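Classified protection (MLPS, 等保) issues
During on-site testing and go-live of a project, it is recommended to enable the password complexity verification function. Oracle 12c and Oracle 11g are used as examples.
Enabling the password complexity verification function on 12c
Run the following commands in both the CDB and the PDB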
sqlplus / as sysdba
CONNECT SYSTEM
@?/rdbms/admin/utlpwdmg.sql
alter profile default limit password_life_time unlimited;
ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED;
alter profile DEFAULT limit PASSWORD_LOCK_TIME UNLIMITED;
alter profile DEFAULT limit PASSWORD_GRACE_TIME UNLIMITED;
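Note: copy, paste and run these one line at a time. The four ALTER PROFILE statements leave accounts on the DEFAULT profile with no password expiry and no failed-login lockout; only the complexity check applies to them.
Modify the password policy of the default profile
Running utlpwdmg.sql already sets PASSWORD_VERIFY_FUNCTION automatically; to be safe, run the statement explicitly as well: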
alter profile default limit PASSWORD_VERIFY_FUNCTION ora12c_verify_function;
Create a new system profile
The following is done in CDB mode (log in to the CDB first)
sqlplus sys/luckserver@ITPM as sysdba
create profile C##_SYSTEM_PROFILE limit
PASSWORD_LIFE_TIME 60
PASSWORD_GRACE_TIME 90
PASSWORD_REUSE_MAX 5
PASSWORD_REUSE_TIME 60
PASSWORD_VERIFY_FUNCTION ora12c_verify_function;
Change the profile of the sys and system users
The following is done in CDB mode
alter user sys profile C##_SYSTEM_PROFILE;
alter user system profile C##_SYSTEM_PROFILE;
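In PDB mode: create the system profile and change the profile of the sys and system users
Use the statements from the two steps above, simply removing the C##_ prefix.
Verification
Verify in both CDB and PDB mode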
SELECT * FROM dba_profiles where profile in ('DEFAULT','C##_SYSTEM_PROFILE') order by profile;
SELECT username,PROFILE FROM dba_users order by created;
Enabling the password complexity verification function on 11g
1. Enable the password complexity verification function
sqlplus / as sysdba
@?/rdbms/admin/utlpwdmg.sql
alter profile default limit password_life_time unlimited;
ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS UNLIMITED;
alter profile DEFAULT limit PASSWORD_LOCK_TIME UNLIMITED;
alter profile DEFAULT limit PASSWORD_GRACE_TIME UNLIMITED;
2. Modify the password policy of the default profile (running utlpwdmg.sql already sets PASSWORD_VERIFY_FUNCTION automatically)
alter profile default limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;
3. Create a new system profile
create profile SYSTEM_PROFILE limit
PASSWORD_LIFE_TIME 60
PASSWORD_GRACE_TIME 90
PASSWORD_REUSE_MAX 5
PASSWORD_REUSE_TIME 60
PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;
4. Change the profile of the sys and system users
alter user sys profile SYSTEM_PROFILE;
alter user system profile SYSTEM_PROFILE;
5. Verification
SELECT * FROM dba_profiles order by profile;
SELECT username,PROFILE FROM dba_users order by created;
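The two verification queries above can be combined into a single per-user audit, shown here as an added example that is not part of the original note. It resolves limits that a profile inherits from DEFAULT and flags accounts with no complexity function in effect; the CTE names and the complexity_check column are chosen for this example.

```sql
-- Added example: effective password policy per user (run in the CDB and in each PDB on 12c).
-- In dba_profiles a limit of 'DEFAULT' means "inherit from the DEFAULT profile",
-- and an unset PASSWORD_VERIFY_FUNCTION is shown as the string 'NULL'.
WITH limits AS (
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS effective_limit
  FROM   dba_profiles p
  LEFT JOIN dba_profiles d
         ON  d.profile = 'DEFAULT'
         AND d.resource_name = p.resource_name
  WHERE  p.resource_type = 'PASSWORD'
),
policy AS (
  SELECT profile,
         MAX(CASE WHEN resource_name = 'PASSWORD_VERIFY_FUNCTION' THEN effective_limit END) AS verify_function,
         MAX(CASE WHEN resource_name = 'PASSWORD_LIFE_TIME'       THEN effective_limit END) AS life_time,
         MAX(CASE WHEN resource_name = 'PASSWORD_GRACE_TIME'      THEN effective_limit END) AS grace_time,
         MAX(CASE WHEN resource_name = 'PASSWORD_REUSE_MAX'       THEN effective_limit END) AS reuse_max,
         MAX(CASE WHEN resource_name = 'PASSWORD_REUSE_TIME'      THEN effective_limit END) AS reuse_time,
         MAX(CASE WHEN resource_name = 'FAILED_LOGIN_ATTEMPTS'    THEN effective_limit END) AS failed_logins
  FROM   limits
  GROUP  BY profile
)
SELECT u.username,
       u.account_status,
       u.profile,
       v.verify_function,
       v.life_time,
       v.grace_time,
       v.reuse_max,
       v.reuse_time,
       v.failed_logins,
       CASE
         WHEN v.verify_function IS NULL OR v.verify_function = 'NULL'
           THEN 'NO COMPLEXITY CHECK'
         ELSE 'OK'
       END AS complexity_check
FROM   dba_users u
JOIN   policy v ON v.profile = u.profile
ORDER  BY u.created;
```

After the steps above, sys and system should show the new system profile with life_time 60 and reuse_max 5, and every row should report a verify function.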