
 

Overview


This document presents a database security checklist for ALTIBASE HDB.

 

Account Manager


 

List of accounts (User account management to block unauthorized access)


How to check

How to check database users

 

How to manage

If the database user list contains an unnecessary account, confirm with the DBA or application manager and remove it.


Using weak password (change default account and password)


How to check

The default passwords for the users created when ALTIBASE HDB is installed are as follows.

| USER | PASSWORD |
|---|---|
| SYS | MANAGER |
| ALTITEST | ALTITEST |

Connect to the database and check whether the default password is still in use.

How to manage

If access is possible with the default password, change the user's password after checking how the account is used by the application.

Example of changing password

To learn how to change the SYS user password, refer to the "How to change the sys user password" page.

Privileges Management


 

DBA Privilege Management (System Privilege Restriction)


Check the privileges of the database user and delete any unnecessary system privileges.

ROLE is supported from ALTIBASE HDB 6.5.1.

How to check

Checking the system privileges the user has
SYSTEM privilege of ALTIBASE HDB

How to manage

Remove SYSTEM privilege

 

Using WITH GRANT OPTION


When a privilege is granted WITH GRANT OPTION, the user who received the object access privilege can grant that privilege to other users, so object access privileges can be abused outside the DBA's control.

How to manage

Revoking the privilege granted WITH GRANT OPTION, then granting it again without WITH GRANT OPTION

Checking Environment Files


il, is, server file permission setting


These files contain a password.

How to check

To check file permissions

How to manage

Set the file permissions to 700.

Example of file permission setting

 

 

Altibase.properties file permission setting


A maliciously altered altibase.properties file, one of the critical Altibase files, can lead to database failure.

How to check

To check altibase.properties file permissions

How to manage

Set the altibase.properties file permission to 600 or 640.

Example of file permission setting

Log Anchor, Logfile, Datafile access privilege setting

Database failure may occur if the log anchor, logfile and datafile files, which are important files for ALTIBASE HDB database operation, are modified with malicious intent.

How to check

Check the permissions of Log Anchor, Logfile and Datafile files

How to manage

Set the logs and dbs directory permissions to 700 or 750.

Set the Log Anchor, Logfile and Datafile file permissions to 600 or 640.

Example of privilege setting
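The script below is an added example, not taken from the original page, that audits the modes recommended in the three file-permission sections above (700 for il, is and server; 600 or 640 for altibase.properties; 700 or 750 for logs and dbs; 600 or 640 for the files inside them). The directory layout, the function names and the sample file names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. Assumed layout: il, is and server
# in HOME/bin, altibase.properties in HOME/conf, logs/ and dbs/ under HOME.

# mode_of PATH: octal permission bits (GNU stat, then BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_mode PATH ALLOWED...: print OK/FAIL/SKIP; return 1 only on a bad mode.
check_mode() {
    cm_path=$1; shift
    [ -e "$cm_path" ] || { echo "SKIP $cm_path (not found)"; return 0; }
    cm_mode=$(mode_of "$cm_path")
    for cm_ok in "$@"; do
        if [ "$cm_mode" = "$cm_ok" ]; then echo "OK   $cm_mode $cm_path"; return 0; fi
    done
    echo "FAIL $cm_mode $cm_path (expected: $*)"; return 1
}

# audit_altibase_files HOME: run every check; return 1 if any path failed.
audit_altibase_files() {
    au_home=$1; au_rc=0
    for au_f in il is server; do
        check_mode "$au_home/bin/$au_f" 700 || au_rc=1
    done
    check_mode "$au_home/conf/altibase.properties" 600 640 || au_rc=1
    for au_d in logs dbs; do
        check_mode "$au_home/$au_d" 700 750 || au_rc=1
        for au_f in "$au_home/$au_d"/*; do
            [ -f "$au_f" ] || continue   # log anchor, logfiles, datafiles
            check_mode "$au_f" 600 640 || au_rc=1
        done
    done
    return $au_rc
}

# make_sample_home: constructed tree; bin/is and the datafile are too open.
make_sample_home() {
    sh_dir=$(mktemp -d)
    mkdir -p "$sh_dir/bin" "$sh_dir/conf" "$sh_dir/logs" "$sh_dir/dbs"
    touch "$sh_dir/bin/il" "$sh_dir/bin/is" "$sh_dir/bin/server" \
        "$sh_dir/conf/altibase.properties" "$sh_dir/logs/log0" "$sh_dir/dbs/data0"
    chmod 700 "$sh_dir/bin/il" "$sh_dir/bin/server" "$sh_dir/logs"
    chmod 750 "$sh_dir/dbs"; chmod 755 "$sh_dir/bin/is"
    chmod 640 "$sh_dir/conf/altibase.properties"; chmod 600 "$sh_dir/logs/log0"
    chmod 644 "$sh_dir/dbs/data0"
    echo "$sh_dir"
}

audit_altibase_files "${ALTIBASE_HOME:-$(make_sample_home)}" || echo "deviations found"
```

With ALTIBASE_HOME set, the last line audits the real installation; otherwise it runs against the constructed tree and reports the two deliberate deviations.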

 

Checking iSQL command shell history


When connecting to a database using iSQL, if the account and password are entered together on the command line, the password may be leaked because the command is recorded in the shell history file.

How to check

To check isql execution history in shell history file

How to manage

When connecting to iSQL, do not enter the user and password at the shell prompt.

To check isql execution history in shell history file

Set the permissions of the shell history file (.history or .sh_history) to 600 to protect it.
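The following added example (not part of the original page) scans a shell history file for isql invocations that carry a password and checks that the file mode is 600. It assumes the password is passed as "-p <value>" in either case; the function names and the sample history lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Assumption: the password is given
# to isql as "-p <value>" (either case); "-port" is a different option and
# must not be reported.

# scan_history FILE: print "FILE:LINE: command" with the password masked for
# every hit; return 1 if at least one hit was found, 0 otherwise.
scan_history() {
    awk -v file="$1" '
        $0 ~ "(^|[ \t/;|&])isql([ \t]|$)" && $0 ~ "[ \t]-[pP][ \t]+[^- \t]" {
            gsub(/-[pP][ \t]+[^ \t]+/, "-p ********")   # never echo the secret
            printf "%s:%d: %s\n", file, NR, $0
            hits++
        }
        END { exit (hits > 0) }
    ' "$1"
}

# history_mode_ok FILE: succeed only if the file mode is exactly 600.
history_mode_ok() {
    hm=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$hm" = 600 ]
}

# make_sample_history: constructed history file (plain and zsh-style lines).
make_sample_history() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
cd /opt/altibase/bin
isql -s 127.0.0.1 -u sys -p manager
isql -s 127.0.0.1 -u sys -port 20300
: 1700000000:0;/opt/altibase/bin/isql -S db1 -U app -P s3cret
grep isql notes.txt
EOF
    echo "$sample"
}

# Scan the file given as the first argument, or the constructed sample.
hist=${1:-$(make_sample_history)}
scan_history "$hist" || echo "isql password found in $hist"
history_mode_ok "$hist" || echo "$hist is not mode 600"
```

Any password the scan reports should be treated as exposed and changed, since it has already been written to disk in clear text.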


DBMS Security Settings



Using Public Synonym


How to check

To check public Synonym

How to Manage

PUBLIC SYNONYMs are created together with the database for the convenience of DB users. Dropping them is not recommended, because they are used by common queries such as lookups on the dual table and by frequently used procedures such as print and println.

However, if it inevitably needs to be dropped, the user can use the DROP statement as shown below.

Please drop it after checking whether PUBLIC SYNONYM is used in the application.

To drop PUBLIC SYNONYM


Account lockout policy settings such as lockout time according to the number of login failures


Applicable version

  • From ALTIBASE HDB 4.3.9.211
  • From ALTIBASE HDB 5.3.3.89
  • From ALTIBASE HDB 5.5.1.5.1
  • From ALTIBASE HDB 6.1.1.2.1
  • From ALTIBASE HDB 6.3.1

How to check

Check if the database user has the appropriate settings

How to manage

When creating a database user
When performing ALTER USER

Password complexity setting


Applicable version

  • From ALTIBASE HDB 4.3.9.211
  • From ALTIBASE HDB 5.3.3.89
  • From ALTIBASE HDB 5.5.1.5.1
  • From ALTIBASE HDB 6.1.1.2.1
  • ALTIBASE HDB 6.3.1

How to check

How to manage

To set the database user password complexity, create a callback function and use the PASSWORD_VERIFY_FUNCTION option in the LIMIT clause when executing CREATE USER or ALTER USER.

To create callback function


Periodic change of password


Applicable version

  • ALTIBASE HDB 4.3.9.211
  • ALTIBASE HDB 5.3.3.89
  • ALTIBASE HDB 5.5.1.5.1
  • ALTIBASE HDB 6.1.1.2.1
  • ALTIBASE HDB 6.3.1

How to check

Check if PASSWORD_LIFE_TIME for each user is set

Check the PASSWORD_LIFE_TIME property with the command below. If the value is 0, it means that the password expiration date is not set.

After adding the PASSWORD_LIFE_TIME and PASSWORD_GRACE_TIME property in $ALTIBASE_HOME/conf/altibase.properties, restart the ALTIBASE HDB server.

When a database user is created after setting these properties, the password expiration date and grace period are set based on these values.

Setting the PASSWORD_LIFE_TIME property
When performing ALTER USER

Changing the ALTIBASE HDB default service port


The default service port of the ALTIBASE HDB server is 20300.

How to check

To check Service Port

How to manage

After changing the value of PORT_NO in $ALTIBASE_HOME/conf/altibase.properties, restart the Altibase server process.

 

Session IDLE_TIMEOUT settings


IDLE_TIMEOUT can be changed per session: a session takes its value from the ALTIBASE HDB server properties when it connects, but the value can then be changed within that session.

How to check

Check ALTIBASE HDB server settings
Settings applied per session

How to manage

To change properties
  • To reflect the changed value even when the Altibase server process is restarted, the value of the IDLE_TIMEOUT property must be changed in $ALTIBASE_HOME/conf/altibase.properties.

Basic auditing (user statements, privileges, objects, etc.)


The auditing function is provided starting from ALTIBASE HDB version 6.3.1.

How to check

To check whether auditing is set
To check whether auditing is enabled
  • For a description of each field, please refer to Data Dictionary section of the General Reference manual.

How to manage

Refer to the Administrator's Manual and the AUDIT section of the SQL Reference.

Manual download page: http://support.altibase.com/en/manual

Restriction of remote access to DB server


This feature is available starting from ALTIBASE HDB 5.

How to check and manage

Check the ACCESS_LIST property in $ALTIBASE_HOME/conf/altibase.properties.

If it is not set, change the setting in the altibase.properties file and then restart the server.

Refer to ACCESS_LIST property in General Reference Manual.
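As an added example (not from the original page), the script below reads altibase.properties and reports three conditions this checklist asks about: PORT_NO left at the default 20300, PASSWORD_LIFE_TIME at 0 or absent, and ACCESS_LIST not set. The "NAME = value" file format with "#" comments, the function names and the sample file are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. Assumption: altibase.properties
# holds "NAME = value" lines and "#" starts a comment.

# prop_value FILE NAME: print the last uncommented value of NAME, or nothing.
prop_value() {
    awk -v name="$2" '
        {
            sub(/#.*/, "")                          # strip comments
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == name) last = val
        }
        END { print last }
    ' "$1"
}

# audit_properties FILE: one finding per line; return 1 if there is any.
audit_properties() {
    ap_rc=0
    ap_port=$(prop_value "$1" PORT_NO)
    if [ "${ap_port:-20300}" = 20300 ]; then
        echo "PORT_NO: default service port 20300 in use"; ap_rc=1
    fi
    ap_life=$(prop_value "$1" PASSWORD_LIFE_TIME)
    if [ "${ap_life:-0}" = 0 ]; then
        echo "PASSWORD_LIFE_TIME: password expiration is not set"; ap_rc=1
    fi
    if [ -z "$(prop_value "$1" ACCESS_LIST)" ]; then
        echo "ACCESS_LIST: no remote access restriction configured"; ap_rc=1
    fi
    return $ap_rc
}

# make_sample_properties: constructed file that triggers all three findings.
make_sample_properties() {
    sp_file=$(mktemp)
    cat > "$sp_file" <<'EOF'
# constructed sample, not a real configuration
PORT_NO            = 20300    # service port
PASSWORD_LIFE_TIME = 0
EOF
    echo "$sp_file"
}

audit_properties "${1:-$(make_sample_properties)}" || echo "review the findings above"
```

Pass the path to $ALTIBASE_HOME/conf/altibase.properties as the first argument to check a real installation.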

Setting SYSDBA login restrictions

ALTIBASE HDB has no login restrictions for SYSDBA and can only control remote access.
This feature is available starting from ALTIBASE HDB version 5.

How to check

How to manage

  • To reflect the changed value even when the Altibase server process is restarted, the value of the REMOTE_SYSDBA_ENABLE property must be changed in $ALTIBASE_HOME/conf/altibase.properties.

Security Patch


Applying security patch


Altibase security patches can be found on the Customer Support Service Portal.

  • When major bugs, including security bugs, are fixed, a new patch is uploaded to the Customer Support Service Portal.

 
