(完整版)Oracle漏洞扫描安全加固

1、关于操作系统和数据库合规检查漏洞的解决方案Oracle数据库分册适用软件版 本Oracle10g、11g适用硬件版主题关于操作系统和数据库合规检查漏洞的解决方案Oracle数据库分册1、问题描述与原因：Oracle 数据库在合规检查时被扫描岀漏洞，要求对这些漏洞进行解决。2、应对措施：对存在漏洞进行定制的安全加固操作。3、执仃条件/注意事项：?加固前确保服务器、数据库、网管运行均正常。最好重启下服务器、数据库和网管查看重 启后网管是否能运行正常。如果加固前服务器本身有问题，加固后服务器运行异常会加大 排查难度。?本解决方案执行完成后，需要重启Oracle数据库来生效某些操作。?本解决方案不必完

2、全执行，请根据系统扫描出的漏洞选择对应的漏洞条目进行操作。?如无特殊说明，本文中的执行用户均为oracle4、操作步骤：漏洞清单（单击可跳转）：（注：漏洞名称与配置项信息中的配置项名称对应。）漏洞1.检查是否对用户的属性进行控制（5）漏洞2.检查是否配置Oracle软件账户的安全策略（2）漏洞3.检查是否启用数据字典保护漏洞4.检查是否在数据库对象上设置了VPD和OLS（6）漏洞5.检查是否存在dvsys用户dbms macadn对象（14）漏洞6.检杳是否数据库应配置日志功能（11）漏洞7.检查是否记录操作日志（13）漏洞8.检查是否记录安全事件日志（7）漏洞9.检杳是否根据业务要求制定数据

3、库审计策略漏洞10.检杳是否为监听设置密码漏洞11.检杳是否限制可以访问数据库的地址（1）漏洞12.检杳是否使用加密传输（4）漏洞14.检查是否设置DBA组用户数量限制 （3）漏洞15.检查是否删除或者锁定无关帐号漏洞16.检查是否限制具备数据库超级管理员（SYSDBA权限的用户远程登录（10）漏洞17.检查口令强度设置（17）漏洞18.检查帐户口令生存周期（12）漏洞19.检查是否设置记住历史密码次数（8）漏洞20.检查是否配置最大认证失败次数漏洞21.检查是否在配置用户所需的最小权限（9）漏洞22.检查是否使用数据库角色（ROLE来管理对象的权限（16）漏洞23.检查是否更改数据库默认帐号

4、的密码执行Oracle安全加固操作前备份文件：bash-3.2$ cp $ORACLE_HOME/network/admin/listener.ora $ORACLE_HOME/network/admin/listene Iibash-3.2$ cp $ORACLE_HOME/network/admin/sqlnet.ora $ORACLE_HOME/network/admin/sqlnet.orIIKT n* T* 0F n*TTl! fTIS KT fnp *TH LK IT*TH rOracle数据库漏洞的解决方案全部执行完成后，需要重启Oracle实例来

5、生效某些操作。漏洞1.检查是否对用户的属性进行控制类型：Oracle数据库类问题：;SQL select count(t.username) from dba_users t where profile not in (DEFAUL ,MONl 亍 ORlNG_PROFILE);QOUNT(T.USERNAME)- 0I！IP M!*m ! b!( P * E! -!* m 一* VBF !( H F解决方案：暂时不处理。漏洞2.检查是否配置Oracle软件账户的安全策略类型：Oracle数据库类问题：略解决方案：暂时不处理类型：Oracle数据库类问题：I J-t I a BIB 41B _

6、!11* ：-丄一 _“ BJI, KHBB B K BJB LBHB I j OBJ -I U i U “ SS J JUJ,KUH ! _ Va._H4 I I|SQL select value from v$parameter where name like %O7_DICTIONARY_ACCESSlBILITY%;seleict value from v$parameter where name like %O7_DICTIONARY_ACCESSIBILITY%I:*:ERROR at line 1:i:ORA-01034: ORACLE not availableiProcess

7、 ID: 0I:Session ID: 0 Serial number: 0I解决方案：在数据库启动的情况下，通过下面的命令检查o7_dictio nary_accessibility的参数值：:bash-3.2$ sqlplus system/oracleI:SQL*Plus: Release .0 - Production on Thu Jan 9 11:33:56 2014ICopyright (c) 1982, 2007, Oracle. All Rights Reserved.ii!IConnected to:iOracle Database 10g Enterpri

8、se Edition Release .0 - ProductionIWith the Partitioning, OLAP, Data Mining and Real Application Testing optionsi:iiSQL show parameter o7_dictionary_accessibility;iiiNAMETYPE VALUEiI- -IO7_DICTIONARY_ACCESSIBILITY boolean FALSEI检查出默认的结果是 FALSE 后，使用下面的命令退出SQL*PLUS:SQL exitDisconnected from Or

9、acle Database 11g Enterprise Edition Release .0 - 64bit ProI:ductionIWith the Partitioning, OLAP, Data Mining and Real Application Testing optionsI M M M WiHM ： M N M W W漏洞3.检查是否启用数据字典保护 M M ,漏洞4.检查是否在数据库对象上设置了VPD和OLS类型：Oracle数据库类问题：iSQL select count(*) from v$vpd_policy;i_:COUNT(*)解决方案:暂时不处

10、理。漏洞5.检查是否存在dvsys用户dbms_macadm寸象类型：Oracle数据库类问题： F B-VB HTBT - - - 一 BH VH B-ITB ! = TF- - -g ! n UB 一 HT -! IQQL select count(*) from dba_users where username=DVSYS;| _:COUNT(*)_i0ISTTBEKTB*! I V B1-rSH!l I I R丁*rTBK RFT R I R TFT VVB 9 TVS WEh*niTTB ET TTLT RK=FTH H_T B TT1S HTT S H 1解决方案：暂时不处理。漏洞

11、6.检查是否数据库应配置日志功能类型：Oracle数据库类问题： nra n : an fin nrKF!m* n rai；SQL select count(*) fromdba_triggers t where trim(t.triggering_event) = trim(LOGON b;j1 COUNT(*)h解决方案：暂时不处理。漏洞7.检查是否记录操作日志类型：Oracle数据库类问题：SQL select value from v$parameter t where = audit_trail;: _ iselect value from v$parameter t

12、where = audit_trailI一aI*jERROR at line 1:IQRA-01034: ORACLE not availableProcess ID: 0Session ID: 0 Serial number: 0解决方案：暂时不处理。检查是否记录安全事件日志类型：Oracle数据库类问题：ISQL seleCt count(*)frOm dba_triggers t where - trim(t.triggering_eVent) = trim(LOGONi!); COUNT(*)h解决方案：暂时不处理。漏洞9.检查是否根据业务要求制定数据库审计策略类型：Or

13、acle数据库类问题：| n -n RB wa -n vara HHTB BLa. H ran =n ir m H an nr m BV rara n ! - BtH n n EH I：SQL select value from v$parameter t where = audit_trail;i_iselect value from v$parameter t where = audit_traili如IaIERRORat line 1:IORA-01034: ORACLE not availableIprocess ID: 0:Session ID: 0 Se

14、rial number: 0解决方案：暂时不处理。漏洞10.检查是否为监听设置密码类型：Oracle数据库类问题：$ cat find $ORACLE_HOME -name sqlnet.ora | grep -v #|grep -v A$find: 0652-081 caninot change directory to : : The file aIIiccess permissions do not allow the specified action.:i$ cat find $ORACLE_HOME -name listener.ora | grep -v #|grep -v A$f

15、ind: 0652-081 cIaiannot change directory to : : The fileIi access permissions do not allow the specified action.SID_LIST_LISTENER = (SID_LIST =漏洞8.i (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = /oracle/app/oracle/dbhoIme_1)(PROGRAM = extproc) ) (SID_DESC = (GLOBAL_DBNAME = minos) (ORACLE_HOME

16、= /oracle/app/oracle/dbhome_1) (SID_NAME = minos) ) )LISTENER = (D iESCRIPTION_LIST= (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 100.92.255. |141)(PORT = 1521) )ADR_BASE_LISTENER = /oracle/app/oracle解决方案：;bash-3.2$ lsnrctl【LSNRCTL for IBM/AIX RISC System/6000: Version 1120.3.0 - Production on

17、08-JAN-2014 1I5:11:21IIIiCopyright (c) 1991,2011, Oracle. All rights reserved.Iii:Welcome to LSNRCTL, type help for information.i!I|LSNRCTLchange_passwordIOld password: INew password:Reenter new password:I:Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=2)(PORT=1521)jPassword chan

18、ged for LISTENERIThe command completed successfullyI!LSNRCTLsave_configIConnecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=2)(PORT=1521)ISaved LISTENER configuration parameters.ilistener Parameter File /oracle/app/oracle//dbhome_1/network/admin/listener.oLa一I!Old Parameter Fi

19、le /oracle/app/oracle//dbhome_1/network/admin/listener.bakThe command completed successfullyI:LSNRCTLexitI:bash-3.2$1 设置完成后通过下面的命令检查：Iibash-3.2$ cat $ORACLE_HOME/network/admin/listener.ora | grep PASSWORDS【有输岀则说明已经设置成功了。I 皿! ! B.B J* KB !漏洞11.检查是否限制可以访问数据库的地址类型：Oracle数据库类问题：；$ cat find $ORAC

20、LE_HOME -name sqlnet.ora | grep -v #|grep -v A$find: 0652-081 caninot change directory to : : The file aiiccess permissions do not allow the specified action.|$ cat find $ORACLE_HOME -name listener.ora | grep -v #|grep -v A$find: 0652-081 ciannot change directory to : : The fileIi access permissions

21、 do not allow the specified action.SID_LIST_LISTENER = (SID_LIST =i (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = /oracle/app/oracle/dbhoI|me_1)(PROGRAM = extproc) ) (SID_DESC = (GLOBAL_DBNAME = minos) (O|RACLE_HOME = /oracle/app/oracle/dbhome_1) (SID_NAME = minos) ) )LISTENER = (DI|ESCRIPTION_

22、LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 100.92.255. h41J)(POR匚=521) JJADRnBASEnLlSTENERM/oracle/app/oracle解决方案：检查 $oRACLE_HOME/network7admin7sqihet.or-文件中是否有以下行:.|TCP.VALIDNODE_CHECKING = YESiTCPNVITED_NODES = (, ,)|其中是允许访问本数据库的 IP 地址。如果没有，则根据需要在文件中添加，随后重启数据库。重启完成后，则数据库只允许TCP.INVITE

23、D_NODE 列出的 IP 来访问。I!I如果不存在 sqlnet.ora文件，请使用以下命令创建此文件后再实施上面的操作：Ijbash-3.2$ touch $ORACLE_HOME/network/admin/sqlnet.ora漏洞12.检查是否使用加密传输类型：Oracle数据库类问题：!$ cat find $ORACLE_HOME -name sqlnet.ora | grep -v #|grep -v A$find: 0652-081 canI_inot change directory to v/oracle/app/oracle/dbhome_1/sysman/config/

24、pref: : The file a:ccess permissions do not allow the specified action.Ii$ cat find $ORACLE_HOME -name listener.ora | grep -v #|grep -v A$find: 0652-081 ciIiannot change directory to v/oracle/app/oracle/dbhome_1/sysman/config/pref: : The file:access permissions do not allow the specified action.SID_

25、LIST_LISTENER =i-i (SID_LIST =! (SID_DESC =i(SID_NAME = PLSExtProc)(ORACLE_HOME = /oracle/app/oracle/dbhome_1)(PROGRAM = extproc)I!)I| (SID_DESC =(GLOBAL_DBNAME = minos)i(ORACLE_HOME = /oracle/app/oracle/dbhome_1)(SID_NAME = minos)II!)QILISTENER =! (DESCRIPTION_LIST =| (DESCRIPTION =i (ADDRESS = (PR

26、OTOCOL = TCP)(HOST = 1OO.92.255.141)(PORT = 1521)I )I )AD-R_B-AS-E_L!TE_N-ER_ Poracle/app/oracle-.解决方案：暂时不处理。类型：Oracle数据库类问题：|$ caffind-$ORACLE_HOME -name sqTnet：oraT grep -v 毋grep -v 呗.find: 0652-081 cannot change directory to :I:The file access permissions do not allow the specified action.j$ cat

27、find $ORACLE_HOME -name listener.ora | grep -v #|grep -v A$Ifind: 0652-081 cannot change directory to :II:The file access permissions do not allow the specified action.SID LIST LISTENER =Ii (SID_LIST =II (SID_DESC =(SID_NAME = PLSExtProc)I(ORACLE_HOME = /oracle/app/oracle/dbhome_1) (PROGRAM = extpro

28、c)I:)II (SID_DESC =I一(GLOBAL_DBNAME = minos)I(ORACLE_HOME = /oracle/app/oracle/dbhome_1)(SID_NAME = minos)Ii)ILISTENER=Ii (DESCRIPTION_LIST =i| (DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = 41)(PORT = 1521)1 )i)|ADR_BASE_LISTENER = /oracle/app/oracle解决方案：通过下面的命令检查是否设置了 SQLNET.EXPiRE_T

29、iMi 的参数值为10：.|bash-3.2$ grep -i SQLNET.EXPIRE_TIME $ORACLE_HOME/network/admin/sqlnet.ora|如果没有设置，在 $ORACLE_HOME/network/admin/sqlnet.ora 文件中添加一行：iSQLNET.EXPIRE_TIME=10i 随后重新启动监听和数据库。I!:如果不存在 sqlnet.ora 文件，请使用以下命令创建此文件后再实施上面的操作： ibash-3.2$touch $ORACLE HOME/network/admin/sqlnet.ora漏洞13.检查是否设置超时时间类型：Or

30、acle数据库类问题：略解决方案：手动将其他非oracle的用户从dba组中删除，将oracle用户从root或system组中 删除。查询用户所属组的命令是groups 。改变用户所属组的命令是usermod -G vgroup name1 , vgroup name2 select t.username from dba_users t where t.account_status = OPEN;select t.usernaIime from dba users t where t.account status = OPEN*ERROR at line 1:ORA-01034: ORAC

31、LE n!Iot availableProcess ID: OSession ID: 0 Serial number: 0IHF：nKP bB TH 寸 bl： !TH R - KF n丁nbH El kU丁! 1解决方案：暂时不处理。漏洞16.检查是否限制具备数据库超级管理员(SYSDBA权限的用户远程登录类型：Oracle数据库类问题：|SQL select t.VALUE from v$parameter t where upper(t.NAME) like %REMOTE_LOGIN_PASSWOR IDFILE%；IVALUEI_|:EXCLUSIVE解决方案：在数据库启动时，通过下

32、面的命令检查emote_l 亦匚 passWordfiie. 的参数值.i:bash-3.2$ sqlplus sys/oracle as sysdba:SQL*Plus: Release .0 - Production on Thu Jan 9 11:33:56 2014II:Copyright (c) 1982, 2007, Oracle. All Rights Reserved.ii:Connected to:IOracle Database 10g Enterprise Edition Release .0 - ProductionWith the Pa

33、rtitioning, OLAP, Data Mining and Real Application Testing options漏洞14.检查是否设置DBA组用户数量限制iiijSQL show parameters remote login passwordfile;NAMETYPE VALUEIII !i|remote_login_passwordfile string EXCLUSIVEI|如果参数值为 NONE 则默认满足安全要求。否则，通过下面的SQL 语句修改参数值为I；SQL alter system set remote_login_passwordfile=NONE sc

34、ope=spfile;IIiaII:System altered.ii:i【修改后重启数据库：I:SQL shutdown immediateII:Database closed.IDatabase dismounted.iORACLE instance shut down.Ibash-3.2$ export ORACLE_SID=；:bash-3.2$ sqlplus /nologIII;SQL*Plus: Release 1020.5.0 - Production on Tue May 20 11:01:55 2014IIiCopyright (c) 1982, 2010, Oracle.

35、 All Rights Reserved.!I;SQL conn / as sysdba:Connected to an idle instance.i:SQL startupORACLE instance started.II:Total System Global Area 8589934592 bytesFixed Size2065744 bytesIVariable Size3238009520 bytes:Database Buffers5301600256 bytesI:Redo Buffers48259072 bytes:Database mounted.【Database op

36、ened.:SQLI1 检查参数值是否修改成功：SQL show parameters remote_login_passwordfile;:NONEIiNAMETYPE VALUEIIi|remote_login_passwordfile string NONE修改成功后退出 SQL*PLUSIiSQL exitIDisconnected from Oracle Database 10g Enterprise Edition Release .0 - ProductioinWith the Partitioning, OLAP, Data Mining and Real Ap

37、plication Testing optionsII0* *!R ri! mT* n: mbu* !* 0F-CR ir* u-!- n IBT m n LVn nm漏洞17.检查口令强度设置类型：Oracle数据库类问题： *u.：a亠n 4& wa -& AB 4“ a* B-U 亠: UmB亠= u亠口 u. u=:_ u-a wBS ua三三 - 三三f*-；SQL select count(*) from dba_profiles where resource_name = PASSWORD_VERIFY_FUNCTION：and limit = NULL;COUN

38、T(*)li| 1解决方案：暂时不处理。漏洞18.检查帐户口令生存周期类型：Oracle数据库类问题：iSQL select limit from dba_profiles t where resource_name = PASSWORD_LiFE_ TIME;【LIMIT-UNLIMITEDDEFAULTDEFAULT解决方案：暂时不处理。漏洞19.检查是否设置记住历史密码次数类型：Oracle数据库类问题：SQLselect limit from dba_profiles t where resource_name = PASSWORD_REUSE_MAX;LIMITi；iUNLIMITE

39、DIDEFAULTDEFAULTI0T h* *1!m*mm:TH FF H I!* TFF H U! 0 FP W！ U -n寸*I!！Br im n UIB* im fp m解决方案：暂时不处理。漏洞20.检查是否配置最大认证失败次数类型：Oracle数据库类问题:：SQL select limit from dba_profiles t where resource_name =1FAILED_LOGIN_ATTEMPTS;iselect limit from dba profiles t where resource name = FAILED LOGIN ATTEMPTS !*I |

40、ERROR at line 1:i:QRA-01034: ORACLE not availableiiProcess ID: 0IEiSession ID: 0 Serial number: 0解决方案：|在数据库启动的情况卞，通过下面的命令检查FAILED 二 LOGiN_ATTEMPTS 值:1jbash-3.2$ sqlplus system/oraclei|SQL*Plus: Release .0 - Production on Thu Jan 9 11:33:56 2014IiCopyright (c) 1982, 2007, Oracle. All Rights R

41、eserved.IIIIIsIIjiConnected to:iOracle Database 10g Enterprise Edition Release .0 - ProductionIIWith the Partitioning, OLAP, Data Mining and Real Application Testing optionsIIJI!ii;SQL SELECT RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME=FAILEDj_OGIN_ATiiiTEMPTS AND PROFILE=DEFA

42、ULT;IijEi|RESOURCE_NAMEl_l MITiiIp；!FAILED_LOGIN_ATTEMPTS UNLIMITEDi|!II如果 LIMIT 的值为 6,则符合安全要求。否则，通过下面的SQL 语句修改参数值：iSQL ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 6;IiII:ii|8iiProfile altered.IIii 检查参数值是否修改成功：IiSQL SELECT RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE RESOURCE_NAME=FAILED_L3GIN

43、_ATI：TEMPTS AND PROFILE=DEFAULT：|jiiRESOURCENAMEl_lMIT:i!-j|FAILED_LOGIN_ATTEMPTS6修改成功后退出 SQL*PLUSI:iSQL exitIIIDisconnected from Oracle Database 10g Enterprise Edition Release .0 - ProductioIn!Ii:With the Partitioning, OLAP, Data Mining and Real Application Testing optionsI WW M M ： M M JM

44、M M AB ifali UM M _ M漏洞21.检查是否在配置用户所需的最小权限类型：Oracle数据库类问题：!SQL Select count(a.username) from - dba_userS a left Join dba_rOie_priVs b on a/usernamIie = b.grantee where granted_role = DBA and a.username not in (SYS,SYSMAN,SYSTEM ,WKSYS,CTXSYS);COUNT(A.USERNAME)IaI19I *VB ! n ！9-B VB k m VB srw nr k n

45、 irw n TI解决方案：暂时不处理。漏洞22.检查是否使用数据库角色(ROLE来管理对象的权限类型：Oracle数据库类问题：I U4*- H-B 4* 一0！|4亠*! iU BJK *!*4 ！* il.ll ! &. HABBBiSQL select count(a.username) from dba_users a left Join dba_role_privs b on a.usernam:e = b.grantee where granted_role = DBA and a.username not in (SYS,SYSMAN,SYSTEM；,WKSYS,CTX

46、SYS);I；COUNT(A.USERNAME)M-l- ad adA.-aad.&-ad. - a- ad adA- - adA- -ad-ad亠 4 adA-.-sad-a- .-sa- a- hs-.& - a- ddA-a-. b-sdfaa-.bBadA-a- a_解决方案：暂时不处理。漏洞23.检查是否更改数据库默认帐号的密码类型：Oracle数据库类问题：iSQLselectusername,passwordfromdba_userswherepasswordin(DF02A496267DEE66,2BE6iF80744E08FEB,9793B3777CD3BD1A,CE4A36B8E06CA59C,9C30855E7E0CB02D,6399F3B38EDF328I8)；IIUSERNAMEPASSWORDI-IDIPCE4A36B8E06CA59CIMDDATADF02A496267DEE66IiiSQL select username,password from dba_users where password in(66F4EF5650C20355,BFBAI i5A553FD9E28A,7C9BA362F8314299,71E687F036AD56E5