[20171101]修改oracle口令安全问题.txt

[20171101]修改oracle口令安全问题.txt

--//等保的问题,做一些关于修改oracle口令方面的测试.

1.oracle修改口令一般如下方式:

alter user scott identified by oracle;
password scott
第三方工具,通常也是执行以上类似的命令.我使用SQL Tracker(toad自带的工具)测试,实际上执行的也是第1种方式.

2.测试:
--//我自己曾经建立一个脚本(我修改加入包含alter的内容):
# cat -v Tcpdumpsql
#! /bin/bash
/usr/sbin/tcpdump  -l -i eth0 -s 16384 -A -nn src host $1 and dst port 1521 2>/dev/null |  tee -a /tmp/aa1 |sed -u -e  "s/^M/!/g;s/^E\.\..\{1,100\}//;s/\.*$//;s/^\.*//" | \
awk '{if (tolower($0) ~ "select" || tolower($0) ~ "update" ||  tolower($0) ~ "delete" ||tolower($0) ~ "alter" || tolower($0) ~ "insert" || $0 ~ "ORA-" ) {p=1;print} \
else if(p == 1 && $0 !~ "^[0-9][0-9]:") {print} else if ($0 ~ "^[0-9][0-9]:") {p=0}}'

--//注:^M 实际上在vi里面要通过ctrl+v ctrl+m输入(windows下ctrl+q ctrl+m),主要是因为我们开发写PB代码使用~r而没有加~n,这样
--//在显示时因为没有换行显示内容会被覆盖.

3.测试alter user修改口令:
--//在client端登录,执行如下测试命令:
select sysdate from dual;
alter user scott identified by oracle;
select Sysdate from dual;

--//在服务器执行:
# Tcpdumpsql cliend_ip
--//注:client_id换成对应的ip.
select sysdate from dual
%alter user scott identified by oracle
select Sysdate from dual

--//很明显修改口令的命令暴露无遗.

4.测试password修改口令:
--//在client端登录,执行如下测试命令:
select sysdate from dual;
password
select Sysdate from dual;

--//在服务器执行:
# Tcpdumpsql cliend_ip
select sysdate from dual
        ....................SCOTT.....AUTH_SESSKEY........!...!AUTH_PASSWORD@...@1498887FF997E2D432717C036E8672E9858F261F5A058B6927A9CE4DA137D1AD.........AUTH_NEWPASSWORD@...@FD4CD857F51847B1B86CFDC3263776C365CC27A33FACD76763AB40FE3B073052....!...!AUTH_TERMINAL.....IKD84BCP.........AUTH_PROGRAM_NM.....sqlplus.exe.........AUTH_MACHINE.....WORKGROUP\IKD84BCP.........AUTH_PID        ...     1404:5880.........AUTH_SID!...!Administrator.........AUTH_ALTER_SESSION......ALTER SESSION SET NLS_LANGUAGE= 'AMERICAN' NLS_TERRITORY= 'AMERICA' NLS_CURRENCY= '$' NLS_ISO_CURRENCY= 'AMERICA' NLS_NUMERIC_CHARACTERS= '.,' NLS_CALENDAR= 'GREGORIAN' NLS_DATE_FORMAT= 'YYYY-MM-DD HH24:MI:SS' NLS_DATE_LANGUAGE= 'AMERICAN' NLS_SORT= 'BINA.RY' TIME_ZONE= '+08:00' NLS_COMP= 'BINARY' NLS_DUAL_CURRENCY= '$' NLS_TIME_FORMAT= 'HH.MI.SSXFF AM' NLS_TIMESTAMP_FORMAT= 'YYYY-MM-DD HH24:MI:SS.FF' NLS_TIME_TZ_FORMAT= 'HH.MI.SSXFF AM TZR' NLS_TIMESTAMP_TZ_FORMAT= 'YYYY-MM-DD HH24:MI:SS.FF TZH:TZM'
select Sysdate from dual

--//做一些格式化处理
....................SCOTT.....AUTH_SESSKEY........!...!AUTH_PASSWORD@...@1498887FF997E2D432717C036E8672E9858F261F5A058B6927A9CE4DA137D1AD
.........AUTH_NEWPASSWORD@...@FD4CD857F51847B1B86CFDC3263776C365CC27A33FACD76763AB40FE3B073052....!...!AUTH_TERMINAL.....IKD84BCP
.........AUTH_PROGRAM_NM.....sqlplus.exe.........AUTH_MACHINE.....WORKGROUP\IKD84BCP.........AUTH_PID        ...     
1404:5880.........AUTH_SID!...!Administrator.........AUTH_ALTER_SESSION......ALTER SESSION SET NLS_LANGUAGE= 'AMERICAN'
NLS_TERRITORY= 'AMERICA' NLS_CURRENCY= '$' NLS_ISO_CURRENCY= 'AMERICA' NLS_NUMERIC_CHARACTERS= '.,'
NLS_CALENDAR= 'GREGORIAN' NLS_DATE_FORMAT= 'YYYY-MM-DD HH24:MI:SS' NLS_DATE_LANGUAGE= 'AMERICAN' NLS_SORT= 'BINA.RY' TIME_ZONE= '+08:00'
NLS_COMP= 'BINARY' NLS_DUAL_CURRENCY= '$' NLS_TIME_FORMAT= 'HH.MI.SSXFF AM' NLS_TIMESTAMP_FORMAT= 'YYYY-MM-DD HH24:MI:SS.FF'
NLS_TIME_TZ_FORMAT= 'HH.MI.SSXFF AM TZR' NLS_TIMESTAMP_TZ_FORMAT= 'YYYY-MM-DD HH24:MI:SS.FF TZH:TZM'

SYS@book> column SPARE4 format a70
SYS@book> select name,password,spare4 from user$ where name='SCOTT';
NAME  PASSWORD                       SPARE4
----- ------------------------------ ----------------------------------------------------------------------
SCOTT 0EDE56329E1D82EA               S:52BD300CE604E12EB9D6731005A8294E77D62C898D4C7CB2827DFCAE90AC

--//从这里看出,改变口令使用password更加安全一些.