| Item | Value |
|---|---|
| Document Type | Technical Information |
| Category | Security |
| Applicable Product Versions | Tibero6, Tibero7 |
| Document Number | TSETI016 |
Overview
| Category | Inspection Item | Importance | Code |
|---|---|---|---|
| Account Management | Change and use default account passwords, privileges, etc. | High | D-01 |
| Account Management | Remove unnecessary database accounts or set them to locked before use | High | D-02 |
| Account Management | Set password usage period and complexity according to organizational policy | High | D-03 |
| Account Management | Allow database administrator privileges only to necessary accounts and groups | High | D-04 |
| Account Management | Restrictions on Password Reuse | Medium | D-12 |
| Account Management | Assign and use individual database user accounts | Medium | D-13 |
This document describes the security vulnerability measures for the item "Account Management - Restrictions on Password Reuse (D-12)".
Inspection Content and Purpose
- Check whether a password reuse restriction is configured so that previously used passwords cannot be chosen again when a password is changed.
- Check whether the reuse restriction is actually applied to the accounts, so that a password change cannot be satisfied by re-entering an old password; without it, a forced change is only nominal.
Inspection Criteria
| Criteria | Details |
|---|---|
| Good | The PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX profile parameters are set and applied to the accounts |
| Vulnerable | The PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX profile parameters are not set, or are set but not applied to the accounts |
Precautions Before Action
Check Default Account List
The default accounts created during Tibero installation are as follows. Additional or deleted accounts may exist depending on the DB version.
| Account Name | Password | Remarks |
|---|---|---|
| SYS | tibero | Account cannot be deleted |
| SYSCAT | syscat | Account cannot be deleted |
| SYSGIS | sysgis | Account cannot be deleted |
| OUTLN | outln | Account cannot be deleted |
| TIBERO | tmax | Account can be deleted |
| TIBERO1 | tmax | Account can be deleted. Does not exist from version T7 and above |
| SYSBACKUP | tibero | Account cannot be deleted. Exists in some versions of T6FS07 (patch 301647 available) and from version T7 and above |
| LBACSYS | lbacsys | Account cannot be deleted. Exists from version T7 and above |
Password Usage Period and Complexity
For password reuse settings, please refer to the contents of PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX.
| Type | Description |
|---|---|
| PASSWORD_REUSE_TIME | Sets the period (in days) during which a password may not be reused. Example: a setting of 30 means the same password cannot be reused for 30 days |
| PASSWORD_REUSE_MAX | Prohibits reuse of the most recently used passwords, up to the set number. Example: a setting of 10 means none of the 10 most recent passwords may be reused; a different password must be chosen |
Method
Configuration
1. Create and Apply New Profile
- Check existing profiles before creation
```sql
set lines 400
col profile for a20
col resource_name for a30
col resource_type for a20
col limit for a20
select * from dba_profiles where RESOURCE_TYPE = 'PASSWORD';

PROFILE              RESOURCE_NAME                  RESOURCE_TYPE        LIMIT
-------------------- ------------------------------ -------------------- --------------------
DEFAULT              FAILED_LOGIN_ATTEMPTS          PASSWORD             UNLIMITED
DEFAULT              PASSWORD_LIFE_TIME             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_TIME            PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_MAX             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_VERIFY_FUNCTION       PASSWORD             NULL_VERIFY_FUNCTION
DEFAULT              PASSWORD_LOCK_TIME             PASSWORD             1
DEFAULT              PASSWORD_GRACE_TIME            PASSWORD             UNLIMITED
DEFAULT              LOGIN_PERIOD                   PASSWORD             UNLIMITED

8 rows selected.
```
- Create profile
```sql
CREATE PROFILE [profile_name] LIMIT
  FAILED_LOGIN_ATTEMPTS    [value]
  PASSWORD_LOCK_TIME       [value]
  PASSWORD_LIFE_TIME       [value]
  PASSWORD_REUSE_TIME      [value]
  PASSWORD_REUSE_MAX       [value]
  PASSWORD_GRACE_TIME      [value]
  PASSWORD_VERIFY_FUNCTION [value];
```

ex)

```sql
CREATE PROFILE prof LIMIT
  failed_login_attempts    3
  password_lock_time       1/1440
  password_life_time       90
  password_reuse_time      unlimited
  password_reuse_max       10
  password_grace_time      10
  password_verify_function verify_function;
```
- Check profile after creation
```sql
set lines 400
col profile for a20
col resource_name for a30
col resource_type for a20
col limit for a50
select * from dba_profiles where RESOURCE_TYPE = 'PASSWORD';

PROFILE              RESOURCE_NAME                  RESOURCE_TYPE        LIMIT
-------------------- ------------------------------ -------------------- --------------------
DEFAULT              FAILED_LOGIN_ATTEMPTS          PASSWORD             UNLIMITED
DEFAULT              PASSWORD_LIFE_TIME             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_TIME            PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_MAX             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_VERIFY_FUNCTION       PASSWORD             NULL_VERIFY_FUNCTION
DEFAULT              PASSWORD_LOCK_TIME             PASSWORD             1
DEFAULT              PASSWORD_GRACE_TIME            PASSWORD             UNLIMITED
DEFAULT              LOGIN_PERIOD                   PASSWORD             UNLIMITED
PROF                 FAILED_LOGIN_ATTEMPTS          PASSWORD             3
PROF                 PASSWORD_LIFE_TIME             PASSWORD             90
PROF                 PASSWORD_REUSE_TIME            PASSWORD             UNLIMITED
PROF                 PASSWORD_REUSE_MAX             PASSWORD             10
PROF                 PASSWORD_VERIFY_FUNCTION       PASSWORD             VERIFY_FUNCTION
PROF                 PASSWORD_LOCK_TIME             PASSWORD             .000694444444444444444444444444444444444444
PROF                 PASSWORD_GRACE_TIME            PASSWORD             10
PROF                 LOGIN_PERIOD                   PASSWORD             UNLIMITED

16 rows selected.
```
- Check profile by account
```sql
set lines 400
col username for a30
col profile for a30
SELECT USERNAME,PROFILE FROM DBA_USERS;

USERNAME                       PROFILE
------------------------------ ------------------------------
SYS
TIBERO
SYSCAT
SYSGIS
OUTLN
TIBERO1
P_TEST
PROSYNC

8 rows selected.
```
- Change profile setting per account
```sql
ALTER USER [USERNAME] PROFILE [PROFILE name];
```

ex)

```sql
alter user sys profile prof;
```
- Confirm profile setting per account
```sql
SELECT USERNAME,PROFILE FROM DBA_USERS;

USERNAME                       PROFILE
------------------------------ ------------------------------
SYS                            PROF
TIBERO                         PROF
SYSCAT                         PROF
SYSGIS                         PROF
OUTLN                          PROF
TIBERO1                        PROF
P_TEST                         PROF
PROSYNC                        PROF

8 rows selected.
```
2. Modify RESOURCE in Existing Profile
- Check profile before modification
```sql
set lines 400
col profile for a20
col resource_name for a30
col resource_type for a20
col limit for a20
select * from dba_profiles where RESOURCE_TYPE = 'PASSWORD';

PROFILE              RESOURCE_NAME                  RESOURCE_TYPE        LIMIT
-------------------- ------------------------------ -------------------- --------------------
DEFAULT              FAILED_LOGIN_ATTEMPTS          PASSWORD             UNLIMITED
DEFAULT              PASSWORD_LIFE_TIME             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_TIME            PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_MAX             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_VERIFY_FUNCTION       PASSWORD             NULL_VERIFY_FUNCTION
DEFAULT              PASSWORD_LOCK_TIME             PASSWORD             1
DEFAULT              PASSWORD_GRACE_TIME            PASSWORD             UNLIMITED
DEFAULT              LOGIN_PERIOD                   PASSWORD             UNLIMITED

8 rows selected.
```
- Modify PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX values in the profile
```sql
ALTER PROFILE [PROFILE name] LIMIT [RESOURCE NAME] [value];
```

ex)

```sql
ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_MAX 10;
```
- Check profile after modification
```sql
set lines 400
col profile for a20
col resource_name for a30
col resource_type for a20
col limit for a20
select * from dba_profiles where RESOURCE_TYPE = 'PASSWORD';

PROFILE              RESOURCE_NAME                  RESOURCE_TYPE        LIMIT
-------------------- ------------------------------ -------------------- --------------------
DEFAULT              FAILED_LOGIN_ATTEMPTS          PASSWORD             UNLIMITED
DEFAULT              PASSWORD_LIFE_TIME             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_TIME            PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_MAX             PASSWORD             10
DEFAULT              PASSWORD_VERIFY_FUNCTION       PASSWORD             NULL_VERIFY_FUNCTION
DEFAULT              PASSWORD_LOCK_TIME             PASSWORD             1
DEFAULT              PASSWORD_GRACE_TIME            PASSWORD             UNLIMITED
DEFAULT              LOGIN_PERIOD                   PASSWORD             UNLIMITED

8 rows selected.
```
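The following script is an added example and is not part of the original Tibero document. It combines the two configuration methods above (a dedicated profile with both reuse limits, assigned per account) with an audit query that a reviewer can run to list the accounts still vulnerable under D-12. The profile name PROF_D12, the limit values 365 and 10, and the account TIBERO are assumptions chosen for illustration; the audit also assumes that an account whose PROFILE column in DBA_USERS is empty (as in the DBA_USERS output shown above) is governed by the DEFAULT profile, and, following the page's own example profile (reuse_time unlimited, reuse_max 10), treats an account as vulnerable only when both limits are UNLIMITED.

```sql
-- Added example (not from the original Tibero document).
-- PROF_D12, the limit values and the account name are assumptions; adjust them
-- to the organization's password policy.

-- 1. Create a profile that forbids reuse of the 10 most recently used passwords
--    and of any password used within the last 365 days.
CREATE PROFILE PROF_D12 LIMIT
  PASSWORD_REUSE_TIME 365
  PASSWORD_REUSE_MAX  10;

-- 2. Apply the profile to an account (repeat for every account in DBA_USERS
--    that the policy covers).
ALTER USER TIBERO PROFILE PROF_D12;

-- 3. Audit: report every account whose effective profile leaves BOTH reuse
--    limits at UNLIMITED. An empty result means every account is covered.
--    Assumption: an empty PROFILE in DBA_USERS means the DEFAULT profile applies,
--    which is why NVL maps it to 'DEFAULT' before the join.
SELECT u.username,
       NVL(u.profile, 'DEFAULT') AS effective_profile,
       MAX(CASE WHEN p.resource_name = 'PASSWORD_REUSE_TIME' THEN p.limit END) AS reuse_time,
       MAX(CASE WHEN p.resource_name = 'PASSWORD_REUSE_MAX'  THEN p.limit END) AS reuse_max
  FROM dba_users u
  JOIN dba_profiles p
    ON p.profile = NVL(u.profile, 'DEFAULT')
   AND p.resource_type = 'PASSWORD'
   AND p.resource_name IN ('PASSWORD_REUSE_TIME', 'PASSWORD_REUSE_MAX')
 GROUP BY u.username, NVL(u.profile, 'DEFAULT')
HAVING MAX(CASE WHEN p.resource_name = 'PASSWORD_REUSE_TIME' THEN p.limit END) = 'UNLIMITED'
   AND MAX(CASE WHEN p.resource_name = 'PASSWORD_REUSE_MAX'  THEN p.limit END) = 'UNLIMITED'
 ORDER BY u.username;
```

Run the audit query both before and after applying the profile: before, every account on the unmodified DEFAULT profile appears in the result (both limits are UNLIMITED in the DBA_PROFILES output shown above); after step 2 the account TIBERO drops out of the list, and once every account has been moved to PROF_D12, or DEFAULT itself has been altered as in method 2, the result is empty. The query only inspects profile settings; it does not verify that a user cannot in fact re-enter an old password, so a final functional check is still to change a test account's password and confirm that changing it back to the previous value is rejected.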
Rollback
1. Rollback Profile per Account
If the measure was applied by creating a new profile (leaving the DEFAULT profile settings unchanged), reassign each account to the profile it used before, for example DEFAULT.

```sql
ALTER USER [USERNAME] PROFILE [PROFILE name];
```

ex)

```sql
alter user sys profile default;
```
2. Rollback RESOURCE in Existing Profile
```sql
ALTER PROFILE [PROFILE name] LIMIT [RESOURCE NAME] [value];
```

ex)

```sql
ALTER PROFILE prof LIMIT PASSWORD_REUSE_MAX UNLIMITED;
```