- Overview
- Account Manager
- Checking Environment Files
- DBMS Security Settings
- Using Public Synonym
- Account lockout policy settings (such as lockout time after a number of failed logins)
- Password complexity setting
- Periodic change of password
- Changing the ALTIBASE HDB service port default
- Session IDLE_TIMEOUT settings
- Basic auditing (user statements, privileges, objects, etc.)
- Restriction of remote access to DB server
- Setting SYSDBA login restrictions
- Security Patch
Overview
This document explains how to check each DB vulnerability diagnosis item.
The diagnosis items were prepared based on customer inquiries.
Account Manager
List of accounts (User account management to block unauthorized access)
How to check
How to manage
If the list of database users contains an account that is no longer needed, confirm this with the DBA or the application administrator and remove it.
Using weak password (change default account and password)
How to check
The default users and passwords created when ALTIBASE HDB is installed are as follows.

| USER | PASSWORD |
|---|---|
| SYS | MANAGER |
| ALTITEST | ALTITEST |
Try to connect to the database with each default password to check whether it is still in use.
How to manage
If access is possible with the default password, change the user's password after checking which applications connect with that account, since their connection settings must be updated at the same time.
Using WITH GRANT OPTION
When an object privilege is granted WITH GRANT OPTION, the grantee can in turn grant that privilege to other users, so access to the object can spread without the DBA's knowledge or control.
How to manage
Checking Environment Files
Altibase.properties file access authority setting
altibase.properties is one of the critical ALTIBASE HDB files; if it is maliciously altered, the database can fail.
How to check
How to manage
Set the permissions of the altibase.properties file to 600 or 640.
Log Anchor, Logfile, Datafile access privilege setting
The log anchor, logfiles and datafiles are essential to ALTIBASE HDB operation; if they are modified with malicious intent, the database can fail.
How to check
How to manage
Set the permissions of the log anchor, logfile and datafile files to 600 or 640.
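The two permission checks above (altibase.properties, and the log anchor, logfile and datafile files) can be run as one audit. The script below is an added example, not part of the Altibase documentation. It assumes the hypothetical layout $ALTIBASE_HOME/conf, $ALTIBASE_HOME/logs and $ALTIBASE_HOME/dbs, and runs against a constructed sandbox directory so it works offline; point it at the real directories to audit an installation.

```shell
#!/bin/sh
# Added example: audit and fix permissions of altibase.properties, log anchor,
# logfiles and datafiles. Hypothetical layout: conf/, logs/ and dbs/ under
# $ALTIBASE_HOME (adjust to the real installation).
ALTIBASE_HOME="${ALTIBASE_HOME:-/home/altibase/altibase_home}"

# Permission bits of a file in octal (GNU stat; BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only for the two accepted modes, 600 or 640. Anything else
# (group write, world read, setuid bits, ...) is a finding.
mode_ok() {
    case "$(file_mode "$1")" in
        600|640) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print one "WEAK <mode> <path>" line for every file under a directory
# (recursively) whose mode is not accepted; prints nothing when all pass.
audit_dir() {
    find "$1" -type f -print | while IFS= read -r f; do
        mode_ok "$f" || printf 'WEAK %s %s\n' "$(file_mode "$f")" "$f"
    done
}

# Number of files under a directory that fail the check.
weak_count() {
    audit_dir "$1" | wc -l | tr -d ' '
}

# Remediation: owner read/write only. The server process runs as the file
# owner, so nothing else needs access to these files.
fix_dir() {
    find "$1" -type f -exec chmod 600 {} +
}

# Constructed sandbox standing in for $ALTIBASE_HOME so the script runs offline.
# File names mirror a typical installation but are invented for this demo.
SANDBOX=$(mktemp -d)
mkdir -p "$SANDBOX/conf" "$SANDBOX/logs" "$SANDBOX/dbs"
touch "$SANDBOX/conf/altibase.properties" "$SANDBOX/logs/loganchor0" \
      "$SANDBOX/logs/logfile0" "$SANDBOX/dbs/system001.dbf"
chmod 644 "$SANDBOX/conf/altibase.properties"   # world-readable: finding
chmod 600 "$SANDBOX/logs/loganchor0"            # accepted
chmod 660 "$SANDBOX/logs/logfile0"              # group-writable: finding
chmod 640 "$SANDBOX/dbs/system001.dbf"          # accepted

echo "Before:"
audit_dir "$SANDBOX"
fix_dir "$SANDBOX"
echo "After: $(weak_count "$SANDBOX") weak file(s)"
rm -rf "$SANDBOX"
```

Run it as the Altibase OS user; files owned by another account cannot be fixed with chmod alone and should be investigated rather than silently re-owned.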
Checking iSQL command shell history
When connecting to a database with iSQL, if the account and password are passed together on the command line, the password can leak because the command is recorded in the shell history file (.history or .sh_history).
How to check
How to manage
When connecting with iSQL, do not pass the user and password on the shell command line; let iSQL prompt for them instead.
Set the permissions of the shell history file (.history or .sh_history) to 600 so that only the owner can read it.
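A quick way to find out whether passwords have already leaked into a history file is to scan it for iSQL invocations that carry a password switch. The script below is an added example, not Altibase's own tooling; it assumes iSQL takes the password with a "-p" switch, masks the value in its report so the report itself leaks nothing, and runs on a constructed sample history rather than a real one.

```shell
#!/bin/sh
# Added example: find iSQL invocations that passed a password on the command
# line, report them with the password masked, and lock down the history file.
# Assumption: the password switch is "-p" (isql -s host -u user -p password).

# Print each line that runs isql with "-p <value>", replacing the value
# with asterisks.
scan_history() {
    grep -E '(^|[[:space:];&|])isql[[:space:]].*-p[[:space:]]+[^[:space:]]+' "$1" \
        | sed -E 's/(-p[[:space:]]+)[^[:space:]]+/\1********/g'
}

# Number of history lines that exposed a password.
leak_count() {
    scan_history "$1" | wc -l | tr -d ' '
}

# Remediation for the file itself: owner-only access (600).
protect_history() {
    chmod 600 "$1"
}

# Constructed sample history (not a real capture) so the scan runs offline.
# "-port 20300" is included deliberately: it must not be mistaken for "-p".
HIST=$(mktemp)
cat > "$HIST" <<'EOF'
ls -l $ALTIBASE_HOME/conf
isql -s 127.0.0.1 -u sys -p manager
cd $ALTIBASE_HOME/logs
isql -s 127.0.0.1 -port 20300 -u altitest -p altitest -f check.sql
isql -s 127.0.0.1 -u sys
EOF

scan_history "$HIST"
echo "$(leak_count "$HIST") line(s) exposed a password"
protect_history "$HIST"
rm -f "$HIST"
```

Any password found this way should be treated as compromised and changed, and the offending lines removed from the history file; tightening the file's permissions afterwards prevents other local users from reading future entries but does not undo an earlier leak.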
DBMS Security Settings
Using Public Synonym
How to check
How to Manage
PUBLIC SYNONYMs are created together with the database for the convenience of DB users. Dropping them is not recommended, because common queries such as lookups on the DUAL table and frequently used procedures such as PRINT and PRINTLN depend on them.
If one must nevertheless be dropped, use a DROP statement for that synonym.
Before dropping it, check whether the PUBLIC SYNONYM is used by the application.
Account lockout policy settings (such as lockout time after a number of failed logins)
Applicable version
- From ALTIBASE HDB 4.3.9.211
- From ALTIBASE HDB 5.3.3.89
- From ALTIBASE HDB 5.5.1.5.1
- From ALTIBASE HDB 6.1.1.2.1
- From ALTIBASE HDB 6.3.1
How to check
How to manage
Password complexity setting
Applicable version
- From ALTIBASE HDB 4.3.9.211
- From ALTIBASE HDB 5.3.3.89
- From ALTIBASE HDB 5.5.1.5.1
- From ALTIBASE HDB 6.1.1.2.1
- From ALTIBASE HDB 6.3.1
How to check
How to manage
To enforce password complexity for database users, create a callback function that validates the password and reference it with the PASSWORD_VERIFY_FUNCTION option in the LIMIT clause of CREATE USER or ALTER USER.
Periodic change of password
Applicable version
- From ALTIBASE HDB 4.3.9.211
- From ALTIBASE HDB 5.3.3.89
- From ALTIBASE HDB 5.5.1.5.1
- From ALTIBASE HDB 6.1.1.2.1
- From ALTIBASE HDB 6.3.1
How to check
Check the PASSWORD_LIFE_TIME property. If the value is 0, no password expiration period is set.
How to manage
Add (or change) the PASSWORD_LIFE_TIME property in $ALTIBASE_HOME/conf/altibase.properties and restart the ALTIBASE HDB server.
Database users created after this property is set get a password expiration date based on this value.
Changing the ALTIBASE HDB service port default
The default service port of the ALTIBASE HDB server is 20300.
How to check
How to manage
After changing the value of PORT_NO in $ALTIBASE_HOME/conf/altibase.properties, restart the Altibase server process. Clients and connection strings must be updated to the new port at the same time.
Session IDLE_TIMEOUT settings
IDLE_TIMEOUT is a session-level property: a session takes the ALTIBASE HDB server's value when it connects, but the value can afterwards be changed within that session.
How to check
How to manage
- A value changed within a session applies only to that session. To make the change survive a restart of the Altibase server process, change the IDLE_TIMEOUT property in $ALTIBASE_HOME/conf/altibase.properties.
Basic auditing (user statements, privileges, objects, etc.)
Auditing function is provided starting from ALTIBASE HDB version 6.3.1.
How to check
- For a description of each field, refer to the '3. Data Dictionary' section of the General Reference manual.
How to manage
If auditing is not configured, set it up by referring to the '14. Database Auditing' and '5. Data Control' sections.
Manual download page: http://support.altibase.com/en/manual
Restriction of remote access to DB server
This feature is available starting from ALTIBASE HDB 5.
How to check and manage
Check the ACCESS_LIST property in $ALTIBASE_HOME/conf/altibase.properties.
If it is not set, configure it in altibase.properties and restart the server for the change to take effect.
Setting SYSDBA login restrictions
ALTIBASE HDB does not restrict SYSDBA logins themselves; it can only control whether SYSDBA connections are accepted from remote hosts.
This feature is available starting from ALTIBASE HDB version 5.
How to check
How to manage
- To make the change survive a restart of the Altibase server process, change the REMOTE_SYSDBA_ENABLE property in $ALTIBASE_HOME/conf/altibase.properties.
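The properties covered by the preceding items (PASSWORD_LIFE_TIME, PORT_NO, IDLE_TIMEOUT, ACCESS_LIST and REMOTE_SYSDBA_ENABLE) all live in $ALTIBASE_HOME/conf/altibase.properties, so they can be checked in one pass. The script below is an added example and not part of Altibase. It assumes the file holds one "NAME = VALUE" setting per line with "#" comments (a hypothetical layout; adjust the parser to the real file), that a property absent from the file takes the server's built-in default, that IDLE_TIMEOUT 0 means sessions are never disconnected, and that REMOTE_SYSDBA_ENABLE 0 disables remote SYSDBA login. The ACCESS_LIST value in the hardened sample is a placeholder; the real rule syntax is in the Altibase manual. Both sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit altibase.properties against the checklist.
# Assumed file layout (hypothetical): "NAME = VALUE" lines, "#" comments.
# Thresholds: PORT_NO must not be the default 20300; PASSWORD_LIFE_TIME and
# IDLE_TIMEOUT must be set and non-zero (assumption: 0 = never);
# REMOTE_SYSDBA_ENABLE must be 0 (assumption: 0 = disabled); ACCESS_LIST set.

# Value of a property, or empty when it is not set (last definition wins).
get_prop() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^#]*).*/\1/p" "$1" \
        | sed -E 's/[[:space:]]+$//' | tail -n 1
}

# Print one FAIL line per weak setting; print nothing when everything passes.
audit_properties() {
    f=$1
    port=$(get_prop "$f" PORT_NO)
    [ -n "$port" ] && [ "$port" != 20300 ] \
        || echo "FAIL PORT_NO: default service port 20300 still in use"

    life=$(get_prop "$f" PASSWORD_LIFE_TIME)
    [ -n "$life" ] && [ "$life" != 0 ] \
        || echo "FAIL PASSWORD_LIFE_TIME: unset or 0, passwords never expire"

    idle=$(get_prop "$f" IDLE_TIMEOUT)
    [ -n "$idle" ] && [ "$idle" != 0 ] \
        || echo "FAIL IDLE_TIMEOUT: unset or 0, idle sessions are never disconnected"

    [ "$(get_prop "$f" REMOTE_SYSDBA_ENABLE)" = 0 ] \
        || echo "FAIL REMOTE_SYSDBA_ENABLE: not explicitly set to 0"

    [ -n "$(get_prop "$f" ACCESS_LIST)" ] \
        || echo "FAIL ACCESS_LIST: no client address restriction configured"
}

# Number of failed checks for a properties file.
fail_count() {
    audit_properties "$1" | wc -l | tr -d ' '
}

# Constructed samples: shipped-style defaults versus a hardened file.
WEAK=$(mktemp)
HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
# constructed sample: defaults left in place
PORT_NO = 20300
IDLE_TIMEOUT = 0
PASSWORD_LIFE_TIME = 0
EOF
cat > "$HARD" <<'EOF'
# constructed sample: hardened (restart the server after editing)
PORT_NO = 21300
IDLE_TIMEOUT = 1800          # seconds
PASSWORD_LIFE_TIME = 90
REMOTE_SYSDBA_ENABLE = 0
ACCESS_LIST = <rule syntax per the Altibase manual>
EOF

echo "Weak file:"
audit_properties "$WEAK"
echo "Hardened file: $(fail_count "$HARD") finding(s)"
rm -f "$WEAK" "$HARD"
```

Every one of these properties is read at server start, so after editing the file the Altibase server process must be restarted before the audit reflects the running configuration; until then a change inside a session (IDLE_TIMEOUT) or in the file alone does not protect the instance.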
Security Patch
Applying the latest patch
The latest version of ALTIBASE HDB can be found on the Customer Support Service Portal.
Patch packages are uploaded to the portal only in the cases listed below; otherwise they are released irregularly, so contact us for the latest patch version by requesting service at +82-2-2082-1114 or through the Customer Support Service Portal.
- When a major version is released
- When critical bugs are reflected