加固Oracle安全,為監聽設定口令

liglewang發表於2011-11-05
Oracle

   近日安全部門在對系統進行安全掃描檢查時,報出有幾套庫的監聽LISTENER的口令沒有設定的警告資訊,大部分系統的監聽口令都是被設定的,僅有少量的幾套9I10G的監聽沒有配置口令,既然要做這項工作,就先做個測試,也與大家分享下。

   10G版本上的測試:

[oracle@ligle-db admin]$ lsnrctl
LSNRCTL for Linux: Version 10.2.0.4.0 - Production on 12-APR-2011 12:49:20
Copyright (c) 1991, 2007, Oracle.  All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener LIGLEWANG_LSNR      - - >設定為當前監聽
Current Listener is LIGLEWANG_LSNR
LSNRCTL> change_password                - - >改變密碼
Old password:
New password:
Reenter new password:
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ligle-db)(PORT=8000)))
Password changed for LIGLEWANG_LSNR
The command completed successfully
LSNRCTL> save_config                    - - >儲存配置
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ligle-db)(PORT=8000)))
Saved LIGLEWANG_LSNR configuration parameters.
Listener Parameter File   /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Old Parameter File   /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.bak
The command completed successfully
LSNRCTL> status                      - - >查詢監聽狀態
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ligle-db)(PORT=8000)))
STATUS of the LISTENER
------------------------
Alias                     LIGLEWANG_LSNR
Version                   TNSLSNR for Linux: Version 10.2.0.4.0 – Production
Start Date                12-APR-2011 12:46:46
Uptime                    0 days 0 hr. 3 min. 44 sec
Trace Level               off
Security                  ON: Password or Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File        
u01/app/oracle/product/10.2.0/db_1/network/log/liglewang_lsnr.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ligle-db)(PORT=8000)))
The listener supports no services
The command completed successfully

status命令的輸出中,可以看到有這樣一行:

Security                  ON: Password or Local OS Authentication

該行表示使用本地作業系統認證,這種認證方式在我們對監聽進行維護時是不需要輸入口令的,這也是跟9i的一個小差別。當然也不是任何登入到OS中的使用者都可以對LISTENER進行維護的,比如系統中存在ligle這樣的一個使用者:

[ligle@ligle-db ~]$ id                      - - >當前OS使用者為ligle
uid=503(ligle) gid=501(oinstall) groups=501(oinstall),502(dba)
[ligle@ligle-db ~]$ lsnrctl
LSNRCTL for Linux: Version 10.2.0.4.0 - Production on 12-APR-2011 13:16:17
Copyright (c) 1991, 2007, Oracle.  All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> set current_listener LIGLEWANG_LSNR      - - >設定為當前監聽
Current Listener is LIGLEWANG_LSNR
LSNRCTL> status                      - - >檢視監聽狀態(此操作沒問題)
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ligle-db)(PORT=8000)))
STATUS of the LISTENER
------------------------
Alias                     LIGLEWANG_LSNR
Version                   TNSLSNR for Linux: Version 10.2.0.4.0 – Production
Start Date                12-APR-2011 12:46:46
Uptime                    0 days 0 hr. 29 min. 44 sec
Trace Level               off
Security                  ON: Password or Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File        
u01/app/oracle/product/10.2.0/db_1/network/log/liglewang_lsnr.log
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=ligle-db)(PORT=8000)))
The listener supports no services
The command completed successfully
LSNRCTL> stop                               - - >停止監聽(報錯)
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ligle-db)(PORT=8000)))
TNS-01190: The user is not authorized to execute the requested listener command
LSNRCTL> set password                       - - >輸入密碼
Password:
The command completed successfully
LSNRCTL> stop                               - - >停止監聽(正常)
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ligle-db)(PORT=8000)))
The command completed successfully

可以看到OS使用者ligle在對stop監聽的時候,報TNS-01190錯誤,這是因為該使用者沒有輸入監聽口令所致;在透過set password設定口令之後,方可對監聽執行維護操作。

Bset Regards

2011.11.05

--The End—

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/25834554/viewspace-710259/,如需轉載,請註明出處,否則將追究法律責任。

相關文章