'PLSQL_BLOCK',
'BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, sysdate-270);END;' ,
0,
SYSDATE,
'sysdate+1',
NULL,
'DEFAULT_JOB_CLASS',
TRUE,
FALSE,
'update audit archive time');
END;
/
BEGIN
DBMS_AUDIT_MGMT.CREATE_PURGE_JOB (
DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
SYSDATE + 5/24,
'sysdate + 1',
'audit_job',
TRUE);
END;
/
复制代码
示例:
SQL> BEGIN
2 DBMS_SCHEDULER.CREATE_JOB (
3 'update_audit_archive_time',
4 'PLSQL_BLOCK',
5 'BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, sysdate-270);END;' ,
6 0,
7 SYSDATE,
8 'sysdate+1',
9 NULL,
10 'DEFAULT_JOB_CLASS',
11 TRUE,
12 FALSE,
13 'update audit archive time');
14 END;
15 /
PL/SQL Succeed.
SQL> select job_name, REPEAT_INTERVAL from DBA_SCHEDULER_JOBS;
JOB_NAME REPEAT_INTERVAL
---------------------------------------------------------------- ----------------------------------------------------------------
GATHER_STATS_JOB cast(TRUNC(SYSDATE+1) + 2/24 as timestamp)
UPDATE_AUDIT_ARCHIVE_TIME sysdate+1
2 rows fetched.
SQL> select job_name, JOB_ACTION from DBA_SCHEDULER_JOBS;
JOB_NAME JOB_ACTION
---------------------------------------------------------------- ----------------------------------------------------------------
GATHER_STATS_JOB begin DBMS_STATS.GATHER_DATABASE_STATS('GATHER AUTO', 0, 8, 'FOR ALL COLUMNS SIZE AUTO', 'GLOBAL', TRUE, TRUE); end;
UPDATE_AUDIT_ARCHIVE_TIME BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, sysdate-270);END;
2 rows fetched.
SQL> BEGIN
2 DBMS_AUDIT_MGMT.CREATE_PURGE_JOB (
3 DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
4 SYSDATE + 5/24,
5 'sysdate + 1',
6 'audit_job',
7 TRUE);
8 END;
9 /
PL/SQL Succeed.
SQL> select job_name, REPEAT_INTERVAL from DBA_SCHEDULER_JOBS;
JOB_NAME REPEAT_INTERVAL
---------------------------------------------------------------- ----------------------------------------------------------------
GATHER_STATS_JOB cast(TRUNC(SYSDATE+1) + 2/24 as timestamp)
UPDATE_AUDIT_ARCHIVE_TIME sysdate+1
AUDIT_JOB sysdate + 1
3 rows fetched.
SQL> select job_name, JOB_ACTION from DBA_SCHEDULER_JOBS;
JOB_NAME JOB_ACTION
---------------------------------------------------------------- ----------------------------------------------------------------
GATHER_STATS_JOB begin DBMS_STATS.GATHER_DATABASE_STATS('GATHER AUTO', 0, 8, 'FOR ALL COLUMNS SIZE AUTO', 'GLOBAL', TRUE, TRUE); end;
UPDATE_AUDIT_ARCHIVE_TIME BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, sysdate-270);END;
AUDIT_JOB BEGIN DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, true); END;
3 rows fetched.
复制代码
收尾
包含但不限于:
评论