Document Type | Technical Information
Category | Security
Applicable Product Versions | Tibero6, Tibero7
Document Number | TSETI012
Overview
| Category | Inspection Item | Importance | Code |
|---|---|---|---|
| Account Management | Use by changing the password and permissions of default accounts | High | D-01 |
| Account Management | Remove unnecessary accounts in the database or use after setting lock | High | D-02 |
| Account Management | Set password usage period and complexity according to institutional policies | High | D-03 |
| Account Management | Allow database administrator privileges only to necessary accounts and groups | High | D-12 |
| Account Management | Set restrictions on password reuse | Medium | D-13 |
| Account Management | Assign DB user accounts individually for use | Medium | D-05 |
This document describes the security vulnerability countermeasure for the item "Account Management - Remove unnecessary accounts in the database or use after setting lock (D-02)".
Inspection Content and Purpose
- Check for unnecessary accounts in the DBMS that are not used for DB management or operation.
- Identify unnecessary accounts in order to guard against unauthorized DB access that may occur when the information (passwords) of those accounts is leaked.
Inspection Criteria
| Criteria | Content |
|---|---|
| Good | No unnecessary accounts found after checking account information |
| Vulnerable | Presence of unauthorized accounts, retired employee accounts, test accounts, or other unnecessary accounts |
Precautions Before Action
Check Default Account List
The default accounts created during Tibero installation are as follows. Depending on the DB version, accounts may be added or removed. Additionally, there are accounts that should not be deleted or locked, so please check the following details before proceeding.
| Account Name | Password | Remarks |
|---|---|---|
| SYS | tibero | Account cannot be deleted; account cannot be locked |
| SYSCAT | syscat | Account cannot be deleted; account can be locked |
| SYSGIS | sysgis | Account cannot be deleted; account can be locked |
| OUTLN | outln | Account cannot be deleted; account can be locked |
| TIBERO | tmax | Account can be deleted; account can be locked |
| TIBERO1 | tmax | Account can be deleted; account can be locked; does not exist from version T7 and above |
| SYSBACKUP | tibero | Account cannot be deleted; account can be locked; exists in some versions of T6FS07 (patch 301647 applied) and from version T7 and above |
| LBACSYS | lbacsys | Account cannot be deleted; account can be locked; exists from version T7 and above |
Check Linked Systems
It is necessary to check the DB accounts used by linked systems in advance. Accounts used by linked systems should be excluded from the action targets.
Irreversibility After Account Deletion
When an account is deleted, all related objects (TABLE, VIEW, PROCEDURE, etc.) are also deleted. There is no way to restore a deleted account.
Method
Settings
- Check account list
```sql
set lines 400
col username for a30
col account_status for a30
SELECT USERNAME,ACCOUNT_STATUS FROM DBA_USERS;

-- T6 FS07 (patch 301647 not applied) query results
USERNAME                       ACCOUNT_STATUS
------------------------------ ------------------------------
SYS                            OPEN
SYSCAT                         OPEN
SYSGIS                         OPEN
OUTLN                          OPEN
TIBERO                         OPEN
TIBERO1                        OPEN

-- T7 query results
USERNAME                       ACCOUNT_STATUS
------------------------------ ------------------------------
SYS                            OPEN
SYSCAT                         OPEN
SYSGIS                         OPEN
OUTLN                          OPEN
SYSBACKUP                      OPEN
TIBERO                         OPEN
LBACSYS                        OPEN
```
- Delete account
```sql
DROP USER [USERNAME] CASCADE;

-- ex) Delete TIBERO account
DROP USER tibero CASCADE;
```
- Lock account
```sql
ALTER USER [USERNAME] ACCOUNT LOCK;

-- ex) Lock SYSCAT account
ALTER USER syscat ACCOUNT LOCK;
```
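As an added example (not part of the original Tibero document), this Python sketch parses an account listing in the format shown under "Check account list" and applies the default account rules and the linked-systems exclusion from "Precautions Before Action" to produce lock statements. The function names, the `approved` set and the accounts `APP_BATCH` and `TEST01` are hypothetical; it never generates `DROP USER`, because deletion cannot be undone.

```python
import re

# Default-account rules taken from the default account table on this page.
CANNOT_LOCK = {"SYS"}
LOCK_ONLY = {"SYSCAT", "SYSGIS", "OUTLN", "SYSBACKUP", "LBACSYS"}
SAFE_NAME = re.compile(r"^[A-Z][A-Z0-9_$#]*$")
# Constructed sample in the listing layout; APP_BATCH and TEST01 are hypothetical.
SAMPLE = """\
USERNAME                       ACCOUNT_STATUS
------------------------------ ------------------------------
SYS                            OPEN
SYSCAT                         LOCKED
SYSGIS                         OPEN
TIBERO                         OPEN
APP_BATCH                      OPEN
TEST01                         OPEN
"""

def parse_accounts(text):
    """Return {USERNAME: ACCOUNT_STATUS}; data rows follow the dashed rule."""
    accounts, in_rows = {}, False
    for s in map(str.strip, text.splitlines()):
        if s and set(s) <= {"-", " "}:
            in_rows = True            # separator line: rows start on the next line
        elif not s:
            in_rows = False           # blank line ends the result set
        elif in_rows:
            name, _, status = s.partition(" ")
            accounts[name.upper()] = status.strip().upper()
    return accounts

def plan_actions(accounts, approved):
    """Map each account to (verdict, SQL or None). Never emits DROP USER."""
    approved, plan = {a.upper() for a in approved}, {}
    for name, status in accounts.items():
        if name in CANNOT_LOCK or name in approved:
            plan[name] = ("keep", None)   # SYS, or in use (e.g. by a linked system)
        elif "LOCKED" in status:
            plan[name] = ("already locked", None)
        elif not SAFE_NAME.match(name):
            plan[name] = ("manual review", None)  # do not build SQL from odd names
        else:
            verdict = "lock" if name in LOCK_ONLY else "lock, then review for deletion"
            plan[name] = (verdict, f"ALTER USER {name} ACCOUNT LOCK;")
    return plan

if __name__ == "__main__":
    for user, (verdict, sql) in plan_actions(parse_accounts(SAMPLE), {"app_batch"}).items():
        print(f"{user:<12}{verdict:<32}{sql or ''}")
```

Locking first and deleting only after review keeps the change reversible with `ACCOUNT UNLOCK` while the account's owner and dependent objects are confirmed.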
Restore
- Check account list
```sql
set lines 400
col username for a30
col account_status for a30
SELECT USERNAME,ACCOUNT_STATUS FROM DBA_USERS;

-- T6 FS07 (patch 301647 not applied) query results
USERNAME                       ACCOUNT_STATUS
------------------------------ ------------------------------
SYS                            OPEN
SYSCAT                         LOCKED
SYSGIS                         OPEN
OUTLN                          OPEN
TIBERO1                        OPEN

-- T7 query results
USERNAME                       ACCOUNT_STATUS
------------------------------ ------------------------------
SYS                            OPEN
SYSCAT                         LOCKED
SYSGIS                         OPEN
OUTLN                          OPEN
SYSBACKUP                      OPEN
LBACSYS                        OPEN
```
- Restore deleted account
There is no separate method to restore a deleted account; it must be recreated.
```sql
CREATE USER [USERNAME] IDENTIFIED BY '[PASSWORD]';
GRANT CONNECT,RESOURCE TO [USERNAME];

-- ex) Create TIBERO user
CREATE USER tibero IDENTIFIED BY 'tmax';
GRANT CONNECT,RESOURCE TO tibero;
```
- Restore account lock
```sql
ALTER USER [USERNAME] ACCOUNT UNLOCK;

-- ex) Unlock SYSCAT account
ALTER USER syscat ACCOUNT UNLOCK;
```