...

The default password for the user created when ALTIBASE HDB is installed is as follows.

...

Info

To learn how to change the SYS user password, refer to the "How to change the SYS user password" page.


Using WITH GRANT OPTION

...

When an object privilege is granted WITH GRANT OPTION, the user who received it can grant the same privilege to other users, so object access rights can spread outside the DBA's control.

Code Block
SELECT DISTINCT(A.USER_NAME) GRANTEE,      -- Grantee: user who holds the privilege WITH GRANT OPTION
       C.USER_NAME GRANTOR,                -- Grantor: user who granted the privilege WITH GRANT OPTION
       B.OBJ_TYPE,                         -- Object type (T: table, S: sequence, P: stored procedure or stored function, V: view)
       B.OBJ_ID,                           -- Object ID (for tables, views, and sequences, maps to the TABLE_ID of SYS_TABLES_; for stored procedures and stored functions, maps to the PROC_OID of SYS_PROCEDURES_)
       D.PRIV_NAME,                        -- Privilege name
       B.WITH_GRANT_OPTION                 -- If the value is 1, the privilege was granted WITH GRANT OPTION.
  FROM SYSTEM_.SYS_USERS_ A,
       SYSTEM_.SYS_GRANT_OBJECT_ B,
       SYSTEM_.SYS_USERS_ C,
       SYSTEM_.SYS_PRIVILEGES_ D
 WHERE A.USER_NAME <> 'SYSTEM_'
   AND B.GRANTEE_ID = A.USER_ID
   AND B.GRANTOR_ID = C.USER_ID
   AND B.PRIV_ID = D.PRIV_ID
   AND B.WITH_GRANT_OPTION = 1;

How to manage

Code Block: Re-granting the privilege without WITH GRANT OPTION after revoking it
-- Case: user6 holds SELECT and DELETE on the employees table WITH GRANT OPTION and can therefore grant them to other users.
REVOKE SELECT, DELETE ON employees FROM user6;
GRANT SELECT, DELETE ON employees TO user6;

Checking Environment Files

...

Altibase.properties file access authority setting

...

If altibase.properties, one of the critical Altibase files, is maliciously altered, it can lead to database failure.

How to check

Code Block: To check altibase.properties file permissions
$ ls -l $ALTIBASE_HOME/conf/altibase.properties

How to manage

Set the permissions of the altibase.properties file to 600 or 640.

Code Block: Example of file permission setting
$ ls -l $ALTIBASE_HOME/conf/altibase.properties
-rw-r--r-- 1 heejung.lee heejung.lee 27652 2014-09-26 12:52 /data/heejung.lee/63119/conf/altibase.properties

$ find $ALTIBASE_HOME -name altibase.properties -exec chmod 600 {} \;

$ ls -l $ALTIBASE_HOME/conf/altibase.properties
-rw------- 1 heejung.lee heejung.lee 27652 2014-09-26 12:52 /data/heejung.lee/63119/conf/altibase.properties

Log Anchor, Logfile, Datafile access privilege setting

Database failure may occur if the log anchor, logfile, and datafile files, which are essential to ALTIBASE HDB database operation, are modified with malicious intent.

How to check

Code Block: Check the permissions of the log anchor, logfile, and datafile files
$ ls -l $ALTIBASE_HOME/logs/loganchor*

How to manage

Set the permissions of the log anchor, logfile, and datafile files to 600 or 640.

Code Block: Example of permission setting
$ ls -l $ALTIBASE_HOME/logs/loganchor*
-rw-r----- 1 heejung.lee heejung.lee 14156 2014-09-26 12:53 /data/heejung.lee/63119/logs/loganchor0
-rw-r----- 1 heejung.lee heejung.lee 14156 2014-09-26 12:53 /data/heejung.lee/63119/logs/loganchor1
-rw-r----- 1 heejung.lee heejung.lee 14156 2014-09-26 12:53 /data/heejung.lee/63119/logs/loganchor2


$ find $ALTIBASE_HOME -name 'loganchor*' -exec chmod 600 {} \;

$ ls -l $ALTIBASE_HOME/logs/loganchor*
-rw------- 1 heejung.lee heejung.lee 14156 2014-09-26 12:53 /data/heejung.lee/63119/logs/loganchor0
-rw------- 1 heejung.lee heejung.lee 14156 2014-09-26 12:53 /data/heejung.lee/63119/logs/loganchor1
-rw------- 1 heejung.lee heejung.lee 14156 2014-09-26 12:53 /data/heejung.lee/63119/logs/loganchor2


Checking iSQL command shell history


...

When connecting to a database with iSQL, if the account and password are passed together on the command line, the password may be leaked because the command is recorded in the shell history file (.history or .sh_history).

How to check

Code Block: To check isql execution history in the shell history file
$ grep isql ~/.sh_history

How to manage

When connecting to iSQL, do not enter the user and password at the shell prompt.

Code Block: Connecting to iSQL without passing the password on the command line
$ isql -u sys -p manager -s 127.0.0.1 -port 31109          # Connecting this way exposes the username and password in the shell history.

# Instead, run only the isql command and enter the account and password at the prompts, as shown below.

$ isql
…
Write Server Name (default:127.0.0.1) :
Write UserID : sys
Write Password :
ISQL_CONNECTION = TCP, SERVER = 127.0.0.1, PORT_NO = 20300
iSQL>

Set the access permission of the shell history file (.history or .sh_history) to 600 to protect it.

Code Block
$ chmod 600 ~/.sh_history
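The following POSIX shell script is an added example, not part of the Altibase guide: it turns the checks of the two sections above (altibase.properties, log anchor, logfile and datafile permissions of 600 or 640, and isql passwords recorded in the shell history) into functions a DBA can run as one report. It assumes the default layout in which redo logfiles live under $ALTIBASE_HOME/logs and datafiles under $ALTIBASE_HOME/dbs; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Altibase guide). Assumed default layout:
# conf/altibase.properties, logs/loganchor*, logs/logfile*, dbs/* (datafiles).

# Succeeds (exit 0) when the file's group bits are at most r-- and the
# "other" bits are ---, i.e. mode 600, 640 or stricter. Reads the mode from
# ls output so it works on any POSIX system without GNU stat.
mode_ok() {
    perm=$(ls -ld "$1" | cut -c5-10)      # group+other bits, e.g. "r-----"
    case "$perm" in
        r-----|------) return 0 ;;
        *)             return 1 ;;
    esac
}

# Prints one path per line for every critical file under the given
# ALTIBASE_HOME whose permissions are looser than 600/640.
loose_altibase_files() {
    home=$1
    for f in "$home"/conf/altibase.properties \
             "$home"/logs/loganchor* "$home"/logs/logfile* "$home"/dbs/*; do
        [ -f "$f" ] || continue            # also skips unmatched glob patterns
        mode_ok "$f" || echo "$f"
    done
}

# Prints history lines that ran isql with "-p <password>" on the command
# line; the pattern requires a blank after -p so that "-port" does not match.
history_password_leaks() {
    grep -E 'isql[[:space:]].*[[:space:]]-p[[:space:]]' "$1" 2>/dev/null || true
}

# Stand-alone use: report against the installation named by ALTIBASE_HOME.
if [ -n "${ALTIBASE_HOME:-}" ]; then
    loose_altibase_files "$ALTIBASE_HOME"
    history_password_leaks "${HISTFILE:-$HOME/.sh_history}"
fi
```

Empty output from both functions means the files and the history are in the recommended state.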


DBMS Security Settings


...


Using Public Synonym

...

How to check

Code Block: To check public synonyms
SELECT OBJECT_OWNER_NAME, SYNONYM_NAME FROM SYSTEM_.SYS_SYNONYMS_ WHERE OBJECT_OWNER_NAME = 'SYSTEM_';

How to Manage

Public synonyms are created at database creation time for the convenience of DB users. Deleting them is not recommended, because they are used by common queries such as lookups on the dual table and are frequently used in procedures such as print and println.

However, if one must be dropped, use the DROP statement shown below.

Check that the PUBLIC SYNONYM is not used by the application before dropping it.

Code Block: To drop a PUBLIC SYNONYM
DROP PUBLIC SYNONYM synonym_name;


Account lockout policy settings (lockout time according to the number of login failures)


...

Applicable version

  • From ALTIBASE HDB 4.3.9.211
  • From ALTIBASE HDB 5.3.3.89
  • From ALTIBASE HDB 5.5.1.5.1
  • From ALTIBASE HDB 6.1.1.2.1
  • From ALTIBASE HDB 6.3.1

How to check

Code Block: Check whether each database user has the appropriate settings
-- FAILED_LOGIN_ATTEMPTS: when the number of failed logins exceeds this value, the user is locked out.
-- PASSWORD_LOCK_TIME: the lockout period in days.
-- A value of 0 means the limit is not set.
SELECT USER_NAME, FAILED_LOGIN_ATTEMPTS, PASSWORD_LOCK_TIME FROM SYSTEM_.SYS_USERS_;

How to manage

Code Block
-- After adding FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME properties in $ALTIBASE_HOME/conf/altibase.properties, restart ALTIBASE HDB server.
-- When a database user is created after setting this property, the password expiration date is set based on this value.
-- The following is how to check the property settings.

SELECT NAME, VALUE1 FROM V$PROPERTY WHERE NAME IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME');
Code Block: When creating a database user
CREATE USER user1 IDENTIFIED BY user1 LIMIT (FAILED_LOGIN_ATTEMPTS 3, PASSWORD_LOCK_TIME 3);

Code Block: When performing ALTER USER
ALTER USER USER1 LIMIT (FAILED_LOGIN_ATTEMPTS 3, PASSWORD_LOCK_TIME 3);

Password complexity settings


...

Applicable version

  • From ALTIBASE HDB 4.3.9.211
  • From ALTIBASE HDB 5.3.3.89
  • From ALTIBASE HDB 5.5.1.5.1
  • From ALTIBASE HDB 6.1.1.2.1
  • From ALTIBASE HDB 6.3.1

How to check

Code Block
SELECT USER_NAME, PASSWORD_VERIFY_FUNCTION FROM SYSTEM_.SYS_USERS_;         -- The PASSWORD_VERIFY_FUNCTION column means password complexity setting,
                                                                            -- If it is NULL, it means it is not set.

How to manage

To set the database user password complexity, create a callback function and use the PASSWORD_VERIFY_FUNCTION option in the LIMIT clause when executing CREATE USER or ALTER USER.

Code Block
CREATE USER username IDENTIFIED BY password LIMIT (PASSWORD_VERIFY_FUNCTION user_callback_function); -- The PASSWORD_VERIFY_FUNCTION option in the LIMIT clause sets the password complexity check

-- Example
CREATE USER user1 IDENTIFIED BY "user1" LIMIT (PASSWORD_VERIFY_FUNCTION pwd_verify_function);

Code Block
ALTER USER username LIMIT (PASSWORD_VERIFY_FUNCTION user_callback_function);

-- Example
ALTER USER user1 LIMIT (PASSWORD_VERIFY_FUNCTION pwd_verify_function);
Code Block: To create the callback function
CREATE OR REPLACE FUNCTION pwd_verify_function
( username varchar(20),
  password varchar(20))
RETURN varchar(100)
AS
result        varchar(100);
pwdLength     integer;
isDigit       boolean;
isChar        boolean;
isPunction    boolean;
digitArray    varchar(20);
punctionArray varchar(25);
charArray     varchar(52);

BEGIN
    digitArray    := '0123456789';
    charArray     := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    punctionArray := '!"#$%&()``*+,-/:;<=>?_';

    -- Reject a password that is the same as the username
    IF LOWER(password) = LOWER(username) THEN
        result := 'Password same as or similar to user';
        RETURN result;
    END IF;

    -- Enforce the minimum password length
    IF LENGTH(password) < 4 THEN
        result := 'Password length less than 4';
        RETURN result;
    END IF;

    -- Reject well-known trivial passwords
    IF LOWER(password) IN ('welcome', 'database', 'account', 'user', 'password', 'altibase', 'computer', 'abcd') THEN
        result := 'Password too simple';
        RETURN result;
    END IF;

    -- The password must contain at least one digit, one letter and one
    -- punctuation mark.
    -- 1. Check for a digit (jump to the letter check as soon as one is found)
    isDigit := FALSE;
    pwdLength := LENGTH(password);
    FOR i IN 1 .. 10 LOOP
        FOR j IN 1 .. pwdLength LOOP
            IF SUBSTR(password, j, 1) = SUBSTR(digitArray, i, 1) THEN
                isDigit := TRUE;
                GOTO findchar;
            END IF;
        END LOOP;
    END LOOP;
    IF isDigit = FALSE THEN
        result := 'Password should contain at least one digit, one character and one punctuation';
        RETURN result;
    END IF;

    -- 2. Check for a letter
    <<findchar>>
    isChar := FALSE;
    FOR i IN 1 .. LENGTH(charArray) LOOP
        FOR j IN 1 .. pwdLength LOOP
            IF SUBSTR(password, j, 1) = SUBSTR(charArray, i, 1) THEN
                isChar := TRUE;
                --GOTO findpunct;
            END IF;
        END LOOP;
    END LOOP;
    IF isChar = FALSE THEN
        result := 'Password should contain at least one digit, one character and one punctuation';
        RETURN result;
    END IF;

    -- 3. Check for a punctuation mark (jump to the end as soon as one is found)
    <<findpunct>>
    isPunction := FALSE;
    FOR i IN 1 .. LENGTH(punctionArray) LOOP
        FOR j IN 1 .. pwdLength LOOP
            IF SUBSTR(password, j, 1) = SUBSTR(punctionArray, i, 1) THEN
                isPunction := TRUE;
                GOTO endsearch;
            END IF;
        END LOOP;
    END LOOP;
    IF isPunction = FALSE THEN
        result := 'Password should contain at least one digit, one character and one punctuation';
        RETURN result;
    END IF;

    <<endsearch>>

    -- All checks passed
    result := 'TRUE';
    RETURN result;
END;
/


Periodic change of password

...

Applicable version

  • From ALTIBASE HDB 4.3.9.211
  • From ALTIBASE HDB 5.3.3.89
  • From ALTIBASE HDB 5.5.1.5.1
  • From ALTIBASE HDB 6.1.1.2.1
  • From ALTIBASE HDB 6.3.1

How to check

Code Block: Check whether PASSWORD_LIFE_TIME is set for each user
select user_name, PASSWORD_LIFE_TIME from system_.sys_users_;          -- The value of PASSWORD_LIFE_TIME is in days; 0 means it is not set.

Check the PASSWORD_LIFE_TIME property with the command below. If the value is 0, the password expiration period is not set.

After adding the PASSWORD_LIFE_TIME property in $ALTIBASE_HOME/conf/altibase.properties, restart the ALTIBASE HDB server.
When a database user is created after setting this property, the password expiration date is set based on this value.

Code Block: Checking the PASSWORD_LIFE_TIME property
select name, value1 from v$property where name = 'PASSWORD_LIFE_TIME';

Code Block: When creating a database user
CREATE USER user1 IDENTIFIED BY user1 LIMIT (PASSWORD_LIFE_TIME 5);     -- Setting the password expiration period using the LIMIT clause

Code Block: When performing ALTER USER
ALTER USER USER1 LIMIT (PASSWORD_LIFE_TIME 7);

Changing the default ALTIBASE HDB service port

...

The default service port of the ALTIBASE HDB server is 20300.

How to check

Code Block: To check the service port
select name, value1 from v$property where name = 'PORT_NO';

How to manage

After changing the value of PORT_NO in $ALTIBASE_HOME/conf/altibase.properties, restart the Altibase server process.


Session IDLE_TIMEOUT settings

...

IDLE_TIMEOUT can be set per session: a session takes the ALTIBASE HDB server property value when it connects, but the value can then be changed within the session.

How to check

Code Block: Check the ALTIBASE HDB server setting
select name, value1 from v$property where name = 'IDLE_TIMEOUT';

Code Block: Settings applied per session
select DB_USERNAME, IDLE_TIME_LIMIT, COMM_NAME, CLIENT_APP_INFO, CLIENT_PID from v$session;

How to manage

Code Block: To change the property
ALTER SESSION SET IDLE_TIMEOUT = 60;   -- When changing session units. The unit is seconds.
ALTER SYSTEM SET IDLE_TIMEOUT = 60;    -- When applied to all sessions. Applied from the newly connected session.
  • To reflect the changed value even when the Altibase server process is restarted, the value of the IDLE_TIMEOUT property must be changed in $ALTIBASE_HOME/conf/altibase.properties.

Basic auditing (user statements, privileges, objects, etc.)

...

The auditing function is provided starting from ALTIBASE HDB version 6.3.1.

How to check

Code Block: How to check whether audit options are set
SELECT * FROM SYSTEM_.SYS_AUDIT_OPTS_;

--Example
iSQL> SELECT * FROM SYSTEM_.SYS_AUDIT_OPTS_;
USER_NAME             OBJECT_NAME           OBJECT_TYPE           SELECT_OP  INSERT_OP  UPDATE_OP  DELETE_OP  MOVE_OP  MERGE_OP  ENQUEUE_OP  DEQUEUE_OP  LOCK_TABLE_OP  EXECUTE_OP  COMMIT_OP  ROLLBACK_OP  SAVEPOINT_OP  CONNECT_OP  DISCONNECT_OP  ALTER_SESSION_OP  ALTER_SYSTEM_OP  DDL_OP
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ALTITEST              AUD1                  TABLE                 -/-  A/A  -/-  -/-  -/-  -/-  -/-  -/-  -/-  -/-  -/-  -/-  -/-  -/-  -/-  -/-  -/-  -/-
1 row selected.
Code Block: How to check whether auditing is enabled
SELECT * FROM SYSTEM_.SYS_AUDIT_;

--Example
iSQL> select * from system_.sys_audit_;                      -- If the value of IS_STARTED is 1, it means that the auditing function is activated.
IS_STARTED  START_TIME  STOP_TIME    RELOAD_TIME
--------------------------------------------------------
1           23-JUN-2014               23-JUN-2014
1 row selected.
  • For a description of each field, refer to the '3. Data Dictionary' section of the General Reference manual.

How to manage

If auditing is not set, configure it by referring to the '14. Database Auditing' and '5. Data Control' sections of the manual.

Manual download page: http://support.altibase.com/en/manual

Restriction of remote access to DB server

...

This feature is available starting from ALTIBASE HDB 5.

How to check and manage

Check the ACCESS_LIST property in $ALTIBASE_HOME/conf/altibase.properties.

If it is not set, change the setting in the altibase.properties file and restart the server.

Setting SYSDBA login restrictions

ALTIBASE HDB has no login restriction for SYSDBA itself; only remote SYSDBA access can be controlled.
This feature is available starting from ALTIBASE HDB version 5.

How to check

Code Block
SELECT NAME, VALUE1 FROM V$PROPERTY WHERE NAME ='REMOTE_SYSDBA_ENABLE'; --value1 = 1: remote access of sysdba is possible, value1 = 0: remote access of sysdba is not possible

How to manage

Code Block: How to manage
ALTER SYSTEM SET REMOTE_SYSDBA_ENABLE = 0;
  • To reflect the changed value even when the Altibase server process is restarted, the value of the REMOTE_SYSDBA_ENABLE property must be changed in $ALTIBASE_HOME/conf/altibase.properties.

Security Patch

...

Applying the latest patch

...

The latest version of ALTIBASE HDB can be found on the Customer Support Service Portal.

However, since patch packages are uploaded irregularly except for the following cases, please contact us for the latest patch version by requesting service at +82-2-2082-1114 or the Customer Support Service Portal.

  • When a major version is released
  • When critical bugs are reflected