Technical document
Document title: Oracle Database Basic Hardening Scheme
Document number: (blank)    Version: (blank)    Document quality grade: (blank)    Total pages: 17 (including cover)
Prepared by: __________    Reviewed by: __________    Countersigned by: __________    Standardization: __________    Approved by: __________
ZTE Corporation

Set or modify the parameter (continuation of 2.4.3 ZTE-Oracle-EL04-03, connection timeout in sqlnet.ora): SQLNET.EXPIRE_TIME=10

2.4.4 ZTE-Oracle-EL04-04 Encrypt database network connections (optional)
On Windows, choose Oracle Net Manager from the Start menu; on Unix, run $ netmgr as the oracle user.
1. In Oracle Net Manager select Oracle Advanced Security
2. Then select Encryption
3. Select the Client or Server option
4. Select the encryption type
5. Enter the encryption seed (optional)
6. Select the encryption algorithm (optional)
7. Save the network configuration; sqlnet.ora is updated
Note: select Server on the Oracle server and Client on the Oracle client; both the server and the client must be configured.
2.5 ZTE-Oracle-E05 Log configuration
2.5.1 ZTE-Oracle-EL05-01 Enable login logging: login trigger (to be supplemented; embedded file "登录触发器待补充版.Oracle sql")
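Section 2.5.1 leaves the login trigger itself to be supplemented. The following is an added example, not the document's pending trigger and not ZTE code, of a minimal AFTER LOGON trigger that records who connected, from which host and address, and how the session authenticated. The schema SECAUDIT, the table LOGIN_AUDIT and the trigger name are assumed names.

```sql
-- Added example (not from the ZTE document). SECAUDIT, LOGIN_AUDIT and
-- TRG_LOGIN_AUDIT are assumed names; create the SECAUDIT schema first.

-- One row per successful logon. SYSTIMESTAMP is filled in by the database,
-- so the trigger body only has to supply the session attributes.
CREATE TABLE secaudit.login_audit (
  login_time  TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
  db_user     VARCHAR2(128),
  os_user     VARCHAR2(128),
  host        VARCHAR2(256),
  ip_address  VARCHAR2(64),    -- empty for local (bequeath) connections
  module      VARCHAR2(128),
  auth_type   VARCHAR2(64)
);

-- AFTER LOGON ON DATABASE fires for every session, so it covers business
-- users and the SYS/SYSTEM logons that 2.2.3 asks to be protected.
CREATE OR REPLACE TRIGGER secaudit.trg_login_audit
AFTER LOGON ON DATABASE
BEGIN
  INSERT INTO secaudit.login_audit
    (db_user, os_user, host, ip_address, module, auth_type)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'HOST'),
     SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
     SYS_CONTEXT('USERENV', 'MODULE'),
     SYS_CONTEXT('USERENV', 'AUTHENTICATION_TYPE'));
EXCEPTION
  -- An error raised from a logon trigger refuses the logon for every
  -- non-SYSDBA session; an audit failure must not lock all users out.
  WHEN OTHERS THEN NULL;
END;
/

-- Reviewing the log: logons from addresses outside the whitelist of 2.4.2,
-- or privileged users arriving from unexpected hosts, stand out here.
SELECT login_time, db_user, os_user, host, ip_address
  FROM secaudit.login_audit
 WHERE db_user IN ('SYS', 'SYSTEM')
 ORDER BY login_time DESC;
```

The silent exception handler is a deliberate trade-off: a full tablespace or a dropped audit table then shows up as missing rows rather than as a database-wide logon outage, so the table's growth should itself be monitored. Failed logons do not reach an AFTER LOGON trigger; those come from the FAILED_LOGIN_ATTEMPTS limit in 2.2.6 and from the audit settings of 2.3.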
2.6 ZTE-Oracle-E06 Database security component configuration
2.6.1 ZTE-Oracle-EL06-01 Use options (optional, to be supplemented): Data Vault
2.6.2 ZTE-Oracle-EL05-02 Use the Virtual Private Database and Label Security options (optional, to be supplemented)
2.7 ZTE-Oracle-E07 Install verified database patches
2.7.1 ZTE-Oracle-EH07-01 Install the latest verified database patches
Oracle database version | WAP gateway | MMS | SMS
Oracle9i | | |
Oracle10g | | |

Appendix 3 User account quick reference
3.1.1 Oracle user accounts (username / default password, followed by the description)

SYS / change_on_install
All of the base tables and views for the database's data dictionary are stored in the schema SYS. These base tables and views are critical for the operation of Oracle. To maintain the integrity of the data dictionary, tables in the SYS schema are manipulated only by Oracle; they should never be modified by any user or database administrator, and no one should create any tables in the schema of the user SYS. The DBA should change the password for SYS immediately after database creation!!!

SYSTEM / manager
The SYSTEM username creates additional tables and views that display administrative information, and internal tables and views used by Oracle tools. Never create in the SYSTEM schema tables of interest to individual users. SYSTEM is a little bit weaker user than SYS; for example, it has no access to the so-called X$ tables, the very internal structure tables of Oracle. Although in real life you may be in a situation when some product or whatever you want to create objects in the above-mentioned users' schemas. Be flexible, don't sacrifice a product only because it will create some objects in the SYS or SYSTEM schema. The DBA should change the password for SYSTEM immediately after database creation!!!

SYSMAN / (set at installation)
The default super user account used to set up and administer Enterprise Manager. The password is set when the database is installed.

DBSNMP / dbsnmp
Supports Oracle SNMP (Simple Network Management Protocol). The Oracle Intelligent Agent requires a database logon for each SID that it manages. By default this account is called "DBSNMP" and the password is "DBSNMP". The account name and/or password SHOULD be changed from the default, but you will need to make a few additional modifications. In the examples below, you will need to replace any information in brackets with the information from your system.
1. Remove all Jobs and Events currently registered against this database.
2. Stop the Intelligent Agent. Oracle8i: % lsnrctl dbsnmp_stop. Oracle9i: % agentctl stop
3. Edit the $ORACLE_HOME/network/admin/snmp_rw.ora file. Add the following parameters: SNMP.CONNECT.<connect_string>.NAME=<username> and SNMP.CONNECT.<connect_string>.PASSWORD=<password>. The variable connect_string is the exact listing of the database name as it appears in the snmp_ro.ora file. If the username is the default (DBSNMP), there is no need to specify the user here; only the password is required. On UNIX, set the following permission on the "SNMP_RW.ORA" file: % chmod 600 snmp_rw.ora
4. Change the DBSNMP password on the database. You can use either Security Manager, SQL*Plus, or Server Manager. If you use SQL*Plus or Server Manager, you can issue the following command: SQL> alter user dbsnmp identified by "<newpassword>";
5. Stop and restart the Intelligent Agent.

OUTLN / outln
Oracle8i adds the OUTLN user schema to support Plan Stability. The OUTLN user acts as a place to centrally manage metadata associated with stored outlines. This user has the DBA role. It is used for plan stability, i.e. to keep the same execution plans for the same queries even if your system configuration or statistics change. Execution plans will be the same in different Oracle releases with different optimizers. The DBA should either lock the user account or change the password for the OUTLN user immediately after database creation!!!

MDSYS / mdsys
Supports Oracle Spatial. Oracle Spatial is an integrated set of functions and procedures that enables spatial data to be stored, accessed, and analyzed quickly and efficiently in an Oracle8i database. [..] The spatial attribute of a spatial feature is the geometric representation of its shape in some coordinate space. This is referred to as its geometry. The DBA should either lock the user account or change the password for the MDSYS user immediately after database creation!!!

ORDSYS / ordsys
Supports Oracle8i Time Series. Oracle8i Time Series (in previous releases called the Oracle8 Time Series Cartridge) is an extension to Oracle8i that provides storage and retrieval of timestamped data through object types. Oracle8i Time Series is a building block for applications rather than being an end-user application in itself. It consists of data types along with related functions for managing and processing time series data. The DBA should either lock the user account or change the password for the ORDSYS user immediately after database creation!!!

ORDPLUGINS / ordplugins
Supports Oracle interMedia. Oracle interMedia is a single product that enables Oracle8i to store, manage, and retrieve text, documents, geographic location information, images, audio, and video in an integrated fashion with other enterprise information. Oracle interMedia extends Oracle8i reliability, availability, and data management to text and multimedia content in Internet, electronic commerce, and media-rich applications as well as online Internet-based geocoding services for locator applications. The DBA should either lock the user account or change the password for the ORDPLUGINS user immediately after database creation!!!

CTXSYS / ctxsys
Supports Oracle ConText Cartridge. Oracle8 ConText Cartridge provides powerful search, retrieval, and viewing capabilities for text stored in an Oracle8 database. In addition, ConText provides advanced linguistic processing of English-language text. The DBA should either lock the user account or change the password for the CTXSYS user immediately after database creation!!!

DSSYS / dssys
Dynamic Services Secured Web Service. The Dynamic Services Engine (DS Engine) allows creation, aggregation and deployment of services from a variety of content sources. At the moment, Dynamic Services supports content access from databases (SQL/PLSQL) as well as Internet applications (HTTP/HTTPS). DS Engine can interpret XML and HTML content along with the result sets returned from database access. DS Engine is integrated with Oracle Portal via a Web Provider mechanism. This integration allows all the services registered with DS Engine to be accessible as portlets. The DBA should either lock the user account or change the password for the DSSYS user immediately after database creation!!!

PERFSTAT / perfstat
Oracle Statistics Package (STATSPACK) user that supersedes UTLBSTAT/UTLESTAT. The PERFSTAT user will hold all of the tables and packages for the performance diagnostic tool STATSPACK. Created by: $ORACLE_HOME/rdbms/admin/spcusr.sql

WKPROXY / change_on_install
Used to support Oracle's Ultrasearch option. This feature and user was introduced in Oracle9i. The user account IS NOT locked by default and is only assigned the CREATE SESSION privilege. Nonetheless, this account is not locked by default and Oracle highly recommends that this default password be changed. Created by: $ORACLE_HOME/ultrasearch/admin/wk0csys.sql

WKSYS / change_on_install
Used to support Oracle's Ultrasearch option. This feature and user was introduced in Oracle9i. The user account IS NOT locked by default and, as you can see below, is granted the highly privileged role of DBA. Given that this user is granted the DBA role and is not locked by default, Oracle highly recommends that this default password be changed. This support account is assigned the following privileges in Oracle9i: CONNECT, RESOURCE, DBA, ALL PRIVILEGES, CTXAPP, CREATE PUBLIC SYNONYM, DROP PUBLIC SYNONYM, CREATE ANY VIEW, DROP ANY VIEW, CREATE ANY TABLE, DROP ANY TABLE, CREATE ANY INDEX, DROP ANY INDEX, CREATE ANY SEQUENCE, DROP ANY SEQUENCE, CREATE ANY TRIGGER, DROP ANY TRIGGER, JAVAUSERPRIV, JAVASYSPRIV, SELECT ON SYS.USER$, SELECT ON SYS.V_$PARAMETER, SELECT ON SYS.GV_$INSTANCE, SELECT ON SYS.V_$DATABASE, SELECT ON SYS.DBA_CONSTRAINTS, SELECT ON SYS.DBA_JOBS, SELECT ON SYS.DBA_DB_LINKS, SELECT ON SYS.DBA_ROLE_PRIVS, SELECT ON SYS.DBA_LOCK, SELECT ON SYS.DBMS_LOCK_ALLOCATED, SELECT ON SYS.PROCEDURE$, SELECT ON SYS.DBA_TABLES, SELECT ON SYS.DBA_VIEWS, SELECT ON SYS.DBA_TAB_COLUMNS, EXECUTE ON SYS.DBMS_LOCK, EXECUTE ON SYS.DBMS_PIPE, EXECUTE ON SYS.DBMS_REGISTRY. The default tablespace for this user will be "DRSYS" while its temporary tablespace will be "TEMP". Created by: $ORACLE_HOME/ultrasearch/admin/wk0install.sql

WK_PROXY / wk_proxy
Used for Ultrasearch.

WMSYS / wmsys
Used to store all the metadata information for Oracle Workspace Manager. This user was introduced in Oracle9i and, like most Oracle9i supporting accounts, is locked by default. The user account is locked because we want the password to be public but restrict access to the account to the SYS schema. So, to unlock the account, DBA privileges are required. Created by: $ORACLE_HOME/rdbms/admin/owmctab.plb

MTSSYS / (not given)
Used for Microsoft Transaction Server support.

XDB / change_on_install
Used to support SQL XML management: XML DB. This user is granted two roles: "RESOURCE" and "JAVAUSERPRIV". Oracle recommends changing the password for this user after creation. This user is configured with a default tablespace of XDB and a temporary tablespace of "TEMP". Created by: $ORACLE_HOME/rdbms/admin/catqm.sql

ANONYMOUS / IDENTIFIED BY VALUES
Used to support SQL XML management: XML DB. Allows HTTP access to Oracle XML DB. This user should only be used for HTTP logins. The account is locked near the end of the catqm.sql script.

ODM / odm
Used to support Oracle Data Mining. In Oracle9i, this user is granted the roles "SELECT_CATALOG_ROLE", "HS_ADMIN_ROLE" and "AQ_USER_ROLE". Oracle recommends changing the default password as the account IS NOT locked after creation. The default tablespace for this user is ODM with temporary tablespace TEMP. The ODM tablespace is populated with segments from users ODM and ODM_MTR. Created by: $ORACLE_HOME/dm/admin/dmcrt.sql

ODM_MTR / mtrpw
Used to support Oracle Data Mining. In Oracle9i, this user is granted "SELECT_CATALOG_ROLE" and "HS_ADMIN_ROLE". Oracle recommends changing the default password as the account IS NOT locked after creation. The default tablespace for this user is "ODM" with temporary tablespace "TEMP". The "ODM" tablespace is populated with segments from users ODM and ODM_MTR. Created by: $ORACLE_HOME/dm/admin/dmcrt.sql

OLAPSYS / mtrpw (as listed)
This user is created if the OLAP option is installed and is used to create OLAP metadata structures. In Oracle9i, this user is granted "SELECT_CATALOG_ROLE" and "HS_ADMIN_ROLE". Oracle recommends changing the default password. The default tablespace for this user is ODM with temporary tablespace "TEMP". The ODM tablespace is populated with segments from users ODM and ODM_MTR. Created by: $ORACLE_HOME/dm/admin/dmcrt.sql

TRACESVR / trace
Oracle Trace server. Supports Oracle Trace for OEM in Oracle. Oracle Trace is used to collect a wide variety of data, such as performance statistics, diagnostic data, system resource usage, and business transaction details.

REPADMIN / managed by the DBA when the user is created
Replication user. This user is manually created by the DBA using CREATE USER... This user is also created in the scripts $ORACLE_HOME/ldap/admin/oidrsrms.sql and $ORACLE_HOME/ldap/admin/oidrsms.sql. Oracle recommends changing the default password if automatically created.

DIP / (not given)
Used by the Directory Integration Platform (DIP), which synchronizes changes in the Oracle Internet Directory with applications in the database.

DMSYS / (not given)
This user is used for Data Mining.

EXFSYS / (not given)
This schema is used for expression filters.

LBACSYS / (not given)
The administration account for Oracle Label Security.

MDDATA / (not given)
Used by Oracle Spatial to store Geocoder and router data.

MGMT_VIEW / random
Used for the Oracle Enterprise Manager Database Control. Its password is generated randomly.

SI_INFORMTN_SCHEMA / (not given)
Used for the SQL/MM Still Image Standard.

AURORA$ORB$UNAUTHENTICATED / random
Description: Create the public user for the Aurora/ORB. This is the identity any non-validated ORB client will run as. This is the user for users who don't authenticate in the Aurora/ORB. Created by: jisorb.sql

AURORA$JIS$UTILITY$ / random
Description: Create the public user for the Aurora/ORB. This is the identity any non-validated ORB client will run as. This is the user for users who don't authenticate in the Aurora/ORB. Created by: jisbgn.sql

OSE$HTTP$ADMIN / random
Description: Create the public user for the Aurora/ORB. This is the identity any non-validated ORB client will run as. This is the user for users who don't authenticate in the Aurora/ORB. Created by: jishausr.sql

SCOTT / scott (as listed)
Well known and often referenced sample schema. Everyone should know about the magical emp and dept tables. VERY MANY examples in Oracle docs, and not only there, are based on this schema, so you should know it! The user should be dropped in all production databases.

Other sample-schema users: ADAMS, JONES, CLARK, BLAKE, HR, OE, PM, SH, QS, QS_ES, QS_WS, QS_CB, QS_CS, QS_ADM, QS_CBADM, BI.

Modification record
Version | Date prepared/modified | Document number | Reason for change | Prepared/modified by | Main changes (key points only)
1.0 | 2009/04/15 | (blank) | none | 王华刚 | none
1.1 | 2009/06/01 | (blank) | supplementary content | 王华刚 | added the requirement that passwords must be changed before the 90-day password lifetime is set

Configuration number | Configuration hardening item | Page
(Table of contents; only the following entries survived extraction, the remaining rows are page numbers only.)
2.2.2 ZTE-Oracle-EM02-02 The operating system dba group contains only the oracle user (or also oinstall) ... 6
2.2.7 ZTE-Oracle-EL02-07 Only users with the sysdba privilege may access the data dictionary ... 8
2.4.1 ZTE-Oracle-EL04-01 Set the listener password (optional; confirm the effect on dual-node failover) ... 9
2.1 ZTE-Oracle-E01 Oracle account security hardening operations
2.2 ZTE-Oracle-E02 Minimal component installation
2.1.1 ZTE-Oracle-EM01-01 The Oracle project lists the components it uses:
Oracle version | Oracle components: WAP gateway | MMS | SMS
Oracle9i | | |
Oracle10g | | |

2.2.1 ZTE-Oracle-EH02-01 Delete or lock unused accounts
Lock: SQL> alter user <username> account lock;
Delete: SQL> drop user <username> cascade;
Users to delete (table columns: user | WAP gateway | MMS | SMS):
SCOTT, ANONYMOUS, CTXSYS, DBSNMP (may be locked or deleted), DIP, DMSYS, EXFSYS, HR, LBACSYS, MDDATA, MDSYS, MGMT_VIEW, ODM, QS, WKPROXY, WKSYS, ODM_MTR, OLAPSYS, ORDPLUGINS, OE, ORDSYS (may be locked or deleted), OUTLN, SH, SI_INFORMTN_SCHEMA, WMSYS (may be locked or deleted), XDB, TSMSYS, WK_TEST, SYSMAN, RMAN, QS_WS, QS_OS, QS_ES, QS_CS, QS_CBADM, QS_CB, PM, QS_ADM

2.2.2 ZTE-Oracle-EM02-02 The operating system dba group contains only the oracle user (or also oinstall). For the specific procedure refer to the corresponding operating system hardening scheme.

2.2.3 ZTE-Oracle-EH02-03 Change default passwords and use strong passwords
Create a password verification function with the content of the embedded file verify_passwd.sql. Running the script does not affect existing passwords, so the passwords must still be changed:
SQL> alter user sys identified by <password>;
SQL> alter user system identified by <password>;
SQL> alter user <business user> identified by <password>;
Business users whose passwords must be changed:
Business | Users whose passwords must be changed
WAP gateway | sys, system, plus any others the business adds; the account passwords must be changed before the next step (setting the password lifetime)
MMS | sys, system, plus any others the business adds; the account passwords must be changed before the next step (setting the password lifetime)
SMS | sys, system, plus any others the business adds; the account passwords must be changed before the next step (setting the password lifetime)
Other actions required after changing user passwords:
Business | Actions after changing user passwords
WAP gateway, MMS, SMS | In a dual-node environment, after changing the sys/system passwords verify that the failover switching scripts still work

2.2.4 ZTE-Oracle-EL02-04 Set the password lifetime to 90 days (optional)
SQL> alter profile <profile> limit PASSWORD_LIFE_TIME 90;
Note: the password changes in 2.2.3 must be performed before the profile is modified; otherwise logins may fail once the password lifetime has elapsed.

2.2.5 ZTE-Oracle-EL02-05 Prohibit password reuse
SQL> alter profile <profile> limit PASSWORD_REUSE_MAX 5;

2.2.6 ZTE-Oracle-EL02-06 Lock the account when the number of consecutive failed authentication attempts exceeds 6 (6 itself not counted) (optional)
SQL> alter profile <profile> limit FAILED_LOGIN_ATTEMPTS 6;

2.2.7 ZTE-Oracle-EL02-07 Set so that only users with the sysdba privilege can access the data dictionary
When using a pfile: set the pfile parameter O7_DICTIONARY_ACCESSIBILITY=false and restart the database for it to take effect.
When using an spfile: SQL> alter system set O7_DICTIONARY_ACCESSIBILITY=FALSE scope=spfile; then restart the database for it to take effect.
Note: the default pfile location is Unix $ORACLE_HOME/dbs/init<SID>.ora, Windows %ORACLE_HOME%\DATABASE\init<SID>.ora, where SID is the Oracle database identifier.
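Sections 2.2.1 and 2.2.4 to 2.2.7 apply their limits one statement at a time. The following is an added example, not part of the ZTE document, that collects them into one SQL*Plus script against a dedicated profile and then verifies the result from the data dictionary instead of trusting that the ALTER statements took effect. The profile name APP_HARDENED, the business user WAPUSER, the PASSWORD_GRACE_TIME and PASSWORD_REUSE_TIME values and the password placeholder are assumptions.

```sql
-- Added example (not from the ZTE document). APP_HARDENED, WAPUSER and the
-- password placeholder are assumed names; run as a DBA in SQL*Plus.

-- 2.2.4 / 2.2.5 / 2.2.6 in one profile instead of altering DEFAULT piecemeal.
-- PASSWORD_REUSE_MAX is only counted when PASSWORD_REUSE_TIME is also an
-- integer; 365 days and the 7-day grace period are assumed values, the
-- document itself only specifies REUSE_MAX 5, LIFE_TIME 90 and 6 attempts.
CREATE PROFILE app_hardened LIMIT
  PASSWORD_LIFE_TIME     90
  PASSWORD_GRACE_TIME    7
  PASSWORD_REUSE_MAX     5
  PASSWORD_REUSE_TIME    365
  FAILED_LOGIN_ATTEMPTS  6
  PASSWORD_LOCK_TIME     UNLIMITED;   -- stays locked until a DBA unlocks it

-- 2.2.3 before 2.2.4: change the password BEFORE the profile is applied, so
-- the 90-day clock starts from a fresh password and not from an old one.
ALTER USER wapuser IDENTIFIED BY "<new-strong-password>";   -- placeholder
ALTER USER wapuser PROFILE app_hardened;

-- Verify the limits actually recorded for the profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_HARDENED'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;

-- Verify which profile the account uses and when its password expires.
SELECT username, account_status, profile, expiry_date
  FROM dba_users
 WHERE username = 'WAPUSER';

-- 2.2.1: list accounts from the delete/lock list that are still usable.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('SCOTT', 'OUTLN', 'DBSNMP', 'MDSYS', 'ORDSYS',
                    'ORDPLUGINS', 'CTXSYS', 'WMSYS', 'XDB', 'WKSYS', 'WKPROXY')
   AND account_status NOT LIKE '%LOCKED%';

-- Lock rather than drop when other objects may still depend on the schema.
ALTER USER scott ACCOUNT LOCK;

-- 2.2.7: read the current value (v$parameter names are lower case), then
-- change it in the spfile; the new value applies after a restart.
SELECT name, value FROM v$parameter WHERE name = 'o7_dictionary_accessibility';
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY = FALSE SCOPE = SPFILE;
```

A dedicated profile keeps the hardened limits separate from DEFAULT, which internal accounts such as SYS still use; if the document's intent is to harden every account, apply the same LIMIT clause to DEFAULT instead. The two SELECTs against dba_profiles and dba_users are the acceptance check for 2.2.4 to 2.2.6, and the dba_users query for 2.2.1 is the one to re-run after each patch or option installation, since those can recreate or unlock support accounts.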
2.3 ZTE-Oracle-E03 Audit requirements (optional)
2.3.1 ZTE-Oracle-EL03-01 Audit scheme: use of the audit function and precautions (embedded document "审计功能的使用与注意事项.oracle do")
Business | Tables to audit | Operations to audit
WAP gateway | |
MMS | |
SMS | |

2.4 ZTE-Oracle-E04 Database connection security
2.4.1 ZTE-Oracle-EL04-01 Set the listener password (optional; confirm the effect on dual-node failover)
$ lsnrctl
LSNRCTL> change_password
Old password: <OldPassword>   (not displayed)
New password: <NewPassword>   (not displayed)
Reenter new password: <NewPassword>   (not displayed)
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<host>)(PORT=<port>)))
Password changed for LISTENER
The command completed successfully
Note: consider the effect of the listener password on dual-node failover.

2.4.2 ZTE-Oracle-EM04-02 Configure the listener access whitelist
$ vi $ORACLE_HOME/network/admin/sqlnet.ora
Set or modify the parameters:
tcp.validnode_checking=yes
tcp.invited_nodes=(ip1, ip2, …)
Note: tcp.invited_nodes must include the IP address of the local host, or localhost.

2.4.3 ZTE-Oracle-EL04-03 Configure connection timeout disconnection (optional)
$ vi $ORACLE_HOME/network/admin/sqlnet.ora