This post shows how to harden password management in Oracle Database with the utlpwdmg.sql script and the password verification functions it installs.
1. Verification function of password limits
The script below contains a password verification function named ora12c_verify_function:

```console
$ ls -l $ORACLE_HOME/rdbms/admin/utlpw*
-rw-r--r--. 1 oracle oinstall 12543 11月 7 2013 /oracle/app/oracle/product/12c/db_1/rdbms/admin/utlpwdmg.sql
```
2. Resource limits of the DEFAULT profile after executing utlpwdmg.sql
The utlpwdmg.sql script modifies the DEFAULT profile with an ALTER PROFILE statement of the following form:

```sql
ALTER PROFILE DEFAULT LIMIT
```

It also creates a profile named ORA_STIG_PROFILE, which can be inspected with:

```sql
SQL> col profile for a30
```
3. Difference between 11g and 12c
3.1 verify_function_11G Function Password Requirements
This function checks for the following requirements when users create or modify passwords:
- The password is not the same as the user name, nor is it the user name spelled backward or with the numbers 1–100 appended.
- The password is not the same as the server name or the server name with the numbers 1–100 appended.
- The password is not too simple (for example, oracle, oracle with the numbers 1–100 appended, welcome1, database1, account1, user1234, password1, oracle123, computer1, abcdefg1, or change_on_install).
- The password includes at least 1 numeric and 1 alphabetic character.
- The password differs from the previous password by at least 3 characters.
The following internal checks are also applied:
- The password contains no fewer than 8 characters and does not exceed 30 characters.
- The password does not contain the double-quotation character ("). It can be surrounded by double-quotation marks, however.
3.2 ora12c_verify_function Password Requirements
The ora12c_verify_function function provides requirements that the Department of Defense Database Security Technical Implementation Guide recommends.
This function checks for the following requirements when users create or modify passwords:
- The password contains no fewer than 8 characters and includes at least 1 numeric and 1 alphabetic character.
- The password is not the same as the user name or the user name reversed.
- The password is not the same as the database name.
- The password does not contain the word oracle (such as oracle123).
- The password is not too simple (for example, welcome1, database1, account1, user1234, password1, oracle123, computer1, abcdefg1, or change_on_install).
- The password differs from the previous password by at least 3 characters.
- The password contains at least one special character.
The following internal checks are also applied:
- The password does not exceed 30 characters.
- The password does not contain the double-quotation character ("). It can be surrounded by double-quotation marks, however.
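The 3.2 rules written out as a custom PL/SQL password verify function. This is an added example, not code from the original post or from utlpwdmg.sql: the function name my_verify_function is an assumption, it has to be created as SYS (Oracle only accepts password verify functions owned by SYS), and the "differs by at least 3 characters" rule is implemented with UTL_MATCH.EDIT_DISTANCE rather than the helper functions the shipped script installs.

```sql
-- Added example (not code from the original post or from utlpwdmg.sql):
-- a custom password verify function implementing the ora12c_verify_function
-- rules listed above. Create it as SYS; the name my_verify_function is an
-- assumption. The "differs by 3 characters" rule uses UTL_MATCH.EDIT_DISTANCE
-- in place of the helper functions the shipped script installs.
CREATE OR REPLACE FUNCTION my_verify_function
  (username     VARCHAR2,
   password     VARCHAR2,
   old_password VARCHAR2)
RETURN BOOLEAN IS
  db_name      VARCHAR2(40);
  reverse_user VARCHAR2(128);
BEGIN
  -- Internal checks: 8 to 30 characters, no double-quotation character.
  IF LENGTH(password) < 8 OR LENGTH(password) > 30 THEN
    raise_application_error(-20001, 'Password must be 8 to 30 characters long');
  END IF;
  IF INSTR(password, '"') > 0 THEN
    raise_application_error(-20002, 'Password cannot contain the " character');
  END IF;

  -- At least one letter, one digit and one special (non-alphanumeric) character.
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]')
     OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
    raise_application_error(-20003,
      'Password must contain at least one letter, one digit and one special character');
  END IF;

  -- Not the user name and not the user name reversed (case-insensitive).
  reverse_user := '';
  FOR i IN REVERSE 1 .. LENGTH(username) LOOP
    reverse_user := reverse_user || SUBSTR(username, i, 1);
  END LOOP;
  IF NLS_LOWER(password) IN (NLS_LOWER(username), NLS_LOWER(reverse_user)) THEN
    raise_application_error(-20004, 'Password cannot be the user name or the user name reversed');
  END IF;

  -- Not the database name.
  SELECT name INTO db_name FROM sys.v$database;
  IF NLS_LOWER(password) = NLS_LOWER(db_name) THEN
    raise_application_error(-20005, 'Password cannot be the database name');
  END IF;

  -- Must not contain the word oracle, and must not be on the too-simple list
  -- (oracle123 is already rejected by the previous rule).
  IF INSTR(NLS_LOWER(password), 'oracle') > 0 THEN
    raise_application_error(-20006, 'Password cannot contain the word oracle');
  END IF;
  IF NLS_LOWER(password) IN ('welcome1', 'database1', 'account1', 'user1234',
                             'password1', 'computer1', 'abcdefg1',
                             'change_on_install') THEN
    raise_application_error(-20007, 'Password too simple');
  END IF;

  -- Must differ from the previous password by at least 3 characters
  -- (edit distance); old_password is NULL when no previous password is known.
  IF old_password IS NOT NULL
     AND UTL_MATCH.EDIT_DISTANCE(old_password, password) < 3 THEN
    raise_application_error(-20008,
      'Password must differ from the previous password by at least 3 characters');
  END IF;

  RETURN TRUE;
END;
/
```

Attach the function to a profile with `ALTER PROFILE <profile> LIMIT PASSWORD_VERIFY_FUNCTION my_verify_function;` and try an `ALTER USER ... IDENTIFIED BY ...` with a weak password: the change is rejected with ORA-28003 and the message passed to raise_application_error, which is also what makes a failed check visible in the alert log and audit trail.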
3.3 ora12c_strong_verify_function Function Password Requirements
The ora12c_strong_verify_function function fulfills the Department of Defense Database Security Technical Implementation Guide requirements.
This function checks for the following requirements when users create or modify passwords:
- The password must contain at least 2 upper case characters, 2 lower case characters, 2 numeric characters, and 2 special characters. These special characters are as follows:
  ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ / < > , . ; ? ' : | (space)
- The password must differ from the previous password by at least 4 characters.
The following internal checks are also applied:
- The password contains no fewer than nine characters and does not exceed 30 characters.
- The password does not contain the double-quotation character ("). It can be surrounded by double-quotation marks, however.
4. Example of modifying user profile
The following statement changes a single limit on the DEFAULT profile. Because it sets PASSWORD_LIFE_TIME to UNLIMITED, the passwords of every user on that profile stop expiring:

```sql
alter profile default limit PASSWORD_LIFE_TIME UNLIMITED;
```
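Following the advice in the summary not to hand the hardened limits to every account through DEFAULT, the block below creates a dedicated profile with the page's ora12c_verify_function, moves one account onto it, and checks the result in the data dictionary. This is an added example, not code from the original post or from Oracle; it assumes utlpwdmg.sql has already been run (so ora12c_verify_function exists), and the profile name app_user_profile, the user app_user and the limit values are assumptions.

```sql
-- Added example (not from the original post): a dedicated profile for
-- application users instead of changing DEFAULT. It assumes utlpwdmg.sql has
-- been run so that ora12c_verify_function exists; app_user_profile, app_user
-- and the limit values are assumptions for this example.
CREATE PROFILE app_user_profile LIMIT
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function
  FAILED_LOGIN_ATTEMPTS    10
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       180
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365;

-- Move one account onto the new profile; DEFAULT stays untouched.
ALTER USER app_user PROFILE app_user_profile;

-- Verify the password limits now in force for that profile.
COL profile       FOR a20
COL resource_name FOR a28
COL limit         FOR a30
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER_PROFILE'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;

-- List the accounts still on DEFAULT, i.e. the ones affected by any change
-- made there (such as the PASSWORD_LIFE_TIME UNLIMITED statement above).
SELECT username, profile, account_status
  FROM dba_users
 WHERE profile = 'DEFAULT'
 ORDER BY username;
```

The new password only has to satisfy the verify function when it is next changed; moving a user to the profile does not re-validate the current password, so the second query is the list of accounts to review after the change.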
5. Summary
Even in Oracle 12c this hardening is not enforced out of the box: the DBA has to run utlpwdmg.sql manually to enable it.
By default the script updates the DEFAULT profile, which is the profile of every user that has not been assigned another one. It is recommended to adapt the script and use a dedicated profile rather than applying the changes to DEFAULT for all users.
Reference:
Database Security Guide-Configuring Authentication