Skip to main content
📓 Tibero Online Manual Click here 📓

Search

Welcome to Tibero GTS!

Security Vulnerability Option Management - Password Verification Function Setting

Document TypeㅣTechnical Information

CategoryㅣSecurity

Applicable Product VersionsㅣTibero6, Tibero7

Document NumberㅣTSETI019

 

Overview

CategoryCheck ItemImportanceCode
Option ManagementAdjust so that the Role of application program or DBA accounts is not set to PublicHighD-08
Set OS ROLES, REMOTE_OS_AUTHENTICATION, REMOTE_OS_ROLES to FALSEHighD-09
Password verification function is set and appliedMediumD-19
Restriction of unauthorized Object OwnersLowD-20
Restriction on unauthorized use of GRANT OPTIONMediumD-21
Set database resource limit function to TRUELowD-22
Critical Information and Communication Infrastructure - Detailed Guide for Technical Vulnerability Analysis and Evaluation Methods (2021.03.)

This document describes the security vulnerability mitigation measures for the "Option Management - Password Verification Function is Set and Applied (D-19)" item. 

 

Inspection Content and Purpose

  • Check whether the PASSWORD_VERIFY_FUNCTION value that verifies password complexity is set.
  • By setting the PASSWORD_VERIFY_FUNCTION value, basic password policies are applied to strengthen security for login and enhance the stability of stored data.

 

Inspection Criteria

CriteriaDescription
GoodWhen password verification function is used for validation
VulnerableWhen password verification function is not set 
Critical Information and Communication Infrastructure - Detailed Guide for Technical Vulnerability Analysis and Evaluation Methods (2021.03.)

 

Precautions Before Action

Check Basic Account List

The default accounts created during Tibero installation are as follows. Depending on the DB version, additional or removed accounts may exist. 

Account NamePasswordRemarks
SYStibero

Account cannot be deleted

DBA privileges required

SYSCATsyscatAccount cannot be deleted
SYSGISsysgisAccount cannot be deleted
OUTLNoutlnAccount cannot be deleted
TIBEROtmaxAccount can be deleted
TIBERO1tmax

Account can be deleted

Does not exist from version T7 and above

SYSBACKUPtibero

Account cannot be deleted

Exists in some versions of T6FS07 (patch 301647 available) and from T7 and above

LBACSYSlbacsys

Account cannot be deleted

Exists from T7 and above

 

Check Connected Systems

It is necessary to check the DB accounts used in connected systems in advance. 

 

Password Verification Functions

These are functions related to password verification. There are VERIFY_FUNCTION, VERIFY_FUNCTION2, and NULL_VERIFY_FUNCTION for password verification. VERIFY_FUNCTION2 can be used if a specific patch is applied, so please refer to this.

TypeDescription
PASSWORD_VERIFY_FUNCTION

Specifies the function that checks the validity of the password string when changing the password

By default, the NULL_VERIFY_FUNCTION is applied

FunctionDescription
VERIFY_FUNCTION

- Password length must be at least 4 characters

- Password must include at least one number, letter, and special character

- Username and password must be different

- Password cannot be an easily guessable word

- Predefined words ('welcome','database','account','user','password','tibero','computer','abcd') cannot be used

- Password must differ from the immediately previous password by at least 3 characters

VERIFY_FUNCTION2

- Password length must be at least 8 characters

- Password must include at least one number and letter

- Password cannot include the username

- Password cannot include the username in reverse order

- Password cannot include the DB name

- Password cannot include easily guessable words

- Predefined words ('welcome','database','account','user','password','tibero','computer','abcd') cannot be used

- Password must differ from the immediately previous password by at least 3 characters

* Usable on T6 with patch 258810a applied or T7 and above

NULL_VERIFY_FUNCTIONNo restrictions on password

 

Method

Setting

  • Check profile before operation
set lines 400
col profile for a20
col resource_name for a30
col resource_type for a20
col limit for a40
select * from dba_profiles where RESOURCE_TYPE = 'PASSWORD';


PROFILE              RESOURCE_NAME                  RESOURCE_TYPE        LIMIT
-------------------- ------------------------------ -------------------- ----------------------------------------
DEFAULT              FAILED_LOGIN_ATTEMPTS          PASSWORD             UNLIMITED
DEFAULT              PASSWORD_LIFE_TIME             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_TIME            PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_MAX             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_VERIFY_FUNCTION       PASSWORD             NULL_VERIFY_FUNCTION
DEFAULT              PASSWORD_LOCK_TIME             PASSWORD             1
DEFAULT              PASSWORD_GRACE_TIME            PASSWORD             0
DEFAULT              LOGIN_PERIOD                   PASSWORD             UNLIMITED

 

  • Modify PASSWORD_VERIFY_FUNCTION value
ALTER PROFILE [PROFILE NAME] LIMIT [RESOURCE NAME] [SETTING VALUE];

ex) ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;

 

  • Check profile after operation
set lines 400
col profile for a20
col resource_name for a30
col resource_type for a20
col limit for a40
select * from dba_profiles where RESOURCE_TYPE = 'PASSWORD';

PROFILE              RESOURCE_NAME                  RESOURCE_TYPE        LIMIT
-------------------- ------------------------------ -------------------- ----------------------------------------
DEFAULT              FAILED_LOGIN_ATTEMPTS          PASSWORD             UNLIMITED
DEFAULT              PASSWORD_LIFE_TIME             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_TIME            PASSWORD             UNLIMITED
DEFAULT              PASSWORD_REUSE_MAX             PASSWORD             UNLIMITED
DEFAULT              PASSWORD_VERIFY_FUNCTION       PASSWORD             VERIFY_FUNCTION
DEFAULT              PASSWORD_LOCK_TIME             PASSWORD             1
DEFAULT              PASSWORD_GRACE_TIME            PASSWORD             0
DEFAULT              LOGIN_PERIOD                   PASSWORD             UNLIMITED

 

Revert

  • Revert profile
ALTER PROFILE [PROFILE NAME] LIMIT [RESOURCE NAME] [SETTING VALUE];

ex) ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION NULL_VERIFY_FUNCTION;