数据库基本加固方案

1、本文所有信息为中兴通讯股份有限公司内部信息，未经允许，不得外传第本文所有信息为中兴通讯股份有限公司内部信息，未经允许，不得外传第 页，共17页技术文件技术文件名称：Oracle数据库基本加固方案技术文件编号：版本：V1.2.1文件质量等级：共17页（包括封面）拟制审核会签标准化批准中兴通讯股份有限公司修改记录文件编号版本号拟制人/修改人拟制/修改日期更改理由主要更改内容（写要点即可）1.0王华刚2009/04/15无无1.1王华刚2009/06/01补充内容补充修改密码有效期90天之前要改密码问题1.2王华刚2009/06/15配置编号配置加固项编号1.2.1王华刚2009/07/02更新配置

2、编号更新配置编号注1:每次更改归档文件（指归档到事业部或公司档案室的文件）时，需填写此表。注2：文件第一次归档时，“更改理由”、“主要更改内容”栏写“无”。Oracle系统基本加固方案目录TOC o 1-5 h z（包括封面）1修改记录2 HYPERLINK l bookmark2 1概述4内部适用性说明4外部引用说明4术语和定义4符号和缩略语4 HYPERLINK l bookmark4 2Oracle安全配置操作指导5ZTE-Oracle-E01Oracle组件安装5ZTE-Oracle-EM01-01Oracle最小组件安装5ZTE-Oracle-E02帐号安全加固操作5ZTE-Orac

3、le-EH02-01删除锁定无用帐号5ZTE-Oracle-EM02-02操作系统dba组只有oracle（或还有oinstall）用户6 HYPERLINK l bookmark15 ZTE-Oracle-EH02-03修改默认密码并使用强密码7 HYPERLINK l bookmark17 ZTE-Oracle-EL02-04设置口令生存期为90天（可选）7 HYPERLINK l bookmark19 ZTE-Oracle-EL02-05禁止重复密码7ZTE-Oracle-EL02-06配置当用户连续认证失败次数超过6次（不含6次），锁定该用户使用的账号（可选）8ZTE-Oracle-E

4、L02-07设置只有sysdba权限的用户才可以访问数据字典8ZTE-Oracle-E03审计要求（可选）8ZTE-Oracle-EL03-01审计方案8 HYPERLINK l bookmark40 ZTE-Oracle-E04数据库连接安全9ZTE-Oracle-EL04-01设定listener密码（可选，确定对双机切换的影响）9 HYPERLINK l bookmark31 ZTE-Oracle-EM04-02配置访问listener的白名单9 HYPERLINK l bookmark33 ZTE-Oracle-EL04-03配置连接超时断开（可选）9 HYPERLINK l book

5、mark35 ZTE-Oracle-EL04-04加密数据库网络连接（可选）10ZTE-Oracle-E05日志配置10ZTE-Oracle-EL05-01打开登录日志10ZTE-Oracle-E06数据库安全组件配置11 HYPERLINK l bookmark42 ZTE-Oracle-EL06-01使用DataVault选件（可选，待补充）11ZTE-Oracle-EL05-02使用虚拟私有数据库和标签安全选件（可选，待补充）112.7ZTE-Oracle-E07安装验证过的数据库补丁11ZTE-Oracle-EH07-01安装经过验证的最新数据库补丁11 HYPERLINK l boo

6、kmark47 3附录11 HYPERLINK l bookmark49 Oracle用户帐号速查11Oracle系统基本加固方案1概述内部适用性说明本方案是在业务研究院网络安全规范中各项要求的基础上，提出Oracle数据库安全配置指南，针对通用规范中所列的配置要求，给出了在0蹊化数据库上的具体配置方法。外部引用说明中国移动设备通用安全功能和配置规范中国移动数据库设备安全功能规范中国移动Oracle数据库安全配置规范术语和定义符号和缩略语缩写英文描述中文描述DBADatabaseAdministrator数据库管理员VPDVirtualPrivateDatabase虚拟专用数据库OLSOrac

7、leLabelSecurityOracle标签安全本文件中的字体标识如下：蓝色斜体在具体执行时需要替换的内容检查/加固项编码意义如下：公司名称-操作系统-条目性质风险级别数字编号-小项数字编号条目性质中：S意为检查；E意为加固风险级别中：H意为高风险；M意为中等风险；L意为低风险，风险级别仅存于具体条目中2Oracle安全配置操作指导ZTE-Oracle-E01Oracle组件安装ZTE-Oracle-EM01-01Oracle最小组件安装项目给出使用到的组件列表：Oracle版本Oracle组件WAP网关彩信短信Oracle9iOracle10gZTE-Oracle-E02帐号安全加固操作Z

8、TE-Oracle-EH02-01删除锁定无用帐号锁定：SQLalteruserusernameaccountlock;删除：SQLdropuserusernamecascade;删除用户WAP网关彩信短信SCOTTANONYMOUSCTXSYSDBSNMP可以锁定/删除DIPDMSYSEXFSYSHRLBACSYSMDDATAMDSYSMGMT_VIEWODMQSWKPROXYWKSYSODM_MTROLAPSYSORDPLUGINSOEORDSYSOUTLN可以锁定/删除SHSI_INFORMTN_SCHEMAWMSYS可以锁定/删除XDBTSMSYSWK_TESTSYSMANRMANQS

9、_WSQS_OSQS_ESQS_CSQS_CBADMQS_CBPMQS_ADMZTE-Orade-EM02-02操作系统dba组只有oracle（或还有oinstall）用户具体操作请参考相关操作系统加固方案ZTE-Orade-EH02-03修改默认密码并使用强密码建立密码验证函数，内容如下verify.pawtLrgql执行脚本不会对原有密码造成影响，因此还需要再修改密码：SQLAlterusersysidentifiedbypasswordSQLAlterusersystemidentifiedbypasswordSQLAlteruser业务用户identifiedbypassword需要

10、修改密码的业务用户列表：业务需要修改口令的用户WAP网关sys、system、其他业务补充，必须修改帐号密码才能进行下一步设定密码生存期的操作彩信sys、system、其他业务补充，必须修改帐号密码才能进行下一步设定密码生存期的操作短信sys、system、其他业务补充，必须修改帐号密码才能进行下一步设定密码生存期的操作修改用户密码后，需要进行的其他操作：业务修改用户密码后的操作说明WAP网关彩信短信如果有双机环境，修改sys/system密码，注意双机切换脚本的有效性。ZTE-Oracle-EL02-04设置口令生存期为90天（可选）SQLalterproLIMITPASSWORD_LIFE

11、_TIME90说明：在修改profile之前，必须进行2.2.3中的修改密码操作，如果不修改，可能在限定密码生存期之后登录失败ZTE-Oracle-EL02-05禁止重复密码SQLalterproLIMITPASSWORD_REUSE_MAX5ZTE-Oracle-EL02-06配置当用户连续认证失败次数超过6次（不含6次），锁定该用户使用的账号（可选）SQLalterproLIMITFAILED_LOGIN_ATTEMPTS6ZTE-Orade-EL02-07设置只有sysdba权限的用户才可以访问数据字典使用pfile的情况：修改pfile文件参数O7_DICTIONARY_ACCESSI

12、BILITY=false配置后重新启动数据库生效使用spfile的情况：SQLAltersystemsetO7_DICTIONARY_ACCESSIBILITY=FALSEscope=spfile配置后重新启动数据库生效说明，pfile文件默认位置如下：Unix：$ORACLE_HOME/dbs/initSID.oraWindows：%ORACLE_HOME%DATABASEinitSID.oraSID为Oracle数据库标识符ZTE-Oracle-E03ZTE-Oracle-EL03-01审计方案aoracle审计功能的使用与注意事项.doc业务需要审计的表需要审计的操作WAP网关ZTE-O

13、racle-E04ZTE-Oracle-EL04-01设定listener密码(可选，确定对双机切换的影响)$lsnrctlLSNRCTLchange_passwordOldpassword:NotdisplayedNewpassword:NotdisplayedReenternewpassword:NotdisplayedConnectingto(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOSTo=raclehost)(PORT=1521)(IP=IPADDR)PasswordchangedforLISTENERThecommandcompletedsucce

14、ssfully注意配置listener对双机切换的影响。ZTE-Oracle-EM04-02配置访问listener的白名单$vi$ORACLE_HOME/network/admin/sqlnet.ora设置或修改参数：tcp.validnode_checking=yestcp.invited_nodes=(ip1,ip2)注意在tcp.invited_nodes参数中，一定要有本机的ip地址或者localhostZTE-Oracle-EL04-03配置连接超时断开(可选)$vi$ORACLE_HOME/network/admin/sqlnet.ora设置或修改参数：SQLNET.EXPIRE

15、_TIME=10ZTE-Orade-EL04-04加密数据库网络连接（可选）Windows环境下，选择开始菜单中的OracleNetManager,Unix环境中，在Oracle用户下，执行：$netmgr.在OracleNetManager中选择“OracleAdvancedSecurity”。.然后选择Encryption。.选择Client或Server选项。.选择加密类型。.输入加密种子（可选）。.选择加密算法（可选）。.保存网络配置，sqlnet.ora被更新。注意，Oracle服务器选择Server，Oracle客户端选择Client，服务器客户端都需要配置。2.5ZTE-Orac

16、le-E052.5.1ZTE-Oracle-EL05-01打开登录日志ZTE-Oracle-E06数据库安全组件配置ZTE-Oracle-EL06-01使用DataVault选件（可选，待补充）ZTE-Oracle-EL05-02使用虚拟私有数据库和标签安全选件（可选，待补充）ZTE-Oracle-E07安装验证过的数据库补丁ZTE-Oracle-EH07-01安装经过验证的最新数据库补丁Oracle数据库版本WAP网关彩信短信Oracle9iOracleOracleOracleOracle10g3附录3.1.1Oracle用户帐号速查用户名默认密码描述syschange_on_install

17、AllofthebasetablesandviewsforthedatabasesdatadictionaryarestoredintheschemaSYS.ThesebasetablesandviewsarecriticalfortheoperationofOracle.Tomaintaintheintegrityofthedatadictionary,tablesintheSYSschemaaremanipulatedonlybyOracle;theyshouldneverbemodifiedbyanyuserordatabaseadministrator,andnooneshouldcr

18、eateanytablesintheschemaoftheuserSYS.TheDBAshouldchangethepasswordforSYSimmediatelyafterdatabasecreation!systemManagerTheSYSTEMusernamecreatesadditionaltablesandviewsthatdisplayadministrativeinformation,andinternaltablesandviewsusedbyOracletools.NevercreateintheSYSTEMschematablesofinteresttoindividu

19、alusers.SYSTEMisalittlebitweakeruserthanSYS,forexample,ithasnoaccesstosocalledX$tables(theveryinternalstructuretablesofOracle).Althoughinreallifeyoumaybeinasituationwhensomeproductorwhateveryouwanttocreateobjectsinabovementionedusersschemas.Beflexible,dontsacrifaceaproductonlybecauseitwillcreatesome

20、objectsinSYSorSYSTEMschemaTheDBAshouldchangethepasswordforSYSTEMimmediatelyafterdatabasecreation!sysmanThedefaultsuperuseraccountusedtosetupandadministerenterprisemanager.Thepasswordissetwhenthedatabaseisinstalled.dbsnmpdbsnmpSupportsOracleSNMP(SimpleNetworkManagementProtocol).TheOracleIntelligentAg

21、entrequiresadatabaselogonforeachSIDthatitmanages.BydefaultthisaccountiscalledDBSNMPandthepasswordisDBSNMP.Theaccountnameand/orpasswordSHOULDbechangedfromthedefaultbutyouwillneedtomakeafewadditionalmodifications.Intheexamplesbelow,youwillneedtoreplaceanyinformationwithbracketswiththeinformationfromyo

22、ursystem.RemoveallJobsandEventscurrentlyregisteredagainstthisdatabase.StoptheIntelligentAgentOracle7-Oracle8i%lsnrctldbsnmp_stopOracle9i%agentctlstopEditthe$ORACLE_HOME/network/admin/snmp_rw.orafile.Addthefollowingparameter:SNMP.CONNECT.NAME=SNMP.CONNECT.PASSWORD=Thevariableistheexactlistingofthedat

23、abasenameasitappearsinthesnmp_ro.orafile.Ifisthedefault(DBSNMP),thereisnoneedtospecifytheuserhere.Onlythepasswordisrequired.OnUNIX,setthefollowingpermissionontheSNMP_RW.ORAfile:%chmod600snmp_rw.oraChangetheDBSNMPpasswordonthedatabase.YoucanuseeitherSecurityManager,Sqlplus,orServerManager.IfyouuseSQL

24、PlusorServerManager,youcanissuethefollowingcommand:SQLalteruserdbsnmpidentifiedby;5.StopandrestarttheIntelligentAgent.outlnoutlnOracle8iaddstheOUTLNuserschematosupportPlanStability.TheOUTLNuseractsasaplacetocentrallymanagemetadataassociatedwithstoredoutlines.ThisuserhasDBArole.Itisusedforplanstabili

25、tyie.tokeepthesameexecutionplansforthesamequeriesevenifyoursystemconfigurationorstatisticschanges.ExecutionplanswillbethesameindifferentOraclereleaseswithdifferentoptimizers.TheDBAshouldeitherlocktheuseraccountorchangethepasswordfortheOUTLNuserimmediatelyafterdatabasecreation!mdsysmdsysSupportsOracl

26、eSpatial.OracleSpatialisanintegratedsetoffunctionsandproceduresthatenablesspatialdatatobestored,accessed,andanalyzedquicklyandefficientlyinanOracle8idatabase.Thespatialattributeofaspatialfeatureisthegeometricrepresentationofitsshapeinsomecoordinatespace.Thisisreferredtoasitsgeometry.TheDBAshouldeith

27、erlocktheuseraccountorchangethepasswordfortheMDSYSuserimmediatelyafterdatabasecreation!ordsysordsysSupportsOracle8iTimeSeries.Oracle8iTimeSeries(inpreviousreleasescalledtheOracle8TimeSeriesCartridge)isanextensiontoOracle8ithatprovidesstorageandretrievaloftimestampeddatathroughobjecttypes.Oracle8iTim

28、eSeriesisabuildingblockforapplicationsratherthanbeinganend-userapplicationinitself.Itconsistsofdatatypesalongwithrelatedfunctionsformanagingandprocessingtimeseriesdata.TheDBAshouldeitherlocktheuseraccountorchangethepasswordfortheORDSYSuserimmediatelyafterdatabasecreation!ordpluginsordpluginsSupports

29、OracleinterMedia.OracleinterMediaisasingleproductthatenablesOracle8itostore,manage,andretrievetext,documents,geographiclocationinformation,images,audio,andvideoinanintegratedfashionwithotherenterpriseinformation.OracleinterMediaextendsOracle8ireliability,availability,anddatamanagementtotextandmultim

30、ediacontentinInternet,electroniccommerce,andmedia-richapplicationsaswellasonlineInternet-basedgeocodingservicesforlocatorapplications.TheDBAshouldeitherlocktheuseraccountorchangethepasswordfortheORDPLUGINSuserimmediatelyafterdatabasecreation!ctxsysctxsysSupportsOracleConTextCartridge.Oracle8ConTextC

31、artridgeprovidespowerfulsearch,retrieval,andviewingcapabilitiesfortextstoredinanOracle8database.Inaddition,ConTextprovidesadvancedlinguisticprocessingofEnglish-languagetext.TheDBAshouldeitherlocktheuseraccountorchangethepasswordfortheCTXSYSuserimmediatelyafterdatabasecreation!dssysdssysDynamicServic

32、esSecuredWebService.DynamicServicesEngine(DSEngine)allowscreation,aggregationanddeploymentofservicesfromavarietyofcontentsources.Atthemoment,DynamicServicessupportscontentaccessfromdatabases(SQL/PLSQL)aswellasInternetapplications(HTTP/HTTPS).DSEnginecaninterpretXMLandHTMLcontentalongwiththeresultset

33、sreturnedfromdatabaseaccess.DSEngineisintegratedwithOraclePortalviaaWebProvidermechanism.ThisintegrationallowsalltheservicesregisteredwithDSEnginetobeaccessibleasportlets.TheDBAshouldeitherlocktheuseraccountorchangethepasswordfortheDSSYSuserimmediatelyafterdatabasecreation!perfstatperfstatOracleStat

34、isticsPackage(STATSPACK)userthatsupersedesUTLBSTAT/UTLESTAT.ThePERFSTATuserwillholdallofthetablesandpackagesfortheperformancediagnostictoolSTATSPACK.CreatedBy:$ORACLE_HOME/rdbms/admin/spcusr.sqlWKPROXYchange_on_installUsedtosupportOraclesUltrasearchoption.Thisfeature(anduser)wasintroducedinOracle9i.

35、TheuseraccountISNOTlockedbydefaultisonlyassignedtheCREATESESSIONprivilege.Nonetheless,thisaccountisnotlockedbydefaultandOraclehighlyrecommendsthatthisdefaultpasswordbechanged.CreatedBy:$ORACLE_HOME/ultrasearch/admin/wk0csys.sqlWKSYSchange_on_installUsedtosupportOraclesUltrasearchoption.Thisfeature(a

36、nduser)wasintroducedinOracle9i.TheuseraccountISNOTlockedbydefaultandasyoucanseebelow,isgrantedthehighlyprivilegedroleofDBA.GiventhatthisuserisgrantedtheDBAroleandisnotlockedbydefault,Oraclehighlyrecommendsthatthisdefaultpasswordbechanged.ThissupportaccountisassignedthefollowingprivilegesinOracle9i:C

37、ONNECTRESOURCEDBAALLPRIVILEGESCTXAPPCREATEPUBLICSYNONYMDROPPUBLICSYNONYMCREATEANYVIEWDROPANYVIEWCREATEANYTABLEDROPANYTABLECREATEANYINDEXDROPANYINDEXCREATEANYSEQUENCEDROPANYSEQUENCECREATEANYTRIGGERDROPANYTRIGGERJAVAUSERPRIVJAVASYSPRIVSELECTONSYS.USER$SELECTONSYS.V_$PARAMETERSELECTONSYS.GV_$INSTANCESE

38、LECTONSYS.V_$DATABASESELECTONSYS.DBA_CONSTRAINTSSELECTONSYS.DBA_JOBSSELECTONSYS.DBA_DB_LINKSSELECTONSYS.DBA_ROLE_PRIVSSELECTONSYS.DBA_LOCKSELECTONSYS.DBMS_LOCK_ALLOCATEDSELECTONSYS.PROCEDURE$SELECTONSYS.DBA_TABLESSELECTONSYS.DBA_VIEWSSELECTONSYS.DBA_TAB_COLUMNSEXECUTEONSYS.DBMS_LOCKEXECUTEONSYS.DBMS

39、_PIPEEXECUTEONSYS.DBMS_REGISTRYThedefaulttablespaceforthisuserwillbeDRSYSwhileitstemporarytablespacewillbeTEMP.CreatedBy:$ORACLE_HOME/ultrasearch/admin/wk0install.sqlwk_proxywk_proxyUsedforultrasearch.wmsyswmsysUsedtostoreallthemetadatainformationforOracleWorkspaceManager.ThisuserwasintroducedinOrac

40、le9iand(likemostOracle9isupportingaccounts)islockedbydefault.TheuseraccountislockedbecausewewantthepasswordtobepublicbutrestrictaccesstotheaccounttotheSYSschema.So,tounlocktheaccount,DBAprivilegesarerequired.CreatedBy:$ORACLE_HOME/rdbms/admin/owmctab.plbmtssysUsedforMicrosofttransactionserversupport

41、.XDBchange_on_installUsedtosupportSQLXMLmanagement:XMLDB.Thisuserisgrantedtworoles:RESOURCEandJAVAUSERPRIV.Oraclerecommendschangingthepasswordforthisuseraftercreation.ThisuserisconfiguredwithadefaulttablespaceofXDBandatemporarytablespaceofTEMP.CreatedBy:$ORACLE_HOME/rdbms/admin/catqm.sqlANONYMOUSIDE

42、NTIFIEDBYVALUESanonymousUsedtosupportSQLXMLmanagement:XMLDB.AllowsHTTPaccesstoOracleXMLDB.ThisusershouldonlybeusedforHTTPlogins.Theaccountislockedneartheendofthecatqm.sqlscript.odmodmUsedtosupportOracleDataMining.InOracle9i,thisuserisgrantedtheroles:SELECT_CATALOG_ROLE,HS_ADMIN_ROLE,AQ_USER_ROLE”.Or

43、aclerecommendschangingthedefaultpasswordastheaccountISNOTlockedaftercreation.ThedefaulttablespaceforthisuserisODMwithtemporarytablespaceTEMP.TheODMtablespaceispopulatedwithsegmentsfromusersODMandODM_MTR.CreatedBy:$ORACLE_HOME/dm/admin/dmcrt.sqlODM_MTRmtrpwUsedtosupportOracleDataMining.InOracle9i,thi

44、suserisgrantedSELECT_CATALOG_ROLEandHS_ADMIN_ROLEOraclerecommendschangingthedefaultpasswordastheaccountISNOTlockedaftercreation.ThedefaulttablespaceforthisuserisODMwithtemporarytablespaceTEMP.TheODMtablespaceispopulatedwithsegmentsfromusersODMandODM_MTR.CreatedBy:$ORACLE_HOME/dm/admin/dmcrt.sqlOLAPS

45、YSmtrpwThisuseriscreateifOLAPoptionisinstalledandisusedtocreateOLAPmetadatastructures.InOracle9i,thisuserisgrantedSELECT_CATALOG_ROLEandHS_ADMIN_ROLE.Oraclerecommendschangingthedefaultpassword.ThedefaulttablespaceforthisuserisODMwithtemporarytablespaceTEMP.TheODMtablespaceispopulatedwithsegmentsfrom

46、usersODMandODM_MTR.CreatedBy:$ORACLE_HOME/dm/admin/dmcrt.sqlTRACESVRtraceOracleTraceserver.SupportsOracleTraceforOEMinOracle7.OracleTraceisusedtocollectawidevarietyofdata,suchasperformancestatistics,diagnosticdata,systemresourceusage,andbusinesstransactiondetails.REPADMINManagedbyDBAwhenuseriscreated.Replicationuser.ThisuserismanuallycreatedbytheDBA