Oracle 11g database security reinforcement considerations, oracle11g

Source: Internet
Author: User


Security hardening is a required part of database security configuration. Hardening can itself cause problems, however: after an improper operation, or after the password of a database business account is changed, a program whose database connection configuration is packaged in a jar will keep using the old settings if the configuration inside the jar is not updated as well. This can have serious consequences for the database business account.

It is therefore especially important to understand the statuses of Oracle database users. Let's take a look at the various user statuses in the Oracle database.

Oracle database users can have several statuses, which are listed in the USER_ASTATUS_MAP view.

SQL> col status for a30
SQL> select * from user_astatus_map;

   STATUS# STATUS
---------- ------------------------------
         0 OPEN
         1 EXPIRED
         2 EXPIRED(GRACE)
         4 LOCKED(TIMED)
         8 LOCKED
         5 EXPIRED & LOCKED(TIMED)
         6 EXPIRED(GRACE) & LOCKED(TIMED)
         9 EXPIRED & LOCKED
        10 EXPIRED(GRACE) & LOCKED

9 rows selected.

The query above shows that an Oracle account can be in one of 9 different states, which correspond to the account_status field in the dba_users view.

Next, I will briefly describe the meaning of each state and the situation in which it occurs, to make future system management and maintenance easier.
Of the nine states, only OPEN, EXPIRED, LOCKED, EXPIRED(GRACE), and LOCKED(TIMED) are independent. The other four are just combinations of these.

Or you can understand it as follows:

The preceding nine states can be divided into two categories:

1. Basic statuses (the first five): 0 OPEN, 1 EXPIRED, 2 EXPIRED(GRACE), 4 LOCKED(TIMED), and 8 LOCKED;

2. Combination statuses (the last four): 5 EXPIRED & LOCKED(TIMED), 6 EXPIRED(GRACE) & LOCKED(TIMED), 9 EXPIRED & LOCKED, and 10 EXPIRED(GRACE) & LOCKED.

The STATUS# of each of the last four states is the sum of the STATUS# values of the two basic states it combines, so you only need to master the first five.

In detail:

OPEN: This is the most common state. It indicates that the account is available and has no restrictions.
LOCKED: indicates that the account has been locked by the DBA. Generally, an account is locked (or unlocked) with ALTER USER username ACCOUNT LOCK (or UNLOCK).
EXPIRED: indicates that the account's password has been set to expire. The user is required to change the password at the next logon (the system prompts for a password change at the first logon after the account is set to expire).
EXPIRED(GRACE): applies when a grace period is set, that is, the number of days, counted from the first successful logon after the password expires, during which the password can still be changed. During this period the user is reminded to change the password and can still log on normally. account_status is displayed as EXPIRED(GRACE).
LOCKED(TIMED): indicates that the number of failed logons exceeded FAILED_LOGIN_ATTEMPTS and the account was automatically locked by the system. Note that the default value is 10 in Oracle 10g.

EXPIRED & LOCKED: indicates that the account has been set to expire and has been locked.
EXPIRED(GRACE) & LOCKED(TIMED): the account_status was EXPIRED(GRACE) and the number of failed logon attempts by the user then exceeded FAILED_LOGIN_ATTEMPTS, so the account was automatically locked by the system.
EXPIRED & LOCKED(TIMED): the account was set to expire and the number of failed logon attempts by the user then exceeded FAILED_LOGIN_ATTEMPTS, so the account was automatically locked by the system.
EXPIRED(GRACE) & LOCKED: the account_status was EXPIRED(GRACE) and the account was then manually locked by the DBA.

The following example illustrates this:

I have made the following security settings in the profile of the Oracle database (FAILED_LOGIN_ATTEMPTS 6 is the maximum number of failed logon attempts allowed for a user; here, at most 6 failed attempts are allowed):

SQL> ALTER PROFILE DEFAULT LIMIT
       FAILED_LOGIN_ATTEMPTS 6
       PASSWORD_LIFE_TIME 60
       PASSWORD_REUSE_TIME 60
       PASSWORD_REUSE_MAX 5
       PASSWORD_VERIFY_FUNCTION verify_function_11g
       PASSWORD_LOCK_TIME 1/24
       PASSWORD_GRACE_TIME 90;

Use the following statement to query the current status of the database users:

SQL> select username,account_status from dba_users;

USERNAME                       ACCOUNT_STATUS
------------------------------ --------------------------------
DBA_USER                       OPEN
DBSNMP                         OPEN
SYSMAN                         OPEN
SCOTT                          OPEN
FLOWS_FILES                    EXPIRED & LOCKED
MDSYS                          EXPIRED & LOCKED
WMSYS                          EXPIRED & LOCKED
ORDDATA                        EXPIRED & LOCKED
CTXSYS                         EXPIRED & LOCKED
ANONYMOUS                      EXPIRED & LOCKED

Next, use the accounts dba_user and scott to attempt to connect to the database with a wrong password more than six times, and then check the database user status again:

SQL> select username,account_status from dba_users;

USERNAME                       ACCOUNT_STATUS
------------------------------ --------------------------------
DBA_USER                       EXPIRED(GRACE) & LOCKED(TIMED)
DBSNMP                         OPEN
SYSMAN                         OPEN
SCOTT                          EXPIRED(GRACE) & LOCKED(TIMED)
FLOWS_FILES                    EXPIRED & LOCKED
MDSYS                          EXPIRED & LOCKED
WMSYS                          EXPIRED & LOCKED
ORDDATA                        EXPIRED & LOCKED
CTXSYS                         EXPIRED & LOCKED
ANONYMOUS                      EXPIRED & LOCKED

The result shows that while the users DBA_USER and SCOTT were in the EXPIRED(GRACE) state, their number of failed logon attempts exceeded FAILED_LOGIN_ATTEMPTS, and the accounts were automatically locked by the system.

If these two users were business accounts in the production environment, business interruption and other serious consequences could follow if the administrator failed to detect the problem or raise an alarm in time.
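
To detect this situation in time, the following queries (an added example, not part of the original article) list the accounts that the system has locked or that are in the grace period together with the profile limits that apply to them, and then summarize failed logons by client host so that a program still using an old password can be located. The second query assumes that session auditing is enabled (audit_trail set to DB and AUDIT SESSION in effect); the one-day window is an arbitrary choice.

```sql
-- Added example. Requires SELECT on DBA_USERS, DBA_PROFILES and DBA_AUDIT_SESSION.

-- 1. Accounts locked by the system or inside the password grace period,
--    with the lock/expiry dates and the limits of the profile they use.
--    A limit shown as DEFAULT means the value is inherited from the DEFAULT profile.
SELECT u.username,
       u.account_status,
       u.lock_date,
       u.expiry_date,
       u.profile,
       fla.limit AS failed_login_attempts,
       plt.limit AS password_lock_time
FROM   dba_users u
       LEFT JOIN dba_profiles fla
              ON fla.profile = u.profile
             AND fla.resource_name = 'FAILED_LOGIN_ATTEMPTS'
       LEFT JOIN dba_profiles plt
              ON plt.profile = u.profile
             AND plt.resource_name = 'PASSWORD_LOCK_TIME'
WHERE  u.account_status LIKE '%LOCKED(TIMED)%'
   OR  u.account_status LIKE 'EXPIRED(GRACE)%'
ORDER  BY u.lock_date DESC NULLS LAST, u.username;

-- 2. Failed logons during the last day, grouped by account and client host.
--    returncode 1017 = ORA-01017 (invalid username/password),
--    returncode 28000 = ORA-28000 (the account is locked).
--    A single host producing a steady stream of 1017 errors for one business
--    account usually points to a program configured with an outdated password.
SELECT username,
       userhost,
       os_username,
       returncode,
       COUNT(*)       AS failed_logons,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_session
WHERE  returncode IN (1017, 28000)
AND    timestamp > SYSDATE - 1
GROUP  BY username, userhost, os_username, returncode
ORDER  BY failed_logons DESC;
```

Scheduling the first query and alerting on any row for a business account gives the administrator warning before the grace period or the lock interrupts the application.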
