\\检查是否限制具备数据库超级管理员(SYSDBA)权限的用户远程登录。已修复
修复前:SQL> show parameter remote_login_passwordfile;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string EXCLUSIVE
修复方法:
alter system set remote_login_passwordfile=NONE scope=spfile sid='*';
修复后:
SQL> show parameter remote_login_passwordfile;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string NONE
\\检查是否对用户的属性进行控制。已修复
修复方法:alter profile SYS_PROF limit PASSWORD_LIFE_TIME 60 PASSWORD_REUSE_TIME 60 PASSWORD_REUSE_MAX 5 PASSWORD_VERIFY_FUNCTION verify_function PASSWORD_GRACE_TIME 90;
alter profile CMSZ_PROF limit PASSWORD_LIFE_TIME 60 PASSWORD_REUSE_TIME 60 PASSWORD_REUSE_MAX 5 PASSWORD_VERIFY_FUNCTION verify_function PASSWORD_GRACE_TIME 90;
alter profile APP_PROF limit PASSWORD_LIFE_TIME 60 PASSWORD_REUSE_TIME 60 PASSWORD_REUSE_MAX 5 PASSWORD_VERIFY_FUNCTION verify_function PASSWORD_GRACE_TIME 90;
alter profile MONITORING_PROFILE limit PASSWORD_LIFE_TIME 60 PASSWORD_REUSE_TIME 60 PASSWORD_REUSE_MAX 5 PASSWORD_VERIFY_FUNCTION verify_function PASSWORD_GRACE_TIME 90;
修复后:
SQL> select * from DBA_PROFILES where PROFILE='SYS_PROF';
PROFILE RESOURCE_NAME RESOURCE LIMIT
------------------------------ -------------------------------- -------- ----------------------------------------
SYS_PROF COMPOSITE_LIMIT KERNEL DEFAULT
SYS_PROF SESSIONS_PER_USER KERNEL DEFAULT
SYS_PROF CPU_PER_SESSION KERNEL DEFAULT
SYS_PROF CPU_PER_CALL KERNEL DEFAULT
SYS_PROF LOGICAL_READS_PER_SESSION KERNEL DEFAULT
SYS_PROF LOGICAL_READS_PER_CALL KERNEL DEFAULT
SYS_PROF IDLE_TIME KERNEL 120
SYS_PROF CONNECT_TIME KERNEL DEFAULT
SYS_PROF PRIVATE_SGA KERNEL DEFAULT
SYS_PROF FAILED_LOGIN_ATTEMPTS PASSWORD 6
SYS_PROF PASSWORD_LIFE_TIME PASSWORD 60
SYS_PROF PASSWORD_REUSE_TIME PASSWORD 60
SYS_PROF PASSWORD_REUSE_MAX PASSWORD 5
SYS_PROF PASSWORD_VERIFY_FUNCTION PASSWORD VERIFY_FUNCTION
SYS_PROF PASSWORD_LOCK_TIME PASSWORD DEFAULT
SYS_PROF PASSWORD_GRACE_TIME PASSWORD 90 \\建议改为7就行了
\\检查是否启用数据字典保护。已修复。
修复方法:alter system set O7_DICTIONARY_ACCESSIBILITY=FALSE scope=spfile sid='*';
修复后:
SQL> show parameter O7_DICTIONARY_ACCESSIBILITY
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
O7_DICTIONARY_ACCESSIBILITY boolean FALSE
\\检查是否设置数据库口令复杂度,建议系统用户不更改:MGMT_VIEW,SYS,SYSTEM,SYSMAN。已修复。
修复方法:select distinct profile from dba_profiles;
select username,profile from dba_users where account_status='OPEN';
alter user GUOBB profile CMSZ_PROF;
alter user SCOTT profile CMSZ_PROF;
alter user YANGMM profile CMSZ_PROF;
alter user FVNOPUB profile APP_PROF;
修复后:
SQL> select username,profile from dba_users where account_status='OPEN';
USERNAME PROFILE
------------------------------ ------------------------------
GUOBB CMSZ_PROF
SCOTT CMSZ_PROF
YANGMM CMSZ_PROF
MCBDBA APP_PROF
FVNOPUB APP_PROF
DBSNMP MONITORING_PROFILE
MGMT_VIEW DEFAULT
SYS DEFAULT
SYSTEM DEFAULT
SYSMAN DEFAULT
\\检查是否限制DBA组中的操作系统用户(只有oracle安装用户) ,oracle/grid用户必须为dba组。其他用户可以去掉。不需修复
修复方法:grep dba /etc/group
修复后:
oracle@tyqzoraa[fms1]:/home/oracle$ grep dba /etc/group
dba::201:grid,oracle
asmdba::206:grid,oracle
\\检查是否设置登录认证方式。已修复
修复方法:alter system set REMOTE_OS_AUTHENT=FALSE scope=spfile sid='*';
修复后:
SQL> show parameter REMOTE_OS_AUTHENT
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_os_authent boolean FALSE
\\检查是否设置PUBLIC角色执行权限。在使用中不能去除权限。已修复
修复前:select table_name from dba_tab_privs where grantee='PUBLIC' and privilege='EXECUTE' and table_name in ('UTL_FILE','UTL_TCP','UTL_HTTP','UTL_SMTP','DBMS_LOB','DBMS_SYS_SQL','DBMS_JOB');
TABLE_NAME
------------------------------
DBMS_LOB
UTL_TCP
UTL_HTTP
UTL_FILE
UTL_SMTP
DBMS_JOB
修复方法:
revoke execute on 程序包名称 from public;
修复后:
SQL> select table_name from dba_tab_privs where grantee='PUBLIC' and privilege='EXECUTE' and table_name in ('UTL_FILE','UTL_TCP','UTL_HTTP','UTL_SMTP','DBMS_LOB','DBMS_SYS_SQL','DBMS_JOB');
TABLE_NAME
------------------------------
DBMS_LOB
UTL_FILE
DBMS_JOB
\\检查是否设置用户登录日志触发器。可以做,建议保留7天的登陆日志。已修复
修复前:SQL> select count(*) from LOGIN_LOG;
ERROR at line 1:
ORA-00942: table or view does not exist
修复方法:
create table LOGIN_LOG(
SESSION_ID NUMBER(32) NOT NULL,
LOGIN_ON_TIME DATE,
USER_IN_DB VARCHAR(50),
IP_ADDRESS VARCHAR(20)
) tablespace users;
create trigger LOGIN_INFO
after logon on database
begin
insert into LOGIN_LOG(SESSION_ID,LOGIN_ON_TIME,USER_IN_DB,IP_ADDRESS) select AUDSID,sysdate,sys.login_user,SYS_CONTEXT('USERENV','IP_ADDRESS') from v$session where AUDSID=USERENV('SESSIONID');
end;
/
SQL> ! cat /home/oracle/DELETE_LOGIN_LOG.sql
create or replace procedure DELETE_LOGIN_LOG
as
jobno_lihb number;
begin
jobno_lihb := 10086;
DBMS_JOB.SUBMIT(jobno_lihb,'delete from SYS.LOGIN_LOG;',SYSDATE,'SYSDATE+7');
commit;
end DELETE_LOGIN_LOG;
/
exec DELETE_LOGIN_LOG
//select * from user_jobs where what like 'delete from SYS.LOGIN_LOG%'; 查看作业号
//exec dbms_job.remove(61); 根据作业号清除作业
修复后:
SQL> select count(*) from LOGIN_LOG;
COUNT(*)
----------
901
\\检查是否设置数据库监听器(LISTENER)启动密码。可以做。已修复
修复方法:[grid@./localhost ~]$ $ORACLE_HOME/bin/lsnrctl
LSNRCTL> start
LSNRCTL> set current_listener LISTENER
LSNRCTL> set password
LSNRCTL> save_config
vi listener.ora的内容,把密码写进去,避免忘记
\\检查是否根据机器性能和业务需求,设置最大最小连接数。200和225数值太小,建议不做。不能修复
修复方法:alter system set processes=200 scope=spfile;
alter system set sessions=225 scope=spfile;
修复后:
SQL> show parameter processes
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
aq_tm_processes integer 1
db_writer_processes integer 3
gcs_server_processes integer 2
global_txn_processes integer 1
job_queue_processes integer 1000
log_archive_max_processes integer 4
processes integer 1000
SQL> show parameter sessions
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
java_max_sessionspace_size integer 0
java_soft_sessionspace_limit integer 0
license_max_sessions integer 0
license_sessions_warning integer 0
sessions integer 1536
shared_server_sessions integer
\\全部做完需要重启才能生效
单实例:直接shutdown immediate 然后startup
rac集群:
一个节点一个节点来。a节点关闭启动,b节点关闭启动。
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/31441616/viewspace-2140627/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/31441616/viewspace-2140627/