Oracle漏洞扫描安全加固

1、OraCIe日常维护：数据库启动、关闭介绍关于操作系统和数据库合规检查漏洞的解决方案OraCIe数据库分册适用软件版本OraCleIog 11g适用硬件版本主题关于操作系统和数据库合规检查漏洞的解决方案OraCle数据库分册1、问题描述与原因：OraCIe数据库在合规检查时被扫描出漏洞，要求对这些漏洞进行解决。2、应对措施：对存在漏洞进行定制的安全加固操作。3、执行条件/注意事项：加固前确保服务器、数据库、网管运行均正常。最好重启下服务器、数 据库和网管查看重启后网管是否能运行正常。如果加固前服务器本身有问题， 加固后服务器运行异常会加大排查难度。本解决方案执行完成后，需要重启 OraCIe数

2、据库来生效某些操作。本解决方案不必完全执行，请根据系统扫描出的漏洞选择对应的漏洞条 目进行操作。如无特殊说明，本文中的执行用户均为OraCIe4、操作步骤：漏洞清单（单击可跳转）：（注：漏洞名称与配置项信息中的配置项名称对应。）漏洞1.检查是否对用户的属性进行控制（5）漏洞2.检查是否配置OraCIe软件账户的安全策略（2）漏洞3.检查是否启用数据字典保护漏洞4.检查是否在数据库对象上设置了 VPD和OLS（ 6）漏洞5.检查是否存在 dvsys用户dbms macadm寸象（14）漏洞6.检查是否数据库应配置日志功能（11漏洞7.检查是否记录操作日志 （13漏洞8.检杳是否记录安全事件日志

3、（7）漏洞9.检查是否根据业务要求制定数据库审计策略漏洞10.检查是否为监听设置密码漏洞11.检查是否限制可以访问数据库的地址（1）漏洞12.检查是否使用加密传输（4）漏洞13.检查是否设置超时时间（15）漏洞14.检查是否设置DBA组用户数量限制 （3）漏洞15.检查是否删除或者锁定无关帐号漏洞16.检查是否限制具备数据库超级管理员（ SYSDBA权限的用户远程登录（10）漏洞仃.检查口令强度设置 （17）漏洞18.检查帐户口令生存周期（12）漏洞19. 检查是否设置记住历史密码次数（8）漏洞20. 检查是否配置最大认证失败次数漏洞21.检查是否在配置用户所需的最小权限（9）漏洞22.检查是

4、否使用数据库角色（RoLE来管理对象的权限（16）漏洞23.检查是否更改数据库默认帐号的密码执行OraCle安全加固操作前备份文件：bash-3.2$ CP $ORACLE_HOME/network/admi n/liste ner.ora $ORACLE_HOME/networkSIIi/admi n/liste IIibash-3.2$ CP $ORACLE_HOME/network/admi n/sql net.ora $ORACLE_HOME/network/i-iII Iadmi n/sql OraCIe数据库漏洞的解决方案全部执行完成后，

5、需要重启OraCle实例来生效某些操作。漏洞1.检查是否对用户的属性进行控制类型：OraCIe数据库类'MONI问题：SQL>seiectcount(username) from dba_USerStWhere- PrOfiTen6tn('DEFATORlNGPROFILE');iIi:COUNT(T.USERNAME)-I!I解决方案：暂时不处理。漏洞2. 检查是否配置OraCle软件账户的安全策略类型：OraCIe数据库类问题：略解决方案：暂时不处理漏洞3.检查是否启用数据字典保护类型：OraCIe数据库类问题：SQL>'seTecfVaTUe7

6、rdm_V$parameterwhere'name'TikeT%07_DrCTrONARY_ACCESSIBILIITy%'III!ISelect value from v$Parameter Where name like '%O7_DICTIONARY_ACCESSI 引 LITY%'IIIiII*IIiIIiERROR at li ne 1:iIIORA-01034: ORACLE not availableIIIiiPrOCeSS ID: 0iIItSeSSi on ID: 0 SeriaI nu mber: 0IiI*«n！-r m

7、r v H ! ："!*! upfl：« kt 0 Ta LK Ti: r Fis解决方案：在数据库启动的情况下，通过下面的命令检查o7_dictio nary_acceSSibiIity的参数值：15 i r WlV bb air w r srw a r b HrB a f a r B r hLBWB ib aes wMWBB r bBHIeB V air maB hsawba Wb h, FB av fSaq ! 9 B!m B r e a vE a 9 v0BaB hb TrV HK B19MVBer ULB"WHzIbaSh-3.2$ sqlplus Sy

8、Stem/oracle<SID>IIiSSQL*Plus: ReIeaSe .0 - PrOdUCtiOn on ThU Jan 9 11:33:56 2014ISIiCopyright (C) 1982, 2007, OraCle. All RightS Reserved.IIIiiIIIIIIiiConn ected to:OraCIe DatabaSe 10g En terprise Editi On ReIeaSe 102040 - PrOduCtiOnI1I1:IWith the Partitioning, OLA Data Mining and Real

9、 APPIiCation TeSting optionsIIIS:iI-ii；ISQL> show Parameter o7_dicti on ary_accessibility;NAMEITYPEVALUEO7 DlCTIONARY ACCESSIBILITY boolean FALSEI检查出默认的结果是FALS后，使用下面的命令退出SQL*PLUSIISQL> exitIii64bitISDiSConnected from OraCIe DatabaSe 11g Enterprise Edition ReIeaSe 1120.3.0 - iiiPrOdUCti oniIIii

10、With the Partitioning, OLAData Mining and ReaI APPIiCation TeSting optionsIiBJl BaBiBBBBM-BBa & _> “!£ BrB ! B-UB W4BjB !& BUB-« U _漏洞4.检查是否在数据库对象上设置了 VPD和OLS类型：OraCIe数据库类问题：SQL> SeIeCt coun t(*) from v$vpd_policy;IJ；COUNT(*)0Ilai!BBa*BB a>EBaB *BBaa-Ii a*BB a BHa*BBaBBSAB

11、Haa>BBB a*BBB* a*BBB*B BaULHBJBBB a*BB*SB解决方案：暂时不处理。漏洞5. 检查是否存在 dvsys用户dbms_macadm寸象类型：OraCIe数据库类问题： H !& _ = = *.|&1. _ BMBiSBMB _ 4 + SQL> SeIeCt COun t(*) from dba_USerS Where USer name='DVSYS'I1 COUNT(*)0Ii解决方案：暂时不处理。漏洞6.检查是否数据库应配置日志功能类型：OraCIe数据库类问题：SQL> SeIeCt coun t(*

12、) from dba_triggers t Where trim(t.triggeri ng_eve nt) = trim('ON');i!II COUNT(*)页脚内容42问题：SQL> SeIeCt COun t(*) from dba_triggers t Where trim(t.triggeri ng_eve nt) = trim('L ON');iI-Ii CoUNT(*)0VBBB H IlTB B B-B 解决方案：暂时不处理。漏洞9.检查是否根据业务要求制定数据库审计策略类型：OraCIe数据库类问题：SQL> SeIeCt val

13、ue from v$Parameter t Where t.n ame = 'audit_trail'ii:iSelect value from v$Parameter t Where t.n ame = 'audit_trail'*!IERROR at li ne 1:ji；1iORA-01034: ORACLE not availableIiPrOCeSS ID: 0jSeSSiOn ID: 0 SeriaI nu mber: 0解决方案：暂时不处理。漏洞10.检查是否为监听设置密码类型：OraCIe数据库类问题：$ Cat find $ORACLE_HOM

14、E -n ame sql net.ora' | grep -V "#"|grep -V "八$"!ifind: 0652-081 CannOt Cha nge directory to voracleappOraCle/dbhome_1/sysman : _con fig/pref>:iI:The file access PermiSSiOnS do not allow the SPeCified action.!Iii$ Cat 'find $ORACLE_HOME -name listener.ora' | grep -

15、V "#"|grep -V "$"iIjfind: 0652-081 CannOt Cha nge directory to voracleappOraCle/dbhome_1/sysmaIiIcon figpref>:iIICiiIS:The file access PermiSSions do not allow the SPeCified action.!jiISID LIST LlSTENER = IIIIII(SID_LIST=iIIIKiiII(SID_DESC =iIIiIIKi (SID_NAME = PLSEXtPrOC)iIEI

16、jE(ORACLE_HOME = /oracle/app/oracle/dbhome_1)IEIIKI(PROGRAM = extproc)i )III (SID_DESC =BIi(GLOBAL_DBNAME = minos)III(ORACLE_HOME = oracleappOraCle/dbhome_1)IiII(SID_NAME = minos)II:i )IiI )ISIiLlSTENER =:I!II (DESCRIPTION_LIST =IiII (DESCRIPTION =8I:II (ADDRESS = (PROTOCOL = TCP)(HOST = 100.92.255.

17、141)(PoRT = 15：ISIiI)IIiI1 )IADR_BASE_LISTENER = oracleappOraCleII解决方案：bash-3.2$ls nrctlIIIi:I!I-JAN-20LSNRCTL for IBM/AIX RISC SyStem/6000: VerSiO n .0 - PrOdUCtiOn Oni14 15:11:21COPyright (C) 1991,2011, Oracle. All rights reserved.IIIkiIIIIIIiIIIIIIIIiWelcome to LSNRCTL, type "help&qu

18、ot; for in formatio n.IIIiIiEIiIiILSNRCTlCha nge_paSSWOrdIKIiOld PaSSWord:如果之前没有密码则这里不填，直接按En ter键>iiIENeW PaSSWord:IIEIICIRee nter new PaSSWord:i IISIICo nn ect ing to (DESCRlPTloN=(ADDRESS=(PRoToCoL=TCP)(HoST=2)(PoRTiFi=1521)iIIIEIPaSSWOrd Chan ged for LISTENERiiIiiiIThe comma nd com

19、pleted SUCCeSSfullyiiSIILSNRCTL>ave_c onfigISIIEICo nn ect ing to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=2)(PORTI=1521)IIIS!Saved LISTENER con figurati on ParameterS.IjLiSte ner Parameter File /oracle/app/oracle//dbhome_1/ netWork/adm in/IRIIIiSte ner.oraiiIkiIEIjjQld Parame

20、ter File /oracle/app/oracle//dbhome_1/netWork/admi n/l iste:n er.bakIIEIThe comma nd completed SUCCeSSfullyIIILSNRCTLXitIIIII!Ibash-3.2$IIEIj:设置完成后通过下面的命令检查：IIiDS"bash-3.2$ Cat $ORACLE_HOME/network/admi n/l iste ner.ora | grep "PASSWRII有输出则说明已经设置成功了。EIIBJB U M « Bd H « KB

21、 B BlB KB B N M-B B4 £ » U B « K-B B BiB B _ B BS漏洞11.检查是否限制可以访问数据库的地址类型：OraCIe数据库类问题：$ Cat 'find $ORACLE_HQME -n ame sql net.ora' j grep -V "#"|grep -V "$"IIIIifind: 0652-081 CannOt Change directory to voracleappOraCle/dbhome_1/sysmaiIj/con fig/pref>:II

22、!Iji:The file access PermiSSi OnS do not allow the SPeCified acti on.IIII$ Cat 'find $ORACLE_HOME -n ame liste ner.ora' grep -V "#"|grep -V "$"IIISIIBIjfind: 0652-081 CannOt Cha nge directory to </oracle/app/oracle/dbhome_1/sysmaii IIScon fig/pref>:II:The file acces

23、s PermiSSi ons do not allow the SPeCified acti on.SID LIST LISTENER =ji (SlDjjST =IEIIEII (SIDJDESC =IHIiSI(SIDJNAME = PLSEXtPrOC)IIII(ORACLEJHOME= oracleappOraCle/dbhome_1)IIiI(PRoGRAM = extproc)IiiIIii )IISIII!I (SIDJDESC =iII!IIiiI (GLOBALJDBNAME = min os)!iIiI(ORACLEJHOME = /oracle/app/oracle/db

24、home_1)? II!Ii(SIDJNAME = minos)IIIi )IiLISTENER =IiI (DESCRIPTIONJLIST =jiii (DESCRIPTION =IIiI(ADDRESS = (PROTOCOL = TCP)(HOST = 41)(PoRT = 1521)IIIiii )iIIIiIiI )iIIADR_BASE_LISTENER = oracleappOraCIeIl>iiBBa*BB a*BBj a*BB- aa*saa* aBi a*BB a解决方案： 检査 $oRACLE_HOMEnetwrkdminSqinet.o文

25、件中是否有以下行：:IiITCPALlDNoDE CHECKING = YESIi；TCFTNVITED_NODES = (VhOSt_1>, VhOSt_2>,)其中<host x>是允许访问本数据库的IP地址。jI如果没有，则根据需要在文件中添加，随后重启数据库。i!重启完成后，则数据库只允许 TCFTNVITED_NOD列出的IP来访问。I;IIIISII如果不存在sqlnet.ora文件，请使用以下命令创建此文件后再实施上面的操I作：IIIbash-3.2$touch $ORACLE_HOME/network/admi n/sql net.oraI!漏洞12.检

26、查是否使用加密传输类型：OraCIe数据库类问题:$ Cat 'find $ORACLE_HOME -n ame sql net.ora' grep -V "#"|grep -V "八$"!iI!find: 0652-081 CannOt Change directory to </oracle/app/oracle/dbhome_1/sysmacon fig/pref>:The file access PermiSSi OnS do not allow the SPeCified acti on.IIiI$ Cat '

27、;find $ORACLE_HOME -n ame Iiste ner.ora' grep -V "#"|grep -V "$"IIIiifind: 0652-081 CannOt Cha nge directory to </oracle/app/oracle/dbhome_1/sysmaIIIcon fig/pref>:II；:The file access PermiSSi ons do not allow the SPeCified acti on.iISID LIST LlSTENER =!-iiIII(SID_LIST =

28、iIIIiI(SID_DESC =II(SID_NAME= PLSEXtPrOC)iiIIii(ORACLE_HOME = /oracle/app/oracle/dbhome_1)iIiEII(PROGRAM= extproc)IIKIiS)IiI(SID_DESC =I(GLOBAL_DBNAME=min os)IIi(ORACLE_HOME = /oracle/app/oracle/dbhome_1)IiEIIiI (SID_NAME = minos)IiS1 )IIIE1 )SII!IiLISTENER =Ii (DESCRIPTloNjJST =IIIEI(DESCRIPTION =I

29、II (ADDRESS = (PROTOCOL = TCP)(HOST = 41)(PORT = 1521)I丨SII!iI )丨IIEIiEIIIIi )IIADRJBASEJLISTENER = oracleappOraCIe|IEII0 Hn wk «*! r* n Tc i"B *!« kt 0i : The file access PermiSSions do not allow the SPeCified action.H wev m Ta LK TU hr f-K"KH » *! !解决方案：暂时不处理。漏

30、洞13.检查是否设置超时时间类型：OraCIe数据库类问题：J B an an an a « . nn * B an an Kn :B an na mu * n an .$ Cat 'find $ORACLEJHOME -n ame sql net.ora' grep -V "#"|grep -V "$"iII II:Ifind: 0652-081 CannOt Cha nge directory to voracleappOraCle/dbhome_1/SySman iiIiIcon figpref>:IIIIiEi :

31、 The file access PermiSSiOnS do not allow the SPeCified action.IIIISIIBI$ Cat 'find $ORACLEJHOME -n ame liSte ner.ora' grep -V "#"|grep -V "$"IIIEIiEifind: 0652-081 CannOt Cha nge directory to </oracle/app/oracle/dbhome_1/SySmaniIi con figpref>:SlDJJSTJJSTENER =IKII

32、EII(SIDJLIST =IHIiSI(SIDJDESC =iIIiiI (SIDJNAME = PLSEXtPrOC)!IiI(ORACLEJHOME = oracleappOraCle/dbhome_1)IiiII (PROGRAM = extproc)II!i)丨II!Iii(SID DESC =IIIII(GLOBALJDBNAME= min os)II!Ii(ORACLEJHOME= /oracle/app/oracle/dbhome_1)IIISII(SIDJNAME = minos)jIIIIIi)iji )iIIiLISTENER=jiii (DESCRIPTIONJLIST

33、 =IIiI(DESCRIPTION =III (ADDRESS = (PROTOCOL = TCP)(HOST = 41)(PoRT = 152")IIIiIiI )丨IIi )IIADR_BASE_LISTENER = oracleappOraCIe:IB 、,如果不存在sqlnet.ora文件，请使用以下命令创建此文件后再实施上面的操II作：II:bash-3.2$ touch $0RACLEJHOME/network/admi n/sql net.ora: 漏洞14.检查是否设置DBA组用户数量限制类型：OraCIe数据库类问题:略解决方案:VB*&#

34、187;* ! +！*:*« K丁！TV!«TE! m解决方案： 通过下面的命令检查是否 设置了 SQLNET.EXPIRE的参黴值为10:In et.or|bash-3.2$ grep -i "SQLNET.EXPIRE_TIME" $0RACLEjHoME/network/admi n如果没有设置，在 $0RACLEJHOME/network/admin/sqlnet.ora文件中添加一行JI-IISQLNET.EXPIREJTIME=101II随后重新启动监听和数据库。II手动将其他非OraCIe的用户从dba组中删除，将OraCIe用户从root

35、或SySteml 组中删除。查询用户所属组的命令是groups VuSername>。改变用户所属组的命令是 USermOd -G VgrOUP name1> , VgrOUP name2> VUSer name>漏洞15.检查是否删除或者锁定无关帐号类型：OraCIe数据库类问题： W « *!*!！（"! M WW !« !（PT！（ LHTM"!丁！（乍 SQL> SeIeCt t.user name from dba_USerS t Where t.acco Un t_StatUS = 'OPEN'S

36、elect t.uSername from dba USerS t Where t.account StatUS = 'OPEN': 一 一iIi*II!iIERROR at Ii ne 1:IIIiIRORA-01034: ORACLE not availablePrOCeSS ID: 0iIiSeSSi on ID: 0 SeriaI nu mber: 0IIi解决方案：暂时不处理。漏洞16.检查是否限制具备数据库超级管理员（SYSDBA权限的用户远程登 录类型：OraCIe数据库类问题：_LOGINSQL> SeIeCt t.VALUE from v$Paramet

37、er t Where upper(t.NAME) like '%REMOTPasswordfile%'；j:IVALUEii:iBJ-iI:II:IEXCLUSIVEi-II B BrB B IlrB B BTB B B B-B » VB ! BTB KB BrB B W BTB B » BTB »! B-B B » n B BIK BBBBfBBB B BTB B » BTB P B 解决方案：在数据库启动时，通过下面的命令检查remote_login_PaSSWOrdfiIe的参数j值：!bash-3.2$ sqlplus

38、sys/oracle<SID> as SySdbaiSQL*Plus: ReIeaSe 10.2.040 - PrOdUCtiOn on ThU Jan 9 11:33:56 2014IiJ-COPyright (C) 1982, 2007, Oracle. All RightS Reserved.iriI:iiCOnn ected to:II:II'-IiI'OraCIe DatabaSe 10g En terprise Editi On ReIeaSe .0 - PrOdUCtiOniJ-With the Partitioning, OLADat

39、a Mining and Real APPIiCation TeSting optionsIB!IBiaiIiSQL>show ParameterS remote_logi n_pasSWOrdfile;NAMETYPE VALUEIIi:i-Ii:IremOte_lOg in _PaSSWOrdfiIeStri ng EXCLUSIVEi-III:I如果参数值为NoNE则默认满足安全要求。否则，通过下面的SQL语句修I:；改参数值为NONEIBI-SQL>alter SyStem Set remoteOgi n_passwordfile=NONE SCOPe=SPfile;:i；

40、ISyStem altered.i:I'-IBII:Ii修改后重启数据库：IIiSQL> ShUtdOW n immediateIISIiiiDatabaSe closed.I:II-IiSDatabaSe dism Oun ted.:II:IIORACLE in Sta nce ShUt dow n.IinI:iIbaSh-3.2$ export ORACLE_SID=<SID>1II-I:IIbash-3.2$ sqlplus /no IOgII:IIiIIiiiiQL*Plus: ReIeaSe .0 - PrOdUCtiOn on TUe Ma

41、y 20 11:01:55 2014COPyright (C) 1982, 2010, Oracle. All RightS Reserved.IIjiJiI:SQL> COnn / as SySdbaiIiCOnn ected to an idle in Sta nce.IIIISQL> StartUPII!IORACLE in Sta nce started.i:SIijITotal SyStem Global Area 8589934592 bytesFiXed SiZeI2065744 bytesIi'IVariabIe SiZeII-F3238009520 byt

42、esiIDatabaSe BUfferSIIa5301600256 bytes-IiRedo BUfferSr48259072 bytesDatabaSe moun ted.I:I:IDatabaSe ope ned.ISISql>:IiI【检查参数值是否修改成功：II:IISQL> show ParameterS remote_log in _PaSSWOrdfile;NAMETYPEVALUEIremOte_lOg in _PaSSWOrdfiIeStri ngNONE:-II；修改成功后退出SQL*PLUSI»-IK:SQL> exitiDiSC Onn ec

43、ted from OraCIe DatabaSe 10g En terprise Editi On ReIeaSe 102040IICtiOn!iIIWith the Partitioning, OLAData Mining and Real APPIiCation TeSting optionsj 漏洞17.检查口令强度设置类型：OraCIe数据库类问题：SQL>seIect cou nt(*) from dba_profiles Where resource_name = 'PASSWORD, I-:FUNCTlON' and limit = 'NULL

44、9;iI COUNT(*)ProduERIFY_1解决方案：暂时不处理。漏洞18.检查帐户口令生存周期类型：OraCIe数据库类问题：SQL>seieCf Timit from dba_pr6files t 一 Where - resourCe_name 三 'PASSWORD_LTFE_TIMEL一一一I ;IIiIiSLlMIT!:ZIIIIII!I!iUNLIMITEDIIIiIDEFAULTIiIiDEFAULTIB WBTBBBra B B B VB BBIB BBTB B WB arBWB B * B!BB B HB m WB B nB BEBB ra V Bn H

45、BTBB KBB VB解决方案：暂时不处理。漏洞19.检查是否设置记住历史密码次数类型：OraCIe数据库类问题：I LK Bnr！B*u bn m !*!哙01! m «f0-B » sr m ！FK!* : BTB ！-B!ir n:W TB n v n nr«n TB n 0 ,SQL> SeIeCt limit from dba profiles t Where resource name = 'PASSWORD REJSE MAI!X'；i, JICIIEILIMITjIIUNLIMlTEDIIDEFAULTI!IIDEFAULTIJI解决方案：暂时不处理。漏洞20.检查是否配置最大认证失败次数类型：OraCIe数据库类问题:SQL> SeIeCt limit from dba profiles t Where resource name = 'FAILED LOGlNLIPts'；IIiIKIPTS'Select limit from dba profiles t Where resource name = 'FAILED LOGIN ATTEMSLEICiIK