Document Type | Technical Information
Category | Security
Applicable Product Versions | Tibero6, Tibero7
Document Number | TSETI015
Overview
| Category | Inspection Item | Importance | Code |
|---|---|---|---|
| Account Management | Change the password, privileges, etc. of default accounts before use | High | D-01 |
| Account Management | Remove unnecessary accounts from the database or lock them before use | High | D-02 |
| Account Management | Set password usage period and complexity according to organizational policies | High | D-03 |
| Account Management | Allow database administrator privileges only to necessary accounts and groups | High | D-04 |
| Account Management | Set restrictions on password reuse | Medium | D-12 |
| Account Management | Use DB user accounts individually | Medium | D-13 |
This document describes the security vulnerability mitigation measures for the item "Account Management - Use DB User Accounts Individually (D-13)".
Inspection Content and Purpose
- Check whether different accounts are used per user when accessing the DB.
- Check whether each user accesses the DB using their own DBMS account, so that the audit-log tracking problems caused by sharing DB accounts are avoided.
Inspection Criteria
| Criteria | Description |
|---|---|
| Good | Using accounts per user |
| Vulnerable | Using shared accounts |
Precautions Before Action
Check Default Account List
The default accounts created when installing Tibero are as follows. Additional or removed accounts may exist depending on the DB version.
| Account Name | Password | Remarks |
|---|---|---|
| SYS | tibero | Account cannot be deleted |
| SYSCAT | syscat | Account cannot be deleted |
| SYSGIS | sysgis | Account cannot be deleted |
| OUTLN | outln | Account cannot be deleted |
| TIBERO | tmax | Account can be deleted |
| TIBERO1 | tmax | Account can be deleted; does not exist from version T7 and above |
| SYSBACKUP | tibero | Account cannot be deleted; exists in some versions of T6FS07 (patch 301647 applied) and from T7 and above |
| LBACSYS | lbacsys | Account cannot be deleted; exists from T7 and above |
Check Linked Systems
It is necessary to check the DB accounts used in linked systems in advance.
Method
Configuration
- Check the account list
```sql
set lines 400
col username for a30
col account_status for a30
SELECT USERNAME,ACCOUNT_STATUS FROM DBA_USERS;

-- T6 FS07 (without patch 301647) query results
USERNAME                       ACCOUNT_STATUS
------------------------------ ------------------------------
SYS                            OPEN
SYSCAT                         OPEN
SYSGIS                         OPEN
OUTLN                          OPEN
TIBERO                         OPEN
TIBERO1                        OPEN

-- T7 query results
USERNAME                       ACCOUNT_STATUS
------------------------------ ------------------------------
SYS                            OPEN
SYSCAT                         OPEN
SYSGIS                         OPEN
OUTLN                          OPEN
SYSBACKUP                      OPEN
TIBERO                         OPEN
LBACSYS                        OPEN
```
- Delete unnecessary accounts
When deleting unnecessary accounts, objects (Tables, Indexes, Views, Functions, etc.) within the account will also be deleted, so if objects exist, it is recommended to back them up before proceeding.
```sql
DROP USER [USERNAME] CASCADE;

-- ex)
drop user tibero cascade;
```
- Create accounts according to purpose such as per user or per linked system
When deleting unnecessary accounts, objects (Tables, Indexes, Views, Functions, etc.) within the account will also be deleted. It is recommended to back up before deleting accounts.
```sql
CREATE USER [USERNAME] IDENTIFIED BY '[PASSWORD]';
GRANT CONNECT, RESOURCE TO [USERNAME];

-- ex) Create user TEST_AP
create user test_ap identified by 'TestAp123!';
grant connect, resource to test_ap;
```
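The account-list check in the Configuration steps above can be scripted when there are many instances to review. The following is an added example, not part of the original document or of Tibero: it parses spooled `DBA_USERS` output in the layout shown above and sorts accounts using the default-account table from this page. The sample output, the `APP_SHARED` account, the "rows selected" trailer and all function names are assumptions made for illustration.

```python
# Default accounts and whether they can be dropped, copied from the table on this page.
DEFAULT_ACCOUNTS = {
    "SYS": False, "SYSCAT": False, "SYSGIS": False, "OUTLN": False,
    "SYSBACKUP": False, "LBACSYS": False,
    "TIBERO": True, "TIBERO1": True,
}

# Constructed sample: the T7 listing shown above plus TEST_AP (this page's
# example account) and APP_SHARED (hypothetical); the trailer line is assumed.
SAMPLE_OUTPUT = """\
USERNAME                       ACCOUNT_STATUS
------------------------------ ------------------------------
SYS                            OPEN
SYSCAT                         OPEN
SYSGIS                         OPEN
OUTLN                          OPEN
SYSBACKUP                      OPEN
TIBERO                         OPEN
LBACSYS                        OPEN
TEST_AP                        OPEN
APP_SHARED                     OPEN

9 rows selected.
"""

def parse_dba_users(text):
    """Return [(username, status)], skipping header, rule, comment and trailer lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if (len(parts) != 2 or parts[0] == "USERNAME"
                or set(parts[0]) == {"-"} or parts[0].isdigit()):
            continue
        rows.append((parts[0].upper(), parts[1].strip().upper()))
    return rows

def classify(rows):
    """Sort accounts into the follow-up actions this document describes."""
    report = {"drop_candidate": [], "default_other": [], "review_owner": []}
    for user, status in rows:
        if user not in DEFAULT_ACCOUNTS:
            report["review_owner"].append(user)    # confirm one person or one linked system uses it
        elif DEFAULT_ACCOUNTS[user] and status == "OPEN":
            report["drop_candidate"].append(user)  # deletable default account still open
        else:
            report["default_other"].append(user)   # default account that cannot be dropped, or not open
    return report

if __name__ == "__main__":
    print(classify(parse_dba_users(SAMPLE_OUTPUT)))
```

Accounts in `review_owner` still need a manual check against the linked-system inventory; the listing alone cannot show whether an account is shared.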
Restoration
- Restore deleted accounts
There is no specific restoration method for deleted accounts; they must be newly created. Then, restore the objects backed up before deletion.
```sql
CREATE USER [USERNAME] IDENTIFIED BY '[PASSWORD]';
GRANT CONNECT,RESOURCE TO [USERNAME];

-- ex) Create user TIBERO
CREATE USER tibero IDENTIFIED BY 'tmax';
GRANT CONNECT,RESOURCE TO tibero;
```