Category: security
lock system, restrict dbsnmp
An unlocked user is a security problem. Currently, all my unlocked users have only CREATE SESSION as system privilege, possibly ALTER SESSION, except SYS, SYSTEM and DBSNMP. To minimize this security problem, I implemented the following strategy on my test system. 1) delete password file, set remote_login_passwordfile=NONE, O7_DICTIONARY_ACCESSIBILITY=FALSE 2) alter user SYSTEM account lock; 3a)… Continue reading lock system, restrict dbsnmp
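The lockdown above, followed by the check that makes it verifiable: every unlocked account that holds any system privilege beyond CREATE SESSION / ALTER SESSION, whether granted directly or through a chain of roles. This is an added example, not the script from the post; it assumes a SYSDBA session authenticated through the OS (since the password file is going away) and a 10g dictionary (CONNECT_BY_ROOT and NOCYCLE). The exception list SYS, SYSTEM, DBSNMP is the post's own.

```sql
-- Added example (not the post's own script). Run AS SYSDBA over an
-- OS-authenticated connection: once the password file is gone, that is
-- the only way left to get SYSDBA.

-- 1) no remote SYSDBA/SYSOPER logins, and SYS-owned objects stay out of
--    reach of the ANY privileges. Both parameters are static, so they go
--    to the spfile and need a restart; the orapw<SID> file itself is
--    deleted at OS level.
ALTER SYSTEM SET remote_login_passwordfile    = NONE  SCOPE = SPFILE;
ALTER SYSTEM SET o7_dictionary_accessibility  = FALSE SCOPE = SPFILE;

-- 2) SYSTEM is not needed for day-to-day work; lock it.
ALTER USER system ACCOUNT LOCK;

-- 3) audit: unlocked accounts holding more than CREATE/ALTER SESSION.
--    role_tree expands nested roles (role granted to role granted to user);
--    eff_privs merges direct grants with the grants of every reachable role.
WITH role_tree AS (
    SELECT CONNECT_BY_ROOT grantee AS grantee, granted_role
    FROM   dba_role_privs
    CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
eff_privs AS (
    SELECT grantee, privilege, grantee AS via
    FROM   dba_sys_privs
    UNION
    SELECT rt.grantee, sp.privilege, rt.granted_role
    FROM   role_tree rt
    JOIN   dba_sys_privs sp ON sp.grantee = rt.granted_role
)
SELECT u.username,
       u.account_status,
       ep.privilege,
       DECODE(ep.via, u.username, 'DIRECT', 'VIA ROLE ' || ep.via) AS granted_through
FROM   dba_users u
JOIN   eff_privs ep ON ep.grantee = u.username
WHERE  u.account_status NOT LIKE '%LOCKED%'
AND    u.username NOT IN ('SYS', 'SYSTEM', 'DBSNMP')
AND    ep.privilege NOT IN ('CREATE SESSION', 'ALTER SESSION')
ORDER  BY u.username, ep.privilege;
-- an empty result is the policy the post describes; anything listed is
-- either a candidate for REVOKE or an account to lock
```

The audit query is the part worth keeping around: run it after every application install, because vendor scripts routinely grant DBA or RESOURCE (with its UNLIMITED TABLESPACE) to the schemas they create, and a role granted to a role is easy to miss when you only look at DBA_SYS_PRIVS.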
RECOVERY_CATALOG_OWNER
I just tried today to limit the power of RMAN: REVOKE ALTER SESSION, CREATE DATABASE LINK FROM RECOVERY_CATALOG_OWNER; It seems I can still do a backup… probably those privileges are not needed by RMAN, maybe just inherited from CONNECT in an older release!?
encrypted listener password
There are a few major changes in database administration and database security between 9i and 10g. In 9i, I used to grep in the listener.ora to find out the password. LISTENER_LSC61 = (DESCRIPTION=(ADDRESS_LIST= (ADDRESS=(PROTOCOL=TCP)(HOST=dbsrv85a.ex.zkb.ch)(PORT=10061)(QUEUESIZE=200)) )) PASSWORDS_LISTENER_LSC61 = 1234567890ABCDEF This 64-bit encrypted string can be used in 9i to stop the listener $ lsnrctl LSNRCTL… Continue reading encrypted listener password
oracle voyage worm
I wrote a mini script to protect my customer from being attacked by an “oracle voyage worm” variant: revoke CREATE DATABASE LINK from CONNECT; revoke ALL on SYS.UTL_FILE from PUBLIC; revoke ALL on SYS.UTL_HTTP from PUBLIC; revoke ALL on SYS.UTL_SMTP from PUBLIC; revoke ALL on SYS.UTL_TCP from PUBLIC; grant EXECUTE on SYS.UTL_FILE to XDB;… Continue reading oracle voyage worm
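The revokes above break any PL/SQL that legitimately calls these packages (the post's grant back to XDB is one such case), so the safer order is: find the schemas whose code references the package, grant them EXECUTE explicitly, then revoke from PUBLIC. The block below does that for the post's four packages and verifies the result; it is an added example, not the post's script, and assumes SYSDBA and a 10g dictionary. Package list and the CONNECT revoke are taken from the post; everything else is illustration.

```sql
-- Added example (not the post's own script). Run AS SYSDBA.
DECLARE
    TYPE pkg_list IS TABLE OF VARCHAR2(30);
    l_pkgs pkg_list := pkg_list('UTL_FILE', 'UTL_HTTP', 'UTL_SMTP', 'UTL_TCP');
BEGIN
    FOR i IN 1 .. l_pkgs.COUNT LOOP
        -- Explicit EXECUTE for every schema whose stored code references the
        -- package. Done before the revoke, so the dependent objects do not
        -- end up INVALID. PUBLIC (the synonym) and SYS are skipped.
        FOR d IN (SELECT DISTINCT owner
                  FROM   dba_dependencies
                  WHERE  referenced_owner = 'SYS'
                  AND    referenced_name  = l_pkgs(i)
                  AND    owner NOT IN ('SYS', 'PUBLIC')) LOOP
            EXECUTE IMMEDIATE 'GRANT EXECUTE ON SYS.' || l_pkgs(i)
                           || ' TO "' || d.owner || '"';
        END LOOP;

        -- Revoke from PUBLIC only if a grant is actually there (avoids ORA-01927
        -- on a re-run).
        FOR p IN (SELECT 1
                  FROM   dba_tab_privs
                  WHERE  grantee = 'PUBLIC'
                  AND    owner = 'SYS'
                  AND    table_name = l_pkgs(i)
                  AND    ROWNUM = 1) LOOP
            EXECUTE IMMEDIATE 'REVOKE ALL ON SYS.' || l_pkgs(i) || ' FROM PUBLIC';
        END LOOP;
    END LOOP;

    -- CONNECT must not hand out CREATE DATABASE LINK to every application user.
    FOR r IN (SELECT 1
              FROM   role_sys_privs
              WHERE  role = 'CONNECT'
              AND    privilege = 'CREATE DATABASE LINK') LOOP
        EXECUTE IMMEDIATE 'REVOKE CREATE DATABASE LINK FROM CONNECT';
    END LOOP;
END;
/

-- Verification 1: no PUBLIC privilege left on the four packages (expect no rows).
SELECT table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner = 'SYS'
AND    table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_SMTP', 'UTL_TCP');

-- Verification 2: who can still execute them (should be the explicit
-- grantees, e.g. XDB, and nothing more).
SELECT grantee, table_name
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_SMTP', 'UTL_TCP')
ORDER  BY table_name, grantee;

-- Verification 3: nothing was invalidated by the revoke (expect no rows;
-- otherwise grant EXECUTE to that owner and recompile).
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, object_name;
```

DBA_DEPENDENCIES only knows about stored code; SQL issued directly by an application (or anonymous blocks) that calls UTL_HTTP will fail with ORA-00904 / PLS-00201 after the revoke, which is precisely the behaviour you want against a worm that builds its payload at runtime, but it means the application owner still needs an explicit grant if that usage is legitimate.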
FAILED_LOGIN_ATTEMPTS part 2
Ref: part 1. I reported this lack of documentation on http://forums.oracle.com/forums/thread.jspa?threadID=330359 Here is my test case (take care, it will create a new db!): SQL> startup force quiet nomount; ORACLE instance started. SQL> create database controlfile reuse extent management local default tablespace users default temporary tablespace temp undo tablespace undotbs1; Database created. SQL> @?/rdbms/admin/catalog… Continue reading FAILED_LOGIN_ATTEMPTS part 2
FAILED_LOGIN_ATTEMPTS default to 10 in 10gR2
I just noticed FAILED_LOGIN_ATTEMPTS now defaults to 10 in 10gR2. Not found in the doc. I will report it tomorrow in the documentation feedback on OTN.
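Whatever the undocumented default turns out to be, the practical consequence of the two FAILED_LOGIN_ATTEMPTS posts is: pin the value in the profile yourself, and have a way to see both the accounts that got locked and the failed logons that locked them. The script below is an added example, not from the posts; it assumes SYSDBA, audit_trail set to DB (a static parameter, so a restart after changing it) and the 10gR2 DEFAULT profile described above. The 30-minute lock time is an illustrative choice.

```sql
-- Added example (not the posts' own test case). Run AS SYSDBA.

-- Effective limit per profile. A user profile that shows 'DEFAULT' inherits
-- the value from the DEFAULT profile, which in 10gR2 resolves to 10.
SELECT profile, limit
FROM   dba_profiles
WHERE  resource_name = 'FAILED_LOGIN_ATTEMPTS'
ORDER  BY profile;

-- Make the limit explicit instead of relying on the release default, and
-- release the lock automatically after 30 minutes (1/48 of a day) so a
-- password-guessing run cannot turn into a permanent denial of service
-- against application accounts.
ALTER PROFILE default LIMIT
    failed_login_attempts 10
    password_lock_time    1/48;

-- Accounts currently locked out by failed attempts (as opposed to accounts
-- locked deliberately by ALTER USER ... ACCOUNT LOCK, which show 'LOCKED').
SELECT username, account_status, lock_date, profile
FROM   dba_users
WHERE  account_status LIKE 'LOCKED(TIMED)%'
ORDER  BY lock_date DESC;

-- Record failed logons (needs audit_trail = DB) ...
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- ... and summarise them: 1017 = invalid username/password,
-- 28000 = account locked. Five or more failures from one source in the
-- last 24 hours is worth a look.
SELECT username, os_username, userhost,
       COUNT(*)        AS failures,
       MIN(timestamp)  AS first_seen,
       MAX(timestamp)  AS last_seen
FROM   dba_audit_session
WHERE  returncode IN (1017, 28000)
AND    timestamp > SYSDATE - 1
GROUP  BY username, os_username, userhost
HAVING COUNT(*) >= 5
ORDER  BY failures DESC;
```

Note that the lockout counter is per database account, not per source: an attacker who knows the name of a shared application account can lock it out with a handful of wrong passwords, which is why the lock time is bounded above and why the audit query groups by userhost as well as username.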