检查口令强度设置
注意事项及影响:
- 用户修改密码时对密码复杂度有要求,而且所有profile都需要设置密码负责度函数否则检查通不过
- 该项没有影响,可以加固
序号 |
操作内容 |
操作步骤 |
责任人 |
时间 |
1 |
登陆数据库 |
Sqlplus ‘/as sysdba’ |
|
|
2 |
检查数据库状态 |
Select open_mode from v$database; |
|
|
3 |
创建密码函数 |
@?/rdbms/admin/utlpwdmg.sql
|
|
|
4 |
生成修改语句 |
select 'alter profile ' || profile || ' limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;' from dba_profiles group by profile;
|
|
|
5 |
运行修改密码函数语句 |
运行上面查询生成的sql 语句 |
|
|
这边数据库的加固项,是对数据库的口令进行加固。
PASSWORD_VERIFY_FUNCTION:指定验证口令复杂度的验证函数。Oracle 提供了一个默认的口令校验函数,这可以通过运行脚本utlpwdmg.sql 来建立该函数,脚本保存在$ORACLE_HOME\rdbms\admin 目录中。DBA 也可以通过修改脚本来实现自己 的口令校验函数。
(1)先来看一下数据库没有加固之前的概要文件里面的内容
SQL> select PROFILE,RESOURCE_NAME,LIMIT from dba_profiles where PROFILE='DEFAULT';
PROFILE RESOURCE_NAME LIMIT
DEFAULT PASSWORD_VERIFY_FUNC NULL --可以看到值为空
(2)SQL> @?/rdbms/admin/utlpwdmg.sql
Function created.
Grant succeeded.
Profile altered.
Function created.
Grant succeeded.
1.生成修改概要文件的语句
SQL> select 'alter profile ' || profile ||
' limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;'
from dba_profiles
group by profile;
'ALTERPROFILE'||PROFILE||'LIMITPASSWORD_VERIFY_FUNCTIONVERIFY_FUNCTION;'
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
alter profile MONITORING_PROFILE limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;
alter profile TEST limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;
alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;
可以看到所有的概要文件的PASSWORD_VERIFY_FUNCTION都设置为VERIFY_FUNCTION。
2.修改概要文件
SQL> alter profile TEST limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;
Profile altered.
SQL> alter profile DEFAULT limit PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;
Profile altered.
SQL> select PROFILE,RESOURCE_NAME,LIMIT from dba_profiles where PROFILE='DEFAULT';
PROFILE RESOURCE_NAME LIMIT
DEFAULT PASSWORD_VERIFY_FUNC VERIFY_FUNCTIONTION
可以看到概要文件里面的PASSWORD_VERIFY_FUNC值由null变为了VERIFY_FUNCTIONTION。
3.测试口令强度
SQL> alter user test identified by 123456;
alter user test identified by 123456
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20003: Password should contain at least one \
digit, one character and one punctuation
简单密码无法更新,需要将密码设置为复杂的。
4.下面是utlpwdmg.sql里面的内容 可以看到具体这个.sql创建的函数是用来检测要修改的密码
[oracle@Database1 admin]$ cat utlpwdmg.sql
-- This script sets the default password resource parameters
-- This script needs to be run to enable the password features.
-- However the default resource parameters can be changed based
-- on the need.
-- A default password complexity function is also provided.
-- This function makes the minimum complexity checks like
-- the minimum length of the password, password not same as the
-- username, etc. The user may enhance this function according to
-- the need.
-- This function must be created in SYS schema.
-- connect sys/<password> as sysdba before running the script
CREATE OR REPLACE FUNCTION verify_function_11G
(username varchar2,
password varchar2,
old_password varchar2)
RETURN boolean IS
n boolean;
m integer;
differ integer;
isdigit boolean;
ischar boolean;
ispunct boolean;
db_name varchar2(40);
digitarray varchar2(20);
punctarray varchar2(25);
chararray varchar2(52);
i_char varchar2(10);
simple_password varchar2(10);
reverse_user varchar2(32);
BEGIN
digitarray:= '0123456789';
chararray:= 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
-- Check for the minimum length of the password
IF length(password) < 8 THEN
raise_application_error(-20001, 'Password length less than 8');
END IF;
-- Check if the password is same as the username or username(1-100)
IF NLS_LOWER(password) = NLS_LOWER(username) THEN
raise_application_error(-20002, 'Password same as or similar to user');
END IF;
FOR i IN 1..100 LOOP
i_char := to_char(i);
if NLS_LOWER(username)|| i_char = NLS_LOWER(password) THEN
raise_application_error(-20005, 'Password same as or similar to user name ');
END IF;
END LOOP;
-- Check if the password is same as the username reversed
FOR i in REVERSE 1..length(username) LOOP
reverse_user := reverse_user || substr(username, i, 1);
END LOOP;
IF NLS_LOWER(password) = NLS_LOWER(reverse_user) THEN
raise_application_error(-20003, 'Password same as username reversed');
END IF;
-- Check if the password is the same as server name and or servername(1-100)
select name into db_name from sys.v$database;
if NLS_LOWER(db_name) = NLS_LOWER(password) THEN
raise_application_error(-20004, 'Password same as or similar to server name');
END IF;
FOR i IN 1..100 LOOP
i_char := to_char(i);
if NLS_LOWER(db_name)|| i_char = NLS_LOWER(password) THEN
raise_application_error(-20005, 'Password same as or similar to server name ');
END IF;
END LOOP;
-- Check if the password is too simple. A dictionary of words may be
-- maintained and a check may be made so as not to allow the words
-- that are too simple for the password.
IF NLS_LOWER(password) IN ('welcome1', 'database1', 'account1', 'user1234', 'password1', 'oracle123', 'computer1', 'abcdefg1', 'change_on_install') THEN
raise_application_error(-20006, 'Password too simple');
END IF;
-- Check if the password is the same as oracle (1-100)
simple_password := 'oracle';
FOR i IN 1..100 LOOP
i_char := to_char(i);
if simple_password || i_char = NLS_LOWER(password) THEN
raise_application_error(-20007, 'Password too simple ');
END IF;
END LOOP;
-- Check if the password contains at least one letter, one digit
-- 1. Check for the digit
isdigit:=FALSE;
m := length(password);
FOR i IN 1..10 LOOP
FOR j IN 1..m LOOP
IF substr(password,j,1) = substr(digitarray,i,1) THEN
isdigit:=TRUE;
GOTO findchar;
END IF;
END LOOP;
END LOOP;
IF isdigit = FALSE THEN
raise_application_error(-20008, 'Password must contain at least one digit, one character');
END IF;
-- 2. Check for the character
<<findchar>>
ischar:=FALSE;
FOR i IN 1..length(chararray) LOOP
FOR j IN 1..m LOOP
IF substr(password,j,1) = substr(chararray,i,1) THEN
ischar:=TRUE;
GOTO endsearch;
END IF;
END LOOP;
END LOOP;
IF ischar = FALSE THEN
raise_application_error(-20009, 'Password must contain at least one \
digit, and one character');
END IF;
<<endsearch>>
-- Check if the password differs from the previous password by at least
-- 3 letters
IF old_password IS NOT NULL THEN
differ := length(old_password) - length(password);
differ := abs(differ);
IF differ < 3 THEN
IF length(password) < length(old_password) THEN
m := length(password);
ELSE
m := length(old_password);
END IF;
FOR i IN 1..m LOOP
IF substr(password,i,1) != substr(old_password,i,1) THEN
differ := differ + 1;
END IF;
END LOOP;
IF differ < 3 THEN
raise_application_error(-20011, 'Password should differ from the \
old password by at least 3 characters');
END IF;
END IF;
END IF;
-- Everything is fine; return TRUE ;
RETURN(TRUE);
END;
/
GRANT EXECUTE ON verify_function_11G TO PUBLIC;
-- This script alters the default parameters for Password Management
-- This means that all the users on the system have Password Management
-- enabled and set to the following values unless another profile is
-- created with parameter values set to different value or UNLIMITED
-- is created and assigned to the user.
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1
PASSWORD_VERIFY_FUNCTION verify_function_11G;