
Overview


This document explains how to check each item of a DB vulnerability diagnosis and how to manage it.

This document and its diagnosis items were prepared based on customer inquiries.

 

Account Management


 

List of accounts (User account management to block unauthorized access)


How to check

How to check database users

 

How to manage

If an unnecessary account appears in the database user output, confirm it with the DBA or application manager and remove it.
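An added example (not part of the original page) of how the account inventory can be taken from the SYSTEM_.SYS_USERS_ meta table and how a confirmed-unnecessary account is removed. The meta-table and column names are the ones I know from the Altibase General Reference; verify them against the manual for your version. The account name REPORT_OLD is a constructed placeholder.

```sql
-- Added example: list every account in the database.
-- SYSTEM_, SYS and PUBLIC are built in and expected; any other USER_NAME must
-- map to a known owner (an application, a DBA or a named person).
SELECT USER_ID,
       USER_NAME,
       ACCOUNT_LOCK,
       CREATED
  FROM SYSTEM_.SYS_USERS_
 ORDER BY USER_ID;

-- Before dropping an account, see what it owns: tables and views in
-- SYSTEM_.SYS_TABLES_ carry the owner's USER_ID.
SELECT T.TABLE_NAME, T.TABLE_TYPE
  FROM SYSTEM_.SYS_TABLES_ T
  JOIN SYSTEM_.SYS_USERS_  U ON U.USER_ID = T.USER_ID
 WHERE U.USER_NAME = 'REPORT_OLD';          -- constructed account name

-- Remove the account once the DBA or application manager has confirmed it is
-- unused. DROP USER fails while the account still owns objects, so move or
-- drop those first (your version may also accept DROP USER ... CASCADE;
-- check the manual before relying on it).
DROP USER REPORT_OLD;
```

Run the first query at every audit and keep the output; comparing it with the previous run turns the check into a detection of accounts that appeared without a change record.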


Using weak password (change default account and password)


How to check

The default passwords for the users created when ALTIBASE HDB is installed are as follows.

USER       PASSWORD
SYS        MANAGER
ALTITEST   ALTITEST

Connect to the database and check whether the default password is still in use.

How to manage

If access is possible with the default password, change the user's password after checking which applications depend on that account.

Example of changing password

To learn how to change the SYS user password, refer to the "How to change the SYS user password" page.


Using WITH GRANT OPTION


With WITH GRANT OPTION, a user who has been granted object access rights can in turn grant those rights to other users, so object access rights can spread without the DBA's knowledge or control.

How to manage

Revoke the privilege that was granted WITH GRANT OPTION, then grant it again without WITH GRANT OPTION.
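An added example (not part of the original page) that finds object privileges granted WITH GRANT OPTION, finds privileges that were re-granted by someone other than the object owner, and re-issues a privilege without the option. The meta tables SYSTEM_.SYS_GRANT_OBJECT_, SYS_PRIVILEGES_, SYS_USERS_ and SYS_TABLES_ are from the Altibase General Reference as I recall them; the OBJ_TYPE and WITH_GRANT_OPTION values are my assumptions and should be checked against your version. APP_OWNER, ORDERS and APP_READER are constructed names.

```sql
-- Added example: every table/view privilege that carries WITH GRANT OPTION.
SELECT GR.USER_NAME AS GRANTOR,
       GE.USER_NAME AS GRANTEE,
       P.PRIV_NAME,
       OW.USER_NAME AS OBJECT_OWNER,
       T.TABLE_NAME AS OBJECT_NAME
  FROM SYSTEM_.SYS_GRANT_OBJECT_ G
  JOIN SYSTEM_.SYS_USERS_      GR ON GR.USER_ID = G.GRANTOR_ID
  JOIN SYSTEM_.SYS_USERS_      GE ON GE.USER_ID = G.GRANTEE_ID
  JOIN SYSTEM_.SYS_PRIVILEGES_ P  ON P.PRIV_ID  = G.PRIV_ID
  JOIN SYSTEM_.SYS_USERS_      OW ON OW.USER_ID = G.USER_ID   -- object owner
  JOIN SYSTEM_.SYS_TABLES_     T  ON T.TABLE_ID = G.OBJ_ID
 WHERE G.WITH_GRANT_OPTION = 1     -- assumption: 1 = granted WITH GRANT OPTION
   AND G.OBJ_TYPE = 0              -- assumption: 0 = table/view
 ORDER BY 1, 2, 3;

-- Evidence that a grant option has already been used: a privilege whose
-- grantor is neither the object owner nor SYS. These grantees received access
-- without a DBA decision and need the same review.
SELECT GR.USER_NAME AS GRANTOR,
       GE.USER_NAME AS GRANTEE,
       P.PRIV_NAME,
       T.TABLE_NAME AS OBJECT_NAME
  FROM SYSTEM_.SYS_GRANT_OBJECT_ G
  JOIN SYSTEM_.SYS_USERS_      GR ON GR.USER_ID = G.GRANTOR_ID
  JOIN SYSTEM_.SYS_USERS_      GE ON GE.USER_ID = G.GRANTEE_ID
  JOIN SYSTEM_.SYS_PRIVILEGES_ P  ON P.PRIV_ID  = G.PRIV_ID
  JOIN SYSTEM_.SYS_TABLES_     T  ON T.TABLE_ID = G.OBJ_ID
 WHERE G.GRANTOR_ID <> G.USER_ID
   AND GR.USER_NAME <> 'SYS'
   AND G.OBJ_TYPE = 0;

-- Fix for one row from the first query (constructed names): take the
-- privilege away and give it back without the option.
REVOKE SELECT ON APP_OWNER.ORDERS FROM APP_READER;
GRANT  SELECT ON APP_OWNER.ORDERS TO   APP_READER;   -- no WITH GRANT OPTION
```

Run the first query again after the fix; it should return no rows for the object you changed. Run the second query as well, because revoking from the original grantee does not necessarily tell you what that grantee had passed on.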

Checking Environment Files


altibase.properties file access permission setting


The altibase.properties file is one of ALTIBASE's critical files; if it is maliciously altered, it can cause a database failure.

How to check

To check the altibase.properties file permissions

How to manage

Set the altibase.properties file permissions to 600 or 640.

Example of file permission setting

Log Anchor, Logfile, Datafile access permission setting

A database failure may occur if the log anchor, logfile, and datafile files, which are essential to ALTIBASE HDB database operation, are modified with malicious intent.

How to check

Check the permissions of the Log Anchor, Logfile, and Datafile files

How to manage

Set the Log Anchor, Logfile, and Datafile file permissions to 600 or 640.

Example of permission setting

 

Checking iSQL command shell history

 


When connecting to a database using iSQL, if the account and password are entered together on the shell command line, the password may be leaked because the command is recorded in the shell history (.history or .sh_history) file.

How to check

To check the isql execution history in the shell history file

How to manage

When connecting with iSQL, do not enter the user and password at the shell prompt.

To check the isql execution history in the shell history file

Set the access permission of the shell history (.history or .sh_history) file to 600 to protect it.


DBMS Security Settings

 



Using Public Synonym

 


How to check

To check PUBLIC SYNONYMs

How to Manage

PUBLIC SYNONYMs are created when a database is created, for the convenience of DB users. Deleting them is not recommended, because they are used by common queries such as looking up the DUAL table and by frequently used procedures such as PRINT and PRINTLN.

However, if one inevitably needs to be dropped, the user can use the DROP statement as shown below.

Drop it only after checking whether the PUBLIC SYNONYM is used by the application.

To drop a PUBLIC SYNONYM
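An added example (not part of the original page) of listing public synonyms and dropping one. It reads SYSTEM_.SYS_SYNONYMS_, which I recall from the Altibase General Reference; that a public synonym is the row whose SYNONYM_OWNER_ID is NULL is my assumption and should be confirmed against the manual for your version. REPORT_VIEW, APP_OWNER.REPORT_V and APP_READER are constructed names.

```sql
-- Added example: list the public synonyms and what they resolve to.
-- Assumption: SYNONYM_OWNER_ID IS NULL marks a PUBLIC synonym.
SELECT SYNONYM_NAME, OBJECT_OWNER_NAME, OBJECT_NAME, CREATED
  FROM SYSTEM_.SYS_SYNONYMS_
 WHERE SYNONYM_OWNER_ID IS NULL
 ORDER BY SYNONYM_NAME;

-- Drop a public synonym only after the application team confirms that no
-- query or procedure refers to it by the unqualified name.
DROP PUBLIC SYNONYM REPORT_VIEW;                      -- constructed name

-- If one schema legitimately needs the short name, give it a private synonym
-- instead; private synonyms resolve only for their owner, so the exposure the
-- audit item is about does not come back.
CREATE SYNONYM APP_READER.REPORT_VIEW FOR APP_OWNER.REPORT_V;
```

The synonyms that exist immediately after installation (those with the earliest CREATED values) are the ones the page says to leave alone; a public synonym created later, pointing at an application object, is the kind worth questioning.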


Account lockout policy settings, such as the lockout time according to the number of login failures

 


Applicable version

  • From ALTIBASE HDB 4.3.9.211
  • From ALTIBASE HDB 5.3.3.89
  • From ALTIBASE HDB 5.5.1.5.1
  • From ALTIBASE HDB 6.1.1.2.1
  • From ALTIBASE HDB 6.3.1

How to check

Check whether each database user has the appropriate lockout settings

How to manage

When creating a database user
When performing ALTER USER
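An added example (not part of the original page) of setting a lockout policy with the LIMIT clause at CREATE USER and ALTER USER time, checking what is set, and unlocking an account. The LIMIT clause keywords FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME and the ACCOUNT UNLOCK form are from the Altibase manual as I recall them; that PASSWORD_LOCK_TIME is expressed in days and that the matching columns exist in SYSTEM_.SYS_USERS_ are my assumptions to verify against your version. APP_READER and APP_WRITER are constructed names.

```sql
-- Added example: lock the account after 5 consecutive failed logins and keep
-- it locked for 1 day (assumption: PASSWORD_LOCK_TIME is in days).
CREATE USER APP_READER IDENTIFIED BY Rd9xk2m7Qp
  LIMIT (FAILED_LOGIN_ATTEMPTS 5, PASSWORD_LOCK_TIME 1);

-- Apply the same policy to an account that already exists.
ALTER USER APP_WRITER
  LIMIT (FAILED_LOGIN_ATTEMPTS 5, PASSWORD_LOCK_TIME 1);

-- Check: which accounts still have no lockout policy?
-- Assumption: the LIMIT values are stored in these SYS_USERS_ columns and an
-- unset policy shows as NULL.
SELECT USER_NAME,
       FAILED_LOGIN_ATTEMPTS,
       PASSWORD_LOCK_TIME,
       ACCOUNT_LOCK,
       ACCOUNT_LOCK_DATE
  FROM SYSTEM_.SYS_USERS_
 WHERE USER_NAME NOT IN ('SYSTEM_', 'PUBLIC')
   AND (FAILED_LOGIN_ATTEMPTS IS NULL OR PASSWORD_LOCK_TIME IS NULL)
 ORDER BY USER_NAME;

-- A lockout is also a signal: an application account that shows up locked
-- means someone or something has been guessing its password. Unlock it only
-- after that has been looked into.
ALTER USER APP_WRITER ACCOUNT UNLOCK;
```

Pick the attempt count with the application in mind: a service that retries a stale password from several hosts can lock itself out, so the ACCOUNT_LOCK_DATE column is worth correlating with deployment times before treating a lock as an attack.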

Password complexity setting

 


Applicable version

  • From ALTIBASE HDB 4.3.9.211
  • From ALTIBASE HDB 5.3.3.89
  • From ALTIBASE HDB 5.5.1.5.1
  • From ALTIBASE HDB 6.1.1.2.1
  • From ALTIBASE HDB 6.3.1

How to check

How to manage

To enforce database user password complexity, create a callback function and reference it with the PASSWORD_VERIFY_FUNCTION option in the LIMIT clause of CREATE USER or ALTER USER.
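An added example (not part of the original page) of a complexity callback and the LIMIT clause that binds it to a user. The callback signature used here (user name, new password, old password as VARCHAR; INTEGER return; rejection by RAISE_APPLICATION_ERROR in the user-defined 990000 range) is my assumption of what Altibase's PASSWORD_VERIFY_FUNCTION expects, as is quoting the function name in the LIMIT clause; confirm both against the manual for your version before relying on them. APP_READER is a constructed name.

```sql
-- Added example: reject passwords that are short, contain the user name,
-- repeat the previous password, or lack an upper-case letter, a lower-case
-- letter and a digit.
CREATE OR REPLACE FUNCTION VERIFY_PASSWORD(
    USERNAME     VARCHAR(40),
    PASSWORD     VARCHAR(40),
    OLD_PASSWORD VARCHAR(40))
RETURN INTEGER
AS
    V_HAS_UPPER INTEGER := 0;
    V_HAS_LOWER INTEGER := 0;
    V_HAS_DIGIT INTEGER := 0;
    V_CH        VARCHAR(1);
BEGIN
    IF PASSWORD IS NULL OR LENGTH(PASSWORD) < 8 THEN
        RAISE_APPLICATION_ERROR(990001, 'Password must be at least 8 characters');
    END IF;

    -- Case-insensitive: a password containing the account name is guessable.
    IF INSTR(UPPER(PASSWORD), UPPER(USERNAME)) > 0 THEN
        RAISE_APPLICATION_ERROR(990002, 'Password must not contain the user name');
    END IF;

    IF OLD_PASSWORD IS NOT NULL AND PASSWORD = OLD_PASSWORD THEN
        RAISE_APPLICATION_ERROR(990003, 'New password must differ from the old one');
    END IF;

    -- One pass over the characters; string comparison here is byte-wise.
    FOR I IN 1 .. LENGTH(PASSWORD) LOOP
        V_CH := SUBSTR(PASSWORD, I, 1);
        IF    V_CH BETWEEN 'A' AND 'Z' THEN V_HAS_UPPER := 1;
        ELSIF V_CH BETWEEN 'a' AND 'z' THEN V_HAS_LOWER := 1;
        ELSIF V_CH BETWEEN '0' AND '9' THEN V_HAS_DIGIT := 1;
        END IF;
    END LOOP;

    IF V_HAS_UPPER + V_HAS_LOWER + V_HAS_DIGIT < 3 THEN
        RAISE_APPLICATION_ERROR(990004, 'Password needs upper-case, lower-case and digit characters');
    END IF;

    RETURN 1;   -- assumption: returning without an error accepts the password
END;
/

-- Bind the callback to an account (assumption: the function name is quoted).
ALTER USER APP_READER LIMIT (PASSWORD_VERIFY_FUNCTION 'VERIFY_PASSWORD');

-- From now on, a password change that fails the rules is rejected with the
-- message raised above, for example:
ALTER USER APP_READER IDENTIFIED BY appreader1;   -- rejected: contains the user name
ALTER USER APP_READER IDENTIFIED BY Qm7rT2vk9;    -- accepted
```

Keep the callback under SYS ownership and do not grant other users the right to replace it; a complexity check that an ordinary account can redefine enforces nothing.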

 


