Network security guarantee: Oracle database evaluation

Date: 2022-5-8

The following results take Oracle 11g as an example. The database is managed through PL/SQL Developer and has had no hardening configured. It is evaluated against the requirements of the Classified Protection 2.0 standard (等保 2.0), the 2021 report template and a Level 3 system.

1、 Identification

a) The logged in users shall be identified and authenticated. The identity identification shall be unique, and the identity authentication information shall have complexity requirements and be changed regularly;

SYSDBA is the highest-privilege administrator of an Oracle database. It is usually managed with SQL*Plus or PL/SQL Developer; PL/SQL Developer is third-party software, but the SQL query statements are the same.

Note: when SYSDBA logs in locally, operating-system authentication lets the login succeed whatever password is typed; to require a password you need to change the sqlnet.ora file.

1. Whether the administrator must enter a username and password when logging in to the database, and that no account has an empty password;

2. Run the statement select username, account_status from dba_users; to list all users who can log in to the database: record which are OPEN and which are LOCKED ( ), and check whether each user ID is unique.

3. Run select * from dba_profiles where resource_type='PASSWORD'; or SELECT LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION'; (resource_type values are stored in upper case, so a lower-case 'password' returns no rows). If the result is NULL, no password complexity requirement is set.

If these limits are present, check the settings:

(1) FAILED_LOGIN_ATTEMPTS = the number of permitted login attempts;
(2) PASSWORD_LIFE_TIME = UNLIMITED, no password validity period is set;
(3) PASSWORD_REUSE_MAX = UNLIMITED, the number of password changes required before a previously used password can be reused (the reuse count) is not limited;
(4) PASSWORD_VERIFY_FUNCTION = NULL, no password complexity check function is set;
(5) PASSWORD_GRACE_TIME = 7, the grace period for changing an expiring password, in days.

b) It shall have the function of handling login failure, and shall configure and enable relevant measures such as ending the session, limiting the number of illegal logins and automatically exiting when the login connection times out;

1. Run SELECT LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='FAILED_LOGIN_ATTEMPTS';
If the result is 'UNLIMITED', the number of login retries is not limited. Users exceeding the limit are locked. It can be set with alter profile default limit failed_login_attempts 10; (10 retries).

2. Run SELECT LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_LOCK_TIME'; if the result is 'UNLIMITED', no lock duration after failed logins is set. It can be set with alter profile default limit password_lock_time 1/24; (the unit is days, so 1/24 locks the account for one hour once the retries are exhausted).

3. Run SELECT LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='IDLE_TIME'; if the result is 'UNLIMITED', there is no login timeout limit.
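As an added example (not part of the original article), the script below applies the checks of items a) and b) to rows in the shape of DBA_PROFILES; the rows and reason strings are constructed here, and the two remediation statements are the ones given in the text.

```python
# Added example, not from the original article: evaluate the DEFAULT profile
# returned by  select profile, resource_name, limit from dba_profiles;
# against the items under 1a (complexity, regular change) and 1b (login failure).
# SAMPLE_DBA_PROFILES is constructed data, not taken from a real instance.

SAMPLE_DBA_PROFILES = [
    # (PROFILE, RESOURCE_NAME, LIMIT)
    ("DEFAULT", "FAILED_LOGIN_ATTEMPTS", "10"),
    ("DEFAULT", "PASSWORD_LIFE_TIME", "180"),
    ("DEFAULT", "PASSWORD_REUSE_MAX", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_VERIFY_FUNCTION", "NULL"),   # Oracle shows the string NULL
    ("DEFAULT", "PASSWORD_LOCK_TIME", "1"),
    ("DEFAULT", "PASSWORD_GRACE_TIME", "7"),
    ("DEFAULT", "IDLE_TIME", "UNLIMITED"),
]

# Remediation statements the article gives for the two login-failure items
REMEDIATION = {
    "FAILED_LOGIN_ATTEMPTS": "alter profile default limit failed_login_attempts 10;",
    "PASSWORD_LOCK_TIME": "alter profile default limit password_lock_time 1/24;",
}

# Which resource is judged unset when its LIMIT is UNLIMITED or NULL, and why
CHECKS = [
    ("1b", "FAILED_LOGIN_ATTEMPTS", "login retries not limited"),
    ("1b", "PASSWORD_LOCK_TIME", "no lock duration after failed logins"),
    ("1b", "IDLE_TIME", "idle sessions never time out"),
    ("1a", "PASSWORD_VERIFY_FUNCTION", "no password complexity function"),
    ("1a", "PASSWORD_LIFE_TIME", "passwords never expire"),
    ("1a", "PASSWORD_REUSE_MAX", "old passwords may be reused immediately"),
]

def profile_limits(rows, profile="DEFAULT"):
    """Map RESOURCE_NAME -> LIMIT for one profile."""
    return {name: limit for prof, name, limit in rows if prof == profile}

def evaluate_profile(limits):
    """Return (item, resource, reason, fix) for every unset limit; [] means compliant."""
    findings = []
    for item, resource, reason in CHECKS:
        value = (limits.get(resource) or "NULL").upper()
        if value in ("UNLIMITED", "NULL"):
            findings.append((item, resource, reason, REMEDIATION.get(resource)))
    return findings

if __name__ == "__main__":
    for finding in evaluate_profile(profile_limits(SAMPLE_DBA_PROFILES)):
        print(finding)
```

Replace SAMPLE_DBA_PROFILES with the rows fetched from the database under test; the fix column is None where the article gives no statement.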

c) In case of remote management, necessary measures shall be taken to prevent the identification information from being eavesdropped in the process of network transmission;

SQL*Plus or PL/SQL Developer is used to connect to and manage the database. The credentials exchanged between client and server are encrypted, so Oracle complies with this item by default.

d) Two or more combined authentication techniques such as passwords, cryptographic techniques and biometrics shall be used to authenticate the user's identity, and at least one of them shall be implemented with cryptographic techniques.

Interview the administrator about whether two-factor authentication is adopted and which technique is used. By default this item is not met.

2、 Access control

a) Assign accounts and permissions to logged in users;

Run the statement select username, account_status from dba_users; to check the usable accounts in the database. There must be at least two: this item requires at least two accounts in Oracle, and the permissions of the two accounts must differ.

1. Users are assigned accounts, permissions and related settings; this mainly depends on the available accounts (for example, compared against the "user permission list");
2. Whether the access rights of anonymous and default accounts have been disabled or restricted. If only MGMT_VIEW, SYSTEM, SYS and DBSNMP are open and all other accounts are locked, the item is qualified.

b) The default account should be renamed or deleted, and the default password of the default account should be modified

In Oracle, SYS and SYSTEM are the two most commonly used default accounts.
1. Whether the default accounts such as SYS, SYSTEM and DBSNMP have been renamed or their default passwords changed. The default password of SYS is change_on_install, of SYSTEM is manager, and of DBSNMP is dbsnmp. You can attempt a login with these to test.

c) Redundant and expired accounts should be deleted or deactivated in time to avoid the existence of shared accounts

Interview the administrator about redundant or expired accounts and whether each administrator corresponds to exactly one account. Run the statement select username, account_status from dba_users; to check whether default accounts such as SCOTT, OUTLN or ORDSYS exist and whether any account has an account_status of EXPIRED. Also ask the administrator whether any shared accounts exist. The example does not comply.
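As an added example (not part of the original article), the script below applies the account checks of items a) and c) to constructed dba_users rows; the account names are the ones mentioned in the text, the statuses are made up, and the default-password login test of item b) is left to be done interactively.

```python
# Added example, not from the original article: apply the checks of 2a and 2c
# to the rows of  select username, account_status from dba_users;
# (2b, the default-password login test, has to be done interactively).
# SAMPLE_DBA_USERS is constructed data, not taken from a real instance.

SAMPLE_DBA_USERS = [
    # (USERNAME, ACCOUNT_STATUS)
    ("SYS", "OPEN"), ("SYSTEM", "OPEN"), ("DBSNMP", "OPEN"), ("MGMT_VIEW", "OPEN"),
    ("SCOTT", "OPEN"),                       # default demo account left open
    ("OUTLN", "EXPIRED & LOCKED"), ("ORDSYS", "EXPIRED & LOCKED"),
    ("APPUSER", "OPEN"), ("OLDUSER", "EXPIRED"),
]

# Default accounts the article allows to remain open (2a, item 2)
ALLOWED_OPEN_DEFAULTS = {"SYS", "SYSTEM", "DBSNMP", "MGMT_VIEW"}
# Other Oracle-supplied accounts named in the article (2c); extend for your release
OTHER_DEFAULTS = {"SCOTT", "OUTLN", "ORDSYS"}

def review_accounts(rows):
    """Return (item, username, reason) findings; [] means 2a and 2c are satisfied."""
    findings = []
    open_users = [u for u, s in rows if s == "OPEN"]
    # 2a: the database must have at least two usable accounts
    if len(open_users) < 2:
        findings.append(("2a", None, "fewer than two open accounts"))
    for user, status in rows:
        # 2a: default accounts outside the allowed set must be locked
        if user in OTHER_DEFAULTS and status == "OPEN":
            findings.append(("2a", user, "default account still open"))
        # 2c: an expired-but-unlocked account is a stale account that must go
        if status.startswith("EXPIRED") and "LOCKED" not in status:
            findings.append(("2c", user, "expired account not deleted or locked"))
    return findings

if __name__ == "__main__":
    for finding in review_accounts(SAMPLE_DBA_USERS):
        print(finding)
```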

d) The minimum privileges required by management users shall be granted, achieving separation of privileges among management users

1. Run select username, account_status from dba_users; and review the purpose of each user whose status is OPEN: whether roles are divided and whether several users manage the database;
2. Run select * from dba_tab_privs where grantee='SYS' order by grantee; to check which users hold the highest privileges of SYS and learn whether the privileges of management users have been separated;

3. Interview the administrator about whether each management user's privileges are the minimum required for their work tasks, and whether a corresponding user privilege table exists.
4. Run select granted_role from dba_role_privs where grantee='PUBLIC'; the return value ( ) shows whether PUBLIC has been granted roles. If it has, the item does not comply;
5. In the command window, run
show parameter O7_DICTIONARY_ACCESSIBILITY
and record the return value (whether it is FALSE). If this parameter is FALSE the item is qualified: a user holding an ANY TABLE privilege can then access the objects of other users except SYS, but has no right to access the data dictionary base tables.

Tips: in PL/SQL Developer, SQL statements are executed in the SQL window, while show and other commands are executed in the command window. SQL*Plus does not distinguish between them.

To sum up, judge the degree of conformity.

e) The authorized subject shall configure the access control policy, which specifies the access rules of the subject to the object

Interview the administrator about whether roles and privileges are assigned to login users by a specific account, and whether specific access rules exist.

f) The granularity of access control should reach the user level or process level for the subject, and the file and database table level for the object

1. Interview the database administrator about whether a database access control policy has been formulated and whether the granularity of access control reaches the database table level. This item meets the requirements by default.

g) Security marks should be set for important subjects and objects, and the access of subjects to information resources with security marks should be controlled

Interview the database administrator about whether security labels are set for important subjects and objects. Oracle does not provide this function by itself; it may rely on the operating system or third-party software, or on the Oracle Label Security option. This item generally does not comply by default.

3、 Security audit

a) The security audit function shall be enabled to cover each user and audit important user behaviors and important security events

Oracle has a built-in audit function, enabled through the audit_trail parameter.
1. Run show parameter audit_trail; the default return value is DB, meaning auditing is enabled for ordinary users. If it is NONE, auditing is not enabled;

2. Run select * from dba_stmt_audit_opts; and select * from dba_priv_audit_opts; if the results show user_name as NULL, auditing is enabled for these important events and applies to all users, which meets the requirements.

3. Run show parameter audit_sys_operations; a return value of audit_sys_operations boolean FALSE means SQL statements issued directly in SYSDBA or SYSOPER privileged connections are not audited. It needs to be enabled; the default is FALSE.
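As an added example (not part of the original article), the script below interprets the audit_trail and audit_sys_operations parameters together with constructed dba_stmt_audit_opts / dba_priv_audit_opts rows; IMPORTANT_EVENTS is this example's own list of events to require, not taken from the text.

```python
# Added example, not from the original article: interpret the audit settings
# checked under 3a: "show parameter audit_trail", "show parameter
# audit_sys_operations" and the rows of dba_stmt_audit_opts / dba_priv_audit_opts.
# All values below are constructed; IMPORTANT_EVENTS is this example's own list.

SAMPLE_PARAMETERS = {"audit_trail": "DB", "audit_sys_operations": "FALSE"}

# (USER_NAME, AUDIT_OPTION, SUCCESS, FAILURE); USER_NAME None = all users
SAMPLE_AUDIT_OPTS = [
    (None, "CREATE SESSION", "BY ACCESS", "BY ACCESS"),
    (None, "ALTER USER", "BY ACCESS", "BY ACCESS"),
    ("APPUSER", "DROP ANY TABLE", "BY ACCESS", "NOT SET"),   # one user only
]
IMPORTANT_EVENTS = {"CREATE SESSION", "ALTER USER", "DROP ANY TABLE", "GRANT ANY PRIVILEGE"}

def evaluate_audit(params, opts):
    """Return a list of findings for 3a; [] means auditing covers all users and events."""
    findings = []
    if params.get("audit_trail", "NONE").upper() == "NONE":
        findings.append("audit_trail=NONE: auditing is not enabled")
    if params.get("audit_sys_operations", "FALSE").upper() != "TRUE":
        findings.append("audit_sys_operations=FALSE: SYSDBA/SYSOPER statements not audited")
    # an option covers everyone only when USER_NAME is NULL and both outcomes are set
    covered = {opt for user, opt, ok, fail in opts
               if user is None and "NOT SET" not in (ok, fail)}
    for event in sorted(IMPORTANT_EVENTS - covered):
        findings.append(f"{event}: not audited for all users on success and failure")
    return findings

if __name__ == "__main__":
    for finding in evaluate_audit(SAMPLE_PARAMETERS, SAMPLE_AUDIT_OPTS):
        print(finding)
```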

To sum up, analyze and judge the degree of conformity.

b) The audit record shall include the date and time of the event, user, type of event, success of the event and other audit related information

Run select * from aud$ to view the format of the audit records, which is consistent by default. (Run show parameter dump_dest; the value of background_dump_dest is the location of the log files.) The figure below does not show the complete output.

[figure: partial output of select * from aud$]

c) Audit records shall be protected and backed up regularly to avoid unexpected deletion, modification or overwrite

Interview the administrator about regular backup measures: 1. What technical measures are taken to back up audit records, for example forwarding them to a log server through the syslog port.
2. Whether only specific administrators have operating rights on audit records, and ordinary users cannot access them.

d) The audit process should be protected against unauthorized interruption

Oracle meets this item by default.
1. Check who holds the SYSDBA and SYSOPER privileges, whether non-administrator accounts can interrupt the audit process, and whether the audit process is protected.
2. Run alter system set audit_trail=none; if it cannot succeed, the item meets the requirements. In the example the login is SYSDBA, the highest-privilege administrator, which can perform the operation. You need to log in as an ordinary user and check whether this command can be executed; if it can, the item does not meet the requirements.

4、 Intrusion Prevention

a) Follow the principle of minimum installation and install only the required components and applications

Run select * from v$option; to see which components are installed (VALUE = TRUE means installed) and judge whether any of them are unnecessary.

b) Unnecessary system services, default shares and high-risk ports should be turned off

This item is not applicable and is not involved in the database.

c) The management terminal managed through the network shall be limited by setting the terminal access mode or network address range

View the sqlnet.ora file in the Oracle installation path and check whether tcp.validnode_checking and tcp.invited_nodes are configured as:
tcp.validnode_checking=yes
tcp.invited_nodes=( ) to learn whether the IP addresses allowed to connect remotely are restricted.

Most installations do not set this; the database is usually reached indirectly by remotely managing the operating system.

d) Data validity checks shall be provided to ensure that content input through human-machine interfaces or communication interfaces meets the system's requirements

This item is not applicable and is not involved in the database.

e) It should be able to find possible known vulnerabilities and repair them in time after full test and evaluation

1. Interview the administrator about whether vulnerability scanning or penetration testing is carried out regularly or irregularly, and the cycle ( );
2. Whether the scans have found high-risk vulnerabilities related to the database and, if so, whether they were repaired in time.

f) It shall be able to detect the intrusion of important nodes and provide alarm in case of serious intrusion events

This item is not applicable and is not involved in the database.

5、 Malicious code prevention

Technical measures against malicious code attacks or active immune trusted verification mechanism shall be adopted to timely identify intrusion and virus behaviors and effectively block them

This item is not applicable and is not involved in the database.

6、 Trusted verification

Based on a root of trust, the boot program, system programs, important configuration parameters and application programs of the computing device can be trust-verified, and dynamic trusted verification can be carried out at key execution points of applications. When it detects that trustworthiness has been compromised, an alarm is raised, and the verification results are formed into audit records and sent to the security management center

Interview the administrator about whether trusted computing technology is adopted; generally it is not. Trusted technology is mainly based on a trusted chip and root of trust, largely at the hardware level, and products on the market have not yet been widely adopted.

7、 Other control points

Data integrity, data confidentiality, data backup and recovery, residual information protection and personal information protection are not considered here; they are reflected uniformly under the five data control points of the secure computing environment.