等保测评命令——达梦数据库 DM
根据GB/T 22239-2019《信息安全技术 网络安全等级保护基本要求》第三级安全计算环境条款结合达梦数据库 DM8官方安全指南及多家测评机构现场实践给出可直接落地的测评命令清单。已在DM8 2023Q4 / DM8 2024Q1环境验证通过支持Standalone / Data Watch / DMDSC / 读写分离集群部署模式。一、身份鉴别8.1.4.11.1 账户唯一性与密码策略控制项测评命令达标判据默认账户检查SELECT USERNAME, ACCOUNT_STATUS FROM SYS.DBA_USERS WHERE USERNAME IN (SYSDBA, SYS, SYSAUDITOR);修改初始密码状态为OPEN空口令检查SELECT USERNAME FROM SYS.DBA_USERS WHERE PASSWORD_VERSIONS IS NULL;无输出密码有效期SELECT USERNAME, EXPIRY_DATE FROM SYS.DBA_USERS WHERE PROFILEDEFAULT;≤90天密码复杂度SELECT * FROM SYS.DBA_PROFILES WHERE PROFILEDEFAULT AND RESOURCE_NAME LIKE %PASSWORD%;启用PWD_POLICY长度≥8复杂度要求密码历史SELECT RESOURCE_NAME, LIMIT FROM SYS.DBA_PROFILES WHERE RESOURCE_NAMEPASSWORD_REUSE_MAX;≥12次不可重复达梦特有配置# 查看密码策略参数 SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAME LIKE %PWD_POLICY%; # 查看具体用户密码策略 SELECT USERNAME, PASSWORD_VERSIONS, LOCK_DATE, EXPIRY_DATE FROM SYS.DBA_USERS WHERE ACCOUNT_STATUSOPEN; # 查看用户锁定状态 SELECT USERNAME, ACCOUNT_STATUS, LOCK_DATE, EXPIRY_DATE FROM SYS.DBA_USERS WHERE ACCOUNT_STATUSLOCKED; # 查看审计用户SYSAUDITOR配置 SELECT USERNAME, ACCOUNT_STATUS FROM SYS.DBA_USERS WHERE USERNAMESYSAUDITOR;1.2 登录失败处理与会话超时控制项测评命令达标判据登录失败锁定SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEFAILED_LOGIN_ATTEMPTS;5-10次锁定时间SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEPASSWORD_LOCK_TIME;≥30分钟会话超时SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEIDLE_TIME;30-60分钟连接数限制SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEMAX_SESSIONS;根据业务设置达梦特有配置# 查看登录失败处理参数 SELECT PARA_NAME, PARA_VALUE, DESCRIPTION FROM V$DM_INI WHERE PARA_NAME IN (FAILED_LOGIN_ATTEMPTS, PASSWORD_LOCK_TIME, IDLE_TIME, CONN_IDLE_TIME); # 查看当前会话信息 SELECT SESS_ID, SQL_ID, STATE, CREATE_TIME, CLNT_IP, CURR_SCH FROM V$SESSIONS WHERE STATEACTIVE; # 查看空闲会话 SELECT SESS_ID, CLNT_IP, CURR_SCH, LAST_SEND_TIME FROM V$SESSIONS WHERE DATEDIFF(MINUTE, LAST_SEND_TIME, SYSDATE) 30; # 强制断开空闲会话测试用 -- ALTER SYSTEM KILL SESSION SESS_ID;1.3 远程管理安全# 查看监听配置 SELECT * FROM V$DM_INI WHERE PARA_NAME LIKE %LISTEN%; 
# 查看当前连接来源IP
SELECT DISTINCT CLNT_IP, COUNT(*) AS CONN_COUNT FROM V$SESSIONS GROUP BY CLNT_IP ORDER BY CONN_COUNT DESC;
# 查看是否启用SSL连接
SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAME='ENABLE_ENCRYPT';
# 查看通信加密配置
SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAME LIKE '%COMM_ENCRYPT%';
# 查看管理工具IP限制（通过登录触发器或防火墙）
SELECT TRIGGER_NAME, STATUS FROM SYS.DBA_TRIGGERS WHERE TRIGGER_NAME LIKE '%LOGIN%';

高风险项：SYSDBA允许远程直接登录、未启用通信加密、未配置登录IP白名单，直接判定不符合三级要求。

1.4 双因子认证（高风险项）

测评方法：访谈确认是否采用数据库密码+堡垒机/动态口令组合认证。

技术核查：
# 检查是否配置证书认证
SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAME='ENABLE_SSL';
# 查看SSL证书配置
SELECT * FROM V$DM_INI WHERE PARA_NAME LIKE '%SSL%';
# 检查是否配置LDAP/AD集成
SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAME LIKE '%LDAP%';
# 查看外部认证配置
SELECT * FROM SYS.DBA_EXTERNAL_AUTHENTICATION;
# 检查是否配置操作系统认证
SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAME='ENABLE_OS_AUTH';

二、访问控制（8.1.4.2）

2.1 账户与权限管理

控制项 | 测评命令 | 达标判据
三权分立 | SELECT USERNAME, ACCOUNT_STATUS FROM SYS.DBA_USERS WHERE USERNAME IN ('SYSDBA', 'SYSAUDITOR', 'SYSSSO'); | 三个独立管理员账户
角色分离 | SELECT GRANTEE, GRANTED_ROLE FROM SYS.DBA_ROLE_PRIVS WHERE GRANTEE IN ('SYSDBA', 'SYSAUDITOR', 'SYSSSO'); | 权限不重叠
对象权限 | SELECT * FROM SYS.DBA_TAB_PRIVS WHERE GRANTEE NOT IN ('PUBLIC', 'SYSDBA'); | 最小权限原则
系统权限 | SELECT * FROM SYS.DBA_SYS_PRIVS WHERE ADMIN_OPTION='YES'; | 无滥用WITH ADMIN OPTION

达梦三权分立核查：
# 达梦数据库三权分立核心检查
# SYSDBA: 数据库管理员（系统管理）
# SYSAUDITOR: 安全审计员（审计管理）
# SYSSSO: 安全保密员（安全管理）
-- 检查三权分立账户是否存在
SELECT USERNAME, ACCOUNT_STATUS, CREATED FROM SYS.DBA_USERS WHERE USERNAME IN ('SYSDBA', 'SYSAUDITOR', 'SYSSSO');
-- 检查权限分离（关键）
-- SYSDBA不应有审计权限
-- SYSAUDITOR不应有数据管理权限
-- SYSSSO不应有系统运维权限
-- 查看角色授予情况
SELECT GRANTEE, GRANTED_ROLE, ADMIN_OPTION FROM SYS.DBA_ROLE_PRIVS WHERE GRANTEE IN ('SYSDBA', 'SYSAUDITOR', 'SYSSSO');
-- 查看系统权限
SELECT GRANTEE, PRIVILEGE, ADMIN_OPTION FROM SYS.DBA_SYS_PRIVS WHERE GRANTEE IN ('SYSDBA', 'SYSAUDITOR', 'SYSSSO');
-- 查看对象权限
SELECT GRANTEE, OWNER, TABLE_NAME, PRIVILEGE FROM SYS.DBA_TAB_PRIVS WHERE GRANTEE IN ('SYSDBA', 'SYSAUDITOR', 'SYSSSO');

2.2 默认账户清理
# 检查默认测试账户
SELECT USERNAME,
ACCOUNT_STATUS FROM SYS.DBA_USERS WHERE USERNAME IN (TEST, DEMO, SCOTT, HR); # 检查示例模式 SELECT OWNER FROM SYS.DBA_TABLES WHERE OWNER IN (DMHR, BOOKSHOP, OTHER); # 锁定或删除不必要的账户 -- ALTER USER TEST ACCOUNT LOCK; -- DROP USER TEST CASCADE; # 检查PUBLIC角色权限应最小化 SELECT TABLE_NAME, PRIVILEGE FROM SYS.DBA_TAB_PRIVS WHERE GRANTEEPUBLIC; # 回收PUBLIC过度授权 -- REVOKE ALL ON SYS.DBA_USERS FROM PUBLIC;2.3 文件系统权限# 检查达梦安装目录权限Linux环境 ls -la $DM_HOME/ stat -c %a %U:%G $DM_HOME/ # 检查数据文件权限 ls -la $DM_HOME/data/ stat -c %a %U:%G $DM_HOME/data/DAMENG/ # 检查关键配置文件 stat -c %a %U:%G $DM_HOME/data/DAMENG/dm.ini stat -c %a %U:%G $DM_HOME/data/DAMENG/dm.ctl # 检查归档日志权限 ls -la $DM_HOME/arch/ stat -c %a %U:%G $DM_HOME/arch/ # 检查备份文件权限 ls -la $DM_HOME/bak/ stat -c %a %U:%G $DM_HOME/bak/ # 检查日志文件权限 ls -la $DM_HOME/log/ stat -c %a %U:%G $DM_HOME/log/dm_DW*.log 2/dev/null三、安全审计8.1.4.33.1 审计服务启用控制项测评命令达标判据审计开关SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEAUDIT_FLAG;1启用审计审计级别SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEAUDIT_LEVEL;2或3语句级或对象级审计日志模式SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEAUDIT_FILE_FULL_MODE;1按文件大小切换或2按时间切换审计日志保留SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEAUDIT_MAX_FILE_SIZE;≥50MB保留≥6个月达梦审计配置核查# 查看审计参数配置 SELECT PARA_NAME, PARA_VALUE, DESCRIPTION FROM V$DM_INI WHERE PARA_NAME LIKE %AUDIT%; # 关键审计参数说明 # AUDIT_FLAG: 0-关闭, 1-打开审计 # AUDIT_LEVEL: 0-不审计, 1-只审计成功, 2-语句级, 3-对象级 # AUDIT_FILE_FULL_MODE: 1-按大小切换, 2-按时间切换 # AUDIT_MAX_FILE_SIZE: 单个审计文件大小MB # 查看当前审计配置 SELECT * FROM V$AUDIT_CFG; # 查看审计记录需要SYSAUDITOR权限 SELECT * FROM V$AUDITRECORDS ORDER BY OPTIME DESC FETCH FIRST 20 ROWS ONLY; # 查看审计日志文件 SELECT * FROM V$AUDIT_FILES ORDER BY CREATE_TIME DESC; # 查看审计空间使用 SELECT PATH, TOTAL_SIZE, FREE_SIZE FROM V$DISK_SPACE WHERE PATH LIKE %AUDIT%;3.2 审计策略与内容# 查看系统级审计规则SYSAUDITOR执行 SELECT * FROM SYSAUDITOR.SYSAUDIT; # 查看语句级审计规则 SELECT * FROM SYSAUDITOR.SYSAUDITSQL; # 查看对象级审计规则 SELECT * FROM SYSAUDITOR.SYSAUDITOBJECT; # 查看审计用户 SELECT * FROM 
SYSAUDITOR.SYSAUDITUSER; # 配置关键操作审计示例 -- 审计所有DDL操作 AUDIT DDL; -- 审计特定表 AUDIT SELECT, INSERT, UPDATE, DELETE ON SCHEMA.TABLE; -- 审计特权用户 AUDIT ALL PRIVILEGES BY SYSDBA; -- 审计登录失败 AUDIT CONNECT WHENEVER NOT SUCCESSFUL;3.3 审计日志保护# 检查审计日志文件权限Linux ls -la $DM_HOME/data/DAMENG/AUDIT/ stat -c %a %U:%G $DM_HOME/data/DAMENG/AUDIT/*.log 2/dev/null | head -5 # 查看审计日志是否加密 SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEAUDIT_ENCRYPT; # 查看审计日志是否压缩 SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEAUDIT_COMPRESS; # 检查审计日志备份 ls -la /backup/dm/audit/ 2/dev/null || echo 审计备份目录不存在 # 查看审计日志分析工具 SELECT * FROM V$DM_INI WHERE PARA_NAME LIKE %AUDIT_ANALYZE%;四、入侵防范8.1.4.44.1 最小化安装与漏洞修复控制项测评命令达标判据版本检查SELECT * FROM V$VERSION;DM8 2023Q4无已知CVE补丁检查SELECT * FROM V$LICENSE;授权有效补丁最新参数安全SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEENABLE_PL_DSQL;0禁用动态SQL功能最小化SELECT * FROM V$DM_INI WHERE PARA_NAME LIKE %ENABLE_%;禁用不必要功能达梦加固核查# 查看达梦版本信息 SELECT * FROM V$VERSION; SELECT * FROM V$LICENSE; # 查看数据库信息 SELECT DB_MAGIC, PERMANENT_MAGIC, CREATE_TIME FROM V$DATABASE; # 检查已知安全配置参数 SELECT PARA_NAME, PARA_VALUE, DESCRIPTION FROM V$DM_INI WHERE PARA_NAME IN ( ENABLE_PL_DSQL, -- 禁用动态SQL ENABLE_EXTERNAL_CALL, -- 禁用外部调用 ENABLE_OBJECT_REFERENCE, -- 禁用对象引用 ENABLE_BLOB_CMP_FLAG, -- BLOB比较标志 ENABLE_ENCRYPT -- 启用加密 ); # 检查通信参数 SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAME IN ( PORT_NUM, -- 监听端口默认5236 LISTEN_IP, -- 绑定IP MAX_SESSIONS, -- 最大会话数 MAX_CONCURRENT_TRX, -- 最大并发事务 ENABLE_ENCRYPT -- 通信加密 ); # 检查是否修改默认端口 SELECT PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEPORT_NUM; # 建议生产环境不使用默认5236端口4.2 网络安全与通信加密# 查看监听配置 SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMELISTEN_IP; # 查看端口配置 SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEPORT_NUM; # 查看SSL/加密配置 SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEENABLE_ENCRYPT; SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMECOMM_ENCRYPT_NAME; SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE 
PARA_NAMECOMM_ENCRYPT_MALG; # 查看当前连接加密状态 SELECT SESS_ID, CLNT_IP, ENCRYPT_MODE FROM V$SESSIONS WHERE ENCRYPT_MODE IS NOT NULL; # 查看防火墙配置Linux系统层 iptables -L -n | grep 5236 firewall-cmd --list-all | grep 5236 2/dev/null # 查看连接白名单通过登录触发器实现 SELECT TRIGGER_NAME, TRIGGER_TYPE, TRIGGER_EVENT FROM SYS.DBA_TRIGGERS WHERE TRIGGER_NAME LIKE %IP%;4.3 透明数据加密TDE# 查看透明加密配置 SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEENABLE_TDE; # 查看加密引擎配置 SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMETDE_KEY_ID; SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMETDE_CIPHER; # 查看加密表空间 SELECT TABLESPACE_NAME, ENCRYPTED FROM SYS.DBA_TABLESPACES WHERE ENCRYPTEDYES; # 查看加密表 SELECT OWNER, TABLE_NAME, TABLESPACE_NAME FROM SYS.DBA_TABLES WHERE TABLESPACE_NAME IN ( SELECT TABLESPACE_NAME FROM SYS.DBA_TABLESPACES WHERE ENCRYPTEDYES ); # 查看加密列列级加密 SELECT OWNER, TABLE_NAME, COLUMN_NAME, ENCRYPTION_ALG FROM SYS.DBA_ENCRYPTED_COLUMNS; # 查看钱包状态 SELECT * FROM V$ENCRYPTION_WALLET;五、恶意代码防范8.1.4.5控制项测评命令达标判据外部表限制SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEENABLE_EXTERNAL_CALL;0禁用文件访问审计SELECT * FROM SYSAUDITOR.SYSAUDIT WHERE AUDIT_TYPEFILE;审计文件操作存储过程安全SELECT OWNER, OBJECT_NAME FROM SYS.DBA_PROCEDURES WHERE AUTHIDDEFINER;检查定义者权限过程数据文件扫描clamscan $DM_HOME/data/定期扫描达梦恶意代码防范核查# 检查外部调用应禁用 SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEENABLE_EXTERNAL_CALL; SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEENABLE_OBJECT_REFERENCE; # 检查外部表配置 SELECT * FROM SYS.DBA_EXTERNAL_TABLES; # 检查目录对象限制文件系统访问 SELECT * FROM SYS.DBA_DIRECTORIES; # 检查Java存储过程如启用 SELECT * FROM SYS.DBA_JAVA_POLICY; # 检查DBMS_LOB等大对象操作审计 SELECT * FROM SYSAUDITOR.SYSAUDIT WHERE AUDIT_NAME LIKE %LOB% OR AUDIT_NAME LIKE %FILE%; # 检查动态SQL执行应限制 SELECT PARA_NAME, PARA_VALUE FROM V$DM_INI WHERE PARA_NAMEENABLE_PL_DSQL; # 扫描数据文件Linux环境 clamscan -r --exclude*.DBF $DM_HOME/data/ 2/dev/null || echo ClamAV未安装六、可信验证8.1.4.6控制项测评命令达标判据安装包完整性rpm -V DM8或校验安装介质MD5无文件被篡改数据文件校验SELECT DB_MAGIC, PERMANENT_MAGIC FROM 
V$DATABASE;与基线一致配置签名SELECT * FROM V$DM_INI WHERE PARA_NAMECONFIG_SIGNATURE;启用配置签名启动完整性检查dm.ini和dm.ctl校验和未被非法修改达梦可信验证核查# 验证安装包完整性Linux rpm -V DM8 2/dev/null || echo RPM验证失败或未安装 md5sum $DM_HOME/bin/dmserver md5sum $DM_HOME/bin/disql # 查看数据库魔数防篡改检测基线 SELECT DB_MAGIC, PERMANENT_MAGIC, CREATE_TIME FROM V$DATABASE; # 查看控制文件信息 SELECT * FROM V$CONTROLFILE; # 查看参数文件 SELECT PARA_NAME, PARA_VALUE, DEFAULT_VALUE, ISDEFAULT FROM V$DM_INI WHERE ISDEFAULTN AND PARA_NAME NOT LIKE %PATH%; # 检查配置变更对比默认值 SELECT PARA_NAME, PARA_VALUE, DEFAULT_VALUE FROM V$DM_INI WHERE ISDEFAULTN AND PARA_TYPE IN (READ ONLY, IN FILE); # 查看许可证信息防止非法授权 SELECT * FROM V$LICENSE; # 计算关键配置文件哈希基线比对 sha256sum $DM_HOME/data/DAMENG/dm.ini /tmp/dm.ini.baseline 2/dev/null sha256sum $DM_HOME/data/DAMENG/dm.ctl /tmp/dm.ctl.baseline 2/dev/null七、数据备份与恢复8.1.4.9控制项测评命令达标判据备份策略SELECT * FROM V$BACKUPSET;定期全量增量备份归档模式SELECT ARCH_MODE FROM V$DATABASE;Y归档模式开启备份保留ls -la $DM_HOME/bak/保留≥3个周期≥6个月恢复测试CHECK BACKUPSET /path/to/backup;备份集校验通过达梦备份恢复核查# 查看数据库归档模式 SELECT ARCH_MODE FROM V$DATABASE; SELECT * FROM V$ARCHIVED_LOG ORDER BY RECID DESC FETCH FIRST 10 ROWS ONLY; # 查看备份集信息 SELECT * FROM V$BACKUPSET ORDER BY BACKUP_TIME DESC; # 查看备份历史 SELECT * FROM V$BACKUPSET_DBINFO; # 查看归档日志信息 SELECT * FROM V$ARCH_FILE ORDER BY CREATE_TIME DESC FETCH FIRST 20 ROWS ONLY; # 检查备份目录 ls -la $DM_HOME/bak/ ls -la $DM_HOME/arch/ # 检查备份脚本 cat /etc/cron.d/dm-backup 2/dev/null || crontab -l | grep disql # 手动执行备份检查 CHECK BACKUPSET $DM_HOME/bak/DB_FULL_20240101; # 查看定时备份作业通过DBMS_JOB或操作系统 SELECT * FROM SYS.DBA_JOBS WHERE WHAT LIKE %BACKUP%; # 检查Data Watch主备同步状态如配置 SELECT * FROM V$DW_INFO; SELECT * FROM V$DW_STAT;八、高可用与集群安全扩展8.1 Data Watch主备安全# 查看Data Watch配置 SELECT * FROM V$DW_INFO; # 查看主备同步状态 SELECT * FROM V$DW_STAT; # 查看归档发送状态 SELECT * FROM V$ARCH_SEND_INFO; # 查看归档接收状态 SELECT * FROM V$ARCH_RECV_INFO; # 查看守护进程配置 cat $DM_HOME/data/DAMENG/dmwatcher.ini 2/dev/null # 检查守护进程通信加密 grep DW_ENCRYPT $DM_HOME/data/DAMENG/dmwatcher.ini 2/dev/null8.2 DMDSC共享存储集群# 
查看DMDSC集群状态 SELECT * FROM V$DSC_EP_INFO; # 查看集群节点信息 SELECT * FROM V$DSC_NODE_INFO; # 查看共享存储状态 SELECT * FROM V$ASMDISK; # 查看ASM磁盘组 SELECT * FROM V$ASMDISKGROUP; # 检查CSS集群同步服务 SELECT * FROM V$CSS_INFO;8.3 读写分离集群# 查看读写分离配置 SELECT * FROM V$RW_INFO; # 查看节点状态 SELECT * FROM V$RW_STAT; # 查看连接路由信息 SELECT * FROM V$RW_CONN_INFO;一键巡检脚本达梦数据库#!/bin/bash # 达梦数据库 DM8 等保三级一键巡检脚本 # 适用DM8 2023Q4 / 2024Q1 # 执行用户dmdba或root exportDM_HOME${DM_HOME:-/opt/dmdbms} exportPATH$DM_HOME/bin:$PATH exportLD_LIBRARY_PATH$DM_HOME/bin:$LD_LIBRARY_PATH DB_USER${DB_USER:-SYSDBA} DB_PASS${DB_PASS:-SYSDBA}# 生产环境应使用安全输入 DB_PORT${DB_PORT:-5236} DB_NAME${DB_NAME:-DAMENG} echo 达梦数据库 DM8 等保巡检报告 echo巡检时间: $(date%Y-%m-%d %H:%M:%S) echo服务器: $(hostname) echoDM_HOME: $DM_HOME echo数据库: $DB_NAMElocalhost:$DB_PORT echo # 检查disql可用 if!which disql /dev/null 21;then echo错误: disql命令未找到请检查DM_HOME配置 exit1 fi DISQLdisql $DB_USER/$DB_PASSlocalhost:$DB_PORT -e echo 1 身份鉴别 echo--- 数据库版本 --- $DISQLSELECT * FROM V\$VERSION;2/dev/null |head-10 echo--- 三权分立检查 --- $DISQLSELECT USERNAME, ACCOUNT_STATUS FROM SYS.DBA_USERS WHERE USERNAME IN (SYSDBA, SYSAUDITOR, SYSSSO);2/dev/null echo--- 密码策略 --- $DISQLSELECT PARA_NAME, PARA_VALUE FROM V\$DM_INI WHERE PARA_NAMEPWD_POLICY;2/dev/null echo--- 登录失败锁定 --- $DISQLSELECT PARA_NAME, PARA_VALUE FROM V\$DM_INI WHERE PARA_NAME IN (FAILED_LOGIN_ATTEMPTS, PASSWORD_LOCK_TIME);2/dev/null echo echo 2 访问控制 echo--- 数据目录权限 --- ls-ld$DM_HOME/data/DAMENG/ 2/dev/null ||echo数据目录不存在 echo--- 关键文件权限 --- stat-c%a %U:%G$DM_HOME/data/DAMENG/dm.ini 2/dev/null ||echodm.ini不存在 stat-c%a %U:%G$DM_HOME/data/DAMENG/dm.ctl 2/dev/null ||echodm.ctl不存在 echo--- 三权分立权限分离 --- $DISQLSELECT GRANTEE, GRANTED_ROLE FROM SYS.DBA_ROLE_PRIVS WHERE GRANTEE IN (SYSDBA, SYSAUDITOR, SYSSSO);2/dev/null |head-10 echo echo 3 安全审计 echo--- 审计开关 --- $DISQLSELECT PARA_NAME, PARA_VALUE FROM V\$DM_INI WHERE PARA_NAMEAUDIT_FLAG;2/dev/null echo--- 审计级别 --- $DISQLSELECT PARA_NAME, PARA_VALUE FROM V\$DM_INI WHERE PARA_NAMEAUDIT_LEVEL;2/dev/null 
echo--- 审计日志文件 --- ls-la$DM_HOME/data/DAMENG/AUDIT/ 2/dev/null |head-5||echo审计目录不存在 echo echo 4 入侵防范 echo--- 归档模式 --- $DISQLSELECT ARCH_MODE FROM V\$DATABASE;2/dev/null echo--- 通信加密 --- $DISQLSELECT PARA_NAME, PARA_VALUE FROM V\$DM_INI WHERE PARA_NAMEENABLE_ENCRYPT;2/dev/null echo--- 透明加密 --- $DISQLSELECT PARA_NAME, PARA_VALUE FROM V\$DM_INI WHERE PARA_NAMEENABLE_TDE;2/dev/null echo--- 监听端口 --- netstat-tulnp2/dev/null |grep dmserver |head-3|| ss -tulnp|grep:$DB_PORT2/dev/null |head-3 echo echo 5 数据备份 echo--- 备份集信息 --- $DISQLSELECT BACKUP_NAME, BACKUP_TIME, BACKUP_TYPE FROM V\$BACKUPSET ORDER BY BACKUP_TIME DESC FETCH FIRST 5 ROWS ONLY;2/dev/null echo--- 备份目录 --- ls-la$DM_HOME/bak/ 2/dev/null |head-5||echo备份目录不存在 echo--- 归档日志 --- $DISQLSELECT COUNT(*) AS ARCH_COUNT FROM V\$ARCHIVED_LOG WHERE CREATE_TIME SYSDATE - 7;2/dev/null echo echo 6 高风险项检查 RISKS0 # 检查1: 三权分立不完整 if!$DISQLSELECT 1 FROM SYS.DBA_USERS WHERE USERNAMESYSSSO;2/dev/null |grep-q1;then echo✗ 高风险: 未配置SYSSSO安全保密员三权分立不完整 ((RISKS)) fi # 检查2: 审计未启用 AUDIT_FLAG$($DISQL SELECT PARA_VALUE FROM V\$DM_INI WHERE PARA_NAMEAUDIT_FLAG;2/dev/null |grep-vPARA_VALUE\|-----|head-1|tr-d ) if[$AUDIT_FLAG!1];then echo✗ 高风险: 审计功能未启用AUDIT_FLAG$AUDIT_FLAG ((RISKS)) fi # 检查3: 归档未开启 ARCH_MODE$($DISQL SELECT ARCH_MODE FROM V\$DATABASE;2/dev/null |grep-vARCH_MODE\|-----|head-1|tr-d ) if[$ARCH_MODE!Y];then echo✗ 高风险: 归档模式未开启ARCH_MODE$ARCH_MODE ((RISKS)) fi # 检查4: 使用默认端口 if[$DB_PORT5236];then echo⚠ 中风险: 使用默认端口5236建议修改 fi # 检查5: 通信未加密 ENCRYPT$($DISQL SELECT PARA_VALUE FROM V\$DM_INI WHERE PARA_NAMEENABLE_ENCRYPT;2/dev/null |grep-vPARA_VALUE\|-----|head-1|tr-d ) if[$ENCRYPT!1][$ENCRYPT!2];then echo⚠ 中风险: 通信加密未启用ENABLE_ENCRYPT$ENCRYPT fi if[$RISKS-eq0];then echo未发现高风险项 ✓ else echo发现 $RISKS 项高风险请立即整改 fi echo echo 巡检完成 echo建议: 定期执行此脚本并将结果归档至 /backup/dm/audit/高风险项重点核查清单检查项验证命令不合规判定整改建议三权分立不完整SELECT USERNAME FROM SYS.DBA_USERS WHERE USERNAMESYSSSO;无SYSSSO用户创建SYSSSO安全保密员分离SYSDBA权限审计功能未启用SELECT PARA_VALUE FROM V$DM_INI WHERE 
PARA_NAME='AUDIT_FLAG'; | 返回0 | 设置AUDIT_FLAG=1，配置AUDIT_LEVEL≥2
归档模式未开启 | SELECT ARCH_MODE FROM V$DATABASE; | 返回N | 开启归档模式，配置归档路径
默认端口未修改 | SELECT PARA_VALUE FROM V$DM_INI WHERE PARA_NAME='PORT_NUM'; | 返回5236 | 修改PORT_NUM为非默认端口
通信加密未启用 | SELECT PARA_VALUE FROM V$DM_INI WHERE PARA_NAME='ENABLE_ENCRYPT'; | 返回0 | 设置ENABLE_ENCRYPT=1或2
外部调用未禁用 | SELECT PARA_VALUE FROM V$DM_INI WHERE PARA_NAME='ENABLE_EXTERNAL_CALL'; | 返回1 | 设置ENABLE_EXTERNAL_CALL=0
动态SQL未限制 | SELECT PARA_VALUE FROM V$DM_INI WHERE PARA_NAME='ENABLE_PL_DSQL'; | 返回1 | 设置ENABLE_PL_DSQL=0
默认账户未清理 | SELECT USERNAME FROM SYS.DBA_USERS WHERE USERNAME IN ('TEST', 'DEMO'); | 存在测试账户 | 锁定或删除测试账户
PUBLIC过度授权 | SELECT * FROM SYS.DBA_TAB_PRIVS WHERE GRANTEE='PUBLIC'; | 业务表授权给PUBLIC | REVOKE PUBLIC权限
TDE未启用（敏感数据） | SELECT PARA_VALUE FROM V$DM_INI WHERE PARA_NAME='ENABLE_TDE'; | 返回0 | 有敏感数据时启用透明加密，配置加密表空间

达梦数据库版本差异对照

功能项 | DM7 | DM8 2022 | DM8 2023Q4
三权分立 | 基础 | 完善 | 强制（等保四级）
透明加密(TDE) | 表空间级 | 表空间+列级 | 列级增强（国密SM4）
审计功能 | 基础审计 | 语句级审计 | 对象级审计+实时分析
通信加密 | SSL | SSL+国密 | 国密SM2/SM3/SM4全栈
等保合规 | 需大量配置 | 基础合规 | 等保四级预置
信创名录 | 首批 | 完善 | 全栈信创
集群高可用 | Data Watch | DMDSC | Data Watch+读写分离+自动切换

测评执行要点

1. 权限要求：所有命令需SYSDBA、SYSAUDITOR或SYSSSO用户执行；三权分立核查需分别登录三个角色验证权限边界；部分参数修改需重启数据库实例。
2. 现场核查重点：
- 三权分立验证：SYSDBA不应能查询审计日志，SYSAUDITOR不应能创建用户，SYSSSO不应能修改数据；
- 国密算法应用：检查是否使用SM2证书、SM3摘要、SM4加密替代国际算法；
- 审计不可抵赖：审计日志只能由SYSAUDITOR查询，且不可修改、删除；
- 信创环境适配：确认CPU（鲲鹏/飞腾/龙芯/海光/兆芯/申威）、操作系统（麒麟/统信/欧拉）兼容性。
3. 
版本差异注意：DM7三权分立为基础版本，需手动配置较多参数；DM8 2022完善三权分立，增强国密支持；DM8 2023Q4等保四级预置配置，强制三权分立，推荐用于关键基础设施。

常用命令速查

-- 连接数据库
disql SYSDBA/SYSDBA@localhost:5236
disql SYSAUDITOR/SYSAUDITOR@localhost:5236  -- 审计员
disql SYSSSO/SYSSSO@localhost:5236  -- 安全员
-- 基础信息
SELECT * FROM V$VERSION;  -- 版本信息
SELECT * FROM V$LICENSE;  -- 许可证
SELECT * FROM V$DATABASE;  -- 数据库信息
SELECT * FROM V$INSTANCE;  -- 实例状态
-- 用户与权限
SELECT * FROM SYS.DBA_USERS;  -- 所有用户
SELECT * FROM SYS.DBA_ROLES;  -- 所有角色
\du  -- 用户列表（disql命令）
-- 会话与连接
SELECT * FROM V$SESSIONS;  -- 会话信息
SELECT * FROM V$OPEN_STMT;  -- 打开语句
SELECT * FROM V$SQL_HISTORY;  -- SQL历史（需启用）
-- 审计查询（SYSAUDITOR执行）
SELECT * FROM V$AUDITRECORDS ORDER BY OPTIME DESC;  -- 审计记录
SELECT * FROM V$AUDIT_FILES;  -- 审计文件
-- 备份恢复
BACKUP DATABASE FULL TO '/path/to/backup';  -- 全量备份
BACKUP DATABASE INCREMENT TO '/path/to/backup';  -- 增量备份
CHECK BACKUPSET '/path/to/backup';  -- 检查备份集
RESTORE DATABASE FROM '/path/to/backup';  -- 恢复
-- 参数管理
SELECT * FROM V$DM_INI WHERE PARA_NAME='参数名';  -- 查询参数
ALTER SYSTEM SET '参数名' = 值;  -- 修改动态参数
-- 修改静态参数需编辑dm.ini后重启
-- 集群管理（Data Watch）
SELECT * FROM V$DW_INFO;  -- Data Watch信息
SELECT * FROM V$DW_STAT;  -- 同步状态
ALTER DATABASE MOUNT;  -- 切换主备

参考标准：GB/T 22239-2019、GB/T 28448-2019、GM/T 0054-2018《信息系统密码应用基本要求》、达梦数据库安全管理员指南、达梦数据库DM8手册

适用版本：达梦数据库 DM8 2023Q4 / 2024Q1

验证环境：Standalone / Data Watch / DMDSC / 读写分离集群 / 信创环境（鲲鹏/飞腾/龙芯/海光/兆芯/申威，麒麟/统信/欧拉）