oracle 10g,11g 可以查找以下,12c没有测试
一、查看profile配置并记录;
二、在重置密码之前修改profile(PASSWORD_REUSE_MAX、PASSWORD_REUSE_TIME、 PASSWORD_VERIFY_FUNCTION)三个参数以免发生报错;
三、查询当前处于OPEN状态的用户,并自动生成重置密码的SQL,执行生成的SQL完成密码重置
四、修改profile为要求值(三个参数);
五、密码过期时间确定
----------------------------------------------------------------
1.查询数据库当前profile配置
set lin 200;
col PROFILE for a20
set pagesize 9999
col RESOURCE_NAME for a36
col LIMIT for a20
select PROFILE,RESOURCE_NAME,LIMIT from dba_profiles order by 1;
2.将查询出来的profile的参数PASSWORD_REUSE_MAX和PASSWORD_REUSE_TIME设置为unlimited,
PASSWORD_VERIFY_FUNCTION设置为NULL,不然重置密码操作可能会报错
alter profile DEFAULT limit PASSWORD_REUSE_MAX unlimited;
alter profile DEFAULT limit PASSWORD_REUSE_TIME unlimited;
alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION null;
alter profile DEFAULT limit FAILED_LOGIN_ATTEMPTS unlimited;
alter profile DEFAULT limit PASSWORD_LOCK_TIME unlimited;
alter profile DEFAULT limit PASSWORD_GRACE_TIME unlimited;
alter profile DEFAULT limit PASSWORD_LIFE_TIME unlimited;
alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;
alter profile DEFAULT limit PASSWORD_REUSE_MAX 3;
alter profile DEFAULT limit FAILED_LOGIN_ATTEMPTS 6;
3.查询当前处于OPEN状态的用户,并自动生成重置密码的SQL,执行生成的SQL完成密码重置(特别特别注意空格跟对齐)
select USER#,name,SPARE4 from sys.user$(12c) -----这一句有点问题
select ' alter user ' || name ||' identified by values '''||SPARE4 ||''';' from sys.user$
where name in (select username from dba_users
where ACCOUNT_STATUS<>'LOCK' and ACCOUNT_STATUS not like 'EXPIRED%LOCKED'); (12c以这一句为标准) ---这一句有点问题。
select ' alter user ' || name ||' identified by values '''||password ||''';' from sys.user$
where name in (select username from dba_users
where ACCOUNT_STATUS<>'LOCK' and ACCOUNT_STATUS not like 'EXPIRED%LOCKED');(11G以这一句为标准)
select ' alter user ' || username ||' identified by values '''||password ||''';' from dba_users
where ACCOUNT_STATUS<>'LOCK' and ACCOUNT_STATUS not like 'EXPIRED%LOCKED';(10G以这一句为标准)
select ' alter user ' || username || ' identified by values ''' || password || ''';' from dba_users where account_status='OPEN';
4.修改其他profile为等保所要求的值,参考如下(实际按要求更改/步骤1记录的参数一致?)
alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;
alter profile DEFAULT limit PASSWORD_REUSE_TIME 180;
alter profile DEFAULT limit PASSWORD_REUSE_MAX 5;
alter profile DEFAULT limit PASSWORD_LIFE_TIME 180;
alter profile DEFAULT limit FAILED_LOGIN_ATTEMPTS 5;
alter profile MONITORING_PROFILE limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;
alter profile MONITORING_PROFILE limit PASSWORD_LIFE_TIME 180;
alter profile MONITORING_PROFILE limit FAILED_LOGIN_ATTEMPTS 5;
alter profile MONITORING_PROFILE limit PASSWORD_REUSE_MAX 5;
alter profile MONITORING_PROFILE limit PASSWORD_REUSE_TIME 1800;
alter profile MONITORING_PROFILE limit PASSWORD_GRACE_TIME 10;
5.密码过期时间确认
col USERNAME for a20
col PASSWORD for a32
col ACCOUNT_STATUS for a20
set lin 100
select username,PASSWORD,ACCOUNT_STATUS,EXPIRY_DATE from dba_users order by 3;
11G
set lin 120
col username for a10
col profile for a15
col account_status for a10
select b.username,b.profile,b.account_status,b.created,a.ptime,b.lock_date,b.expiry_date from
(select * from sys.user$) a,
(select * from dba_users) b
where a.name=b.username and ACCOUNT_STATUS<>'LOCK' and ACCOUNT_STATUS not like 'EXPIRED%LOCKED';
------------------------------------------------------------------
参数说明
Failed_login_attempts:指定在帐户被锁定之前所允许尝试登陆的的最大次数
Password_life_time:指定同一密码所允许使用的天数。
password_reuse_time:指定了密码不能重用前的天数(必须为整数)
password_reuse_max:则指定了当前密码被重用之前密码改变的次数(必须为整数)
Password_verify_function:该字段允许将复杂的PL/SQL密码验证脚本做为参数传递到create profile语句。对Function名称,指定的是密码验证规,则的名称,指定为Null则意味着不使用密码验证功能。如果为密码参数指定表达式,则该表达式可以是任意格式,除了数据库 量子查询。
Password_grace_time:指定宽限天数,数据库发出警告到登陆失效前的天数;如果数据库密码在这中间没有被修改,则过期会失效;
------------------------------------------------------------------
select username,account_status,lock_date from dba_users where ACCOUNT_STATUS<>'LOCK' and ACCOUNT_STATUS not like 'EXPIRED%LOCKED';
set lin 120
col username for a10
col profile for a15
col account_status for a10
select b.username,b.profile,b.account_status,b.created,a.ptime,b.lock_date,b.expiry_date from
(select * from sys.user$) a,
(select * from dba_users) b
where a.name=b.username and ACCOUNT_STATUS<>'LOCK' and ACCOUNT_STATUS not like 'EXPIRED%LOCKED';
使用utlpwdmg.sql脚本创建密码复杂度校验函数。
@ $ORACLE_HOME/RDBMS/ADMIN/utlpwdmg.sql