【YashanDB知识库】YashanDB安全设置示例

本文内容来自YashanDB官网，原文内容请见 https://www.yashandb.com/newsinfo/7281303.html?templateId=171...

设置密码复杂度

密码复杂度开关打开，打开后密码必须满足：①至少八位长度 ② 数字＋大小写＋特殊字符

alter system set \_CHECK\_PASSWORD\_COMPLEXITY=true;

示例：

SQL> alter system set _CHECK_PASSWORD_COMPLEXITY=true;Succeed.SQL> create user user1 identified by simple1;YAS-02317 failed to check password complexity for password must contain at least 8 charactersSQL> create user user1 identified by Short1_;YAS-02317 failed to check password complexity for password must contain at least 8 charactersSQL> create user user1 identified by Complex1;YAS-02317 failed to check password complexity for password must contain at least 1 special characterSQL> create user user1 identified by Complex1_;Succeed.SQL> drop user user1;

备注：对于存储在数据库表中的密码，YashanDB提供\_CHECK\_PASSWORD\_COMPLEXITY（隐藏参数，默认值FALSE）用于控制是否开启密码强度控制，该参数默认为false不开启。弱密码对于系统安全有严重危害性，建议生产环境打开开关。开启密码强度控制后，YashanDB将在密码设置时进行强度校验，输入的密码需要满足 ①至少八位长度 ② 数字＋大小写＋特殊字符组合的条件后才能设置成功。 所有账号（包括SYS账号）的密码符合复杂度要求 所有账号（包括SYS账号）的密码需要满足 ①至少八位长度 ② 数字＋大小写＋特殊字符示例：

SYS/Abc123_2yP=y)USER1/O1001ZGAfaes_0UP2

设置密码策略 所有的profile（尤其是默认策略 - default），都需要设置： FAILED\_LOGIN\_ATTEMPTS 3 –- 登录失败锁定次数 PASSWORD\_LIFE\_TIME 90 –- 密码过期天数 PASSWORD\_REUSE\_TIME 1800 –- 密码复用间隔最小天数 PASSWORD\_REUSE\_MAX 6 –- 密码复用次数最大次数 PASSWORD\_LOCK\_TIME 1 –- 密码锁定天数 PASSWORD\_GRACE\_TIME 7 –- 密码过期前宽限天数 示例：

alter profile default limitFAILED_LOGIN_ATTEMPTS 3PASSWORD_LIFE_TIME 90PASSWORD_REUSE_TIME 1800PASSWORD_REUSE_MAX 6PASSWORD_LOCK_TIME 1PASSWORD_GRACE_TIME 7;SQL> alter profile default limit FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LIFE_TIME 90 PASSWORD_REUSE_TIME 1800 PASSWORD_REUSE_MAX 6 PASSWORD_LOCK_TIME 1 PASSWORD_GRACE_TIME 7;Succeed.SQL> select * from dba_profiles;PROFILE RESOURCE_NAME RESOURCE_TYPE LIMIT---------------------------------------------------------------- ---------------------------------------------------------------- ------------- ---------------------------------------------DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 3DEFAULT PASSWORD_LIFE_TIME PASSWORD 90DEFAULT PASSWORD_REUSE_TIME PASSWORD 1800DEFAULT PASSWORD_REUSE_MAX PASSWORD 6DEFAULT PASSWORD_LOCK_TIME PASSWORD 1DEFAULT PASSWORD_GRACE_TIME PASSWORD 76 rows fetched.SQL> select username, profile from dba_users;USERNAME PROFILE---------------------------------------------------------------- ----------------------------------------------------------------SYS DEFAULTDBBAK DEFAULTDBMGR PROF_SYSUSER1 DEFAULTUSER2 DEFAULT5 rows fetched.

无实际使用用途且非管理员的账号处于锁定状态 无实际使用用途且非管理员的账号（例如：MDSYS）处于锁定状态示例：

SQL> select username, account_status from dba_users;USERNAME ACCOUNT_STATUS---------------------------------------------------------------- ---------------------------------SYS OPENMDSYS LOCKED2 rows fetched.

禁用免密登录 对于崖山，禁止用户免密登录是检查$YASDB\_DATA/config/yasdb\_net.ini，应有配置ENABLE\_LOCAL\_OSAUTH = off

禁用默认密码 检查崖山默认密码是Cod-2022或者yasdb\_123，无法登录用户示例：

[yashan@host-10-76-249-193 ~]$ yasql sys/Cod-2022YashanDB SQL Release 22.2.12.100 aarch64YAS-02143 invalid username/password, login deniedplease input user name:YASQL-00007 invalid username/password; logon deniedplease input user name:YASQL-00007 invalid username/password; logon deniedYASQL-00007 unable to CONNECT to Server after 3 attempts[yashan@host-10-76-249-193 ~]$ yasql sys/yasdb_123YashanDB SQL Release 22.2.12.100 aarch64YAS-02143 invalid username/password, login deniedplease input user name:YASQL-00007 invalid username/password; logon deniedplease input user name:YASQL-00007 invalid username/password; logon deniedYASQL-00007 unable to CONNECT to Server after 3 attempts

加密存储 根据实际情况调整。 1、如果客户无加密要求，则跳过此项设置。 2、如果只对某些表存在加密要求，则建表DDL需要使用加密表空间。 示例：

CREATE TABLESPACE USER1_SECURITY_DATA DATAFILE '?/dbfiles/USER1_SECURITY_DATA1.dbf' SIZE 2G AUTOEXTEND ON MAXSIZE UNLIMITED ENCRYPTION ENCRYPT;CREATE TABLE USER1.TABLE1(COL1 INT PRIMRARY KEY, COL2 VARCHAR(100), xxx) TABLESPACE USER1_SECURITY_DATA;

3、如果用于所有表都存在加密要求，则不仅建表需要使用加密表空间，且用户的默认表空间也需要设置为加密表空间。 示例：

CREATE TABLESPACE USER1_SECURITY_DATA DATAFILE '?/dbfiles/USER1_SECURITY_DATA1.dbf' SIZE 2G AUTOEXTEND ON MAXSIZE UNLIMITED ENCRYPTION ENCRYPT;CREATE TABLE USER1.TABLE1(COL1 INT PRIMARY KEY, COL2 VARCHAR(100), xxx) TABLESPACE USER1_SECURITY_DATA;ALTER USER USER1 DEFAULT TABLESPACE USER1;

设置审计策略 已开启审计：日志功能，审计内容覆盖到每个用户，能够记录重要用户行为和重要安全事件。用户登录系统、自主访问控制的所有操作记录、重要用户行为(如增加/删除用户，删除库表)等。注意：对仅对DBA权限用户设置LOGON/LOGOFF审计（如果有多个DBA账号，都需要审计）

alter system set UNIFIED_AUDITING=true;CREATE AUDIT POLICY UP1 PRIVILEGES CREATE ANY TABLE, CREATE TABLE, ALTER ANY TABLE, DROP ANY TABLE, GRANT ANY PRIVILEGE, GRANT ANY OBJECT PRIVILEGE, GRANT ANY ROLE, CREATE USER, ALTER USER, DROP USER, DROP ANY ROLE, AUDIT SYSTEM;CREATE AUDIT POLICY UP2 ACTIONS DROP TABLE, DROP ROLE, CREATE AUDIT POLICY, ALTER AUDIT POLICY, DROP AUDIT POLICY, AUDIT, NOAUDIT;CREATE AUDIT POLICY UP3 ACTIONS LOGON, LOGOFF;AUDIT POLICY UP3 BY SYS;AUDIT POLICY UP1;AUDIT POLICY UP2;

示例：

设置审计清理策略 设置审计日志保留270天，每天清理一次过期的审计日志

BEGINDBMS_SCHEDULER.CREATE_JOB ('updateaudit_archive_time','PLSQL_BLOCK','BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVETIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, sysdate-270);END;' ,0,SYSDATE,'sysdate+1',NULL,'DEFAULT_JOB_CLASS',TRUE,FALSE,'update audit archive time');END;/BEGINDBMS_AUDIT_MGMT.CREATE_PURGE_JOB (DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,SYSDATE + 5/24,'sysdate + 1','audit_job',TRUE);END;/

示例：

SQL> BEGIN2 DBMS_SCHEDULER.CREATE_JOB (3 'update_audit_archive_time',4 'PLSQL_BLOCK',5 'BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, sysdate-270);END;' ,6 0,7 SYSDATE,8 'sysdate+1',9 NULL,10 'DEFAULT_JOB_CLASS',11 TRUE,12 FALSE,13 'update audit archive time');14 END;15 /PL/SQL Succeed.SQL> select job_name, REPEAT_INTERVAL from DBA_SCHEDULER_JOBS;JOB_NAME REPEAT_INTERVAL---------------------------------------------------------------- ----------------------------------------------------------------GATHER_STATS_JOB cast(TRUNC(SYSDATE+1) + 2/24 as timestamp)UPDATE_AUDIT_ARCHIVE_TIME sysdate+12 rows fetched.SQL> select job_name, JOB_ACTION from DBA_SCHEDULER_JOBS;JOB_NAME JOB_ACTION---------------------------------------------------------------- ----------------------------------------------------------------GATHER_STATS_JOB begin DBMS_STATS.GATHER_DATABASE_STATS('GATHER AUTO', 0, 8, 'FOR ALL COLUMNS SIZE AUTO', 'GLOBAL', TRUE, TRUE); end;UPDATE_AUDIT_ARCHIVE_TIME BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, sysdate-270);END;2 rows fetched.SQL> BEGIN2 DBMS_AUDIT_MGMT.CREATE_PURGE_JOB (3 DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,4 SYSDATE + 5/24,5 'sysdate + 1',6 'audit_job',7 TRUE);8 END;9 /PL/SQL Succeed.SQL> select job_name, REPEAT_INTERVAL from DBA_SCHEDULER_JOBS;JOB_NAME REPEAT_INTERVAL---------------------------------------------------------------- ----------------------------------------------------------------GATHER_STATS_JOB cast(TRUNC(SYSDATE+1) + 2/24 as timestamp)UPDATE_AUDIT_ARCHIVE_TIME sysdate+1AUDIT_JOB sysdate + 13 rows fetched.SQL> select job_name, JOB_ACTION from DBA_SCHEDULER_JOBS;JOB_NAME JOB_ACTION---------------------------------------------------------------- ----------------------------------------------------------------GATHER_STATS_JOB begin DBMS_STATS.GATHER_DATABASE_STATS('GATHER AUTO', 0, 8, 'FOR ALL COLUMNS SIZE AUTO', 'GLOBAL', TRUE, TRUE); end;UPDATE_AUDIT_ARCHIVE_TIME BEGIN DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, sysdate-270);END;AUDIT_JOB BEGIN DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, true); END;3 rows fetched.

收尾包含但不限于：

【YashanDB知识库】YashanDB安全设置示例

YashanDB

引用和评论

YashanDB V23.4 LTS全库闪回新特性解读

做到真正0丢失、0重复：Apache SeaTunnel 实现万亿级数据一致性全解密

好用的开源埋点方案-ClkLog埋点用户分析系统

Devin 发布 DeepWiki，2 星的项目直接装出万星的气场

【TVM教程】为 ARM CPU 自动调度神经网络

DNS服务器地址大全

【赵渝强老师】在Docker中运行达梦数据库