oracle数据库安全基线自动检测脚本

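#!/bin/bash
#
# Oracle database security baseline collection script.
#
# Runs a set of SQL*Plus queries (authentication mode, password hashes of
# database accounts, open accounts, profiles, audit/resource parameters,
# DBA grants, PUBLIC EXECUTE grants on sensitive packages, ...) and then greps
# the listener/sqlnet configuration, appending everything to ./orack.res.lst.
#
# version 2.1: tested on RHEL, CentOS and OEL; applicable to 9i, 10g and 11g.
# Not tested on AIX, Solaris or other Unix flavours; adjust as needed if
# problems come up.
#
# Author: jn
# Date: 2016.8
#
# Requirements: ORACLE_HOME set; run as a user that can connect "/ as sysdba".
# The report contains password hashes (user$) and privilege data, so it is
# created owner-readable only (see umask in main).

set -euo pipefail

readonly RESULT_FILE=orack.res.lst

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Append a section header to the report.
# Globals:   RESULT_FILE (appended)
# Arguments: $1 - leading blank lines as an escape string ('\n' or '\n\n'),
#                 interpreted like "echo -e"
#            $2 - section title
#######################################
report_section() {
  local blanks=$1 title=$2
  {
    printf '%b\n' "$blanks"
    printf '%s\n' "----------${title}----------"
    printf '\n'
  } >> "$RESULT_FILE"
}

#######################################
# Append the lines of a configuration file matching a pattern to the report,
# or a marker line when the file does not exist.
# Globals:   RESULT_FILE (appended)
# Arguments: $1 - extended, case-insensitive regex
#            $2 - configuration file path
#######################################
grep_config() {
  local pattern=$1 file=$2
  if [[ -f "$file" ]]; then
    # No match means the setting is absent, which is itself a finding, so a
    # grep status of 1 must not abort the script under set -e.
    grep -E -i -- "$pattern" "$file" >> "$RESULT_FILE" || true
  else
    printf 'File %s Is Not Exists!!!\n' "$file" >> "$RESULT_FILE"
  fi
}

#######################################
# Run the database-side checks in SQL*Plus, spooling the output.
# Arguments: $1 - path of the sqlplus binary
#            $2 - spool file (must carry an extension, or SQL*Plus adds .lst)
# Returns:   the exit status of sqlplus
#######################################
run_sql_checks() {
  local sqlplus=$1 spool_file=$2
  # The here-document is unquoted so that $spool_file expands; every Oracle
  # "$" (v$version, user$, v$option) is therefore escaped as "\$".
  "$sqlplus" "/ as sysdba" <<EOF
-------  line width and page size  ----------
set line 150
set pagesize 1000
set feed off
spool $spool_file
-------  time the script started running  ------------
select 'Started On ' || to_char(sysdate,'yyyy-mm-dd hh24:mi:ss') started_time from dual;
-------  Oracle version  ------------
select banner from v\$version;
------- Oracle login authentication mode ----------
show parameter remote_login_passwordfile
------- password HASH values of database accounts -----------
select name,password from user\$;
select name,password from user\$ where name in ( select username from dba_users where account_status='OPEN');
-------  accounts in OPEN (active) status  ------------
col username for a20
col profile for a20
select username,profile from dba_users where account_status='OPEN';

set line 150
set pagesize 1000
col profile for a20
col resource_name for a30
col resource for a25
col limit for a30
select * from dba_profiles;
select * from dba_profiles where profile='DEFAULT';
-------  whether resource limits are enabled  ------------
show parameter resource_limit
------- audit settings -----
show parameter audit
-------  password-related limits  ------------
col resource_name for a40
col limit for a20
col profile for a40
select resource_name,limit,profile from dba_profiles where resource_type='PASSWORD';
------- which users hold the DBA role  ---------------
col grantee for a15
col granted_role for a15
col admin_option for a15
col default_role for a15
select * from dba_role_privs where grantee in ( select username from dba_users where account_status='OPEN') and granted_role='DBA' order by grantee;
------- number of sensitive packages on which PUBLIC holds EXECUTE (dba_tab_privs) -------
select count(*) table_name from dba_tab_privs where grantee='PUBLIC' and privilege='EXECUTE' and table_name in ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'DBMS_LOB', 'DBMS_SYS_SQL', 'DBMS_JOB');
------- profile settings of open accounts -------
select * from dba_profiles where profile in (select profile from dba_users where account_status='OPEN') and  limit NOT IN('DEFAULT','UNLIMITED','NULL');
------- whether a third-party audit tool (Database Vault) is installed -------
SELECT * FROM V\$OPTION WHERE PARAMETER = 'Oracle Database Vault';
------- maximum number of connections -------
show parameter processes;
------- number of non-system users granted the DBA role -------
select count(a.username) from  dba_users a left join dba_role_privs b on a.username = b.grantee where granted_role = 'DBA' and a.username not in ('SYS','SYSMAN','SYSTEM');
------- database sessions -------
show parameter sessions;
------- when sql92_security is TRUE, UPDATE/DELETE on a table requires SELECT privilege on that table --------
show parameter sql92_security;
------- O7_DICTIONARY_ACCESSIBILITY controls access to the data dictionary. When TRUE, a user holding an ANY TABLE privilege (e.g. SELECT ANY TABLE) can read the dictionary without being DBA/SYSDBA; FALSE is recommended -------
show parameter O7_DICTIONARY_ACCESSIBILITY;
spool off
EOF
}

#######################################
# Entry point: collect the database and network-configuration checks.
# Globals:   ORACLE_HOME (read), RESULT_FILE (written), tmpdir (written)
# Arguments: none
#######################################
main() {
  : "${ORACLE_HOME:?ORACLE_HOME must be set}"
  local sqlplus=$ORACLE_HOME/bin/sqlplus
  [[ -x "$sqlplus" ]] || die "sqlplus not found or not executable: $sqlplus"

  # The report holds password hashes and privilege data; make the report and
  # the spool file readable by the owner only.
  umask 077

  # SPOOL truncates its target (SPOOL ... APPEND does not exist in 9i), so
  # spooling straight into the report would discard the hostname line.
  # Spool into a scratch directory instead and append it afterwards.
  # tmpdir is deliberately not local: the EXIT trap runs after main returns.
  tmpdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$tmpdir"' EXIT
  local spool_file=$tmpdir/sqlplus.lst

  hostname > "$RESULT_FILE"
  if ! run_sql_checks "$sqlplus" "$spool_file"; then
    printf 'warning: sqlplus exited non-zero; database section may be incomplete\n' >&2
  fi
  if [[ -f "$spool_file" ]]; then
    cat -- "$spool_file" >> "$RESULT_FILE"
  fi

  local listener_ora=$ORACLE_HOME/network/admin/listener.ora
  local sqlnet_ora=$ORACLE_HOME/network/admin/sqlnet.ora

  # Oracle Port Number
  report_section '\n\n' 'Port 1521 in listener.ora'
  grep_config '1521' "$listener_ora"

  # Listener Password
  report_section '\n' 'Listener Password in listener.ora'
  grep_config 'PASSWORDS_LISTENER' "$listener_ora"

  # SQLNET TIMEOUT (dead connection detection)
  report_section '\n' 'sqlnet timeout in sqlnet.ora'
  grep_config 'SQLNET.EXPIRE_TIME' "$sqlnet_ora"

  # SQLNET Trusted IP (valid node checking)
  report_section '\n' 'sqlnet trusted IP in sqlnet.ora'
  grep_config 'tcp.validnode_checking|tcp.invited_nodes|tcp.excluded_nodes' "$sqlnet_ora"

  printf '%b\n' '\n\n' >> "$RESULT_FILE"
  printf '==========================  End On %s  ==========================\n' "$(date)" >> "$RESULT_FILE"
}

main "$@"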
