Document Type | Technical Information
Category | Security
Applicable Product Versions | Tibero6, Tibero7
Document Number | TSETI011
Overview
| Category | Check Item | Importance | Code |
|---|---|---|---|
| Account Management | Change and use default account passwords, permissions, etc. | High | D-01 |
| Account Management | Remove unnecessary database accounts or lock them before use | High | D-02 |
| Account Management | Set password usage period and complexity according to organizational policies | High | D-03 |
| Account Management | Grant database administrator permissions only to necessary accounts and groups | High | D-12 |
| Account Management | Set restrictions on password reuse | Medium | D-13 |
| Account Management | Assign DB user accounts individually | Medium | D-05 |
This document describes security vulnerability countermeasures for the "Account Management - Change and use default account passwords, permissions, etc. (D-01)" item.
Inspection Details and Purpose
- Check whether the default passwords and permission policies of the DBMS default accounts have been changed and are in use.
- The purpose is to verify that the default passwords and permission policies of the DBMS default accounts have been changed, so that attackers cannot gain access by guessing or brute forcing the well-known default passwords.
Inspection Criteria
| Criteria | Details |
|---|---|
| Good | If default account default passwords and permission policies have been changed and are in use |
| Vulnerable | If default account default passwords and permission policies have not been changed and are in use |
Precautions Before Action
Check Default Account List
The default accounts created during Tibero installation are as follows. Depending on the DB version, additional or removed accounts may exist. Also, some accounts should not be deleted, so please review the following information before taking action.
| Account Name | Password | Remarks |
|---|---|---|
| SYS | tibero | Account cannot be deleted |
| SYSCAT | syscat | Account cannot be deleted |
| SYSGIS | sysgis | Account cannot be deleted |
| OUTLN | outln | Account cannot be deleted |
| TIBERO | tmax | Account can be deleted |
| TIBERO1 | tmax | Account can be deleted; does not exist from version T7 and above |
| SYSBACKUP | tibero | Account cannot be deleted; exists in some T6FS07 versions (301647 patch available) and from version T7 and above |
| LBACSYS | lbacsys | Account cannot be deleted; exists from version T7 and above |
Verify Linked Systems
It is necessary to check in advance which DB accounts are used by linked systems. Usually each linked system creates and uses its own DB account, but sometimes the SYS account or a default account (TIBERO or TIBERO1) is used. In such cases, password changes must be coordinated and performed together with the linked systems, otherwise those systems will lose database access after the change.
Password Management Method
- Set a password of at least 8 characters that combines letters, numbers, and special characters and differs from the account name
- Compose the password from at least two of the following character types: uppercase letters (26), lowercase letters (26), numbers (10), special characters (32), with a minimum length of 10 characters; or from at least three types with a minimum length of 8 characters
- Use a different password for each system
- If a password must be written down, record it in an altered form rather than in plaintext
- Change passwords frequently whenever possible
Method
Settings
- Check account list
```sql
SELECT USERNAME FROM DBA_USERS;
```

T6 FS07 (without 301647 patch) query result:

```
USERNAME
--------------------------------------------------------------------------------
SYS
SYSCAT
SYSGIS
OUTLN
TIBERO
TIBERO1
```

T7 query result:

```
USERNAME
---------------------------------------------------------------------------------
SYS
SYSCAT
SYSGIS
OUTLN
SYSBACKUP
TIBERO
LBACSYS
```
- Change account password
```sql
ALTER USER [USERNAME] IDENTIFIED BY '[NEW PASSWORD]';
```

Example: change the SYS account password to Tibero123#

```sql
ALTER USER sys IDENTIFIED BY 'Tibero123#';
```
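The password policy above and the two Settings steps (list accounts, then change each default account's password) can be turned into a small audit helper. The script below is an added example, not part of this document or of Tibero: it parses the text output of `SELECT USERNAME FROM DBA_USERS` (a sample constructed to match the T7 listing shown here), cross-references it with the default account table, checks candidate passwords against the stated policy, and emits one `ALTER USER` statement per default account found, with a freshly generated policy-compliant password. The case-insensitive comparison against the account name and the exclusion of quote characters from generated passwords are assumptions of this example.

```python
import secrets
import string

# Default accounts from the table in this document: name -> (default password, deletable)
DEFAULT_ACCOUNTS = {
    "SYS": ("tibero", False), "SYSCAT": ("syscat", False), "SYSGIS": ("sysgis", False),
    "OUTLN": ("outln", False), "TIBERO": ("tmax", True), "TIBERO1": ("tmax", True),
    "SYSBACKUP": ("tibero", False), "LBACSYS": ("lbacsys", False),
}
# Character classes named by the policy: upper (26), lower (26), digits (10), special (32)
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
# Constructed sample of the DBA_USERS query output, matching the T7 listing in this document
SAMPLE_DBA_USERS_OUTPUT = "USERNAME\n" + "-" * 80 + "\nSYS\nSYSCAT\nSYSGIS\nOUTLN\nSYSBACKUP\nTIBERO\nLBACSYS"

def password_meets_policy(password, username):
    """Two classes need length >= 10, three or more need length >= 8, and the password
    must differ from the account name (case-insensitive comparison is an assumption)."""
    if password.lower() == username.lower():
        return False
    kinds = sum(1 for cls in CLASSES if any(ch in cls for ch in password))
    return (kinds >= 3 and len(password) >= 8) or (kinds == 2 and len(password) >= 10)

def generate_password(username, length=14):
    """Random password containing all four classes; quotes and backslash are left out
    so the value can be placed directly inside the SQL string literal."""
    alphabet = "".join(CLASSES).translate(str.maketrans("", "", "'\"\\"))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate  # 4 classes and length 14 always satisfy the policy

def parse_dba_users(output):
    """Extract user names from the text output of SELECT USERNAME FROM DBA_USERS."""
    rows = (line.strip() for line in output.splitlines())
    return [r.upper() for r in rows if r and r.upper() != "USERNAME" and not r.startswith("-")]

def remediation_plan(usernames):
    """One (name, deletable, ALTER USER statement) tuple per default account present.
    Deletable accounts may be removed instead (item D-02); the rest must be re-passworded."""
    plan = []
    for name in usernames:
        if name in DEFAULT_ACCOUNTS:
            deletable = DEFAULT_ACCOUNTS[name][1]
            stmt = f"ALTER USER {name} IDENTIFIED BY '{generate_password(name)}';"
            plan.append((name, deletable, stmt))
    return plan

if __name__ == "__main__":
    for name, deletable, stmt in remediation_plan(parse_dba_users(SAMPLE_DBA_USERS_OUTPUT)):
        print(f"-- {name}: {'may be deleted' if deletable else 'must be kept'}\n{stmt}")
```

The generated statements should be executed by the DBA after the linked-system check above, and the new passwords handed over through the organization's secret-handling process rather than kept in the script output.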
Restoration
- Check account list
```sql
SELECT USERNAME FROM DBA_USERS;
```

T6 FS07 (without 301647 patch) query result:

```
USERNAME
--------------------------------------------------------------------------------
SYS
SYSCAT
SYSGIS
OUTLN
TIBERO
TIBERO1
```

T7 query result:

```
USERNAME
---------------------------------------------------------------------------------
SYS
SYSCAT
SYSGIS
OUTLN
SYSBACKUP
TIBERO
LBACSYS
```
- Restore account password
```sql
ALTER USER [USERNAME] IDENTIFIED BY '[OLD PASSWORD]';
```

Example: change the SYS account password back to tibero

```sql
ALTER USER sys IDENTIFIED BY 'tibero';
```