DB Security Checks

1.Checking if default account/password is changed or removed
- Check if following default ID/Password is changed or removed for each DB product.
◈ For all Oracle servers
scott/tiger
system/manager
dbsnmp/dbsnmp
tracesvr/trace
sys/change_on_install
sapr3/sap
demo/demo
outln/outln
mtssys/mtssys
ordsys/ordsys
ordplugins/ordplugins
mdsys/mdsys
ctxsys/ctxsys
adams/wood
blake/paper
jones/steel
clark/cloth
aurora$orb$unauthenticated/invalid
wksys/wksys
olapsys/manager
olapdba/olapdba
LBACSYS/LBACSYS
olapsvr/instance

※ To check - Follow either of following methods
① Check if you can log in when you type "sqlplus ID/PASSWD" in Command Prompt.
② After connecting to Oracle, run "select * from ALL_USERS", compare the result with the default IDs above, and try connecting with "sqlplus ID/PASSWORD" for each one that is present. See if you can log in.
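As an added example (not part of the original checklist), the following Oracle SQL lists which of the default accounts above still exist in the data dictionary and whether each one is open, so the manual "sqlplus ID/PASSWD" test only has to be run for accounts that are actually present, and shows the two usual remediations. The account names are the ones from the list above; `scott`, `dbsnmp` and the password `Chang3Me_placeholder` in the ALTER USER lines are placeholders for whatever the query turns up.

```sql
-- Added example: audit the default Oracle accounts listed above.
-- Run as a DBA (e.g. SYSTEM). Account names come from the checklist above.
SELECT username, account_status, lock_date, created
  FROM dba_users
 WHERE username IN (
         'SCOTT', 'SYSTEM', 'DBSNMP', 'TRACESVR', 'SYS', 'SAPR3', 'DEMO',
         'OUTLN', 'MTSSYS', 'ORDSYS', 'ORDPLUGINS', 'MDSYS', 'CTXSYS',
         'ADAMS', 'BLAKE', 'JONES', 'CLARK', 'AURORA$ORB$UNAUTHENTICATED',
         'WKSYS', 'OLAPSYS', 'OLAPDBA', 'LBACSYS', 'OLAPSVR')
 ORDER BY account_status, username;

-- Every account reported as OPEN still needs the manual login test from the page.

-- Remediation A: accounts that exist but are not needed are locked and their
-- password expired (SYS and SYSTEM must stay; change their passwords instead).
-- 'scott' is a placeholder for whichever account the query returned.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- Remediation B: accounts that are needed (e.g. DBSNMP for monitoring) get a
-- new password. 'Chang3Me_placeholder' is a placeholder, not a suggested value.
ALTER USER dbsnmp IDENTIFIED BY Chang3Me_placeholder;

-- Re-check: the remediated accounts should now show LOCKED / EXPIRED
-- or, for the ones kept, OPEN but no longer accepting the default password.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE username IN ('SCOTT', 'DBSNMP');
```

The first query is only an inventory; the page's login test is still what proves whether the password was actually changed, because DBA_USERS does not reveal the password itself.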

◈ For all SQL servers
sa/null, probe/null

◈ For all MySQL servers
root/null, null/null, mysql/null

◈ For all Sybase servers
sa/null


2.Checking if DB passwords are strengthened
- Check if passwords are strengthened for DB user accounts.
(Exception: default accounts set up with packages)

◈ For all database servers
Check if password policy is applied.
(6 characters or more, alphanumeric, no repetition of same characters 4 consecutive times or more)
※ To check
① (Oracle) If managed by profile,
Check that the profile assigned to each user has a verification function that defines the password rules, and that the rules are actually defined in it.
SQL> select username, profile from dba_users; (shows the profile in use)
SQL> select LIMIT from dba_profiles where profile='<profile in use>'
and RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION';
* If LIMIT returns 'UNLIMITED', no password verification function is defined for that profile.
(or)
Check whether a user can be created with a simple password:
create user samsungcert identified by samsung PROFILE <profile in use>;

② If there is no profile,
Check whether the person in charge can connect with the DBA account and standard user accounts using a simple password.
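As an added example (not the page's own code), here is an Oracle PASSWORD_VERIFY_FUNCTION that enforces the three rules given above (6 characters or more; alphanumeric, read here as "contains at least one letter and one digit"; no character repeated 4 or more times in a row), followed by a profile that uses it and the two checks from the page run again. The function must be created in the SYS schema; the names `verify_min_policy` and `app_users`, and the use of `scott` as the user to assign, are assumptions.

```sql
-- Added example: password verification function for the rules above.
-- Create as SYS. verify_min_policy / app_users are assumed names.
CREATE OR REPLACE FUNCTION verify_min_policy (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN
IS
    letters   CONSTANT VARCHAR2(26) := 'abcdefghijklmnopqrstuvwxyz';
    digits    CONSTANT VARCHAR2(10) := '0123456789';
    has_alpha BOOLEAN     := FALSE;
    has_digit BOOLEAN     := FALSE;
    run_len   PLS_INTEGER := 1;   -- length of the current run of identical characters
    c         VARCHAR2(1);
BEGIN
    -- Rule 1: 6 characters or more
    IF password IS NULL OR LENGTH(password) < 6 THEN
        raise_application_error(-20001, 'Password must be at least 6 characters long');
    END IF;

    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);

        -- Rule 2 bookkeeping: remember whether a letter and a digit were seen
        IF INSTR(letters, LOWER(c)) > 0 THEN
            has_alpha := TRUE;
        ELSIF INSTR(digits, c) > 0 THEN
            has_digit := TRUE;
        END IF;

        -- Rule 3: the same character may not appear 4 or more times consecutively
        IF i > 1 AND c = SUBSTR(password, i - 1, 1) THEN
            run_len := run_len + 1;
            IF run_len >= 4 THEN
                raise_application_error(-20003,
                    'Password must not repeat the same character 4 or more times in a row');
            END IF;
        ELSE
            run_len := 1;
        END IF;
    END LOOP;

    IF NOT (has_alpha AND has_digit) THEN
        raise_application_error(-20002, 'Password must contain both letters and digits');
    END IF;

    -- Extra guard beyond the three rules: password must not equal the user name
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20004, 'Password must differ from the user name');
    END IF;

    RETURN TRUE;
END;
/

-- Attach the function to a profile and assign that profile to the accounts to protect.
CREATE PROFILE app_users LIMIT
    PASSWORD_VERIFY_FUNCTION verify_min_policy;
ALTER USER scott PROFILE app_users;

-- The page's check again: LIMIT must now show VERIFY_MIN_POLICY, not UNLIMITED.
SELECT limit
  FROM dba_profiles
 WHERE profile = 'APP_USERS'
   AND resource_name = 'PASSWORD_VERIFY_FUNCTION';

-- The page's negative test: creating a user with a simple password must now fail
-- with ORA-28003 and the message raised above (no letter/digit mix).
CREATE USER samsungcert IDENTIFIED BY samsung PROFILE app_users;
```

The function is also invoked on ALTER USER ... IDENTIFIED BY, so existing accounts are covered as soon as their next password change happens; it does not retroactively reject passwords that were set before the profile was assigned, which is why the page's manual login test in ② still matters.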


3.Disabling DBA rights for ordinary users


4.Removing vulnerabilities in each DB product
- Check that known security weaknesses in each DB product have been removed.
◈ For all SQL servers,
"xp_cmdshell" must not be executable by any DB account (including SA).
※ To check
① Execute "xp_cmdshell" with Query Analyzer
[ Command ] xp_cmdshell "dir"
→ Even when the execute right for "xp_cmdshell" is shown as denied ("x") in Enterprise Manager, it may still actually execute. Therefore, be sure to check with Query Analyzer.

5.Applying security patches
- Apply security patches for each DB product.

◈ For Oracle 8.0.x, 8.1.x, 9.0.x, 9.2.x,
Patches for Buffer Overflow Vulnerability
(UNIX)
. Oracle 8, 8i, 9i Release 1 : Patches 2642117, 2642267, 2642439, 2620726
→ It is possible to apply Patch 2832809 that includes all the above 4 patches.
. Oracle 9i Release 2 : Patch Set 9.2.0.3 (patch#-2761332) or higher
(Windows)
. Oracle 8.1.7.4 : Patch 2899111 (8.1.7.4 patch 9)
. Oracle 9.0.1.4 : Patch 2781666 (9.0.1.4 patch 1)
. Oracle 9.2.0.2 : Patch 2814865 (9.2.0.2 patch 1)
※ For both Windows and UNIX, no patch is applied to versions not listed above, nor where no patch is provided for the platform.

◈ For all SQL servers,
1) Apply the cumulative security patches for SQL Server
. Hotfix Q815495 should be applied to SQL Server 2000 (mandatory for SP3 or higher)
. Hotfix Q815495 should be applied to SQL Server 7.0 (mandatory for SP4 or higher)
※ To check
Execute select @@version with Query Analyzer and check that the build is:
Microsoft SQL Server 7.0 - 7.00.1094 (Intel X86)
Microsoft SQL Server 2000 (32bit) - 8.00.0818 (Intel X86)

1.Removing unnecessary DB accounts
- Remove any unqualified accounts, testing accounts that are no longer needed, and other unnecessary accounts. If they are not removed, lock them.
① Unqualified accounts - accounts of departing employees and contractors, former employees, and suspended employees.
② Testing accounts no longer needed - accounts whose purpose (e.g. application testing) is finished.
③ Unnecessary accounts - accounts created by the installation of packages but not used as default accounts (unnecessary accounts are NOT the default accounts created when the DB is installed, but accounts that interwork with package software).
※ To check (Oracle) ☞ select username, lock_date from dba_users

2.Controlling client IP address and port access
- Check that the number of DB handlers is kept to a minimum, access rights are controlled, and users are managed.
(Exception: if the applications that interwork with the DB are in a Client-Server environment)
* Check if the IP addresses and ports that are allowed to connect are restricted.

◈ For Oracle V7.1 or higher
Control which clients can access the DB server by IP address.
(Exception: if the DB interworks with applications in a CS environment)
※ To check
Open "$ORACLE_HOME/network/admin/protocol.ora"
tcp.validnode_checking = yes → Enable node checking (deny every host not invited below)
tcp.invited_nodes=( 192.168.0.1 ) → Accept only the listed IP addresses
* For Oracle 9i, the same settings go in "sqlnet.ora".
◈ For MySQL servers,
Control which clients can access the DB server by IP address
※ To check
Run "mysql> use mysql" and inspect the accounts in the 'user' table. If "%" appears in the "Host" field, remote connections are allowed from anywhere. Deduct points for it.
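An added example (not from the original post) for the MySQL check above, which also covers the MySQL default accounts from section 1 (root/null, null/null, mysql/null): it queries the `mysql.user` grant table for wildcard hosts, anonymous accounts and empty passwords, then shows how to bind a wildcard account to a single client address. It assumes a MySQL version of the era the page describes, where `mysql.user` still has a `password` column and `SET PASSWORD ... = PASSWORD()` is valid (5.6 and earlier); `app_user` and `192.168.0.1` are placeholders.

```sql
-- Added example: audit and tighten MySQL client-host restrictions.
-- Run as the MySQL root account. 'app_user' / 192.168.0.1 are placeholders.
USE mysql;

-- 1. Accounts reachable from any host: '%' as the whole host, or '%' used as a
--    wildcard inside it (the backslash makes LIKE match a literal '%').
SELECT user, host FROM user WHERE host = '%' OR host LIKE '%\%%';

-- 2. Anonymous accounts (empty user name) and accounts with an empty password,
--    i.e. the null/null, root/null and mysql/null defaults from section 1.
SELECT user, host FROM user WHERE user = '' OR password = '';

-- 3. Remediation: drop anonymous accounts; give the remaining ones a password.
--    'Chang3Me_placeholder' is a placeholder, not a suggested value.
DELETE FROM user WHERE user = '';
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('Chang3Me_placeholder');

-- 4. Remediation: bind a wildcard account to the one client address that needs it.
--    Editing the grant tables directly works on old 4.x servers as well as newer
--    ones; the per-database grants in mysql.db need the same host change.
UPDATE user SET host = '192.168.0.1' WHERE user = 'app_user' AND host = '%';
UPDATE db   SET host = '192.168.0.1' WHERE user = 'app_user' AND host = '%';
FLUSH PRIVILEGES;

-- Re-check: the wildcard query should now return no rows.
SELECT user, host FROM user WHERE host = '%';
```

FLUSH PRIVILEGES is required after editing the grant tables directly; without it the server keeps serving the old, permissive entries from its in-memory copy until restart.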
3.Removing vulnerabilities in each DB product
- Check that security holes in each DB product are closed.

◈ For all Oracle servers (Oracle 7.3.4 or higher)
1) Set a listener password, since the TNS Listener log file may otherwise be modified.
※ To check
Run "LSNRCTL", check the listener status, and see if SECURITY is "ON"
(Exception) if the DB is configured for HA
2) Minimize the use of database links
Remove any unused DB links and keep the number of DB links to a minimum.
※ To check
☞ select * from SYS.LINK$;
select * from user_db_links;
select * from all_db_links;
3) Revoke the "create library" privilege from normal users (everyone except DBAs).
※ To check
When the following commands are executed, the library should not be created.
SQL>create or replace library exec_shell as '/usr/lib/libc.a';
SQL>/
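As an added example (not the page's own code) for items 2) and 3) above, the following Oracle SQL finds who holds CREATE LIBRARY, whether granted directly or through a role, and inventories all database links, then shows the corresponding revoke and drop statements. It is run as a DBA and uses the comma-join form so it also works on 8i, which lacks ANSI JOIN syntax; `scott` and `old_link` are placeholders.

```sql
-- Added example: CREATE LIBRARY privilege audit and database-link inventory.
-- Run as a DBA. 'scott' and 'old_link' are placeholders.

-- 1. Direct grants of CREATE LIBRARY / CREATE ANY LIBRARY to anything other
--    than the DBA role and the two core accounts.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
   AND grantee NOT IN ('DBA', 'SYS', 'SYSTEM');

-- 2. Users who receive the privilege indirectly, through a role that holds it.
--    (One level of role nesting; repeat with the roles found if roles are nested.)
SELECT r.grantee AS user_name, r.granted_role, p.privilege
  FROM dba_sys_privs p, dba_role_privs r
 WHERE r.granted_role = p.grantee
   AND p.privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
   AND r.grantee NOT IN ('DBA', 'SYS', 'SYSTEM');

-- 3. Remediation: revoke from the user, or from the role if the role is the carrier.
REVOKE CREATE LIBRARY FROM scott;

-- 4. Database-link inventory across all owners (including PUBLIC), newest first.
--    This is the DBA-wide view behind the user_db_links / all_db_links queries above.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY created DESC;

-- 5. Remediation: drop links that are no longer used.
DROP DATABASE LINK old_link;          -- link owned by the connected user
DROP PUBLIC DATABASE LINK old_link;   -- link owned by PUBLIC
```

After the revoke, the page's test (create or replace library exec_shell ...) run as that user should fail with an insufficient-privileges error; if it still succeeds, query 2 is the place to look for a role that still carries the privilege.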

4.Applying security patches
- Apply security patches for each DB product

◈ For Oracle 8.1.x, 9.0.x, 9.2.x
Latest security patches (refer to Alert #68)
(UNIX)
. Oracle 8.1.7.4 : Patch 3811838
. Oracle 9.0.1.4 : Patch 3811857
. Oracle 9.0.1.5 : Patch 3811865
. Oracle 9.2.0.4 : Patch 3811887
. Oracle 9.2.0.5 : Patch 3811906
. Oracle 10.1.0.2 : Patch 3811942
(Windows)
. Oracle 8.1.7.4 : Patch 3820881
. Oracle 9.0.1.4 : Patch 3836293
. Oracle 9.0.1.5 : Patch 3815663
. Oracle 9.2.0.4 : Patch is scheduled to be released in October 2004
. Oracle 9.2.0.5 : Patch 3738339
. Oracle 10.1.0.2 : Patch 3768706
※ Since Oracle does not provide patches for all platforms, apply patches only for the corresponding platforms.
(Platform reference: http://metalink.oracle.com/metalink/plsql/ml2_documents.showNOT?p_id=281189.1&p_showHeader=1&p_showHelp=1 ← Metalink authentication is needed)

From the "ITPUB blog", link: http://blog.itpub.net/503782/viewspace-983278/. Please cite the source when reposting; otherwise legal action may be taken.