| Field | Value |
|---|---|
| Document Type | Technical Information |
| Category | Security |
| Applicable Product Versions | Tibero6, Tibero7 |
| Document Number | TSETI014 |
Overview
| Category | Inspection Items | Importance | Code |
|---|---|---|---|
| Account Management | Change the password and privileges of default accounts for use | High | D-01 |
| Account Management | Remove unnecessary accounts from the database or lock them before use | High | D-02 |
| Account Management | Set password usage period and complexity according to organization policies | High | D-03 |
| Account Management | Allow database administrator privileges only to necessary accounts and groups | High | D-04 |
| Account Management | Set restrictions on password reuse | Medium | D-12 |
| Account Management | Assign DB user accounts individually for use | Medium | D-13 |
This document describes the security vulnerability mitigation measures for the item "Account Management - Allow database administrator privileges only to necessary accounts and groups (D-04)".
Inspection Content and Purpose
- Check whether administrator privileges are granted only to accounts and groups that require administrator privileges.
- By verifying that administrator privileges are granted only to accounts and groups that require them, this check aims to prevent abuse of administrator privileges and to minimize the possibility of unauthorized DB access resulting from leaked account credentials.
Inspection Criteria
| Criteria | Details |
|---|---|
| Good | Administrator privileges are granted only to accounts and groups that require administrator privileges |
| Vulnerable | Privileges are granted to accounts and groups that do not require administrator privileges |
Precautions Before Action
Check Default Account List
The default accounts created when Tibero is installed are listed below. Because some default accounts necessarily require administrator privileges, confirm which accounts these are before revoking anything.
| Account Name | Password | Remarks |
|---|---|---|
| SYS | tibero | Account cannot be deleted; administrator privileges required |
| SYSCAT | syscat | Account cannot be deleted |
| SYSGIS | sysgis | Account cannot be deleted |
| OUTLN | outln | Account cannot be deleted |
| TIBERO | tmax | Account can be deleted |
| TIBERO1 | tmax | Account can be deleted; does not exist from version T7 and above |
| SYSBACKUP | tibero | Account cannot be deleted; exists from some versions of T6FS07 (patch 301647 available) and T7 and above |
| LBACSYS | lbacsys | Account cannot be deleted; exists from version T7 and above |
Method
Configuration
- Check users with administrator privileges before work
```sql
-- tbSQL display settings, then list every grantee holding the DBA role
set lines 400
col grantee for a20
col granted_role for a20
select GRANTEE, GRANTED_ROLE from dba_role_privs where granted_role='DBA';

GRANTEE              GRANTED_ROLE
-------------------- --------------------
SYS                  DBA
TIBERO1              DBA

2 row selected.
```
- Revoke administrator privileges
```sql
REVOKE DBA FROM [USERNAME];
-- ex)
revoke dba from tibero1;
```
- Check users with administrator privileges after work
```sql
select GRANTEE, GRANTED_ROLE from dba_role_privs where granted_role='DBA';

GRANTEE              GRANTED_ROLE
-------------------- --------------------
SYS                  DBA

1 row selected.
```
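As an added example that is not part of the original document, the following queries extend the check above so that only accounts other than SYS (which must keep administrator privileges) are reported, and so that grantees receiving DBA indirectly through another role are also found. It assumes, as in Oracle-compatible data dictionaries, that the GRANTEE column of dba_role_privs lists roles as well as users.

```sql
-- 1. Direct DBA grantees that are candidates for review.
--    SYS is excluded because the default account list marks it as
--    requiring administrator privileges.
select GRANTEE, GRANTED_ROLE
  from dba_role_privs
 where granted_role = 'DBA'
   and grantee <> 'SYS';

-- 2. Grantees that obtain DBA indirectly (one level of nesting):
--    r1 finds roles that were granted DBA, r2 finds who holds those roles.
--    Assumption: dba_role_privs.GRANTEE can name a role, not only a user.
select r2.GRANTEE     as INDIRECT_GRANTEE,
       r1.GRANTEE     as VIA_ROLE
  from dba_role_privs r1
  join dba_role_privs r2
    on r2.GRANTED_ROLE = r1.GRANTEE
 where r1.GRANTED_ROLE = 'DBA';

-- 3. Revoke DBA from an intermediate role found in step 2, which removes
--    the privilege from every account that inherited it through that role.
--    [ROLE_NAME] is a placeholder to be replaced with the value reported.
-- REVOKE DBA FROM [ROLE_NAME];
```

Re-run the "after work" query from the procedure once any revocations have been made; both result sets above should be empty when the inspection criterion "Good" is met.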
Reversion
- Grant administrator privileges
```sql
GRANT DBA TO [USERNAME];
-- ex)
grant dba to tibero1;
```