
[Oracle Database] 12c Password Hardening

Posted on 2018-1-25 08:00:00
Password hardening on Oracle 12c is a requirement across the financial sector; this post is a record of a test of it.
1. Create a user

  SYS@orcl1> create user roidba identified by roidba;
  create user roidba identified by roidba
  *
  ERROR at line 1:
  ORA-28003: password verification for the specified password failed
  ORA-20001: Password same as or similar to user   -- an error is raised: password verification failed

2. Check the profiles

  SYS@orcl1> select * from dba_profiles;
  PROFILE            RESOURCE_NAME                  RESOURCE_TYPE    LIMIT                          COMMON
  ------------------ ------------------------------ ---------------- ------------------------------ ------
  DEFAULT            COMPOSITE_LIMIT                KERNEL           UNLIMITED                      NO
  DEFAULT            SESSIONS_PER_USER              KERNEL           UNLIMITED                      NO
  DEFAULT            CPU_PER_SESSION                KERNEL           UNLIMITED                      NO
  DEFAULT            CPU_PER_CALL                   KERNEL           UNLIMITED                      NO
  DEFAULT            LOGICAL_READS_PER_SESSION      KERNEL           UNLIMITED                      NO
  DEFAULT            LOGICAL_READS_PER_CALL         KERNEL           UNLIMITED                      NO
  DEFAULT            IDLE_TIME                      KERNEL           UNLIMITED                      NO
  DEFAULT            CONNECT_TIME                   KERNEL           UNLIMITED                      NO
  DEFAULT            PRIVATE_SGA                    KERNEL           UNLIMITED                      NO
  DEFAULT            FAILED_LOGIN_ATTEMPTS          PASSWORD         10                             NO
  DEFAULT            PASSWORD_LIFE_TIME             PASSWORD         180                            NO
  DEFAULT            PASSWORD_REUSE_TIME            PASSWORD         UNLIMITED                      NO
  DEFAULT            PASSWORD_REUSE_MAX             PASSWORD         UNLIMITED                      NO
  DEFAULT            PASSWORD_VERIFY_FUNCTION       PASSWORD         VERIFY_FUNCTION                NO
  DEFAULT            PASSWORD_LOCK_TIME             PASSWORD         1                              NO
  DEFAULT            PASSWORD_GRACE_TIME            PASSWORD         7                              NO
  ORA_STIG_PROFILE   COMPOSITE_LIMIT                KERNEL           DEFAULT                        NO
  ORA_STIG_PROFILE   SESSIONS_PER_USER              KERNEL           DEFAULT                        NO
  ORA_STIG_PROFILE   CPU_PER_SESSION                KERNEL           DEFAULT                        NO
  ORA_STIG_PROFILE   CPU_PER_CALL                   KERNEL           DEFAULT                        NO
  ORA_STIG_PROFILE   LOGICAL_READS_PER_SESSION      KERNEL           DEFAULT                        NO
  ORA_STIG_PROFILE   LOGICAL_READS_PER_CALL         KERNEL           DEFAULT                        NO
  ORA_STIG_PROFILE   IDLE_TIME                      KERNEL           15                             NO
  ORA_STIG_PROFILE   CONNECT_TIME                   KERNEL           DEFAULT                        NO
  ORA_STIG_PROFILE   PRIVATE_SGA                    KERNEL           DEFAULT                        NO
  ORA_STIG_PROFILE   FAILED_LOGIN_ATTEMPTS          PASSWORD         3                              NO
  ORA_STIG_PROFILE   PASSWORD_LIFE_TIME             PASSWORD         60                             NO
  ORA_STIG_PROFILE   PASSWORD_REUSE_TIME            PASSWORD         365                            NO
  ORA_STIG_PROFILE   PASSWORD_REUSE_MAX             PASSWORD         10                             NO
  ORA_STIG_PROFILE   PASSWORD_VERIFY_FUNCTION       PASSWORD         ORA12C_STRONG_VERIFY_FUNCTION  NO   -- uses the 12c password verification policy
  ORA_STIG_PROFILE   PASSWORD_LOCK_TIME             PASSWORD         UNLIMITED                      NO
  ORA_STIG_PROFILE   PASSWORD_GRACE_TIME            PASSWORD         5                              NO
  32 rows selected.
  SYS@orcl1>

3. Password verification policy requirements

  ora12c_strong_verify_function Function Password Requirements
  The ora12c_strong_verify_function function fulfills the Department of Defense Database Security Technical Implementation Guide requirements.
  This function checks for the following requirements when users create or modify passwords:
  The password must contain at least 2 upper case characters, 2 lower case characters, 2 numeric characters, and 2 special characters. These special characters are as follows:
  -- requires at least 2 upper case letters, 2 lower case letters, 2 digits and 2 special characters
  ‘ ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ / < > , . ; ? ' : | (space)
  The password must differ from the previous password by at least 4 characters.
  The following internal checks are also applied:
  The password contains no fewer than nine characters and does not exceed 30 characters.
  The password does not contain the double-quotation character ("). It can be surrounded by double-quotation marks, however.
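To check candidate passwords against the rules quoted above before a profile change locks anyone out, here is an added Python re-implementation of those rules (example code written for this post, not Oracle's PL/SQL from utlpwdmg.sql). It assumes the "differ by at least 4 characters" rule means an edit distance of 4 or more, and approximates the username-similarity check behind the ORA-20001 message as "same as the username or the username reversed"; the usernames and passwords below are constructed test values.

```python
from typing import List, Optional

# Special characters listed in the ora12c_strong_verify_function documentation
SPECIALS = set("`~!@#$%^&*()_-+={}[]\\/<>,.;?':| ")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the 'differ by at least 4 characters' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_strong_password(password: str, username: str,
                          old_password: Optional[str] = None) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if not 9 <= len(password) <= 30:
        problems.append("length must be between 9 and 30 characters")
    if '"' in password:
        problems.append("double-quotation character is not allowed")
    if sum(c.isupper() for c in password) < 2:
        problems.append("needs at least 2 upper case characters")
    if sum(c.islower() for c in password) < 2:
        problems.append("needs at least 2 lower case characters")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("needs at least 2 numeric characters")
    if sum(c in SPECIALS for c in password) < 2:
        problems.append("needs at least 2 special characters")
    # Approximation of the username check (assumption, see lead-in)
    if password.lower() in (username.lower(), username.lower()[::-1]):
        problems.append("password same as or similar to user")
    if old_password is not None and edit_distance(password, old_password) < 4:
        problems.append("must differ from the previous password by at least 4 characters")
    return problems


if __name__ == "__main__":
    # 'roidba' as password for user roidba is the failing case from section 1
    print(check_strong_password("roidba", "roidba"))
    # constructed value that satisfies every quoted rule
    print(check_strong_password("Xy12!@abCd", "roidba"))
```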

4. Re-create the user according to the requirements

  SYS@orcl1> create user roidba identified by "FXlv12!@";
  User created.
  SYS@orcl1> grant connect to roidba;
  Grant succeeded.
  SYS@orcl1> conn roidba/"FXlv12!@"
  Connected.
  ROIDBA@orcl1>

5. Disabling password complexity verification

  SYS@orcl1> ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION NULL;
  Profile altered.
  SYS@orcl1> alter user roidba identified by roidba;
  User altered.
  SYS@orcl1>

6. Procedure for enabling password complexity verification

  Enabling Password Complexity Verification
  The utlpwdmg.sql script can be customized to enable password complexity verification.
  Log in to SQL*Plus with administrative privileges.
  For example:
  CONNECT SYSTEM
  Enter password: password
  Run the utlpwdmg.sql script (or your modified version of this script) to create the password complexity functions in the SYS schema.
  @$ORACLE_HOME/rdbms/admin/utlpwdmg.sql
  Grant any users who must use this function the EXECUTE privilege on it.
  For example:
  GRANT EXECUTE ON ora12c_strong_verify_function TO psmith;
  In the default profile or the user profile, set the PASSWORD_VERIFY_FUNCTION setting to either the sample password complexity function in the utlpwdmg.sql script, or to your customized function. Use one of the following methods:
  Log in to SQL*Plus with administrator privileges and use the CREATE PROFILE or ALTER PROFILE statement to enable the function. Ensure that you have the EXECUTE privilege on the function.
  For example, to update the default profile to use the ora12c_strong_verify_function function:
  ALTER PROFILE default LIMIT
  PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function;

