Strategies for Improving Oracle User Password Security

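Environment: Oracle 11.2.0.4

Customer requirement: the database holds many business user accounts, and some users lack security awareness to the point of setting their password to the same value as their user name. The customer wants passwords that are not too simple; at the very least, a password must not be identical or similar to the user name.

1. Official solution

Oracle ships a very handy security verification function for raising the complexity of user passwords. An earlier article, "Oracle 11g Security Hardening", already gives the exact solution in its section "1.8. Database password security verification function". The core content is as follows: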

select limit from dba_profiles where profile='DEFAULT' and resource_name='PASSWORD_VERIFY_FUNCTION';
prompt =============================
prompt == 8. Database password security verification function
prompt =============================
prompt Run the script that creates the security verification function
@?/rdbms/admin/utlpwdmg.sql
select limit from dba_profiles where profile='DEFAULT' and resource_name='PASSWORD_VERIFY_FUNCTION';

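2. Trimmed-down solution

The built-in verification function above is too strict in what it checks, while the customer currently has only one requirement: the password must not be identical or too similar to the user name. So I located that check in the script and removed all the other parts that are not needed for now. The result is the trimmed-down script below: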

Rem
Rem $Header: rdbms/admin/utlpwdmg1.sql /st_rdbms_11.2.0/1 2013/01/31 01:34:11 skayoor Exp $
Rem
Rem utlpwdmg.sql
Rem
Rem Copyright (c) 2006, 2013, Oracle and/or its affiliates. 
Rem All rights reserved. 
Rem
Rem NAME
Rem  utlpwdmg.sql - script for Default Password Resource Limits
Rem
Rem DESCRIPTION
Rem  This is a script for enabling the password management features
Rem  by setting the default password resource limits.
Rem
Rem NOTES
Rem  This file contains a function for minimum checking of password
Rem  complexity. This is more of a sample function that the customer
Rem  can use to develop the function for actual complexity checks that the 
Rem  customer wants to make on the new password.
Rem
Rem MODIFIED (MM/DD/YY)
Rem skayoor  01/17/13 - Backport skayoor_bug-14671375 from main
Rem asurpur  05/30/06 - fix - 5246666 beef up password complexity check 
Rem nireland 08/31/00 - Improve check for username=password. #1390553
Rem nireland 06/28/00 - Fix null old password test. #1341892
Rem asurpur  04/17/97 - Fix for bug479763
Rem asurpur  12/12/96 - Changing the name of password_verify_function
Rem asurpur  05/30/96 - New script for default password management
Rem asurpur  05/30/96 - Created
Rem
-- This script sets the default password resource parameters
-- This script needs to be run to enable the password features.
-- However the default resource parameters can be changed based 
-- on the need.
-- A default password complexity function is also provided.
-- This function makes the minimum complexity checks like
-- the minimum length of the password, password not same as the
-- username, etc. The user may enhance this function according to
-- the need.
-- This function must be created in SYS schema.
-- connect sys/<password> as sysdba before running the script
CREATE OR REPLACE FUNCTION verify_function_11G_WJZYY
(username varchar2,
 password varchar2,
 old_password varchar2)
 RETURN boolean IS 
 n boolean;
 m integer;
 differ integer;
 isdigit boolean;
 ischar boolean;
 ispunct boolean;
 db_name varchar2(40);
 digitarray varchar2(20);
 punctarray varchar2(25);
 chararray varchar2(52);
 i_char varchar2(10);
 simple_password varchar2(10);
 reverse_user varchar2(32);
BEGIN 
 digitarray:= '0123456789';
 chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
 -- Check if the password is same as the username or username(1-100)
 IF NLS_LOWER(password) = NLS_LOWER(username) THEN
  raise_application_error(-20002, 'Password same as or similar to user');
 END IF;
 FOR i IN 1..100 LOOP
  i_char := to_char(i);
  if NLS_LOWER(username)|| i_char = NLS_LOWER(password) THEN
  raise_application_error(-20005, 'Password same as or similar to user name ');
  END IF;
 END LOOP;
 -- Everything is fine; return TRUE ; 
 RETURN(TRUE);
END;
/
GRANT EXECUTE ON verify_function_11G_WJZYY TO PUBLIC;
-- This script alters the default parameters for Password Management
-- This means that all the users on the system have Password Management
-- enabled and set to the following values unless another profile is 
-- created with parameter values set to different value or UNLIMITED 
-- is created and assigned to the user.
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_VERIFY_FUNCTION verify_function_11G_WJZYY;

Following Oracle's existing naming convention, we name this script utlpwdmg1.sql and place it in the same path.

Running this script then creates the verification function.

3. Test and verification

Test the trimmed-down script above and verify that it does what is required:

-- Run the script to create the verification function
@?/rdbms/admin/utlpwdmg1.sql
-- Confirm that it ran successfully
select limit from dba_profiles where profile='DEFAULT' and resource_name='PASSWORD_VERIFY_FUNCTION';
-- Change PASSWORD_LIFE_TIME to 30 (optional)
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME 30;
-- Query the contents of dba_profiles
select * from dba_profiles order by 1;
-- Query user status and expiry date
select USERNAME, PASSWORD, ACCOUNT_STATUS, LOCK_DATE, EXPIRY_DATE from dba_users;

Test that a user's password cannot be the same as or similar to the user name; otherwise the change fails:

-- Password identical to the user name: the change fails
SYS@jyzhao1 >alter user jingyu identified by jingyu;
alter user jingyu identified by jingyu
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20002: Password same as or similar to user
-- Password similar to the user name: the change fails
SYS@jyzhao1 >alter user jingyu identified by jingyu1;
alter user jingyu identified by jingyu1
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20005: Password same as or similar to user name
-- Password different from the user name: the change succeeds
SYS@jyzhao1 >alter user jingyu identified by alfred;
User altered.
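
The trimmed-down function rejects only the user name itself and the user name followed by 1 to 100. The block below is an added example, not part of the original article or of Oracle's script: a variant that also rejects passwords containing the user name anywhere or in reverse. The function name, the error numbers -20003 and -20004, and the test values are assumptions made for illustration.

```sql
-- Added example; create in the SYS schema like the function above.
CREATE OR REPLACE FUNCTION verify_function_userlike_demo
(username     varchar2,
 password     varchar2,
 old_password varchar2)
RETURN boolean IS
  l_user     varchar2(128) := NLS_LOWER(username);
  l_pass     varchar2(512) := NLS_LOWER(password);
  l_reversed varchar2(128);
BEGIN
  -- Very short user names would match almost any password by substring,
  -- so for them only an exact match is rejected.
  IF LENGTH(l_user) < 4 THEN
    IF l_pass = l_user THEN
      raise_application_error(-20002, 'Password same as or similar to user');
    END IF;
    RETURN(TRUE);
  END IF;
  -- User name anywhere in the password: any prefix, suffix or number added
  IF INSTR(l_pass, l_user) > 0 THEN
    raise_application_error(-20003, 'Password contains the user name');
  END IF;
  -- User name reversed, built character by character
  FOR i IN REVERSE 1..LENGTH(l_user) LOOP
    l_reversed := l_reversed || SUBSTR(l_user, i, 1);
  END LOOP;
  IF INSTR(l_pass, l_reversed) > 0 THEN
    raise_application_error(-20004, 'Password contains the user name reversed');
  END IF;
  RETURN(TRUE);
END;
/
-- Call the function directly on constructed values before attaching it to a profile
SET SERVEROUTPUT ON
DECLARE
  PROCEDURE check_pw(p_user varchar2, p_pass varchar2) IS
    ok boolean;
  BEGIN
    ok := verify_function_userlike_demo(p_user, p_pass, NULL);
    dbms_output.put_line(p_pass || ': accepted');
  EXCEPTION WHEN OTHERS THEN
    dbms_output.put_line(p_pass || ': rejected, ' || SQLERRM);
  END;
BEGIN
  check_pw('JINGYU', 'jingyu2018');
  check_pw('JINGYU', 'uygnij');
  check_pw('JINGYU', 'alfred');
END;
/
```

Once the direct calls behave as intended, the function can be attached with ALTER PROFILE ... PASSWORD_VERIFY_FUNCTION in the same way the script above attaches verify_function_11G_WJZYY.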

4. Users' most recent login time

11g enables auditing by default, so the time of a user's most recent login can be found in the aud$ table:

-- Query the database time zone
select property_value from database_properties where property_name='DBTIMEZONE';
-- Query the aud$ table
select MAX(to_char(a.ntimestamp#, 'YYYY-MM-DD HH24:MI:SS')) last_login,
  u.username
 from sys.aud$ a, dba_users u
 where a.USERID(+) = u.username
 and u.user_id > 90
 group by u.username
 ORDER BY 1;

Sample result:

SYS@jyzhao1 >select MAX(to_char(a.ntimestamp#, 'YYYY-MM-DD HH24:MI:SS')) last_login,
 2   u.username
 3 from sys.aud$ a, dba_users u
 4 where a.USERID(+) = u.username
 5  and u.user_id > 90
 6 group by u.username
 7 ORDER BY 1;
LAST_LOGIN   USERNAME
------------------- ------------------------------
2018-04-17 07:16:46 JINGYU
     TESTTESTTEST
     XS$NULL
SYS@jyzhao1 >

Users whose LAST_LOGIN is empty in the result above are those for whom the audit trail has recorded no login information.
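
The query above takes the newest audit record of any kind for each user. The following added example, which is not from the original article, reads the DBA_AUDIT_SESSION view instead so that only session records are considered, and separates successful logons from failed attempts. It assumes session auditing is enabled as described above; the column aliases are chosen here for illustration.

```sql
-- Added example: last successful logon and failed attempts per user.
-- DBA_AUDIT_SESSION shows only the logon/logoff records of SYS.AUD$.
-- RETURNCODE 0 is a successful logon, 1017 is an invalid user name or
-- password (ORA-01017), 28000 is a logon to a locked account (ORA-28000).
SELECT u.username,
       TO_CHAR(MAX(CASE WHEN s.returncode = 0 THEN s.timestamp END),
               'YYYY-MM-DD HH24:MI:SS')               AS last_success,
       COUNT(CASE WHEN s.returncode = 1017 THEN 1 END)  AS bad_password_attempts,
       COUNT(CASE WHEN s.returncode = 28000 THEN 1 END) AS locked_account_attempts
  FROM dba_users u
  LEFT JOIN dba_audit_session s
    ON s.username = u.username
 WHERE u.user_id > 90
 GROUP BY u.username
 ORDER BY last_success NULLS FIRST;
```

Accounts with an empty last_success and a non-zero failed-attempt count are the ones to review first.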
