The following procedure describes how to set up and operate a Teradata Vantage system at a level of security equivalent to the Common Criteria evaluated configuration.
- Establish a system security policy.
- Establish the physical security controls for the system. See Controlling Physical Access.
- Establish operating system and network security controls for the database server.
- Install the system hardware and software following Teradata-supplied installation documentation. Be sure to use the documentation that corresponds to the applicable hardware, software, and operating system versions.
- Run the DIPACC script, provided on the software release media, to allow access logging. See Setting Up the DBC.AccLogRule Macro. This script creates the AccLogRule macro in system user DBC, which allows you to enable access logging. Do not run the tpareset command until instructed, later in this procedure.
- Change the password control parameters defined in the DBC.SysSecDefaults table to the recommended default values:
    UPDATE DBC.SysSecDefaults SET
      /* password must be at least 8 characters in length */
      PasswordMinChar = 8,
      /* password cannot exceed 30 characters */
      PasswordMaxChar = 30,
      /* digits required in a password */
      PasswordDigits = 'r',
      /* alpha, special characters required in a password */
      PasswordSpecChar = 'r',
      /* user name will be locked after 3 failed logons */
      MaxLogonAttempts = 3,
      /* user name will remain locked for 5 minutes */
      LockedUserExpire = 5,
      /* passwords will expire in 90 days */
      ExpirePassword = 90,
      /* a password cannot be reused for 270 days */
      PasswordReuse = 270,
      /* dictionary words cannot be used in a password */
      PasswordRestrictWords = 'Y'
    WHERE PrimeIndex = 1;
See also About Password Controls.
- Change the default PASSWORD parameter for usernames DBC, SYSTEMFE, and SYSADMIN (via MODIFY USER), and protect the new passwords in accordance with your security policy. The following example shows the SQL you can use to modify user DBC:
MODIFY USER DBC AS PASSWORD = xxx;
- Grant the necessary rights to SECADMIN to carry out security administrator duties. Only the security administrator (and user DBC) should have these privileges.
    GRANT USER ON SECADMIN TO SECADMIN /* maintain users */ ;
    GRANT ROLE TO SECADMIN /* maintain roles */ ;
    GRANT PROFILE TO SECADMIN /* maintain profiles */ ;
    GRANT SELECT ON DBC TO SECADMIN /* select on dictionary tables */ ;
    GRANT UPDATE ON DBC.SysSecDefaults TO SECADMIN /* password characteristics */ ;
    GRANT EXECUTE ON DBC.LogonRule TO SECADMIN /* logon rules */ ;
    GRANT EXECUTE ON DBC.AccLogRule TO SECADMIN /* access logging */ ;
    GRANT DELETE ON DBC.AccLogTbl TO SECADMIN /* delete audit entries */ ;
    GRANT DELETE ON DBC.DeleteAccessLog TO SECADMIN /* delete audit entries */ ;
    GRANT DELETE ON DBC.EventLog TO SECADMIN /* delete event log */ ;
These are the minimum privileges required for the security administrator to fulfill Common Criteria requirements, but you can grant additional privileges if your security policy requires them.
- Use the tpareset command to restart the system to activate access logging and the revised password controls. For more information, see Teradata Vantage™ - Database Utilities, B035-1102.
- Initiate logging of all user attempts to access the security administrator macros, including access by the security administrator, to check for possible attempts to learn or compromise system security measures:
BEGIN LOGGING WITH TEXT ON EACH ALL ON MACRO DBC.LogonRule, MACRO DBC.AccLogRule;
- Establish any additional security logging that is required by your site security policy. See Monitoring Database Access.
- Establish any logon rules required by your security policy.
- Implement an analysis and reporting process to examine the output of access logs, according to your site security policy. See Investigating Database Access Attempts.
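
One way to confirm that the password controls set in the UPDATE DBC.SysSecDefaults step above are in place, shown as an added example that is not part of the Teradata documentation: the query returns one row for each setting whose current value differs from the values recommended in this procedure. It uses only the table and column names shown above; the names Setting, ActualValue, ExpectedValue, and Baseline are illustrative.

```sql
/* Added example: report password controls in DBC.SysSecDefaults that
   deviate from the values recommended in this procedure.
   The first SELECT of a UNION fixes the result column types, so its
   literals are cast wide enough for the longer values that follow. */
SELECT Setting, ActualValue, ExpectedValue
FROM (
    SELECT CAST('PasswordMinChar' AS VARCHAR(30)) AS Setting,
           TRIM(CAST(PasswordMinChar AS VARCHAR(10))) AS ActualValue,
           CAST('8' AS VARCHAR(10)) AS ExpectedValue
    FROM DBC.SysSecDefaults WHERE PrimeIndex = 1
    UNION ALL SELECT 'PasswordMaxChar', TRIM(CAST(PasswordMaxChar AS VARCHAR(10))), '30'
    FROM DBC.SysSecDefaults WHERE PrimeIndex = 1
    /* flag columns are compared in upper case, so 'r' and 'R' both match */
    UNION ALL SELECT 'PasswordDigits', UPPER(TRIM(PasswordDigits)), 'R'
    FROM DBC.SysSecDefaults WHERE PrimeIndex = 1
    UNION ALL SELECT 'PasswordSpecChar', UPPER(TRIM(PasswordSpecChar)), 'R'
    FROM DBC.SysSecDefaults WHERE PrimeIndex = 1
    UNION ALL SELECT 'MaxLogonAttempts', TRIM(CAST(MaxLogonAttempts AS VARCHAR(10))), '3'
    FROM DBC.SysSecDefaults WHERE PrimeIndex = 1
    UNION ALL SELECT 'LockedUserExpire', TRIM(CAST(LockedUserExpire AS VARCHAR(10))), '5'
    FROM DBC.SysSecDefaults WHERE PrimeIndex = 1
    UNION ALL SELECT 'ExpirePassword', TRIM(CAST(ExpirePassword AS VARCHAR(10))), '90'
    FROM DBC.SysSecDefaults WHERE PrimeIndex = 1
    UNION ALL SELECT 'PasswordReuse', TRIM(CAST(PasswordReuse AS VARCHAR(10))), '270'
    FROM DBC.SysSecDefaults WHERE PrimeIndex = 1
    UNION ALL SELECT 'PasswordRestrictWords', UPPER(TRIM(PasswordRestrictWords)), 'Y'
    FROM DBC.SysSecDefaults WHERE PrimeIndex = 1
) AS Baseline
/* a NULL setting is reported as a deviation rather than silently skipped */
WHERE ActualValue IS NULL OR ActualValue <> ExpectedValue
ORDER BY Setting;
```

An empty result means the row matches the recommended values. Running the query after the tpareset restart, and again as part of the regular reporting process, shows whether the settings have been changed since they were applied.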