Oracle 11g and RAC Database Security

(OP)
Hello all,

I am being asked to come up with best practices for Database Security.
Our environment is Oracle Database 11g on AIX.
We also have a RAC environment.
Lastly we have a MS SQL Server on windows NT.

1) I suggested we take an audit of default passwords (scott as an example) and make sure the accounts are locked or default passwords are changed. Question, does anyone know a script or process that can extract all other default accounts in the database?

2) Also, would anyone have an Oracle security user group that I can join for up-to-date methods/measures in the database world?

3) Has anyone heard of this group - Data Management Institute (http://datainstitute.org/webportal/)?
Please advise if I should join their security sub-group.

Thanks for your input as always.

RE: Oracle 11g and RAC Database Security

Hi

11g -- Check users which have a default password set. Suggest changing accordingly.
SQL> select * from dba_users_with_defpwd;

SECURITY
Ensure remote OS authentication is disabled
Setting the REMOTE_OS_AUTHENT parameter to True forces Oracle to accept a client operating system user name received over a non-secure connection and use it for account access.

• Set REMOTE_OS_AUTHENT to FALSE

Ensure data dictionary protection is enabled
Setting O7_DICTIONARY_ACCESSIBILITY to TRUE allows users with ANY system privileges to access the data dictionary. As a result, these user accounts can be exploited to gain unauthorized access to data. Instead the data dictionary should be protected such that only those authorized users making DBA-privileged connections can use the ANY system privilege to access the data dictionary.

• Set O7_DICTIONARY_ACCESSIBILITY to FALSE. If a user needs view access to the data dictionary, then it is permissible to grant that user the SELECT ANY DICTIONARY system privilege.

Ensure database trace files are not readable
The _TRACE_FILES_PUBLIC parameter indicates whether or not debugging trace files generated by Oracle in the directory specified by the USER_DUMP_DEST parameter are readable to everyone. Access to these debugging trace files should be restricted in order to prevent exposing sensitive information regarding the database as well as the applications running on it.

• Set _TRACE_FILES_PUBLIC to FALSE.

Ensure remote OS roles are disabled
The REMOTE_OS_ROLES parameter specifies whether operating system roles are allowed for remote clients. If users connect to the database over Oracle Net, and their roles are not authenticated by Oracle, the remote user could impersonate another operating system user over a network connection. Allowing users to remotely authenticate is a bad security practice in itself. Adding the ability to assume operating system roles for these accounts makes the situation even more insecure.

• Set REMOTE_OS_ROLES to FALSE

Ensure sessions for users who connect as SYS are fully audited
The AUDIT_SYS_OPERATIONS parameter enables or disables the auditing of operations issued by user SYS, and users connecting with SYSDBA or SYSOPER privileges. Since these are highly privileged users, auditing can be especially important.

• Set AUDIT_SYS_OPERATIONS to TRUE

Sy UK
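An added check script, not part of the reply above: it lists the accounts still on a default password together with their lock status, and compares the initialization parameters the reply names against the recommended values. It assumes an 11g DBA session with SELECT access on DBA_USERS, DBA_USERS_WITH_DEFPWD and V$PARAMETER.

```sql
-- Added audit script (not from the original post). Assumes a DBA session on
-- Oracle 11g with SELECT on DBA_USERS, DBA_USERS_WITH_DEFPWD and V$PARAMETER.

-- 1) Accounts still using their default password, open ones listed first so
--    the reviewer sees what must be locked or changed before anything else.
SELECT d.username,
       u.account_status,
       u.profile,
       u.created
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
ORDER  BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          d.username;

-- 2) Hardening parameters from the reply compared with their recommended
--    values. Any row with status REVIEW needs attention.
--    _TRACE_FILES_PUBLIC is a hidden parameter: it only appears in
--    V$PARAMETER once set explicitly, so a missing row means the default
--    (FALSE) is in effect.
WITH expected AS (
  SELECT 'remote_os_authent'           AS name, 'FALSE' AS wanted FROM dual UNION ALL
  SELECT 'o7_dictionary_accessibility' AS name, 'FALSE' AS wanted FROM dual UNION ALL
  SELECT 'remote_os_roles'             AS name, 'FALSE' AS wanted FROM dual UNION ALL
  SELECT 'audit_sys_operations'        AS name, 'TRUE'  AS wanted FROM dual UNION ALL
  SELECT '_trace_files_public'         AS name, 'FALSE' AS wanted FROM dual
)
SELECT e.name,
       e.wanted,
       NVL(p.value, '(not set)') AS actual,
       CASE
         WHEN p.value IS NULL AND e.name = '_trace_files_public' THEN 'OK (default)'
         WHEN UPPER(p.value) = e.wanted                          THEN 'OK'
         ELSE 'REVIEW'
       END AS status
FROM   expected e
       LEFT JOIN v$parameter p ON LOWER(p.name) = e.name
ORDER  BY status DESC, e.name;
```

Run both queries as a privileged user in SQL*Plus; the first needs the fix applied per account, the second per parameter (with a restart for the static ones).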
