当生产环境oracle密码快过期时,如果修改密码的话应用程序也得对应停服务去修改密码,连接数据库的工具的密码全部得做一次更新,这时候就可以用以下的安全加固方法了。
--1、查询非被锁状态下的用户、过期时间、profile、密码
select username, profile,account_status,EXPIRY_DATE,password from dba_users where account_status not like '%LOCK%';
select name,password from sys.user$ where name in (select username from dba_users where account_status='OPEN');
select * from dba_profiles where RESOURCE_NAME in ('PASSWORD_REUSE_TIME','PASSWORD_REUSE_MAX');
--2、回退安全加固
alter profile default limit PASSWORD_REUSE_MAX unlimited;
alter profile default limit PASSWORD_REUSE_TIME unlimited;
alter profile MONITORING_PROFILE limit PASSWORD_REUSE_MAX unlimited;
alter profile MONITORING_PROFILE limit PASSWORD_REUSE_TIME unlimited;
--3、刷新密码(执行以下sql)
select 'alter user ' name ' identified by values ''' password ''';' from sys.user$ where name in ( select username from dba_users where account_status not like '%LOCK%');
--4、安全加固
alter profile default limit PASSWORD_REUSE_MAX 5;
alter profile default limit PASSWORD_REUSE_TIME 1800;
alter profile MONITORING_PROFILE limit PASSWORD_REUSE_MAX 5;
alter profile MONITORING_PROFILE limit PASSWORD_REUSE_TIME 1800;
--5、检查用户过期日期及安全加固机制
select username, profile,account_status,EXPIRY_DATE,password from dba_users where account_status not like '%LOCK%';
select from dba_profiles where profile='DEFAULT';