Overview
This document explains how to check each DB vulnerability diagnosis item.
This document is and diagnosis items were prepared based on customer inquiries.
Account Manager
List of accounts (User account management to block unauthorized access)
How to check
How to check database users
How to manage
If there is an unnecessary account in the database user output result, check the DBA or application manager and remove it.
Using weak password (change default account and password)
How to check
The default password for the user created when ALTIBASE HDB is installed is as follows.
USER | PASSWORD |
|---|---|
SYS | MANAGER |
ALTITEST | ALTITEST |
Connect to the database and check whether to use the default password.
How to manage
If access is possible with the default password, change the password of the user after checking the association with the application.
Example of changing password
Using WITH GRANT OPTION
With WITH GRANT OPTION, the user who has been granted object access rights can grant the appropriate rights to other users, so object access rights can be abused without DBA management.
How to manage
Granting permission without WITH GRANT OPTION after removing WITH GRANT OPTION
Checking Environment Files
Altibase.properties file access authority setting
Maliciously altered altibase.properties file, one of the Altibase critical files, can lead to database failure.
How to check
To check altibase.properties file permissions
How to manage
Set the altibase.properties file privilege setting to 600 or 640.
Example of file privilege setting
Log Anchor, Logfile, Datafile access privilege setting
Database failure may occur if the log anchor, logfile, and datafile files, which are important files for ALTIBASE HDB database operation, are modified with malicious intent.
How to check
Check the privileges of Log Anchor, Logfile, and Datafile files
How to manage
Log Anchor, Logfile, Datafile file privileges setting is set to 600 or 640.
Example of privilege setting
Checking iSQL command shell history
When connecting to a database using iSQL, if an account and password are entered together, the password may be leaked because the record is recorded in the shell history (.history or .sh_history) file.
How to check
To check isql execution history in shell history file
How to manage
When connecting to iSQL, do not enter the user and password at the shell prompt.
To check isql execution history in shell history file
Set access privilege to 600 to protect the shell history (.history or .sh_history) file.
DBMS Security Settings
Using Public Synonym
How to check
To check public Synonym
How to Manage
PUBLIC SYNONYM is created when a database is created to provide convenience to DB users, and it is not recommended to delete it because it uses general queries such as dual table lookup, or it is frequently used in procedures such as print and println.
However, if it inevitably needs to be dropped, the user can use the DROP statement as shown below.
Please drop it after checking whether PUBLIC SYNONYM is used in the application.
To drop PUBLIC SYNONYM
Account lockout policy settings such as lockout time according to the number of login failure
Applicable version
- From ALTIBASE HDB 4.3.9.211
- From ALTIBASE HDB 5.3.3.89
- From ALTIBASE HDB 5.5.1.5.1
- From ALTIBASE HDB 6.1.1.2.1
- From ALTIBASE HDB 6.3.1
How to check
Check if the database user has the appropriate settings
How to manage
When creating a database user
When performing ALTER USER
패스워드 복잡도 설정
Applicable version
- From ALTIBASE HDB 4.3.9.211
- From ALTIBASE HDB 5.3.3.89
- From ALTIBASE HDB 5.5.1.5.1
- From ALTIBASE HDB 6.1.1.2.1
- ALTiBASE HDB 6.3.1
How to check
How to manage
To set the database user password complexity, create a callback function and use the PASSWORD_VERIFY_FUNCTION option in the LIMIT clause when executing CREATE USER or ALTER USER.