1.密码复杂度,对于可登录系统的账户,设置口令长度不低于8位,由大小写字母、特殊字符和数字无规律排列而成,口令有效期不超过180天,过期前7天给予提示,过期超过7天后强制修改口令,否则禁用账户或限制访问权限。
# Server configuration file entry, not SQL. Preload libraries are read at server
# start, so this needs a restart; sys_reload_conf() alone will not load it.
# NOTE(review): this assignment replaces the whole list. Keep any libraries the
# instance already preloads and append passwordcheck to them.
shared_preload_libraries = 'passwordcheck'
-- Register the password-complexity extension (this page preloads its library
-- through shared_preload_libraries before this step).
create extension passwordcheck;
-- Switch the check on and set the minimums: 8 characters overall, including
-- 3 letters, 3 digits and 1 punctuation character.
alter system set passwordcheck.enable = on;
alter system set passwordcheck.password_length = 8;
alter system set passwordcheck.password_condition_letter = 3;
alter system set passwordcheck.password_condition_digit = 3;
alter system set passwordcheck.password_condition_punct = 1;
-- NOTE(review): the policy text asks for both upper- and lower-case letters;
-- these settings only fix counts of letters, digits and punctuation. Confirm
-- whether the installed version can enforce mixed case.
-- NOTE(review): the check presumably runs only when a password is set or
-- changed, so existing passwords need a forced change to meet the new rule.
-- Re-read the configuration so the values above apply to the running server.
select sys_reload_conf();
2.密码有效期
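# Server configuration file entry, not SQL; it needs a server restart to take effect.
# The parameter holds one comma-separated list and a later assignment replaces
# an earlier one, so identity_pwdexp is listed next to passwordcheck (enabled in
# step 1) instead of being set on its own, which would drop the complexity check.
# Keep any other libraries the instance already preloads in the same list.
shared_preload_libraries = 'passwordcheck, identity_pwdexp'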
-- Register the password-expiry extension (its library is preloaded through
-- shared_preload_libraries in the line before this block).
create extension identity_pwdexp;
-- NOTE(review): the policy in step 1 asks for a maximum age of 180 days and a
-- warning 7 days before expiry. Confirm in the product documentation which of
-- the two parameters below is the enforced validity period, and which setting
-- produces the advance warning; 172 and 180 are the author's values.
alter system set identity_pwdexp.password_change_interval = 172;
alter system set identity_pwdexp.max_password_change_interval = 180;
-- NOTE(review): verify on a test account that existing roles, including the
-- built-in administrative ones, pick up the new interval.
-- Re-read the configuration so the values above apply to the running server.
select sys_reload_conf();
3.修改管理用户访问,对于无法重命名或删除的默认账户,可通过限制其访问权限、限制允许登录的地址范围、加强身份鉴别、重命名特权命令等途径缓解风险。
sys_hba.conf
# Records are evaluated top-down and the first matching record decides, so these
# lines must sit above any broader entry already present in the file. Edits take
# effect only after the configuration is reloaded.
# Built-in administrative accounts (system, sso, sao): SCRAM password login from
# three management hosts only.
host all system,sso,sao 10.72.54.1/32 scram-sha-256
host all system,sso,sao 10.72.54.2/32 scram-sha-256
host all system,sso,sao 10.72.54.3/32 scram-sha-256
# Every other IPv4 source is refused for those accounts.
# NOTE(review): 0.0.0.0/0 matches IPv4 only and "host" records cover TCP/IP only.
# Check that no IPv6 (::/0) or "local" socket record elsewhere in the file still
# admits these accounts.
host all system,sso,sao 0.0.0.0/0 reject
# All remaining accounts may connect from any IPv4 address with SCRAM.
# NOTE(review): consider narrowing this to the application subnets. Accounts
# whose stored password is not a SCRAM verifier cannot log in with this method
# until the password is reset.
host all all 0.0.0.0/0 scram-sha-256
4.空闲连接
-- Idle-connection timeout for client sessions.
-- NOTE(review): 1800 is presumably seconds (30 minutes). Confirm the unit for
-- the installed version, and that pooled application connections reconnect
-- cleanly after being dropped.
alter system set client_idle_timeout = 1800;
-- Re-read the configuration so the value applies to the running server.
select sys_reload_conf();