Oracle漏洞扫描安全加固

1、关于操作系统和数据库合规检查漏洞的解决方案Oracle数据库分册适用软件版本Oracle10g、11g适用硬件版本主题关于操作系统和数据库合规检查漏洞的解决方案Oracle数据库分册1、 问题描述与原因：Oracle数据库在合规检查时被扫描出漏洞，要求对这些漏洞进行解决。2、 应对措施：对存在漏洞进行定制的安全加固操作。 3、 执行条件/注意事项：Ø 加固前确保服务器、数据库、网管运行均正常。最好重启下服务器、数据库和网管查看重启后网管是否能运行正常。如果加固前服务器本身有问题，加固后服务器运行异常会加大排查难度。Ø 本解决方案执行完成后，需要重启Oracle数据库来生效某

2、些操作。Ø 本解决方案不必完全执行，请根据系统扫描出的漏洞选择对应的漏洞条目进行操作。Ø 如无特殊说明，本文中的执行用户均为oracle 4、 操作步骤：漏洞清单（单击可跳转）：（注：漏洞名称与配置项信息中的配置项名称对应。）漏洞1. 检查是否对用户的属性进行控制（5）漏洞2. 检查是否配置Oracle软件账户的安全策略（2）漏洞3. 检查是否启用数据字典保护漏洞4. 检查是否在数据库对象上设置了VPD和OLS（6）漏洞5. 检查是否存在dvsys用户dbms_macadm对象（14）漏洞6. 检查是否数据库应配置日志功能（11）漏洞7. 检查是否记录操作日志（13）漏洞8

3、. 检查是否记录安全事件日志（7）漏洞9. 检查是否根据业务要求制定数据库审计策略漏洞10. 检查是否为监听设置密码漏洞11. 检查是否限制可以访问数据库的地址（1）漏洞12. 检查是否使用加密传输（4）漏洞13. 检查是否设置超时时间（15）漏洞14. 检查是否设置DBA组用户数量限制（3）漏洞15. 检查是否删除或者锁定无关帐号漏洞16. 检查是否限制具备数据库超级管理员（SYSDBA）权限的用户远程登录（10）漏洞17. 检查口令强度设置（17）漏洞18. 检查帐户口令生存周期（12）漏洞19. 检查是否设置记住历史密码次数（8）漏洞20. 检查是否配置最大认证失败次数漏洞21. 检查是

4、否在配置用户所需的最小权限（9）漏洞22. 检查是否使用数据库角色（ROLE）来管理对象的权限(16)漏洞23. 检查是否更改数据库默认帐号的密码执行Oracle安全加固操作前备份文件：bash-3.2$ cp $ORACLE_HOME/network/admin/listener.ora $ORACLE_HOME/network/admin/bash-3.2$ cp $ORACLE_HOME/network/admin/sqlnet.ora $ORACLE_HOME/network/admin/Oracle数据库漏洞的解决方案全部执

5、行完成后，需要重启Oracle实例来生效某些操作。漏洞1. 检查是否对用户的属性进行控制类型：Oracle数据库类问题：SQL> select count(t.username) from dba_users t where profile not in ('DEFAULT','MONITORING_PROFILE');COUNT(T.USERNAME)- 0解决方案：暂时不处理。漏洞2. 检查是否配置Oracle软件账户的安全策略类型：Oracle数据库类问题：略解决方案：暂时不处理漏洞3. 检查是否启用数据字典保护类型：Oracle数据库类问题：SQL

6、> select value from v$parameter where name like '%O7_DICTIONARY_ACCESSIBILITY%'select value from v$parameter where name like '%O7_DICTIONARY_ACCESSIBILITY%'*ERROR at line 1:ORA-01034: ORACLE not availableProcess ID: 0Session ID: 0 Serial number: 0解决方案：在数据库启动的情况下，通过下面的命令检查o7_dictio

7、nary_accessibility的参数值:bash-3.2$ sqlplus system/oracle<SID>SQL*Plus: Release .0 - Production on Thu Jan 9 11:33:56 2014Copyright (c) 1982, 2007, Oracle. All Rights Reserved.Connected to:Oracle Database 10g Enterprise Edition Release .0 - ProductionWith the Partitioning, OLAP, D

8、ata Mining and Real Application Testing optionsSQL> show parameter o7_dictionary_accessibility;NAME TYPE VALUE- - -O7_DICTIONARY_ACCESSIBILITY boolean FALSE检查出默认的结果是FALSE后，使用下面的命令退出SQL*PLUS：SQL> exitDisconnected from Oracle Database 11g Enterprise Edition Release .0 - 64bit ProductionW

9、ith the Partitioning, OLAP, Data Mining and Real Application Testing options漏洞4. 检查是否在数据库对象上设置了VPD和OLS类型：Oracle数据库类问题：SQL> select count(*) from v$vpd_policy; COUNT(*)- 0解决方案：暂时不处理。漏洞5. 检查是否存在dvsys用户dbms_macadm对象类型：Oracle数据库类问题：SQL> select count(*) from dba_users where username='DVSYS'

10、COUNT(*)- 0解决方案：暂时不处理。漏洞6. 检查是否数据库应配置日志功能类型：Oracle数据库类问题：SQL> select count(*) from dba_triggers t where trim(t.triggering_event) = trim('LOGON'); COUNT(*)- 0解决方案：暂时不处理。漏洞7. 检查是否记录操作日志类型：Oracle数据库类问题：SQL> select value from v$parameter t where = 'audit_trail'select value f

11、rom v$parameter t where = 'audit_trail'*ERROR at line 1:ORA-01034: ORACLE not availableProcess ID: 0Session ID: 0 Serial number: 0解决方案：暂时不处理。漏洞8. 检查是否记录安全事件日志类型：Oracle数据库类问题：SQL> select count(*) from dba_triggers t where trim(t.triggering_event) = trim('LOGON'); COUNT(*)- 0

12、解决方案：暂时不处理。漏洞9. 检查是否根据业务要求制定数据库审计策略类型：Oracle数据库类问题：SQL> select value from v$parameter t where = 'audit_trail'select value from v$parameter t where = 'audit_trail'*ERROR at line 1:ORA-01034: ORACLE not availableProcess ID: 0Session ID: 0 Serial number: 0解决方案：暂时不处理。漏洞1

13、0. 检查是否为监听设置密码类型：Oracle数据库类问题：$ cat find $ORACLE_HOME -name sqlnet.ora | grep -v "#"|grep -v "$"find: 0652-081 cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/pref>: : The file access permissions do not allow the specified action.$ cat find $ORACLE_HOM

14、E -name listener.ora | grep -v "#"|grep -v "$"find: 0652-081 cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/pref>: : The file access permissions do not allow the specified action.SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc) (ORA

15、CLE_HOME = /oracle/app/oracle/dbhome_1) (PROGRAM = extproc) ) (SID_DESC = (GLOBAL_DBNAME = minos) (ORACLE_HOME = /oracle/app/oracle/dbhome_1) (SID_NAME = minos) ) )LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 41)(PORT = 1521) ) )ADR_BASE_LISTENER = /or

16、acle/app/oracle解决方案：bash-3.2$ lsnrctlLSNRCTL for IBM/AIX RISC System/6000: Version .0 - Production on 08-JAN-2014 15:11:21Copyright (c) 1991, 2011, Oracle. All rights reserved.Welcome to LSNRCTL, type "help" for information.LSNRCTL> change_passwordOld password: <如果之前没有密码则这里不填

17、，直接按Enter键>New password: Reenter new password: Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=2)(PORT=1521)Password changed for LISTENERThe command completed successfullyLSNRCTL> save_configConnecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=2)(PORT=1521)Save

18、d LISTENER configuration parameters.Listener Parameter File /oracle/app/oracle//dbhome_1/network/admin/listener.oraOld Parameter File /oracle/app/oracle//dbhome_1/network/admin/listener.bakThe command completed successfullyLSNRCTL> exitbash-3.2$ 设置完成后通过下面的命令检查：bash-3.2$ cat $ORACL

19、E_HOME/network/admin/listener.ora | grep "PASSWORDS"有输出则说明已经设置成功了。漏洞11. 检查是否限制可以访问数据库的地址类型：Oracle数据库类问题：$ cat find $ORACLE_HOME -name sqlnet.ora | grep -v "#"|grep -v "$"find: 0652-081 cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/pref>: :

20、The file access permissions do not allow the specified action.$ cat find $ORACLE_HOME -name listener.ora | grep -v "#"|grep -v "$"find: 0652-081 cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/pref>: : The file access permissions do not allow the speci

21、fied action.SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = /oracle/app/oracle/dbhome_1) (PROGRAM = extproc) ) (SID_DESC = (GLOBAL_DBNAME = minos) (ORACLE_HOME = /oracle/app/oracle/dbhome_1) (SID_NAME = minos) ) )LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRE

22、SS = (PROTOCOL = TCP)(HOST = 41)(PORT = 1521) ) )ADR_BASE_LISTENER = /oracle/app/oracle解决方案：检查$ORACLE_HOME/network/admin/sqlnet.ora文件中是否有以下行：TCP.VALIDNODE_CHECKING = YESTCP.INVITED_NODES = (<host_1>, <host_2>, )其中<host_x>是允许访问本数据库的IP地址。如果没有，则根据需要在文件中添加，随后重启数据库。重启完成后，则数据

23、库只允许TCP.INVITED_NODES列出的IP来访问。如果不存在sqlnet.ora文件，请使用以下命令创建此文件后再实施上面的操作：bash-3.2$ touch $ORACLE_HOME/network/admin/sqlnet.ora漏洞12. 检查是否使用加密传输类型：Oracle数据库类问题：$ cat find $ORACLE_HOME -name sqlnet.ora | grep -v "#"|grep -v "$"find: 0652-081 cannot change directory to </oracle/app/o

24、racle/dbhome_1/sysman/config/pref>: : The file access permissions do not allow the specified action.$ cat find $ORACLE_HOME -name listener.ora | grep -v "#"|grep -v "$"find: 0652-081 cannot change directory to </oracle/app/oracle/dbhome_1/sysman/config/pref>: : The file

25、access permissions do not allow the specified action.SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = /oracle/app/oracle/dbhome_1) (PROGRAM = extproc) ) (SID_DESC = (GLOBAL_DBNAME = minos) (ORACLE_HOME = /oracle/app/oracle/dbhome_1) (SID_NAME = minos) ) )LISTENER =

26、(DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 41)(PORT = 1521) ) )ADR_BASE_LISTENER = /oracle/app/oracle解决方案：暂时不处理。漏洞13. 检查是否设置超时时间类型：Oracle数据库类问题：$ cat find $ORACLE_HOME -name sqlnet.ora | grep -v "#"|grep -v "$"find: 0652-081 cannot change di

27、rectory to </oracle/app/oracle/dbhome_1/sysman/config/pref>: : The file access permissions do not allow the specified action.$ cat find $ORACLE_HOME -name listener.ora | grep -v "#"|grep -v "$"find: 0652-081 cannot change directory to </oracle/app/oracle/dbhome_1/sysman/

28、config/pref>: : The file access permissions do not allow the specified action.SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = /oracle/app/oracle/dbhome_1) (PROGRAM = extproc) ) (SID_DESC = (GLOBAL_DBNAME = minos) (ORACLE_HOME = /oracle/app/oracle/dbhome_1) (SID_

29、NAME = minos) ) )LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 41)(PORT = 1521) ) )ADR_BASE_LISTENER = /oracle/app/oracle解决方案：通过下面的命令检查是否设置了SQLNET.EXPIRE_TIME的参数值为10：bash-3.2$ grep -i "SQLNET.EXPIRE_TIME" $ORACLE_HOME/network/admin/sqlnet.ora如

30、果没有设置，在$ORACLE_HOME/network/admin/sqlnet.ora文件中添加一行：SQLNET.EXPIRE_TIME=10随后重新启动监听和数据库。如果不存在sqlnet.ora文件，请使用以下命令创建此文件后再实施上面的操作：bash-3.2$ touch $ORACLE_HOME/network/admin/sqlnet.ora漏洞14. 检查是否设置DBA组用户数量限制类型：Oracle数据库类问题：略解决方案：手动将其他非oracle的用户从dba组中删除，将oracle用户从root或system组中删除。查询用户所属组的命令是groups <usern

31、ame>。改变用户所属组的命令是 usermod -G <groupname1> , <groupname2> <username>。漏洞15. 检查是否删除或者锁定无关帐号类型：Oracle数据库类问题：SQL> select t.username from dba_users t where t.account_status = 'OPEN'select t.username from dba_users t where t.account_status = 'OPEN'*ERROR at line 1:ORA

32、-01034: ORACLE not availableProcess ID: 0Session ID: 0 Serial number: 0解决方案：暂时不处理。漏洞16. 检查是否限制具备数据库超级管理员（SYSDBA）权限的用户远程登录类型：Oracle数据库类问题：SQL> select t.VALUE from v$parameter t where upper(t.NAME) like '%REMOTE_LOGIN_PASSWORDFILE%'VALUE-EXCLUSIVE解决方案：在数据库启动时，通过下面的命令检查remote_login_passwordf

33、ile的参数值：bash-3.2$ sqlplus sys/oracle<SID> as sysdbaSQL*Plus: Release .0 - Production on Thu Jan 9 11:33:56 2014Copyright (c) 1982, 2007, Oracle. All Rights Reserved.Connected to:Oracle Database 10g Enterprise Edition Release .0 - ProductionWith the Partitioning, OLAP, Data Mini

34、ng and Real Application Testing optionsSQL> show parameters remote_login_passwordfile;NAME TYPE VALUE- - -remote_login_passwordfile string EXCLUSIVE如果参数值为NONE，则默认满足安全要求。否则，通过下面的SQL语句修改参数值为NONE：SQL> alter system set remote_login_passwordfile=NONE scope=spfile;System altered.修改后重启数据库：SQL> shu

35、tdown immediateDatabase closed.Database dismounted.ORACLE instance shut down.bash-3.2$ export ORACLE_SID=<SID>bash-3.2$ sqlplus /nologSQL*Plus: Release .0 - Production on Tue May 20 11:01:55 2014Copyright (c) 1982, 2010, Oracle. All Rights Reserved.SQL> conn / as sysdbaConnected to

36、an idle instance.SQL> startupORACLE instance started.Total System Global Area 8589934592 bytesFixed Size 2065744 bytesVariable Size 3238009520 bytesDatabase Buffers 5301600256 bytesRedo Buffers 48259072 bytesDatabase mounted.Database opened.SQL>检查参数值是否修改成功：SQL> show parameters remote_login_

37、passwordfile;NAME TYPE VALUE- - -remote_login_passwordfile string NONE修改成功后退出SQL*PLUS：SQL> exitDisconnected from Oracle Database 10g Enterprise Edition Release .0 - ProductionWith the Partitioning, OLAP, Data Mining and Real Application Testing options漏洞17. 检查口令强度设置类型：Oracle数据库类问题：SQL>

38、 select count(*) from dba_profiles where resource_name = 'PASSWORD_VERIFY_FUNCTION' and limit = 'NULL' COUNT(*)- 1解决方案：暂时不处理。漏洞18. 检查帐户口令生存周期类型：Oracle数据库类问题：SQL> select limit from dba_profiles t where resource_name = 'PASSWORD_LIFE_TIME'LIMIT-UNLIMITEDDEFAULTDEFAULT解决方案：暂时

39、不处理。漏洞19. 检查是否设置记住历史密码次数类型：Oracle数据库类问题：SQL> select limit from dba_profiles t where resource_name = 'PASSWORD_REUSE_MAX'LIMIT-UNLIMITEDDEFAULTDEFAULT解决方案：暂时不处理。漏洞20. 检查是否配置最大认证失败次数类型：Oracle数据库类问题：SQL> select limit from dba_profiles t where resource_name = 'FAILED_LOGIN_ATTEMPTS'

40、;select limit from dba_profiles t where resource_name = 'FAILED_LOGIN_ATTEMPTS'*ERROR at line 1:ORA-01034: ORACLE not availableProcess ID: 0Session ID: 0 Serial number: 0解决方案：在数据库启动的情况下，通过下面的命令检查FAILED_LOGIN_ATTEMPTS的值:bash-3.2$ sqlplus system/oracle<SID>SQL*Plus: Release .0 -

41、Production on Thu Jan 9 11:33:56 2014Copyright (c) 1982, 2007, Oracle. All Rights Reserved.Connected to:Oracle Database 10g Enterprise Edition Release .0 - ProductionWith the Partitioning, OLAP, Data Mining and Real Application Testing optionsSQL> SELECT RESOURCE_NAME, LIMIT FROM DBA_PROF

42、ILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' AND PROFILE='DEFAULT'RESOURCE_NAME LIMIT- -FAILED_LOGIN_ATTEMPTS UNLIMITED如果LIMIT的值为6，则符合安全要求。否则，通过下面的SQL语句修改参数值：SQL> ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 6;Profile altered.检查参数值是否修改成功：SQL> SELECT RESOURCE_NAME, LIMI

43、T FROM DBA_PROFILES WHERE RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS' AND PROFILE='DEFAULT'RESOURCE_NAME LIMIT- -FAILED_LOGIN_ATTEMPTS 6修改成功后退出SQL*PLUS：SQL> exitDisconnected from Oracle Database 10g Enterprise Edition Release .0 - ProductionWith the Partitioning, OLAP, Data Mini

44、ng and Real Application Testing options漏洞21. 检查是否在配置用户所需的最小权限类型：Oracle数据库类问题：SQL> select count(a.username) from dba_users a left join dba_role_privs b on a.username = b.grantee where granted_role = 'DBA' and a.username not in ('SYS','SYSMAN','SYSTEM','WKSYS'

45、;,'CTXSYS');COUNT(A.USERNAME)- 19解决方案：暂时不处理。漏洞22. 检查是否使用数据库角色（ROLE）来管理对象的权限类型：Oracle数据库类问题：SQL> select count(a.username) from dba_users a left join dba_role_privs b on a.username = b.grantee where granted_role = 'DBA' and a.username not in ('SYS','SYSMAN','SYST

46、EM','WKSYS','CTXSYS');COUNT(A.USERNAME)- 19解决方案：暂时不处理。漏洞23. 检查是否更改数据库默认帐号的密码类型：Oracle数据库类问题：SQL> select username,password from dba_users where password in('DF02A496267DEE66','2BE6F80744E08FEB','9793B3777CD3BD1A','CE4A36B8E06CA59C','9C30855E7

47、E0CB02D','6399F3B38EDF3288');USERNAME PASSWORD- -DIP CE4A36B8E06CA59CMDDATA DF02A496267DEE66SQL> select username,password from dba_users where password in('66F4EF5650C20355','BFBA5A553FD9E28A','7C9BA362F8314299','71E687F036AD56E5','anonymous','88D8364765FCE6AF');USERNAME PASSWORD- -EXFSYS 66F4EF5650C20355ANONYMOUS anonymousWMSYS 7C9BA362F8314299CTXSYS 71E687F036AD56E5DMSYS BFBA5A553FD9E28AXDB 88D8364765FCE6AF6 rows selected.SQL> select username,password from dba_user