Oracle vulnerability scan security hardening (Word version)
Distributing quality Word documents; we hope it helps you. Double-click to remove!

Solutions for vulnerabilities found by operating-system and database compliance checks: Oracle database volume

Applicable software versions: Oracle 10g, 11g
Applicable hardware versions:
Subject: Solutions for vulnerabilities found by operating-system and database compliance checks, Oracle database volume

1. Problem description and cause: the Oracle database was flagged with vulnerabilities during a compliance check, and these findings must be resolved.

2. Countermeasures: perform targeted security hardening for each finding.

3. Execution conditions and notes:
Ø Before hardening, make sure the server, the database and the network management system (NMS) are all running normally. Ideally, restart the server, the database and the NMS first and confirm that the NMS still runs normally afterwards. If the server already has problems before hardening, abnormal behaviour after hardening will be much harder to diagnose.
Ø After this solution has been applied, the Oracle database must be restarted for some of the changes to take effect.
Ø This solution does not have to be applied in full; select the finding entries that match the vulnerabilities reported by the scan of your system.
Ø Unless stated otherwise, every command in this document is run as the oracle user.

4. Procedure:

Finding list (note: finding names correspond to the configuration item names in the configuration item information):
Finding 1. Check whether user attributes are controlled (5)
Finding 2. Check whether a security policy is configured for the Oracle software account (2)
Finding 3. Check whether data dictionary protection is enabled
Finding 4. Check whether VPD and OLS are set on database objects (6)
Finding 5. Check whether the DVSYS user and the DBMS_MACADM object exist (14)
Finding 6. Check whether the database has logging configured (11)
Finding 7. Check whether operation logs are recorded (13)
Finding 8. Check whether security event logs are recorded (7)
Finding 9. Check whether a database audit policy has been defined according to business requirements
Finding 10. Check whether a password is set for the listener
Finding 11. Check whether the addresses allowed to access the database are restricted (1)
Finding 12. Check whether encrypted transport is used (4)
Finding 13. Check whether a timeout is set (15)
Finding 14. Check whether the number of users in the dba group is limited (3)
Finding 15. Check whether unrelated accounts are deleted or locked
Finding 16. Check whether users with database super administrator (SYSDBA) privileges are restricted from remote login (10)
Finding 17. Check password strength settings (17)
Finding 18. Check the account password lifetime (12)
Finding 19. Check whether the number of remembered historical passwords is set (8)
Finding 20. Check whether a maximum number of failed authentication attempts is configured
Finding 21. Check whether users are configured with the minimum privileges they need (9)
Finding 22. Check whether database roles are used to manage object privileges (16)
Finding 23. Check whether the passwords of default database accounts have been changed

Back up the following files before performing the Oracle hardening:

bash-3.2$ cp $ORACLE_HOME/network/admin/listener.ora $ORACLE_HOME/network/admin/
bash-3.2$ cp $ORACLE_HOME/network/admin/sqlnet.ora $ORACLE_HOME/network/admin/

After all of the Oracle database solutions have been applied, the Oracle instance must be restarted for some of the changes to take effect.

Finding 1. Check whether user attributes are controlled
Type: Oracle database
Problem:
SQL> select count(t.username) from dba_users t where profile not in ('DEFAULT','MONITORING_PROFILE');
COUNT(T.USERNAME)
-----------------
0
Solution: no action for now.

Finding 2. Check whether a security policy is configured for the Oracle software account
Type: Oracle database
Problem: (omitted)
Solution: no action for now.

Finding 3. Check whether data dictionary protection is enabled
Type: Oracle database
Problem:
SQL> select value from v$parameter where name like '%o7_dictionary_accessibility%'
select value from v$parameter where name like '%o7_dictionary_accessibility%'
*
ERROR at line 1:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0
Solution: with the database running, check the value of the o7_dictionary_accessibility parameter with the following commands:
bash-3.2$ sqlplus system/oracle@<sid>
SQL*Plus: Release .0 - Production on Thu Jan 9 11:33:56 2014
Copyright (c) 1982, 2007, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release .0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> show parameter o7_dictionary_accessibility;
NAME                                 TYPE        VALUE
------------------------------------ ----------- -----
o7_dictionary_accessibility          boolean     FALSE
Once the check shows the default value FALSE, exit SQL*Plus with the following command:
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release .0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

Finding 4. Check whether VPD and OLS are set on database objects
Type: Oracle database
Problem:
SQL> select count(*) from v$vpd_policy;
COUNT(*)
--------
0
Solution: no action for now.

Finding 5. Check whether the DVSYS user and the DBMS_MACADM object exist
Type: Oracle database
Problem:
SQL> select count(*) from dba_users where username='DVSYS';
COUNT(*)
--------
0
Solution: no action for now.

Finding 6. Check whether the database has logging configured
Type: Oracle database
Problem:
SQL> select count(*) from dba_triggers t where trim(t.triggering_event) = trim('LOGON');
COUNT(*)
--------
0
Solution: no action for now.

Finding 7. Check whether operation logs are recorded
Type: Oracle database
Problem:
SQL> select value from v$parameter t where t.name = 'audit_trail'
select value from v$parameter t where t.name = 'audit_trail'
*
ERROR at line 1:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0
Solution: no action for now.

Finding 8. Check whether security event logs are recorded
Type: Oracle database
Problem:
SQL> select count(*) from dba_triggers t where trim(t.triggering_event) = trim('LOGON');
COUNT(*)
--------
0
Solution: no action for now.

Finding 9. Check whether a database audit policy has been defined according to business requirements
Type: Oracle database
Problem:
SQL> select value from v$parameter t where t.name = 'audit_trail'
select value from v$parameter t where t.name = 'audit_trail'
*
ERROR at line 1:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0
Solution: no action for now.

Finding 10. Check whether a password is set for the listener
Type: Oracle database
Problem:
$ cat `find $ORACLE_HOME -name sqlnet.ora` | grep -v "#" | grep -v "^$"
find: 0652-081 Cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/pref>: : The file access permissions do not allow the specified action.
$ cat `find $ORACLE_HOME -name listener.ora` | grep -v "#" | grep -v "^$"
find: 0652-081 Cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/pref>: : The file access permissions do not allow the specified action.
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /oracle/app/oracle/dbhome_1)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (GLOBAL_DBNAME = minos)
      (ORACLE_HOME = /oracle/app/oracle/dbhome_1)
      (SID_NAME = minos)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 41)(PORT = 1521))
    )
  )
ADR_BASE_LISTENER = /oracle/app/oracle
Solution:
bash-3.2$ lsnrctl
LSNRCTL for IBM/AIX RISC System/6000: Version .0 - Production on 08-JAN-2014 15:11:21
Copyright (c) 1991, 2011, Oracle. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> change_password
Old password: <leave this blank and press Enter if no password was set before>
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=2)(PORT=1521)
Password changed for LISTENER
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=2)(PORT=1521)
Saved LISTENER configuration parameters.
Listener Parameter File   /oracle/app/oracle//dbhome_1/network/admin/listener.ora
Old Parameter File   /oracle/app/oracle//dbhome_1/network/admin/listener.bak
The command completed successfully
LSNRCTL> exit
bash-3.2$
After the password has been set, verify it with the following command:
bash-3.2$ cat $ORACLE_HOME/network/admin/listener.ora | grep -i "passwords"
If the command produces output, the password has been set successfully.

Finding 11. Check whether the addresses allowed to access the database are restricted
Type: Oracle database
Problem: the same sqlnet.ora and listener.ora output as in Finding 10.
Solution: check whether the file $ORACLE_HOME/network/admin/sqlnet.ora contains the following lines:
tcp.validnode_checking = yes
tcp.invited_nodes = (<host_1>, <host_2>, )
where each <host_x> is an IP address that is allowed to access this database. If the lines are missing, add them to the file as required and then restart the database. After the restart, the database accepts connections only from the IP addresses listed in tcp.invited_nodes.
If the sqlnet.ora file does not exist, create it with the following command and then carry out the steps above:
bash-3.2$ touch $ORACLE_HOME/network/admin/sqlnet.ora

Finding 12. Check whether encrypted transport is used
Type: Oracle database
Problem: the same sqlnet.ora and listener.ora output as in Finding 10.
Solution: no action for now.

Finding 13. Check whether a timeout is set
Type: Oracle database
Problem: the same sqlnet.ora and listener.ora output as in Finding 10.
Solution: check with the following command whether the sqlnet.expire_time parameter is set to 10:
bash-3.2$ grep -i "sqlnet.expire_time" $ORACLE_HOME/network/admin/sqlnet.ora
If it is not set, add the following line to $ORACLE_HOME/network/admin/sqlnet.ora:
sqlnet.expire_time=10
and then restart the listener and the database.
If the sqlnet.ora file does not exist, create it with the following command and then carry out the steps above:
bash-3.2$ touch $ORACLE_HOME/network/admin/sqlnet.ora

Finding 14. Check whether the number of users in the dba group is limited
Type: Oracle database
Problem: (omitted)
Solution: manually remove all users other than oracle from the dba group, and remove the oracle user from the root and system groups. The command to list the groups a user belongs to is groups <username>. The command to change a user's groups is usermod -G <groupname1>,<groupname2> <username>.

Finding 15. Check whether unrelated accounts are deleted or locked
Type: Oracle database
Problem:
SQL> select t.username from dba_users t where t.account_status = 'OPEN'
select t.username from dba_users t where t.account_status = 'OPEN'
*
ERROR at line 1:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0
Solution: no action for now.

Finding 16. Check whether users with database super administrator (SYSDBA) privileges are restricted from remote login
Type: Oracle database
Problem:
SQL> select t.value from v$parameter t where upper(t.name) like '%REMOTE_LOGIN_PASSWORDFILE%'
VALUE
---------
EXCLUSIVE
Solution: with the database started, check the value of the remote_login_passwordfile parameter with the following commands:
bash-3.2$ sqlplus sys/oracle@<sid> as sysdba
SQL*Plus: Release .0 - Production on Thu Jan 9 11:33:56 2014
Copyright (c) 1982, 2007, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release .0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> show parameters remote_login_passwordfile;
NAME                                 TYPE        VALUE
------------------------------------ ----------- ---------
remote_login_passwordfile            string      EXCLUSIVE
If the value is NONE, the security requirement is already met by default. Otherwise, change the value to NONE with the following SQL statement:
SQL> alter system set remote_login_passwordfile=none scope=spfile;
System altered.
After the change, restart the database:
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
bash-3.2$ export ORACLE_SID=<sid>
bash-3.2$ sqlplus /nolog
SQL*Plus: Release .0 - Production on Tue May 20 11:01:55 2014
Copyright (c) 1982, 2010, Oracle. All rights reserved.
SQL> conn / as sysdba
Connected to an idle instance.
SQL> startup
ORACLE instance started.
Total System Global Area 8589934592 bytes
Fixed Size                  2065744 bytes
Variable Size            3238009520 bytes
Database Buffers         5301600256 bytes
Redo Buffers               48259072 bytes
Database mounted.
Database opened.
SQL>
Check that the parameter value was changed successfully:
SQL> show parameters remote_login_passwordfile;
NAME                                 TYPE        VALUE
------------------------------------ ----------- ---------
remote_login_passwordfile            string      NONE
Once the change is confirmed, exit SQL*Plus:
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release .0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

Finding 17. Check password strength settings
Type: Oracle database
Problem:
SQL> select count(*) from dba_profiles where resource_name = 'PASSWORD_VERIFY_FUNCTION' and limit = 'NULL';
COUNT(*)
--------
1
Solution: no action for now.

Finding 18. Check the account password lifetime
Type: Oracle database
Problem:
SQL> select limit from dba_profiles t where resource_name = 'PASSWORD_LIFE_TIME';
LIMIT
---------
UNLIMITED
DEFAULT
DEFAULT
Solution: no action for now.

Finding 19. Check whether the number of remembered historical passwords is set
Type: Oracle database
Problem:
SQL> select limit from dba_profiles t where resource_name = 'PASSWORD_REUSE_MAX';
LIMIT
---------
UNLIMITED
DEFAULT
DEFAULT
Solution: no action for now.

Finding 20. Check whether a maximum number of failed authentication attempts is configured
Type: Oracle database
Problem:
SQL> select limit from dba_profiles t where resource_name = 'FAILED_LOGIN_ATTEMPTS'
select limit from dba_profiles t where resource_name = 'FAILED_LOGIN_ATTEMPTS'
*
ERROR at line 1:
ORA-01034: ORACLE not available
Process ID: 0
Session ID: 0 Serial number: 0
Solution: with the database running, check the value of failed_login_attempts with the following commands:
bash-3.2$ sqlplus system/oracle@<sid>
SQL*Plus: Release .0 - Production on Thu Jan 9 11:33:56 2014
Copyright (c) 1982, 2007, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release .0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select resource_name, limit from dba_profiles where resource_name='FAILED_LOGIN_ATTEMPTS' and profile='DEFAULT';
RESOURCE_NAME                    LIMIT
-------------------------------- ---------
FAILED_LOGIN_ATTEMPTS            UNLIMITED
If the value of LIMIT is 6, the security requirement is met. Otherwise, change the value with the following SQL statement:
SQL> alter profile default limit failed_login_attempts 6;
Profile altered.
Check that the value was changed successfully:
SQL> select resource_name, limit from dba_profiles where resource_name='FAILED_LOGIN_ATTEMPTS' and profile='DEFAULT';
RESOURCE_NAME                    LIMIT
-------------------------------- ---------
FAILED_LOGIN_ATTEMPTS            6
Once the change is confirmed, exit SQL*Plus:
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release .0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

Finding 21. Check whether users are configured with the minimum privileges they need
Type: Oracle database
Problem:
SQL> select count(a.username) from dba_users a left join dba_role_privs b on a.username = b.grantee where granted_role = 'DBA' and a.username not in ('SYS','SYSMAN','SYSTEM','WKSYS','CTXSYS');
COUNT(A.USERNAME)
-----------------
19
Solution: no action for now.

Finding 22. Check whether database roles are used to manage object privileges
Type: Oracle database
Problem:
SQL> select count(a.username) from dba_users a left join dba_role_privs b on a.username = b.grantee where granted_role = 'DBA' and a.username not in ('SYS','SYSMAN','SYSTEM','WKSYS','CTXSYS');
COUNT(A.USERNAME)
-----------------
19
Solution: no action for now.

Finding 23. Check whether the passwords of default database accounts have been changed
Type: Oracle database
Problem:
SQL> select username,password from dba_users where password in('DF02A496267DEE66','2BE6F80744E08FEB','9793B3777CD3BD1A','CE4A36B8E06CA59C','9C30855E7E0CB02D','6399F3B38EDF3288');
USERNAME                       PASSWORD
------------------------------ ----------------
DIP                            CE4A36B8E06CA59C
MDDATA                         DF02A496267DEE66
SQL> select username,password from dba_users where password in('66F4EF5650C20355','BFBA5A553FD9E28A','7C9BA362F8314299','71E687F036AD56E5','anonymous','88D8364765FCE6AF');
USERNAME                       PASSWORD
------------------------------ ----------------
EXFSYS                         66F4EF5650C20355
ANONYMOUS                      anonymous
WMSYS                          7C9BA362F8314299
CTXSYS                         71E687F036AD56E5
DMSYS                          BFBA5A553FD9E28A
XDB                            88D8364765FCE6AF
6 rows selected.
SQL> select username,password from dba_users where pa
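The sqlnet.ora and listener.ora checks from Findings 10, 11 and 13 can be verified mechanically before and after hardening. The script below is an added example, not part of the original guide: it reads the three Net parameters and the PASSWORDS_ entry from constructed sample files (the paths, the 192.0.2.x addresses and the placeholder hash are assumptions, not the guide's real $ORACLE_HOME files).

```shell
#!/bin/sh
# Added example, not from the original guide: audit the sqlnet.ora and listener.ora
# controls from Findings 10, 11 and 13 against constructed sample files.
# Paths and the node list are placeholders, not the guide's $ORACLE_HOME files.

# Print one Net parameter value (comment lines skipped, name case-insensitive);
# prints nothing when the parameter is absent.
net_param() {  # $1 = file, $2 = parameter name
    grep -v '^[[:space:]]*#' "$1" | grep -i "^[[:space:]]*$2[[:space:]]*=" \
        | head -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Returns 0 when sqlnet.ora sets expire_time=10 (Finding 13) and valid-node
# checking with a non-empty invited list (Finding 11); reports what is missing.
check_sqlnet() {  # $1 = sqlnet.ora path
    rc=0
    [ "$(net_param "$1" sqlnet.expire_time)" = "10" ] \
        || { echo "  sqlnet.expire_time is not 10"; rc=1; }
    vnc=$(net_param "$1" tcp.validnode_checking | tr 'A-Z' 'a-z')
    [ "$vnc" = "yes" ] || { echo "  tcp.validnode_checking is not yes"; rc=1; }
    [ -n "$(net_param "$1" tcp.invited_nodes)" ] \
        || { echo "  tcp.invited_nodes is not set"; rc=1; }
    return $rc
}

# Returns 0 when listener.ora carries the PASSWORDS_<listener> entry that
# lsnrctl change_password followed by save_config writes (Finding 10).
check_listener_password() {  # $1 = listener.ora path
    grep -v '^[[:space:]]*#' "$1" | grep -iq '^[[:space:]]*passwords_'
}

# Constructed sample files: a weak and a hardened version of each.
SAMPLE_DIR=$(mktemp -d)
WEAK_SQLNET="$SAMPLE_DIR/sqlnet.weak.ora"; GOOD_SQLNET="$SAMPLE_DIR/sqlnet.good.ora"
WEAK_LISTENER="$SAMPLE_DIR/listener.weak.ora"; GOOD_LISTENER="$SAMPLE_DIR/listener.good.ora"
printf '# constructed: timeout off, no node checking\nSQLNET.EXPIRE_TIME = 0\n' > "$WEAK_SQLNET"
printf 'SQLNET.EXPIRE_TIME = 10\nTCP.VALIDNODE_CHECKING = yes\n' > "$GOOD_SQLNET"
printf 'TCP.INVITED_NODES = (192.0.2.10, 192.0.2.11)\n' >> "$GOOD_SQLNET"
printf 'LISTENER =\n  (DESCRIPTION_LIST =\n    (DESCRIPTION =\n' > "$WEAK_LISTENER"
printf '      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.0.2.5)(PORT = 1521))))\n' >> "$WEAK_LISTENER"
{ cat "$WEAK_LISTENER"; echo 'PASSWORDS_LISTENER = (PLACEHOLDER_HASH)'; } > "$GOOD_LISTENER"

for f in "$WEAK_SQLNET" "$GOOD_SQLNET"; do
    echo "$f:"; check_sqlnet "$f" && echo "  compliant"
done
for f in "$WEAK_LISTENER" "$GOOD_LISTENER"; do
    check_listener_password "$f" && echo "$f: listener password set" \
        || echo "$f: NO listener password"
done
```

Point the two check functions at the real $ORACLE_HOME/network/admin files to verify a server after applying Findings 10, 11 and 13.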
