Oracle 11g Database Security Hardening Considerations

Source: Internet
Author: User

Security hardening is a necessary part of database security configuration. However, hardening can backfire. Suppose an operation is performed improperly, or the password of a database business account is changed, while the application's database connection configuration is packaged inside a jar. If the connection information in that jar is not updated to match, the consequences for that business account in the database can be serious.

It is therefore particularly important to really understand the states that Oracle database users can be in. Let's take a look at the various user statuses in the Oracle database.

Oracle database users can have a variety of statuses, which are listed in the USER_ASTATUS_MAP view.

SQL> col status for a30
SQL> select * from user_astatus_map;

   STATUS# STATUS
---------- ------------------------------
         0 OPEN
         1 EXPIRED
         2 EXPIRED(GRACE)
         4 LOCKED(TIMED)
         8 LOCKED
         5 EXPIRED & LOCKED(TIMED)
         6 EXPIRED(GRACE) & LOCKED(TIMED)
         9 EXPIRED & LOCKED
        10 EXPIRED(GRACE) & LOCKED

9 rows selected.

The query above shows that an Oracle account can be in 9 different states, which correspond to the ACCOUNT_STATUS column in the DBA_USERS view.

Below I briefly explain what each state means and when it occurs, as a reference for future system management and maintenance.
Looking at the 9 states, it is not hard to see that only 5 of them are independent: OPEN, EXPIRED, LOCKED, EXPIRED(GRACE) and LOCKED(TIMED). The other 4 are just combinations of these.

You can also think of it this way.

The 9 states fall into two main categories:

1. Basic states (the first five): 0 OPEN, 1 EXPIRED, 2 EXPIRED(GRACE), 4 LOCKED(TIMED), 8 LOCKED;

2. Combined states (the last four): 5 EXPIRED & LOCKED(TIMED), 6 EXPIRED(GRACE) & LOCKED(TIMED), 9 EXPIRED & LOCKED, 10 EXPIRED(GRACE) & LOCKED.

Each of the four combined states can be broken down into its two basic states from its STATUS# number, so it is enough to master the first five.

The states are explained in detail below:

OPEN: The most common state. The account is available, without any restrictions.
LOCKED: The account has been locked by the DBA, generally with ALTER USER username ACCOUNT LOCK (or released with ACCOUNT UNLOCK).
EXPIRED: The account's password has been set to expired, and the user must change the password at the next logon (the system prompts for a new password at the first logon after the password is set to expired).
EXPIRED(GRACE): A grace period has been set (the number of days allowed for changing the password, counted from the first successful login after the password expires). During this period the account is reminded to change the password but can still log in normally, and ACCOUNT_STATUS is displayed as EXPIRED(GRACE).
LOCKED(TIMED): The number of failed logins has exceeded FAILED_LOGIN_ATTEMPTS and the account has been locked automatically by the system. Note that in Oracle 10g the default is 10 attempts.

EXPIRED & LOCKED: The account's password has been set to expired and the account is locked.
EXPIRED(GRACE) & LOCKED(TIMED): While ACCOUNT_STATUS was EXPIRED(GRACE), the user's failed logins exceeded FAILED_LOGIN_ATTEMPTS and the account was locked automatically by the system.
EXPIRED & LOCKED(TIMED): After the account was set to expired, the user's failed logins exceeded FAILED_LOGIN_ATTEMPTS and the account was locked automatically by the system.
EXPIRED(GRACE) & LOCKED: After ACCOUNT_STATUS became EXPIRED(GRACE), the account was locked manually by the DBA.

The following example illustrates this.

I applied the following security settings to the Oracle database profile (FAILED_LOGIN_ATTEMPTS 6 limits the number of failed login attempts, so a user may fail at most 6 times):

SQL> alter profile DEFAULT limit
 failed_login_attempts 6
 password_life_time
 password_reuse_time 60
 password_reuse_max 5
 password_verify_function verify_function_11g
 password_lock_time 1/24
 password_grace_time 90;

Query the current status of the users with the following statement:

SQL> select username, account_status from dba_users;

USERNAME                       ACCOUNT_STATUS
------------------------------ --------------------------------
DBA_USER                       OPEN
DBSNMP                         OPEN
SYSMAN                         OPEN
SCOTT                          OPEN
FLOWS_FILES                    EXPIRED & LOCKED
MDSYS                          EXPIRED & LOCKED
WMSYS                          EXPIRED & LOCKED
ORDDATA                        EXPIRED & LOCKED
CTXSYS                         EXPIRED & LOCKED
ANONYMOUS                      EXPIRED & LOCKED

Next, use the accounts DBA_USER and SCOTT to try to connect to the database with the wrong password more than 6 times, and then view the status of the database users again:

SQL> select username, account_status from dba_users;

USERNAME                       ACCOUNT_STATUS
------------------------------ --------------------------------
DBA_USER                       EXPIRED(GRACE) & LOCKED(TIMED)
DBSNMP                         OPEN
SYSMAN                         OPEN
SCOTT                          EXPIRED(GRACE) & LOCKED(TIMED)
FLOWS_FILES                    EXPIRED & LOCKED
MDSYS                          EXPIRED & LOCKED
WMSYS                          EXPIRED & LOCKED
ORDDATA                        EXPIRED & LOCKED
CTXSYS                         EXPIRED & LOCKED
ANONYMOUS                      EXPIRED & LOCKED

The result shows that while the users DBA_USER and SCOTT were in the EXPIRED(GRACE) state, their failed logins exceeded FAILED_LOGIN_ATTEMPTS and the accounts were locked automatically by the system.

If these two users were business accounts in the live production environment and the administrator did not detect the problem or receive an alert in time, the result would be business interruption and other serious consequences.
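A monitoring query for the situation above, which also uses the STATUS# numbers as bit flags to split a combined state into its two basic states. This is an added example, not part of the original article. The watchlist (the two accounts from the example), the 14-day warning window, and read access to DBA_USERS, DBA_PROFILES and SYS.USER_ASTATUS_MAP are assumptions.

```sql
-- Added example: report watched business accounts that are locked, expired,
-- or close to password expiry, so they can be alerted on before an outage.
SELECT u.username,
       u.account_status,
       m.status#,
       -- STATUS# is a bit mask: 1 = EXPIRED, 2 = EXPIRED(GRACE),
       --                        4 = LOCKED(TIMED), 8 = LOCKED
       CASE WHEN BITAND(m.status#, 4) = 4 THEN 'auto-locked after failed logins'
            WHEN BITAND(m.status#, 8) = 8 THEN 'locked by DBA'
       END AS lock_reason,
       CASE WHEN BITAND(m.status#, 1) = 1 THEN 'password expired'
            WHEN BITAND(m.status#, 2) = 2 THEN 'in grace period'
       END AS password_state,
       u.lock_date,
       -- A timed lock clears PASSWORD_LOCK_TIME days after LOCK_DATE.
       -- LIMIT is text and may be DEFAULT or UNLIMITED, so only numeric
       -- values are converted; otherwise the column stays NULL.
       CASE WHEN BITAND(m.status#, 4) = 4
             AND REGEXP_LIKE(p.limit, '^[0-9]*\.?[0-9]+$')
            THEN u.lock_date + TO_NUMBER(p.limit)
       END AS auto_unlock_at,
       u.expiry_date,
       TRUNC(u.expiry_date - SYSDATE) AS days_to_expiry
FROM   dba_users u
JOIN   sys.user_astatus_map m
       ON m.status = u.account_status
LEFT JOIN dba_profiles p
       ON p.profile = u.profile
      AND p.resource_name = 'PASSWORD_LOCK_TIME'
WHERE  u.username IN ('DBA_USER', 'SCOTT')   -- watchlist (assumption)
  AND (m.status# <> 0                        -- anything other than OPEN
       OR u.expiry_date < SYSDATE + 14)      -- warning window (assumption)
ORDER  BY m.status# DESC, u.expiry_date;
```

Scheduling this query and alerting whenever it returns a row gives the early warning the example scenario lacks.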
