Oracle normalmente no lo acostumbraremos a encontrar en Pymes sino más bien en empresas grandes. Ésto hace nos tengamos que poner las pilas en términos de seguridad, no aplicar una simple configuración sino realizar un buen y detallado estudio. Qué mejor que ayudarnos de un checklist para poder aplicar una buena configuración y que no se nos pase absolutamente nada. Es por ello que os adjunto uno en formato excel y que básicamente se divide en cuatro pestañas: Reforzamiento, Actualizaciones de Seguridad, Contraseñas por defecto y Puertos por defecto utilizados por Oracle
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Oracle normalmente no lo acostumbraremos a encontrar en Pymes sino más bien en empresas grandes. Ésto hace nos tengamos que poner las pilas en términos de seguridad, no aplicar una simple configuración sino realizar un buen y detallado estudio.
Qué mejor que ayudarnos de un checklist para poder aplicar una buena configuración y que no se nos pase absolutamente nada. Es por ello que os adjunto uno en formato excel y que básicamente se divide en cuatro pestañas: Reforzamiento, Actualizaciones de Seguridad, Contraseñas por defecto y Puertos por defecto utilizados por Oracle
index Name of precautionary measure
1.00.00 Host Operating System security Issues1.01.01 Oracle software permissions
1.01.02 Lock Oracle account1.01.03
1.01.04 Limit access to software owner account
1.01.05
1.01.06 secure or remove DBSNMP
1.02.02 set umask value to a secure value
1.02.03
1.02.04 Windows file permissions and type.
1.02.05
1.02.06
1.03.01 Audit membership of OSDBA and root group
1.03.02 Ensure Oracle is not in the root group1.03.03 Don’t use dba name for the OSDBA group
1.03.04
Do not name Oracle software owner account "oracle"
Use separate owner for listener from database software
Check owner and group for all files in $ORACLE_HOME
Location of temp directories TMP_DIR, TMPDIR and TEMP
Check windows groups used for ORACLE_HOME and ORACLE_BASE
Don’t use the name ORA_DBA for the OSDBA group on Microsoft.
1.04.01 Check trace file permissions1.04.02 Remove tkprof from production db
1.04.03 disable the otrace utility
1.04.04 Check permissions of the datafiles
1.04.05 Regulary audit Oracle log files
1.04.06 Check for sensitive temporary files1.04.07 Check for tertiary trace files1.04.08 Check for remote data access files (RDA)
1.04.09 Raw device permissions
1.05.01 Usernames/ passwords in process list
1.05.02 Restrict the ps command1.05.03 Restrict shell history files for usernames and
passwords
1.06.01 Secure network communications
1.06.02
1.06.03 Secure password transmission on the server1.06.04 Secure password transmission on the client1.06.05 JDBC thin minimum permissions
1.07.01 Permissions on Oracle SUID and SGID files1.07.02
1.08.01
1.08.02
1.08.03 Audit cron for usernames and passwords1.08.04
1.08.05 Remove db creation scripts
1.09.01 Use O/S auditing facilities
1.09.02
1.09.03 Integrity check O/S files used by Oracle1.09.04 host based IDS
set ORA_ENCRYPT_LOGIN to TRUEset DBLINK_ENCRYPT_LOGIN to TRUE
Remove SUID and SGID files in $ORACLE_HOME
Check environment variables for usernames and password
Audit the machine for scripts containing usernames and passwords
Audit client machines for configuration files containing usernames and passwords
Save log files to a separate server using Syslog or Windows event viewer
1.09.05 Review expected processes regularly
1.10.01 monitor and set control file permissions
1.11.01
1.11.02
1.11.03
1.12.01 Audit for export file existence
1.12.02 Changing database passwords after full import
1.13.01
1.13.02 Save archivelog files to disk
Check who is creating trace files and audit their presence
Audit trace files for attempts to read database internal structuresEnsure no user has ALTER SESSION and ALTER SYSTEM privileges
Locate archive log files and check no user except ORACLE can read them
Lock dormant database accounts and remove after time delay
Use obfuscated naming convention for users accounts
Change SID and service name for third-party applicationsCheck separate applications authentication systems
3.01.02
3.01.03 Audit Java access to the O/S
3.01.04 Be aware of how Java and Oracle interact3.01.05 Secure Con Text
3.01.06 Remove oo4o if not needed3.02.01 Remove PUBLIC select on ALL_USERS
3.02.02 Secure all ALL_% views3.03.01 secure or remove extproc
3.04.01
Check dbms_backup_restore package permissions
Understand Data Access Descriptor administration
3.05.01 Check access to catalog roles
3.05.02 Check access to dba role views
3.05.03 Password protect admin roles3.05.04 Check role hierarchy depth3.05.05 Adopt role naming conventions3.05.06 Create a role to manage users accounts3.06.01 Database in archivelog mode?
3.06.02 Check user_dump_dest is valid3.06.03 Check background_dump_dest is valid3.06.04 Check core_dump_dest is valid3.06.05 Check that global_names is true3.06.06 Check that log_archive_start is set to true3.06.07 Check max_enabled_roles less than 30
3.06.08
3.06.09 Check that os_roles is set to false3.06.10
3.06.11 Check that remote_os_authent is set to false
3.06.12 Check that remote_os_roles is set to false
3.06.13
3.06.14
3.06.15 Audit remote_listener
3.06.16
Check that os_authent_prefix is set to “” (null string).
Check that O7_dictionary_accessibility is set to false
Periodically confirm parameters in database are the same as the configuration file
Check IFILE and the contents of files pointed to by IFILE
Check that pfile and spfile can only be written to and read by the software owner.
3.06.17 Audit exempt access policy privilege
3.06.18 Check record locking parameters
3.06.19 Check for SQL92_security
3.07.01 Non sys objects in system tablespace
3.08.01 Check for users who have dba privilege
3.08.02
3.08.03 ANY privileges
3.08.04 “WITH ADMIN” or "WITH GRANT" privileges
3.08.05 Check for privileges granted “WITH GRANT”3.08.06 system privileges granted
3.08.07
3.08.08
3.08.09 “CREATE LIBRARY” privilege
users or roles granted ALL PRIVILEGES or too many privileges
Check for application objects owned by privileged usersCheck for direct access granted to tables and objects rather than through ROLES
3.08.10
3.08.11 Audit access privileges on objects3.08.12 Use Integrity constraints3.08.13 Use triggers to insert critical data3.08.14 Restrict users to one role at once3.08.15 “BECOME USER” privilege
3.08.16 CREATE ANY DIRECTORY privilege
3.08.17 CREATE ANY JOB privilege
3.09.01 Check for EXTERNAL users and also DBA
3.09.02 Check for external users who are dba3.09.03
3.09.04
3.09.05 Do not use remote host based authentication3.09.06
3.10.01 Revoke public execute privilege on utl_file
3.10.02 Revoke public execute privilege on utl_tcp
3.10.03 Revoke public execute privilege on utl_http
3.10.04 Revoke public privilege on utl_smtp
Use roles to access underlying database objects
Check for external users who have “ALL PRIVILEGES”Ensure external users have the least privileges possible
Check that no external users have SYSDBA or SYSOPER
3.10.05
3.10.06
3.10.07
3.10.08
3.10.09 Audit packages available via a database link3.10.10 Use invokers rights PL/SQL procedures3.10.11 Check DIRECTORY objects
3.10.12 Revoke execute privileges on sys.initjvmaux
3.10.13 Revoke public execute privilege on dbms_job
3.10.14
3.10.15 Revoke public execute privilege on owa_util
3.11.01
3.11.02 Access tables through packages or roles.3.12.01 Change system users default tablespace.3.12.02
3.13.01 Revoke the RESOURCE role from users
Audit public execute privileges on sys owned packages.
Revoke the public execute privilege on dbms_random.Revoke the public execute privilege on dbms_lob
Revoke any privileges on dbms_sql and dbms_sys_sql granted
Revoke public execute privilege on dbms_scheduler
Use ROLES instead of directly granted privileges where possible
Change users default and temporary tablespaces
3.13.02 Revoke the CONNECT role
3.13.03 Add passwords to administrative roles
3.13.04 Revoke all from PUBLIC that's not needed
3.14.01 Set password lifetime in profile to 603.14.02 Set password grace time to 33.14.03 Set password reuse max to 203.14.04 Set failed login attempts to 53.14.05 Set up profiles for database users
3.14.06 Set up general profile parameters3.15.01 Set _trace_files_public to false
3.15.02 Review initialisation parameters
3.15.03 Ensure system triggers fire3.16.01
3.17.01 Check each user has a tablespace quota
3.17.02
3.18.01
3.19.01 Check for triggers on others tables
3.20.01
3.20.02 Audit access to all dba and sys owned views3.20.03 Revoke SELECT ANY TABLE 3.21.01
Audit tablespaces for Rogue objects and whether autoextensible.
Establish different users for schema management and data managementSet up naming conventions for schema owners and administrators and users
Audit access to critical sys/dba owned tables and views with oracle passwords
Revoke object creation privileges from all but schema owners and DBA’s
3.21.02 Audit general users object access
3.22.01 Audit views to ensure correct access
3.23.01
3.24.01 07_DICTIONARY_ACCESSIBILITY =FALSE
3.25.01 Prevent the dba from reading application data3.26.01
3.27.01 Disable unneeded TCP ports.
3.28.01 Audit and secure statspack
4.00.00 Auditing4.01.01 Configure audit and storage.
4.02.01 Audit failures on critical objects
4.02.02 Use triggers to capture login events4.03.01 Audit create session
4.03.02 Audit use of all 4.03.03 Audit the use of all drop statements4.03.04 Audit the use of all alter statements
LOCK SYS and SYSTEM and create new DBA accounts
Audit integration and server to sever communications
4.03.05 Audit the use of create user4.03.06 Audit use of create role4.03.07 Audit all create statements4.03.08 Review audit logs
4.03.09 Use Log Miner to audit in the case of forensics
4.04.01 Configure basic audit4.04.02 Limit users who can change the audit
4.04.03 Protect,backup and purge the audit trail
4.04.04 Backup the audit trail4.04.05 Purge the audit trail4.04.06 Audit all SYS operations4.05.01 Check date / time stamps on database objects
4.06.01
4.07.01 Use triggers for row level auditing upto 8i
4.07.02 VPD, RLS and label security
4.08.01
4.09.01
4.10.01 Monitor Other Oracle generated log files
5.00.00 Networking
Ensure reports and alerts are in place to deal with irregularities found through audit
Be aware of possible failure to be alerted of suspicious activitiesBe aware of possible failure to audit the security profile.
5.01.01 listener Password and Admin restrictions
5.01.02 Prevent remote dba access on sql*net v15.01.03 Audit the listener.ora file5.01.04 Enable shared sockets
5.01.05
5.01.06 Change the standard listener ports 1521, 1526
5.01.07 Change the names of the SID and Listener
5.01.08
5.01.09
5.01.10 Secure listener.ora at the O/S level
5.01.11 listener logging enabled
5.02.01 Restrict sources of connections
5.02.02 Use connection manager to restrict by source
5.03.01 Set the listener password5.04.01 Restrict listener banner information5.05.01 Use a firewall to protect the Oracle server.5.06.01 Audit Oracle client file permissions5.06.02 Audit client configuration file contents
Use a firewall to protect the Oracle server
Do not use hostnames in listener.ora In small environments.
Use a personal firewall on database administrator computers
5.06.03 Audit the listener and sqlnet files on the server
5.07.01 database links
5.07.02
5.07.03 Create a policy to manage database links5.07.04 Database link user should not be a dba5.07.05
5.08.01
5.08.02
5.09.01
5.10.01 Secure remote dba access to the server5.10.02 Use an application gateway firewall5.11.01 Set server to dedicated in the tnsnames.ora file
5.11.02 Oracle ports scan
5.12.01 intelligent agent
5.12.02 Protect clear text passwords for SNMP5.13.01 encrypt data transfer
Discover what objects can be seen in the linked database
Audit what links exist into and from the databaseConfirm the file permissions in the network admin directoryAdd only minimum configuration files to all clientsKeep up to date with Oracle listener vulnerabilities and patch
6.01.01 Backup and recovery procedures
6.01.02 Document recovery procedures
6.01.03 Store backup media off site
6.01.04 Schedule cold backups6.01.05 Validate the backup media regularly6.01.06 Do not allow backups to be available on-line6.01.07 Create and use media retrieval procedures6.02.01 On line redo logs mirroring
6.03.01
6.03.02 -6.03.03 -6.04.01
6.04.02 Keep Oracle data files on separate disks6.04.03 Use OFA6.04.04
6.05.01
6.06.01
6.06.02
7.00.00 Application Development7.01.01 wrap PL/SQL code in the database
7.01.02 Checksum all PL/SQL objects in the database
Ensure the database is in archive log mode and protected
Separate the Oracle software from data and from on-line redo and archive
Use striping and mirroring or RAID for Oracle dataDestroy old disks that have contained database data.
Document and review disaster recovery proceduresInclude business users in disaster recovery planning
7.01.03
7.01.04
7.01.05
7.01.06
7.02.01 Secure accounts accessing through ODBC
7.02.02
7.02.03
7.03.01
7.04.01 Review procedures for adding new applications
7.05.01 Establish procedures for movers, -rs and joiners
7.06.01 Audit application file permissions7.07.01
7.08.01 ad-hoc queries against production database7.09.01 test and development databases
7.09.02
7.09.03
Audit PL/SQL code for hard coded usernames and passwords
Audit PL/SQL code for possible SQL injection attacks
Ensure as little information as possible about schema structure is available from the code in OraclePre-compile Java code before loading into the database
Implement procedures to limit which applications can access the database and from whereAudit software/admin tools accessing the database
When decommissioning old applications remove all binaries and files
Audit application development on production databases
Check for database links with access to production databases from development or test systemsEnsure “live” data held in test or development is mangled or obfuscated.
7.09.04
7.09.05
7.09.06 No developer access to production7.09.07
7.09.08
7.09.09
7.10.01
7.10.02
7.11.01 Resources used by the database
7.12.01
7.12.02
7.13.01
7.13.02 Ensure the schema owner is not a dba7.13.03 Lock schema owner accounts7.14.01 Audit public synonyms7.15.01
7.15.02 Consider not using Java7.15.03 Do not allow applications to change the schema
7.16.01 Batch processes
7.16.02
7.16.03
7.16.04
7.17.01 Product user profile in SQL*Plus
7.17.02 Audit query tool privileges
Do not locate test and development databases on the same server as productionEnsure there is no access from test and development to production
No developer database accounts should exist on production databaseBackups and exports copy passwords to test and development – ensure they are not the samePlace development and test on different network segment to productionnon application objects in application tablespaces
Ensure no privileged user owns application objects
Application authenticaion vs Oracle authentication
Do not use one database login to authenticate all usersDo not use schema owners for administration tasks
Hard coded usernames and passwords in applications
Do not use external accounts for batch processesConsider password retrieval and use in schedulersEnable batch database accounts only when needed
7.18.01 Encrypt critical data
7.19.01
7.19.02
7.20.01 Use change control7.21.01 Audit use of advance queues7.22.01 Audit client access and dev tools
7.23.01
7.24.01 Checksum application files for Trojans7.25.01
7.25.02 Configure HTTPS and secure the listener7.25.03 Add authentication for users7.25.04 Set HTTP passwords7.25.05 Configure product user profile for iSQL*Plus7.25.06 Restrict databases that can be accessed7.25.07 Disable iSQL*Plus on production servers
7.27.01 remove debugger privileges
7.28.01 Be careful to sanitise data for external use
Audit generated applications for known weaknessesAudit public libraries used for know vulnerabilities
Ensure no tool offers better access to the database than the application
Start the Oracle HTTP Server as a non privileged user
8.00.00 Apply latest patch and keep up to date with vulnerabilities
Credits: Thanks to David Litchfield and Pete Finnigan as well as all the SANS oracle security team led by Paul Wright.
The threat that it mitigates
attacker taking over the oracle account and using it maliciouslyattacker knowing the account name makes it quicker to attack that account
lack of identity trail i.e. who is it that is logging on as oracle
attacker gaining control of listener allows control of database
-
-
-
manually create a group that is not called ORA_DBA for the ORACLE group
attacker taking control of files that should be owned by Oracle accountCheck OS file permissions in $ORACLE_HOME/bin and $ORACLE_HOME and should all be owned by ORACLE and group membership checked and recorded.OTHER group was able to edit the binaries used to run oracle then a denial of service could be easily mounted. Also malicous binaries could be written over the actual b inaries.
DBSNMP can read user$ as it has the SELECT ANY DICTIONARY privilege . It has a default account/pass so common way into the database. DBSNMP is the user account that the Oracle Intelligent agent uses which has to be able to login remotely and automatically for the intelligent agent functionality to work.
means that files created by the ORACLE acount will have secure permissions by default.
This will prevent malicious access to the Oracle software on the server as long as the normal Windows hardening procedures are also taken.
Oracle installation requires a temp directory. Should not use /tmp as permissions are open. Therefore set TMP_DIR and TMPDIR variables to more secure locations which only ORACLE account should have permission to read, write and execute .
should not contain root account or other low privileged users as OSDBA maps to SYS AS SYSDBA which is the most powerful user/role combination in the Oracle database. OSDBA can shutdown the whole database. Also make sure ORACLE is not a member of the root group.
dba is the generic group name for the OS dba group and this should not be used as it known and would make attacking the OS easier.
-tkprof is used to read trace files and should be used off the production server
The datafiles (.dbf) hold the actual persistent data and need to be protected
--
-
otrace has known security issues and also performance issues as the .dat files it uses can grow to be very large.
In order to recognise suspicious activity in the database the dba should monitor all log files which are kept historically for a set period of time.
RDA files contain a lot of internal connection details and are uploaded to oracle support in an insecure manner. This input should be sanitised before sending to Oracle support.
Oracle raw devices should have minimum permissions so only Oracle can use them. In UNIX the usernames and passwords that scripts are being run under may show when running the ps -ef command. This is a well known issue as an attacker could simply read these credentials and then impersonate that user.
shell history recalls the previous commands but could also show an attacker a username password combination e.g sqlplus scott/tiger
--
--
--
TNS sends much information in the clear such as the version number of the database. SQL*PLUS username/password via Oracle Authentication is encrypted but it has been broken by NGS and our recommendation is to use SSH for client to server communications and IPSEC for permanent server/server connections. Oracle Advanced Security is a more expensive option to the above. This is a link that discusses the weaknesses of Oracles network authentication mechanism. http://www.fors.com/eoug97/papers/0356.htm
An attacker can force a second non-encrypted login which is defended by setting this parameter
jdbc thin drive transmits clear text error message including username and encrypted password and possibly used therefore set minimum privileges for users with thin client access.
older versions of oracle 8 have many SETUID and SGID binaries most of which can be removed either by permission or completely. Dbnsmp is SUID root and should either be removed or changed.The users environment may contain usernames and passwords to make scripts work easily
automated scripts have to work as a user which may be hardcoded into a script. Check cron jobs too.
The database configuration assistant can be used to create databases but also creates scripts with username /passwords that are insecure.
OS auditing can be useful for Oracle to see what the OSDBA, OSOPER groups and ORACLE user have been doing.
correlated log analysis is a growing requirement in large enterprises so that events can followed over many systems. This may be a hack or a system failure. This requires synchronised time.
attacker editing the control files which are needed for Oracle to work
-
-
-
a process list can show programs that are not meant to be running. One of these may be malicious
trace files can contain sensitive data such as the ability to read internal database structures and be dumped by anyone with ALTER SESSION privilege. Audit the presence of check files to make sure no unauthorised user is doing so and that no unauthorised user can read trace files created.
ALTER SYTEM allows the trace and dump directories to be changed and ALTER SESSION privilege allows the database structures to be dumped.
Attacker may either export the db's data including SYS.USER$ passwords or be able to read a legitimate export which could be imported into the attackers own database.
The redo logs are a record of the SQL commands needed to return the database to a previous state and may be archived preferably remotely in order to facilitate a backup recovery. This data is precious and should be protected.
External tables are a link to the OS which allow database user to modify OS file and OS user to modify database file if the permissions allow. Therefore the permission/privileges of these external tables should be checked at both ends. This is not as serious as the UTL_FILE but should be checked.
Native PLSQL compilation allows PLSQL to be compiled via a C compiler to native code. This is dangerous as access to this functionality would allow execution of other binary files and to wrap exisitng PLSQL packages with their own code.
Psservice allows a windows service to be shut down remotely. Therefore secure the ORACLE account
at the database level above the OS are users as well that should be monitored. Users such as SYS that are not meant to be logged in most times can be checked to see if they have a session open Third party application user management is often required. Sometimes however it can be managed by the database. Applications store their passwords in the database anyway so this link has to strong anyway. It is often possible to bypass application security by logging in directly as the application user.
strong memorable passwords are essential and the profile features of oracle can be used to control password lifetime, reuse, lock time and gracetime. Use of profiles is heavily recommended.Need to use the Password management features of Oracle to allow constant checking for compliancy.
users may use the same login and password for convenience or to hide their identity. This make saccountability impossible.
-
-
--
--
-- this
Oracle comes installed with many default accounts which are set with a default password. 10g release 1 and 2 are improving the security of these accounts by locking the default ones but they still come with default passwords. 8i and 9i have many default accounts that are unlocked with default known passwords and have high privileges assigned such as being able to read the password hashes from sys.user$. There are also many default accounts for third party applications that use Oracle. This list of default accounts includes users and roles.
default accounts may not have password management features enabled as the profile has to be changed and the profile assigned to the user/role. It is important that accounts be protected from an attacker attempting to brute force an account.
The SYS and SYSTEM password are default user accounts as well and are set with the default passwords such as manage and change_on_install. This should be included in a default password audit but may be overlooked so it is worth explicity checking these accounts due to their sensitivity.
This parameter is set to NONE prior to 8.1.7 and EXCLUSIVE after that. It should be checked that the value has not been changed.
It is possible for accounts such as ordsys to have tablespaces using SYSTEM which if allocated without a quota could be filled up by the account and DoS the machine.
- this
-
-
-
-
Oracle passwords are by default limited to 30 characters that can be used and the variety of each character is limited to alphanumerics a few special characters all upper case. Given this fact they are susceptible to being cracked.An example of this problem is shown in this paper by Josh Wrighthttp://www.sans.org/info/911/
With leaving staff and contract workers it is possible that there are accounts in the db that are not being used termed "dormant".There should be a process that can identify accounts that are not being used anymore so that they can be removed.
users such as SYS, INTERNAL and users granted SYSDBA/SYSOPER have their password recorded in $ORACLE_HOME/dbs/orapw<SID>
Separate applications often have their own authentication system which may provide a weak point of entry. It is worth querying the database tables for these passwords.
UTL_FILE_DIR is the location on the OS that UTL_FILE package points to from Oracle database. This should not be set to "*", the location of the trace directories, "/tmp", "/" or other locations where important scripts lie. The reason being that UTL_FILE could be used to open a script and then saved as empty which would render the script useless.
-
-
-
-
This package can copy, alter and delete files and so needs to be controlled tightly.
Java can be used to access the OS from Oracle so Java permissions should be checked and if not needed should be revoked completely.
Oracle Context allows a database user to access external files.The functionality is owned by CTXSYS which unfortunately also has PUBLIC execute on many of the packages and tables.
ALL_USERS is a view like DBA_USERS but intended for anyone to use which is why PUBLIC is granted select on it. This view does show the usernames and this information is part of the way in which the password algorithm works as the username is the salt used to encrypt the password. See the end of SECOPs book.
ExtProc enables external access to C libraries on the OS from the database and from the Listener remotely if enabled which it is by default. This is inherently insecure and additionally NGS has found buffer overflows in the fixes that were made to subsequently secure Extproc.http://www.ngssoftware.com/advisories/ora-extproc.txthttp://www.oracle.com/technology/deploy/security/pdf/plsextproc_alert.pdfhttp://www.oracle.com/technology/deploy/security/pdf/2003alert57.pdfPlease see the Shellcoders handbook page 406-10 for more detail of the buffer overflow.Also see Database Hackers Handbook page 89Also see security the Listener further on in this guide.
----
-----
--
Can be spoofed remotely so need to disable
-
Only DBA should have access to the catalog roles SELECT_CATALOG_ROLEEXECUTE_CATALOG_ROLE'DELETE_CATALOG_ROLE
Views pre-fixed by the lettes DBA are for the use of the DBA and should not be viewable by non DBA users. Unauthorised access should be revoked.
Preferably, in order to allow complete Point In Time recovery the database should be in ARCHIVELOG mode which means that the redo logs are kept so that the database can be reinstated to a previous state.It is also preferable that the ARCHIVELOGs are kept remotely so that if the local machine becomes unusable the logs are not affected.
In order to limit the Role inheritance heirarchy set max_enabled_roles to 25 or soIf os_authent_prefix is set to “” (null string) then a user can either logon externally or internally not both. External is insecure and should be seperated in this manner.
If true then can log in without oracle authentication. This can be hacked easily from a non windows machine as it relies on the way that the username is formed.
The init.ora file is a flat file which may not actually be loaded into the memory the database so it is worth checking the two. There is also the trick of adding parameters at a the very bottom of an extended init.ora file which may not show when a text editor is used.
IFILE parameter allows additional parameters to be contained in a separate init.ora pointed to by the first. Avoid use of this functionality where possible and check to see if it is being used or not. If so check the second parameter file to see what parameters are being set.
If the system is not using a remote listener then check to see if the remote_listener parameter is null.
SERIALIZABLE set to FALSE and ROW LOCKING set to ALWAYS
User must have SELECT to DELETE and UPDATE.
ANY privileges are to be avoided as it is not accurate to need.
-
-
exempt access policy privilege can be used to circumvent fine-grained security. Check for unauthorised granting of this privilege.
Check for non sys owned objects in the system tablespace that are not default Oracle objects.
this is most powerful role and should not be widely used so check for users and roles that have it.
A user could be granted ALL PRIVILEGES which is the opposite of least privilege and should be avoided.
“WITH ADMIN” or "WITH GRANT" privileges allow the grantee to pass on the privilege to any other user. This should be avoided and monitored.
system privileges tend to be more powerful and so should audited in case unauthorised users have them.
It is generally preferable to assign privileges to ROLES and ROLES to users rather than privileges to users. This is debatable though given the disadvantages of roles already highlighted so this item is not critical.
“CREATE LIBRARY” privilege can be used to access the OS and escalate privilege and so this privilege should be revoked if not completely needed.
-
----
--
-
--
“BECOME USER” privilege allows one user to act as another and should be closely monitored.
CREATE ANY DIRECTORY privilege allows a user to make a bridge between the DB and OS which is a potential security weakpoint and so this privilege should be monitored. There is no CREATE DIRECTORY so it is just CREATE ANY DIRECTORY.
CREATE ANY JOB privilege allows the grantee to run PLSQL jobs as another user and should be closely controlled.External users have already been addressed in the OS section but an extra check is to see which users have the password of 'EXTERNAL'.EXTERNAL users should have absolutely minimal privileges as it is possible to spoof their logins. No SYSDBA or SYSOPER users should be allowed to have EXTERNAL passwords.
UTL_FILE is used to bridge between the oracle database and the supporting OS and can be used to exploit the OS especially on Windows which has had problems limiting UTL_FILE to the $ORACLE_HOME.utl_tcp can be used to connect from an Oracle database over the network to another database and is a common way for a hacker to move from machine to machine. PUBLIC does not require these privileges.utl_tcp can be used to connect from an Oracle database over the network to another database and is a common way for a hacker to move from machine to machine. PUBLIC does not require these privileges.utl_tcp can be used to connect from an Oracle database over the network to another database and is a common way for a hacker to move from machine to machine. PUBLIC does not require these privileges.
-
--
---
SYS owned packages can be ran as SYS by any user with execute privileges unless INVOKER rights are specified which is not the default. PUBLIC as a role is a blunt instrument as it is too wide in most cases. Iit is difficult to maintain least privilege when the PUBLIC role is assigned privileges. This is especially the case when the privileges are to SYS owned objects which have the ability to run as SYS much like SUID in UNIX binaries.It is advised when developing internal packages that auth_id current_users is used instead of definers rights to make the risk of the package being used less critical.
DBMS_LOB can used to access files on the OS due to a bug in the way it handles relative paths. EXECUTE should be revoked from PUBLIC anyway but this is even better reason.These packages should not have PUBLIC EXECUTE privileges as they can be used to trick DBA into executing commands as invoker. This was more of a threat when security models pre 8i worked on definer rights only.
DIRECTORIES from an Oracle point of view are links to the OS and should be monitored as part of an audit. Directories tend to be left behind after they are used and no longer needed which is a medium security risk.
This package can be used to used to escalate privilege and so should not have privileges granted on it. By default it should have no privileges.dbms_job can be used to run scheduled jobs at a certain time which is useful for an attacker so that there scripts run unattended.Revoke execute privilegethe dbms_scheduler has had a number of attacks directed at it and should preferably not be used at all. For certain the default execute privileges that PUBLIC posesses on the package should be revoked.The OWA_UTIL PL/SQL application exposes a number of stored procedures, which may beaccessible anonymously via the web.It is better to organise privileges via ROLES than USERs directly as ROLES can be GRANTED and REVOKED en bulk
RESOURCE has more privileges than are required for instance UNLIMITED TABLESPACE which can cause a DoS.
----
-
CONNECT has more privileges than required to connect to the database. Revoke the connect role and replace with a stripped down version that has CREATE SESSIONSelect * from dba_sys_privs where grantee='CONNECT';
GRANTEE PRIVILEGE------------------------------ ----------------------CONNECT CREATE VIEWCONNECT CREATE TABLECONNECT ALTER SESSIONCONNECT CREATE CLUSTERCONNECT CREATE SESSIONCONNECT CREATE SYNONYMCONNECT CREATE SEQUENCECONNECT CREATE DATABASE LINK
In high security environments powerul roles such as DBA should be passworded. Please note that a passworded role granted to another role does not need a password anymore from the other role. Also password management features do not apply to roles so roles have weaknesses too.
PUBLIC role has privileges that can be accessed by any valid database account. As such all ROLEs and privileges not required should be revoked.
As well as pass management Profiles allow for session management which can help defend a session from attack. These profile parameters should be set up and different values set in different profiles for each security level of user.
Set _trace_files_public parameter when set to true can allow any user to read the trace files so explicitly set this to false.
-
-
-
--
Parameter value changes can be missed and have a large affect there fore they should be checked especially as some parameters are hidden.
An applications tablespace should not have objects owned by another user within it because if the object grows in size it may cause an denial of service on the application . Autoextensible tablespaces can also grow and deman too much disk space so this should be monitored.
In order to stop a user from taking up too much tablespace and possibly causing a DoD accidentally or maliciously a quota should be imposed that will limit the size of that users tablespace.
It is possible to steal data from another schema using a trigger. Triggers should be audited in order to find triggers in a schema owned by someone else.
user$, link$ and dba_users view allow access to the password hashes which in combination with the username makes decrypting the hash feasible.
object creation should be limited to the schema of the owner and to privileged accounts such as DBA. Object creation privileges such as create table should be revoked for non-DBA and non-schema owners.
due to privilege inheritance with ROLES it is easy for a user to be able to see objects they should not. The best way to test this thoroughly is to login as that user and see what can be seen.
VIEWs can by design be used to update the underlying table if update is granted on the VIEW. This should be monitored. On top of this is the fact that there has been a bug in Oracle where
--
-
---
This measure when combined with a less obviously named new DBA account will help to secure the database from unauthorised privileged access.
SELECT ANY TABLE privilege should be revoked but if a user does have it then the setting of 07_DICTIONARY_ACCESSIBILITY =FALSE would mean that they could not SELECT from the data dictionary which holds important metadata about the database including passwords.This can be used prevent DBA's reading critical data as well.
Ports 2100 and 8080 were added to 9iR2 as part of the XDB server and represent an additional attack surface which if not needed should be removed.PUBLIC has privileges on STATS$% tables and should be revoked and GRANTED back individually.
basic Oracle Auditing can either be to the OS or to the DB which is easier but the OS is more secure as the OS is harder for a DB user to delete and will less likely affect the running of the DB if the Audit logs get very large. SYS.AUD$ is the database table that takes the auditing logs which since it is on a SYSTEM tablespace and allowed to grow could DoS the whole database. Moving AUD$ away from SYSTEM tablespace is not supported by Oracle but can be done.The other major issue with auditing is the problem with performance as the more that is audited the more resources are taken away from the running of the server. It has often been the case that all auditing is switched off in order to aid performance. This is not recommended. Auditing of most important actions should be made as a minimum. These are all actions by SYS and actions on critical system tables such as SYS.USER$ by everyone.Please see Oracle Privacy Auditing by Arup Nanda for more detail on Auditing on Oracle.
The failure of any user to update a critical table is classic auditing priority and can be done easilly. The more users who are likely to be affected by this then the less it should be done due to performance hit.
Auditing create session would be used to catch the time that users logon and off. It would generate a lot of audit. The same principle follows for these audit actions:Audit grant,drop, alter,create user, create role,
---
-
-
----
-
-
-
The audit logs are easily readable via a view called dba_audit_trail.As someone is going to need to read and react to this audit this is another reason for selectively auditing the most important events in the DB. Aslong as redo logs are being archived off the databases state can always be inspected using Logminer http://www.giac.org/certified_professionals/practicals/gcfa/0159.php or reinstated.
Auditing is a sensitive subject especially when auditing privileged users.The auditing role should be limited to a small group and separate from the main DBA function so that they are independent.
If have to audit to sys.aud$ then can use auditing to protect the audit.Make sure the audit is backed up and purged so that the disk does not fill to cause DoS or lose audit logs.
can use triggers to provide row level auditing even though fine grained auditing is not present in 8i.FGA came in with 9i and allows auditing of what a user selected at the row level. This is implemented using dbms_fga.add_policy.Linked to FGA is Virtual Private Databases which allows segregation of data between users so that they are as if they were in seperate databases. VPD configuration is done using DBSM_RLS.Oracle Label Security use user labels to grant access at the row level.
The other logs apart from Basic Oracle Auditing are:Event Viewer,Syslog, Listener.log, access_log, error_log, sqlnet.log. These can be used to correlate information after an incident.
--
These default ports are well known and it is easy to change the port.
-
-----
The Oracle Listener is controlled by the LSNRCTL utility which previous to 10g allowed remote administration of the listener without authentication by default. This meant that anyone could shutdown the listener remotely. The Listener can be passworded which keeps remote administration but the password can be inputted as a hash that has been sniffed instead. This is assuming that the Listener password has been encrypted.The secure way to configure the listener is with Admin Restrictions ON which means that the Listener configuration changes have to be done locally by editing the Listener.ora file at the OS.
If Oracle is networking through a firewall then set it so that it can shared sockets.Oracle networks on 1521 by default at the server but as the connection is made MTS allocates a new server port for that connection. This will be blocked by most firewalls so one solution is to force MTS to allocate a known port after the initial exchange. An alternative to this is to use a Proxy firewall such as Checkpoint NG1 which keeps state of current connections and can therefore handle a change of port number.The Listener should not be connected to over the Internet.
Change the default SID name from ORCL and the default Listener name of Listener.IP addresses are safer and place less load on the DNS system but larger networks require hostnames so that traffic can travel between subnets and so that an IP related DoS can be averted.
If the listener.ora is the main point of Listener configuration then it should be secured appropriately using OS permissions.
Brute force attempts are not stopped by the Listener but it can log them if logging is enabled.valid node checking can be set so that only authorised source IP addresses can connect to the listener.
Connection manager can restrict connections based on origin, destination and SID and it can accept wildcards unlike valid node checking.
-
---
-
-
-
---
-
-
The networking files on the server should be audited to make sure that the permissions are adequate, the contents are correct and no nefarious copies of these files can be viewed by an unprivileged user.Please note that fat thumbed passwords may appear in the sqlnet.log from failed SQL*PLUS connections.
Database links are useful to make connections from one database to another. These links may contain clear text passwords and allow access to unsecured development databases. Links can be PUBLIC,PRIVATE or GLOBAL. PUBLIC can be used by any user and if this link is made using a fixed user the authentication details will be in the link. Database links between Production and Development should be avoided and all links should be audited so that least privilege is extended through the link to the target database.
Should run a regular port scan on the oracle server to see if additional services have been added or if Oracle ports not required are running.There are many default Oracle ports:1521, 1526 default listener which should be changed. Please check the appendices for a list of Oracle default port numbers.
The intelligent agent which functions like an Oracle version of SNMP called DBSNMP which uses the DBSNMP account with default password DBSNMP. It is possible to improve the security of this greatly above the default but it should not be used on an untrusted network.
SQL*PLUS encrypts passwords (which can be broken if attacker has the hash) but it does not encyrpt the data.If the client connections are made via web browser then SSL should be used which is part of OAS but can be implemented seperately from OAS.
----
remote archive logging is preferable
---
---
-
-
Availability is one of the most important components of a security plan. Having good backup and recovery procedures is part of maintaining availability and therefore is part of a security plan. This is especially the case when backups can be restored by an attacker. Why attack the server when you can easily gain the backups for the server. Once copied then they may be altered and if a recovery can be forced the attackers malware could get onto the server. Backups are a current research topic for researchers
Backup procedures should not only be secured and practised this should also be documented
In case of fire, bomb or flooding it is wise to have off site backup which must be secured.
The Oracle database cannot work normally without the redo logs and so these should be mirrored.
Data can be recovered from hard drives using forensics techniques both at the OS layer and DB layer.
Wrapping encodes the source code of a package in the database.This process is recommended especially if the source has proprietary code within it. A good reason for wrapping for example would be to hide the mathematical calculation that is used to gain a result which is passed back.
Checksumming all the objects in the database can be done using the packages within Oracle there is no need to do this externally unless there is a fear that the database has already been attacked.
-
-
-
-
-
-
-
-
-
Oracle 9i wrapped PLSQL has the ability to read strings by in the file. This can be a way to find usernames and passwords which should be checked for.
a common flaw with PLSQL packages both from Oracle and custom made is the susceptibility to SQL injection. See http://www.ngssoftware.com/papers/advanced_sql_injection.pdfIn essence the problem is code that forms dynamic SQL allowing SQL key symbols as input which instead of being parsed as string is parsed as SQL.
Java source code can be read from sys.obj$ table and can also be read using DBMS_LOB.ODBC will carry the privileges of the user over to Oracle and so these accounts should be checked too. Excel and Access can connect to Oracle via ODBC and will pick up all the PUBLIC privileges.
Tools such as Toad, PLSQL Developer, SQL Developer and DBA studio can be used to remotely access an Oracle database just like SQL*PLUS. These tools can allow an overview of database structure that is not needed for the developer.
Application developers often work on a production system before it is actually put into production so it is important to secure what they have left behind
separate the two and try to mirror closely the environment so that developers do not need access to the production server to test applications.
-
-
--
-
-
-
-
---
-
Batch processes should access the database through one specific account
-
-
The PUP can be used to control users access via SQL*PLUS
-
As described previously objects not owned the tablespaces schema owner can pose a risk if they grow and cause a DoS especially if the objects are owned by privileged users.
Resources can become overused especially with installation of third party applications therefore it is wise to check these resources after installation and running.Care should be taken when implementing and designing application authentication that it cannot be side stepped within Oracle.
Using a schema owner to access the databaes means that all objects within that schema become available as well as any higher privileges granted.
Avoid hardcoded usernames and passwords where possible certainly plaintext.
Since applications can be hacked through SQL injection, fuzzing and buffer overflows it is a good idea to give minimal privileges to the application. This would include not giving DDL privileges on the schema which would allow injected SQL to drop tables etc.
By enabling batch accounts at the time they run and disabling other accounts at that time activity can be monitored more easily.
-
-
--
-
--
-----
Sarbannes Oxley recommends the use of data encryption within the database which hinders an attacker and also stops DBA's from reading very sensitive data. This is recommended.
Audit saved passwords in the tools which may be encrypted weakly. Should be deleted. Also the accounts used via developer tools should have least privilege applied to them. It is good practise to checksum the developer tool binaries and compare these with known good hashes to make sure they have not been trojaned.
iSQL*Plus requires a working http server on the same machine as the database which is a security weakness. Disable iSQL*Plus on production servers.thre are a number of debuggers included with oracle such as dbms_debug, oradebug and via dbms_java. It would be preferable to remove these but not always possible so remove all privileges to them.They can be granted back when needed.
Data through employment adverts, RDA output to Support, Application server error pages etc should all be minimised as this is valuable reconaisance for a hacker. Especially using historcal records such as www.archive.org or googles cache.
version 3.1.1
Depending on both the components installed and the version of the database the latest CPU should be installed on test machines and then on the production machines unless it breaks current applications. The last two CPUs on 10 have applied more smoothly now that they are Java based. Please note that many vulnerabilities do not get patched for a long time so a member of the team should be tasked with monitoring websites that may have new Oracle security information of which there are many such as bugtraq and packetstorm.http://www.securityfocus.com/archive/1For example http://www.securityfocus.com/archive/1/432078http://ww.packetstormsecurity.nl/As well as the Oracle Security website.http://www.oracle.com/technology/deploy/security/alerts.htmPlus specialist Database security websites such as www.databasesecurity.comIt is not just Oracle vulnerabilities but also the supporting OS.
Description of how to do it
passwd -l <username> use a different OS account name for Oracle software owner
sudo to oracle
In UI select custom install and use different account for listener
bash-2.05$ umask 022
-
-
-groupadd <groupname>
controlpanel>admintools>compmanagement>groups
ls -alR > recursivels.txt$ORACLE_HOME/bin set to 0755and all other $ORACLE_HOME to 0750cat /etc/passwd
either drop DBSNMP DROP USER DBSNMP CASCADE; or run $ORACLE_HOME/rdbms/admincatnsnmp.sql/ change username/password is minimum. For high security should remove the DBSNMP binary from the $ORACLE_HOME/bin as this is SUID.Also change the DBSNMP password in snmp_rw.ora file
set file type to NTFSORACLE user account created to own the Oracle software should not be called "oracle"The user should be a local admin and not a domain user.This user should be made part of a group not called ORA_DBA.Remove everyone using inherited permissions.
cat /etc/group adduser <username> <groupname> Adds username to the group groupname
-delete tkprof binary from $ORACLE_HOME/bin
--
ls -al device/disk/volume
-
CD to the $ORACLE_HOME/otrace/admin directory of yourinstance and remove or delete the dat files related to otrace.process.datcollect.datregid.datOnce these are removed/deleted you should restart yourinstances and listener and otrace will be disabled.
The database file location is usually in the parent directory of the control files which can be found by select name,value from v$parameter where name='control_files';These permissions should be 600 if ORACLE is to run the db.
This process necessetates the archiving of log files and when space is an issue deleting logs of a certain age so that there is rotation. It is worth correlating with SYSOG and IDS logs using timestamp as the central unifier of these logs. Therefore strong synchronisation of timestamp is required. This should be done using GPS or CDMA to give an accurrate internal stratum 0 source not via untrusted NTP from external source.
A perl script could be used to parse the RDA files before sending to Oracle Support. This is a current research project at GIAC and more information will be available from this URL in the near future. http://www.giac.org/certified_professionals/listing/gsoc.phpThe local copy of the RDA files should be deleted after they have been sent.
hide.c available from oracle metalink support allows the username/password to be hid from the ps -ef command.Metalink notes 136480.1 and 1009091.6Should restrict use of the PS command using OS permissions.
restrict shell history by reducing the HISTSIZE environment variable to as low an amount as is appropriate for your environment for each user.
--REVOKE privilege from USER
chmod -s binaryname
--
--
Putty is a free and popular client that can be used for client connections. http://www.chiark.greenend.org.uk/~sgtatham/putty/Need to edit the tnsnames.ora file and port forward using putty# TNSNAMES.ORA,Network Configuration File:C:\oracle\ora90\network\admin\tnsnames.oraPLSQL =(DESCRIPTION = (ADDRESS-LIST = (ADDRESS = (PROTOCOL = TCP) (HOST = localhost) (PORT = 7774)))(CONNECT-DATA =(SERVER = DEDICATED)(SERVICE-NAME = plsql) ))
then:ssh -L 7774:venus:1521 venus
edit the text file init.ora to include the statement ORA_ENCRYPT_LOGIN=TRUE;DBLINK_ENCRYPT_LOGIN =TRUE
it is possible to read a users environment remotely so these should be audited and any that are not absolutely essential removed. Use the $env command or system>advaneed>environment variables.#!/bin/bash/find $ORACLE_HOME -name "*" -print | while read filenamedo echo "filename "$filename >>user.lis egrep -I 'connect|sqlplus' $filename >> user.lis2>/dev/null
audit the $ORACLE_HOME for this scripts and remove them and also remove the database configuration assistant or dbca which is in $ORACLE_HOME/bin.Tripwire can be used to monitor the state of the oracle files. Oracle basic auditing can be set to log to the OS instead of sys.aud$. This is recommended as the DBA cannot directly alter this auditing log.
save Oracle logs to syslog in a central remote loghost server. Syslogng is also worth looking at for this purpose.
-
-
-
lsof will list the processes on UNIX and can be compared to known list of good processes.to find OS Location select name from v$controlfile; .ctl files read/write by ORACLE only/bin/bash/ find $ORACLE_HOME -name "*.trc" -print | while read filename; do echo "FILENAME IS "$filename >> trc.lis; egrep -i 'Image' $filename >> trc.lis 2> /dev/null; doneaudit the presence of trace files:select name, value from v$parameter where name like '%dump_dest%';Then ls -al that directory to see who can read them. Also check for trace files outside of the usual destination using find $ORACLE_HOME -name "*.trc" -exec ls -al {} \; - print
select grantee, privilege from dba_sys_privs where privilege in ('ALTER SYSTEM', 'ALTER SESSSION');DBA ROLEs should be ignored as they need these privileges.
find $ORACLE_HOME -name "*" -print | while read filename do egrep -I 'EXPORT' $filename >>exp.lis 2> /dev/null done
select log_mode from v$database; select name, value from v$parameter where name like '%arch%';
SELECT * FROM v$session;
oracle label security can be used to as a solution to this problem.
alter profile default limit sessions_per_user 1;
example: SQL> select table_name, default_directory_name from dba_external_tables;TABLE_NAME DEFAULT_DIRECTORY_NAME------------------------------ ------------------------------SALES_TRANSACTIONS_EXT DATA_FILE_DIR
SQL> select * from all_directories where directory_name = 'DATA_FILE_DIR';
OWNER DIRECTORY_NAME------------------------------ ------------------------------DIRECTORY_PATH--------------------------------------------------------------------------------SYS DATA_FILE_DIR/u01/app/oracle/product/9.2.0/demo/schema/sales_history/ls -al /u01/app/oracle/product/9.2.0/demo/schema/sales_history/SQL> select grantee,privilege from dba_tab_privs where table_name='DATA_FILE_DIR';
v$parameters should be set to false or null.plsql_native_c_compilerplsql_native_library_dirplsql_native_library_subdir_countplsql_native_linkerplsql_native_make_file_name
psservice tool from sysinternals http://www.sysinternals.com/utilities/psservice.html
Run a password cracker on the checksums for the passwords from sys.user$ to see if they are strong. NGS SQuirreL for Oracle has one of the fastest.It is also common for some users to set the password to be the same as the user which is covered by SQuirreL
-
-
--
--
-- this
These default accounts need to be audited for which can be done using products such as NGS SQuirreL for oracle which has over a 1000 entries. There is a list of common default usernames in the appendices of this report. Default accounts that are not required should be dropped. Defaults accounts that may be required should be locked and password changed.ALTER USER ACCOUNT UNLOCK;WKSYS and DBSNMP are two of the most commonly used default accounts as they have strong privileges and are often overlooked.
ALTER USER defaultaccount PROFILE myprofile;The default profile is often used and should have password management features enabled using:ALTER PROFILE DEFAULTLIMIT FAILED_LOGIN_ATTEMPTS 5PASSWORD_LIFE_TIME 40PASSWORD_REUSE_MAX 10PASSWORD_REUSE__TIME UNLIMITEDPASSWORD_LOCK_TIME 1PASSWORD_GRACE_TIME 3;
Additional to running a password cracker or default password check it is recommended to explicity change the password to a new secure password so that it is known 100% that the password is secure using the advice in item named "Audit users accounts for weak passwords"
SELECT value FROM v$parameter where NAME='remote_login_passwordfile'; should return NONE or EXCLUSIVE. If not change the init_SID.oraselect username, default_tablespace, temporary_tablespace from dba_users; this will provide a list of tablespaces with SYSTEM. Change these with the following SQL.ALTER USER ORDSYS DEFAULT TABLESPACE tools TEMPORARY TABLESPACE temp;
- this
-
-
-
check the permissions on this file and change to -rw-r----- if necessary.
-
In order to set a secure password inoracle it is recommended to use a quoted password which allows for ctrl UNICODEcharacters to be used in each of the 30 places.ALTER USER PAUL IDENTIFIED BY "passwordincludingnumbersandctrlchars";"This makes the password very difficult indeed to crack."As well as making the pasword secure it is possible to set up alias' for the accounts so that users actual username is never known.
This is a hypothetical example given that hr_table contained a column of valid_users:(select name from sys.user$)minus(select valid_users from hr_table);The result would be invalid users.
select object_name object, object_type type, owner ownerfrom dba_objectswhere owner<>'SYS'and ((object_name like '%USER%'and object_name not like 'USER_%') or object_name like '%USR%'or object_name like '%PASSWD%'or object_name like '%PWD%'or object_name like '%PASS%')and object_type in('VIEW','TABLE')unionselect table_name object, column_name type, owner ownerfrom dba_tab_columnswhere owner<>'SYS'and (column_name like '%USER%'or column_name like '%USR%'or column_name like '%PASSWD%'or column_name like '%PWD%'or column_name like '%PASS%')/
select name, value from v$parameter where name = 'ult_file_dir';Also revoke access to UTL_FILE and only grant to those db accounts that require the OS access.
-
-
-
-
select privilege, grantee from dba_tab_privs where table_name='DBMS_BACKUP_RESTORE';revoke access as needed.select Count(1)from dba_objectswhere object_type Like '%JAVA%';--if this returns more than 3000 java is installed.
This query will show the privs given wiithin Java select grantee,type_name,name,kind,actionfrom dba_java_policywhere grantee not like 'JAVA%'and grantee<>'SYS'/Then revoke privs not need using dbms_java.revoke_permissionremove Java completely if not needed using $ORACLE_HOME/javavm/install/rmjvm.sql
if context is not being used then drop CTXSYS user DROP USER CTXSYS CASCADE;If it is being used then can just lock CTXSYSALTER USER CTXSYS ACCOUNT LOCK;Revoke all access to CTXSYS packages from PUBLIC.
revoke select on all_users from public;Will also need to test that the low privileged accounts that should not see the usernames cannot actually see them by logging in as them and testing. This is because the privilege hierarchy may inherit the ability to select from a different route.
To remove Extproc:-Remove the entries from the listener.ora file-Remove entries from any tnsnames.ora-Delete the extproc binary-Revoke create / alter (any) library privileges-Revoke create / alter procedure privilegesTo secure Extproc:-Create a separate user for the extproc listener-Remove extproc entries from listener.ora and tnsnames.ora- Create a new seperate listener for extproc-use valid node checking on the new extproc listener and restrict to IPC protocol only.
----
-----
--
-
select grantee,granted_rolefrom dba_role_privswhere granted_role in ('SELECT_CATALOG_ROLE','EXECUTE_CATALOG_ROLE','DELETE_CATALOG_ROLE');revoke as needed.
select grantee,privilege,table_namefrom dba_tab_privswhere table_name in ('DBA_ROLES','DBA_SYS_PRIVS','DBA_ROLE_PRIVS','ROLE_ROLE_PRIVS');
This query is for general parameter values.SELECT * FROM v$parameter ORDER BY name;This query is specifically for archivelog mode and whether it is switched on.select log_mode from v$database;
SELECT * FROM v$parameter where name ='max_enabled_roles';set in init.oraSELECT * FROM v$parameter where name ='os_authent_prefix';set in init.ora
SELECT value FROM v$parameter where name ='remote_os_authent';set in init.ora
SELECT value FROM v$parameter where name ='remote_os_roles';set in init.oraSELECT * FROM v$parameter ORDER BY name; and compare with the init<SID>.ora file
search the init.ora for an IFILE parameter and follow that up by inspecting any addional parameter file.
SELECT value FROM v$parameter where name ='remote_listener';set in init.ora
SELECT * FROM v$parameter where name ='serializable'; Not In 10g r2set in init.ora
SELECT * FROM v$parameter where name ='sql92_security';set in init.oraselect owner,segment_name,segment_typefrom dba_segmentswhere tablespace_name='SYSTEM'and owner<>'SYS';
select grantee from dba_role_privs where granted_role='DBA';Revoke from accounts that do not need itrevoke dba from accountname;Check for all privs:(select count(*) from system_privilege_map)intersect(select count(*) from dba_sys_privs group by grantee);Check for number of privs in case too many.select count(*) from system_privilege_map;select count(*),granteefrom dba_sys_privsgroup by grantee;
select grantee,privilegefrom dba_sys_privswhere privilege like '%ANY%';revoke where possible
select grantee,granted_rolefrom dba_role_privswhere admin_option='YES'unionselect grantee,privilege from dba_sys_privswhere admin_option='YES';Do the same query 'WITH GRANT';
select grantee,privilegefrom dba_sys_privswhere grantee not in ('SYSTEM','SYS','PUBLIC')and not exists (select 'A' from dba_roles where role=grantee)
These users have direct privileges.select distinct grantee, table_name, privilege from dba_tab_privs where grantee in((select grantee from dba_tab_privs)minus(select role from dba_roles));
This SQL will identify packages that are both owned by SYS and have EXECUTE granted to PUBLIC(select object_name from dba_objects where owner ='SYS' and object_type='PACKAGE')intersect(select table_name from dba_tab_privs where grantee='PUBLIC' and privilege='EXECUTE');
SELECT * FROM all_directories; andSELECT * FROM dba_directories;Un needed ones can droppedDROP DIRECTORY directory_name
select grantee, privilege from dba_tab_privs where table_name ='INITJVMAUX';
revoke execute on dbms_scheduler from public;
revoke execute on owa_util from public;
----
-set this paramete in the init<SID>.ora file
to identify those with CONNECT you can use this query.select grantee from dba_role_privs where granted_role='CONNECT';
CREATE ROLE dba_role IDENTIFIED BY "S0^Sorry"; or alter role dba identified by "S0^Sorry";See which roles are passworded.select *from dba_roleswhere password_required='NO';
This query will identify all ROLES and privs granted to PUBLIC.select 'SYSTEM','SYSTEM',privilegefrom dba_sys_privswhere grantee='PUBLIC'unionselect 'OBJECT',table_name,privilegefrom dba_tab_privswhere grantee='PUBLIC'unionselect 'COLUMN',table_name,privilegefrom dba_col_privswhere grantee='PUBLIC'unionselect 'ROLE','ROLE',granted_rolefrom dba_role_privswhere grantee='PUBLIC';
Parameters that can be set and will increase security are:CPU_PER_SESSIONPRIVATE_SGASESSIONS_PER_USERCONNECT_TIMEIDLE_TIME
-
-
-
--revoke create any table from user;
This SQL will list all parameters:select pin.ksppinm called, pcv.ksppstvl itsvaluefrom sys.x$ksppi pin, sys.x$ksppcv pcvwhere pin.inst_id=userenv('Instance')and pcv.inst_id=userenv('Instance')and pin.indx=pcv.indxand translate(pin.ksppinm,'_','^') like '^%';Alternatively an OS level checksum of the init<SID>.ora file would also verify more easily the state of the parameter file. Try to explicitly declare hidden parameters so that they are known. For example _system_trib_enabled set to FALSE will switch off all SYSTEM triggers which may be used for auditing actions on objects. This should be explicitly set and monitored.
This query will find the autoextensible tablespacesselect tablespace_name from dba_data_files where autoextensible='YES';
Check the users from this query and assign a quote where appropriate.(select name from sys.user$)minus(select username from dba_ts_quotas);
This query will find triggers not owned by the schema owner.select owner, trigger_name, table_owner, table_name from dba_triggers where owner<>table_owner and owner not in ('SYS','SYSTEM');
This query will select the users and roles that can select the hashes. (select grantee from dba_tab_privs where table_namein('USER$','DBA_USERS'))UNION(select grantee from dba_sys_privs where privilege in('SELECT ANYDICTIONARY','SELECT ANY TABLE'))UNION(select grantee from dba_role_privs where granted_rolein('DBA','OLAP_DBA','OLAP_USER','SELECT_CATALOG_ROLE'))ORDER BY GRANTEE; This query includes users who have SELECT ANY TABLE which is a privilege that should be revoked.
This query will return the privileges of a user.select 'SYSTEM', privilegefrom dba_sys_privswhere grantee='SCOTT'unionselect table_name,privilegefrom dba_tab_privswhere grantee='SCOTT'unionselect table_name,privilegefrom dba_col_privswhere grantee='SCOTT'unionselect 'ROLE', granted_rolefrom dba_role_privswhere grantee='SCOTT';
This SQL will identify VIEWs which allow base table to be edited.select grantee,table_name,privilegefrom dba_tab_privswhere exists (select 'x' from dba_views where view_name=table_name)and privilege<>'SELECT'unionselect grantee,table_name,privilegefrom dba_col_privswhere exists (select 'x' from dba_views where view_name=table_name)and privilege<>'SELECT'/
Also it is possible to bypass Oracle object security on underlying tables from a view as below(from David).SQL> connect / as sysdbaConnected.SQL> create table ttt (n number, text varchar2(20), constraint n_pk primarykey(n));Table created.SQL> insert into ttt (n,text) values (1,'abc');1 row created.SQL> grant select on ttt to scott;
SQL> connect scott/tigerConnected.SQL> create or replace view vvv as select a.n, a.text from sys.ttt a joinsys.ttt b on a.n = b.n;View created.SQL> select * from vvv; N TEXT---------- --------- 1 abc
07_DICTIONARY_ACCESSIBILITY =FALSE
--
-
---
alter user system account lock; or can also set the password to an impossible password using an impossible password like this:SQL> alter user sys identified by values 'no-decrypt';
User altered.
SQL> select password from dba_users where username = 'SYS'; PASSWORD ------------------------------no-decrypt
remove the line dispatcher=(PROTOCOL=TCP) (SERVICE=orat92XDB)
select * from dba_tab_privs where grantee ='PUBLIC' and table_name like 'STATS$%';revoke as necessary
It is recommended to log auditing to the OS. Select value from v$parameter where name = 'audit_trail';Set to OSPlease note on Windows OS trails are recorded to the Application Event Logs.It is recommended to audit at least all SYS actions.Select value from v$parameter where name = 'audit_sys_operations';Set to TRUE (this parameter is new in 9iR2)Plus to audit certain critical actions like selecting the password hashes. This is object auditing which would look like this:AUDIT SELECT ON SYS.USER$ BY ACCESSPlease note that compliance with data standards such as Sarbannes Oxley, HIPAA and GLB act require the ability to audit to Row Level sensitive data.
For example:audit update on sys.salaries whenever not successful;
Not difficult to do as just issue this command.AUDIT SESSION';
---
-
-
AUDIT ALL ON SYS.AUD$ BY ACCESS
----
-
-
-
select * from dba_audit_trail; This is a large view and there fore best read through a client like SQLDeveloper from Oracle or SQL Tools which is a free client. http://www.sqltools.net/
This query shows users with audit privileges.select grantee,privilegefrom dba_sys_privswhere privilege like '%AUDIT%';
dba_fga_audit_trail is the main view for seeing this row level audit and should be used.fine grained audit may be a requirement for compliancy sake so not negotiable but should only be needed for sensitive data.
The location of these logs should be known before and incident occurs and practise should be made at correlating these logs so that problems that may occur during an incident are solved beforehand.
--USE_SHARED_SOCKETS added to init.ora
Change the port using listener.ora file.
Edit the listener.ora file
use IP address in the listener.ora for smalll networks.
-
-----
Set a password on the Listener and set Admin Restrictions to ON. To encrypt the listener password change it through lsnrctl:lsnrctl>change_passwordpassword changedlsnrctl>save_config
Then restart the listener.
USE SSH TO THE OS TO ADMIN THE LISTENER.
Set the fixed MTS dispatchers in the init.ora file.http://www.cs.umbc.edu/help/oracle8/server.815/a67775/ch2x_mts.htm
chmod 600 listener.oraor using the NTFS file permissions.Also recommend taking a hash of the file so that it can be seen that is the same.
set:LOGGING_LISTENER=ONset protocol.ora in 8i and sqlnet.ora in 9i/10g:tcp.validnode_checking=YEStcp.invited_nodes =(10.1.1.161, etc)tcp.excluded_nodes=(10.1.1.160, etc)
needs configuring on each client in sqlnet.ora:USE_CMAN=TRUECan also use Oracle names or Oracel Internet Directory preferably OID.
-
---
-
-
-
---
-
-
Use Locate command on Linux, Find on Solaris or explorer search on Windows to find nefarious copies of listener.ora and sqlnet.ora.Check the permissions which should be 600 or similar.Secure the wallet directory for OID.
This will query the link$ table for stored passwords.select name,password from sys.link$;Do not set up links as the DBA user as this user can masquerade as any other and has too many privileges for a link.
Set DBLINK_ENCRYPT_LOGIN to TRUE.
Run a port scan using NMAP and vulnerability scan using Nessus or NGS SQuirreL for Oracle. The port number profile of that server should be recorded so that changes can be recognised. Remove needed services/ports.
OEM is very functional but its automation is built upon default account settings that are insecure and so for high security networks it is not recommended.Secure the snmp_ro.ora and snmp_rw.ora file as part of the IA audit.
If data sent is sensitive then the connection should be made over SSH. If the connection is permanent then setting up an IPSEC tunnel would be a more practicable solution. The best solution is the most expensive being Oracle Advanced Security.http://oracleheva1.oracle.com/docs/cd/B19306_01/network.102/b14268/asointro.htm
Test the off site backup procedures.
----
---
---
-
-
It is imperative to secure backup media and to practise using the backup processes so that a real recovery can be done efficiently in case of crisis.Remote Archive Logging is a key recommendation for good Oracle backup and recovery.Schedule both hot backups which take the data and Cold backups which will take all data and configuration for a complete rebuild. This will require some kind of failover secondary server if 24/7 is required.Rotate and renew backup media incase of worn tapes.
Document both the process of backup and recovery and the testing of these processes with sign off from security and senior admins so that it can be proven that this has been done. Need to have a process owner who is accountable in case of failure.
Mirroring simply involves making a copy of the redo log which can be done by Oracle Multiplexing or OS level mirroring. Put the mirrors on a different disk from the origina in case of disk failure. select log_mode from v$database;Ensure archive logs are written to backup and are purged and protected.
Use secure delete software to wipe the disks or magnetically wipe them. Then destroy them phsysically and if necessary distribute seperately. Physical reconstruction is possible though currently expensive.
use the following command at the OS.Wrap iname =infile oname=outfileWrapping the PLSQL is not a high security measure as it has been reverse engineered.Search for unwrapped code using the following.
select owner,name from dba_source where text like'%wrapped%';
select owner,name from dba_source where text not like'%wrapped%';
dbms_utility.get_hash_value can be used to get a hash value of a package.
-
precompile java and load using the loadjava utility.
-
-
-
-
-
-
-
-
run an automated grep like search on PLSQL packages to see the strings that are in them.
There are a number of cures for this http://www.ngssoftware.com/papers/DBMS_ASSERT.pdfPrepared statements are used in Java as well to stop this problem.The classic way to find these bugs is to insert a single quote into a text input field. This can be interpreted as a break in attempt so should only be done on internal applications with permisssion in writing.
lock down the privileges generally as previously described and test connecting to Oracle via MS Office applications.Applications that are allowed to access Oracle should be registered using DBMS_APPLICATION_INFO
Assign a specific account for applications like Toad so that it can be locked down in a way specifically to that application and its activitied monitored seperately.
Old application files should be removed and new ones should have the correct permissions assigned. Access to the database by development should be stopped before going to production and no more access granted unless requested and checked.Check for evidence of development work by comparing the timestamps on the view dba_objects. If the last_ddl_time is after development work should have stopped then there may have been unauthorised access.
developer privileges present in the development database should be tested to make sure they are not in production.Also check for db links between the two as described previouslyAlso make sure that test data in development is not real data but does closely model it.
-
-
--
-
-
-
-
---
-REVOKE DDL privileges that the Application account has been granted.
use the v_$resource_limit view to compare resource usage before and after. Compare this to the maximum resources available on that server and increase if necessary using ALTER SYSTEM.It is often a good idea where possible to use Oracles authentication system and secure it at the Oracle end. This also means that auditing and logging can be individual to the account being used rather than having all application users using the same Oracle account which the application manages.
Use a dedicated role that is assigned the required privileges and if possible lock the schema owners account.
encrypt usernames and passwords in the database and then log back in as that user so user is trackable.
product_user_profile view can be used to control users access. This is not available for ODBC
-
-
--
-
--
-----
revoke execute on dbms_debug from devaccount;
DBMS_OBFUSCATION_TOOLKIT is the main package internal to Oracle though there is also the new database vault functionality.
stop the http serveredit the oracle_apache.conf and comment out the line which includes isqlplus.conf by using a #
It is worth having an external blackbox pentest to see how much information can gained.
Use metalink to source the patchUse Opatch to apply the patch and then check the state of the applied package that should have been changed by using dbms_utility.get_hash_value.Please note that earlier versions of Opatch are quite unreliable and allow patch information to be accessed by any OS user.
Potential DBA Discussion criticality platform
1 ALL
time to lock and unlock when needed 1 ALL2 ALL
2 Unix
from fresh install no discussion needed on this point. 2 ALL
1
1 Unix
- 1 Unix
none needed 1 Win
none needed 1 Unix
- 1 Win
1 ALL
- 1 Unixnone needed 1 Unix
none needed 2 Win
no one should need write access to the files in the bin so there should not be discussion on this point. It is possible to run with tighter permissions though this should be tested and support from Oracle verified.
may be difficult after the fact as scripts may be hardcoded with this dataDBA do not want to use sudo so could disable remote login instead so have to su
DBA wants to use intelligent agent --> at least change the password for DBSNMP to a secure password. ALTER USER DBSNMP IDENTIFIED BY "SECURE PASSWORD"; See auditing weak passwords later.
If files may need to be read by those outside of the OSDBA group then could set 027 but depends on how many people are in the OSDBA group and how structured. If only two in OSDDBA/SYSDBA group then maybe 027 might be more time efficient but our recommendation is 022.
there may be additional discussion on who exactly will be a member of the OSDBA group which is a business decision. Need to have more than one person but not much more. Users that do not need complete power should access as SYSOPER for maintenance or as a low privileged Oracle db account directly. Least privilege is the key.
- 3 ALL3 ALL
none needed 2 ALL
1 ALL
3 ALL
- 2 ALL- 2 ALLnone needed 3 ALL
1 Unix
1 Unix
- 2 Unixnone needed 2 Unix
if absolutely needed could keep on production server but would need v.good reason such as no other place to read the trace files which had to be read there.
If a different user from ORACLE is used but in the same group then permisssions should be 660.
DBA may wish not correlate logs. The first time this is done takes along time but once a process is in place it can be automated. Time synchronisation will also be important for single sign on if and when implemented so it is a good idea to implement time syncrhonisation anyway.
if using veritas volume manager or similar then will have to use the tools supplied with that software.who gets permissions to ps is the question here. Root has it and ORACLE may need it as well as OSDBA and OSOPER. It should be limited below these users.
2 ALL
none needed 3 ALL
- 1 ALL- 1 ALLnone needed 1 ALL
3 Unixnone needed 3 Unix
3 ALL
2 ALL
- 2 Unix- 2 ALL
none needed 2 ALL
2 ALL
2 ALL
- 2 Unix- 3 ALL
DBA may say that this is a lot of work on each client. The option is Oracle Advanced Security which is expensive or to - as it is. An advanced attacker can sniff traffic and gain the plain text of the password if they have the hash of the password that is being used. It is a business and context decision as to whether the risk of malicious sniffing and unencryption warrants the extra work/cost of securing each client. A high security network should take this precaution.
discussion about what is essential. Can use scripts that prompt the user to input their password manually as compromise.
It may be the case that an automated script with a password is required then encrypt the password or at the very least limit the permissions so that it cannot be read by an unauthorised user.
none needed except that use of tripwire should be tested thoroughly before installation to make sure that it does not interfere with the smooth running of the server. If it does then manual checksumming of the oracle binaries can be carried out, recorded and then checked at agreed intervals.
May be too time consuming for the benefit but this is potentially very beneficial in all but a completely trusted network environment.
none needed 2 ALL
none needed 2 ALL
3 ALL
- 3 ALL
1 ALL
1 ALL
- 1 ALL
2 ALL
- 2 ALL
maybe DBA does not want to run a large find command on the machine while in production as may slow it down. Therefore can check the trace files manually and check for ALTER SESSION privileges.
should be no discussion on this but users may need to kill their own sessions therefore use kill command on UNIX or orakill.exe on windows to replace the ALTER SESSION capability
Running this find command on all files will slow down the machine whilst it is being done. This should be done whilst the machine is offline. Also change the passwords after a full export/import between machine environments e.g. production to development.
The archive logs can take up a lot of space so a remote dedicated storage is safer and easier to manager in terms of disk space. Access to these logs should be strictly controlled as they can allow the database to be reinstated on a separate machine especially if the database structure is known.
none needed 2 ALL
1 ALL
3 ALL
Where Windows is being used migrate towards 2003 OS 1 Win
none needed 3 ALL
3 ALL
1 ALL
none needed 2 ALL
Native PLSQL runs quicker so development team may require this functionality.Both requirements can be met by setting the parameters for the developer as the PLSQL needs compiling and then setting it back. This should be a rare occurance and therefore not take up too much itme.
check the security of the web application to the database. An audit can useful in these situations. What encrytion is used by the application. Is the database security stronger the application password security.
SQuirreL allows password auditing without actually viewing the passwords.
- 3 ALL
1 ALL
- 1 ALL
1 ALL
- 2 ALL- 2 ALL
1 ALL
- 1 ALL- 2 ALL
none needed 2 ALL
none needed 3 ALL
- 1 ALL- this 2 ALL
Default accounts is a pretty clear subject so should not be too much discussion. The main stumbling block is DBSNMP as this is used as the account that the Oracle intelligent uses to gather data remotely as part of Oracle Enterprise Manager (OEM) which is a GUI tool for managing many servers in an easy way.see the securing DBSNMP section.
The exact composition and settings of a profile are flexible to the policy and business need. As a minimum there should at least be a default profile with password management features enabled though the values would be negotiable. If there are many contexts then different profiles should be implemented to satisfy all groups needs.
There may be some resistance to changing the SYS and SYSTEM passwords to a known secure password but this should be ignored unless exceptionally good reason. Changing these passwords should be a matter of course as they will become more insecure over time . These passwords should be changed each month anyway. Changing them should not inconvenience the DBA and it will ensure they are secure and able to change.
2 ALL
- this 3 ALL
- 5 ALL
- 5 ALL
- 4 ALL2 ALL
none needed 3 ALL
- 4 ALL
3 ALL
3 ALL
auditing accounts for weak passwords can take along time so it is recommended to automate this process either using an SQL script locally or a remote testing application such as NGS SQuirreL for Oracle which is available as a free trial from http://www.ngssoftware.com/squirrelora.htm
This point clearly needs implementing the only question should be how which would be business process decision. It would be useful to allocate a business process owner so that could be responsible for removing leaving accounts and checking this has been done in Oracle.
no problem running the query but problem when passwords are found so have to prepare for this. It may be the case that the auditor should not view the passwords depending on privacy policy.If weak passwords are found this way then need to secure the tables that contain the passwords and talk the application provider.
none needed 3 ALL
2 ALL
- 2 ALLnone needed 3 ALL
- 2 ALLnone needed 3 ALL
- 4 ALL1 ALL
- 4 ALL
Business decision as to what Java permissions are required if Java is being used at all.
For DBA here is seperate Extproc listener if needed but try to avoid Extproc if possibly can.
Not aware of any good reasons not to do this. Disk space is a bad reason given the fall in disk prices.
none needed. 2 ALL
none needed. 2 ALL
2 ALL
1 ALL
1 ALL
The DBA role and SYS user will have this privilege. 1 ALL
1 ALL
The DBA role and SYS user will have this privilege. 2 ALL
- 2 ALL1 ALL
- 2 ALL
3 ALL
none needed should be enforced. 1 ALL
There will probably be SYSTEM and OUTLN objects which are default with Oracle but this check is looking for objects from other users which are out of place.
Compromise to taking away DBA role is to strip down the privileges of this role so it is not such a security risk.
create any directory does not have a non ANY version but most privs can be assigned more precisely so revoking ANY privileges should be enforced strongly. The DBA role and SYS user will have this privilege.
busines processs required to match the allocation of system privileges to the business requirement.
This is debatable given the disadvantages of roles already highlighted so this item is not critical.
- 3 ALL
- 2 ALL- 3 ALL- 3 ALL- 2 ALLnone needed. 2 ALL
The DBA role and SYS user will have this privilege. 2 ALL
The DBA role and SYS user will have this privilege. 2 ALL
none needed as previously addressed. 2 ALL
- 1 ALL- 1 ALL
- 2 ALL
- 2 ALL- 1 ALL
none needed - not negotiable 1 ALL
none needed - not negotiable 1 ALL
none needed - not negotiable 1 ALL
none needed - not negotiable 1 ALL
1 ALL
- 2 ALL
none needed - not negotiable 1 ALL
none needed - not negotiable 1 ALL
- 1 ALL- 2 ALLNeed to be able to verify which directories are actually needed. 2 ALL
none needed 2 ALL
none needed - not negotiable 2 ALL
none needed - not negotiable 1 ALL
2 ALL
2 ALL
- 4 ALL- 1 ALL- 2 ALL
1 ALL
Some packages need PUBLIC execute but many should not. Many recent PLSQL injection attacks are targetted at SYS owned definer rights PLSQL packages that PUBLIC has execute upon. Therefore execute should certainly be revoked on PUBLIC packages unless absolutely necessary. In either case the use of PUBLIC execute on SYS owned packages should certainly be audited, controlled and in the future deprecated.
This is will cause mod_plsql to stop working which will require execute being granted to the account used by the appserver to work again.ROLES granted to ROLES can cause an obfuscated hierarchy of privilges which can make it difficult to work out what privileges a user actually has so this item in the guide should be tempered with the proviso not to layer ROLES too deeply.
2 ALL
discretionary 2 ALL
2 ALL
- 3 ALL- 3 ALL- 2 ALL- 3 ALL
3 ALL
- 2 ALLnone needed 3 ALL
Thorough testing of the new ROLE to replace CONNECT would require time and testing.
This will take a long time and needs to be broken down into stages. The main amount of results will be the object privs form dba_tab_privs. Prioritise the others first and then prioritise SYS owned objects and objects that have known vulnerabilities.
agreeing how long a session can be left idle before it is disconnected is the main issue here and it depends on the power of the account and security context of the environment being used. DBA accounts should cut out more quickly and have less sessions per user normally.
none needed 3 ALL
- 1 ALLnone needed 3 ALL
none needed 3 ALL
- 3 ALL
- 5 ALL
none needed 2 ALL
1 ALL
- 1 ALL- 1 ALL
2 ALL
The permission of select any table is required by the DBSNMP account for the intelligent agent to work which may be a factor in keeping this privilege IF the Intelligent agent functionality is to be kept.
the schema owner will still be able to create tables in their own schema but not others. There needs to be a very good reason to not do this for all but high privileged users.
2 ALL
none needed 2 ALL
time intensive. If time pressured and not v.high security then better to approach from the direction of identifying the sensitive objects and seeing who has privileges on them rather than this method which looks at everything an individual can see and have to be repeated for each individual.
2 ALL
none needed 2 ALL
- 4 ALL- 2 ALL
none needed 2 ALL
none needed 2 ALL
1 ALL
2 ALL
- 2 ALL3 ALL
- 3 ALL- 3 ALL- 3 ALL
Note that SYS AS SYSDBA cannot be locked in this way so strenght in depth with the other measures needed especially OSDBA access from OS.
There can be much discussion on Auditing and the recommendations here represent the bare minimum that a server should have and should not represent a detriment to the performance of the server. Addtionally auditing can be added from here and is highly flexible and complex. Of major importance is the purging strategy as the more AUDIT the more logs and where to store them. Please see Oracle Privacy Auditing by Arup Nanda for more detail on Auditing on Oracle.
As long as the action being audited should not occur often and the action is critical then it is justified.
Will this affect performance. Best to test beforehand on dev server or at a time when contigencies have been put in place.
- 3 ALL- 3 ALL- 3 ALL
3 ALL
- 4 ALL
- 2 ALL1 ALL
OS is preferred as previously stated. 2 ALL
- 3 ALL- 4 ALL- 1 ALL- 3 ALL
- 3 ALL
3 ALL
3 ALL
- 2 ALL
- 2 ALL
1 ALL
Some audit has to be done and therefore some review of audit logs has to be done.The question is how much and how often which is a business decision sensitive to the security needs of that department.
should be unnegotiable. Please note that the newest functionality in Oracle database called database vault is specifically designed to withhold some control from senior DBA as this concept of everyone being accountable to policy is of current concern. http://www.oracle.com/technology/deploy/security/db_security/database-vault/index.html
1 ALL
- 4 ALL- 5 ALL
3 win
3 ALL
none needed. 2 ALL
none needed. 2 ALL
discretionary 3 ALL
- 2 ALL
none needed - not negotiable 1 ALL
none needed 2 ALL
discretionary 3 ALL
2 ALL
- 1 ALL- 3 ALL- 2 ALL- 4 ALL- 5 ALL
Minimum passworded Listener and very preferably should be Admin Restrictions ON which is now the default in 10g.Please see this document for more detail on securing the Oracle Listener. http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf It should be noted that some clustering software such as SUN Solaris v3.0 cannot restart the Listener automatically if it fails and is passworded. The new 3.1 version does.
Has a slight negative effect on performancy so only use when having to tunnel through a firewall.Can also use an Oracle aware firewall instead but Oracle Server must be protected from direct access by untrusted network such as the internet.
Architectural issue is complex and cannot presribe completely. OID seems to be preferred route.
Shoud not be much discussion needed. 2 ALL
Shoud not be much discussion needed. 1 ALL
- 2 ALL
- 1 ALL- 1 ALL- 1 ALL
- 2 ALL
- 2 ALL
- 2 ALL
- 1 ALL- 2 ALL- 1 ALL
none needed. 3 ALL
2 ALL
- 2 ALLnone needed. 2 ALL
- 3 ALL
depends on the security of the network environment.At least put in place the previous securing DBSNMP recommendations and preferably do not use at all. SQL*PLUS command line over SSH is preferred admin tool.
1 ALL
not negotiable. 1 ALL
Should not be negotiable. 2 ALL
- 3 ALL- 3 ALL- 2 ALL- 2 ALLnone needed 2 ALL
none needed 2 ALL
- 2 ALL- 3 ALL- 3 ALL
- 3 ALL- 5 ALL- 4 ALL
should not be needed. 2 ALL
- 4 ALL
- 4 ALL
2 ALL
This process can be automated so should not take long. 3 ALL
DBA's often appreciate this very well perhaps more fully than many security researchers in the past though the potential for attack via backups is now becoming more well known.http://www.dbaoncall.net/references/ref_backup_strategy.html
It is relatively easy to wrap the code. The question will be keeping the clear text version of the code and being able to keep a record of the state of the currently used version of the package which is where checksummng can be useful.
none needed 3 ALL
2 ALL
- 3 ALL
should not be needed. 3 ALL
none needed 2 ALL
- 2 ALL
none needed 3 ALL
- 4 ALL
- 4 ALL
- 2 ALL
- 3 ALLnone needed 3 ALL
- 3 ALL2 ALL
- 2 ALL
- 2 ALL
This process is difficult to do automatically and if there is a lot of code it may be worth seeking a specialised Code Review consultancy.
There may be teething stage for a new application that requires temporary privileges to the production server to be granted to development. A process should be in place to make sure that any temporary accounts are deleted after a set period of time.If real data does get in to the development db then the top priority is to make sure that the DB account usenames and passwords transferred are deleted and new ones created.
- 2 ALL
- 2 ALL
- 1 ALL- 2 ALL
- 2 ALL
- 2 ALL
2 ALL
- 2 ALL
should not be needed. 2 ALL
1 ALL
- 2 ALL
2 ALL
- 2 ALL- 2 ALL- 5 ALLCertainly no plaintext username and passwords. 2 ALL
- 2 ALLdiscussion should not be needed. 2 ALL
1 ALL
- 1 ALL
- 1 ALL
1 ALL
3 ALL
- 3 ALL
There is not always a choice in this depending on the third party application.
if not possible at least ensure that the schema owner has not been granted the DBA role.
The PUP can be bypassed so it should not be relied on heavilly. On the Oracle server SQL*PLUS security can be strengthened by making sure that no one other than ORACLE can access the sqlplus binary.
2 ALL
- 2 ALL
- 2 ALL
- 2 ALL- 2 ALL- 3 ALL
- 2 ALL
- 2 ALL- 1 ALL
- 3 ALL- 2 ALL- 2 ALL- 3 ALL- 2 ALLshould not be negotiable. 1 ALL
should not be negotiable. 1 ALL
2 ALL
It would normally agreed that there should be some data encyrpted and the DBA should certainly have the ability to encrypt data. How much data and how to encrypt data without the DBA's control over decryption is a business decission.
delist from google cache and archive.org and sanitise all data that is to be made external including to ORACLE support.
should not be negotiable. The problem is the time to do this.It is advisable to pay for an advanced scanner like NGS SQuirreL for Oracle which has the updates contained within it and automates the process of scanning for vulnerabilities through an enterprise.
version
ALL
ALLALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALLALL
ALL
ALLALL
ALL
ALL
ALL
ALLALLALL
ALL
ALL
ALLALL
ALL
ALL
ALLALLALL
ALLALL
ALL
ALL
ALLALL
ALL
ALL
ALL
ALLALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
>= 9i
>= 9i
ALL
ALL
ALL
ALL
>= 8
ALL
>= 8
ALL
ALL
ALL
>= 8iALLALL
ALLALL
ALL
ALL
ALLALL
ALL
ALL
ALL
ALL
>= 9iALL
ALL
ALL
ALL
ALL
ALL
>= 8
>= 8>= 8
>= 7ALL
ALL>= 8
9iAS
ALL
ALL
ALLALLALLALLALL
ALLALLALLALLALLALL
ALL
ALLALL
ALL
ALL
ALL
>= 9i
>= 9i
ALL
>= 9i
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALLALL
ALL
ALL
ALL
ALL
ALLALLALLALLALL
>=9i
>=10g
ALL
ALLALL
ALL
ALLALL
>= 8
>=8.1.7
>=8.1.7
>=8.1.7
ALL
ALL
>= 8i
ALL
ALLALL>= 8
ALL
ALL
>=10g
ALL
ALL
ALLALLALL
ALL
ALL
ALL
ALL
>= 8>= 8>= 8>= 8ALL
ALLALL
ALL
>=8iALL
ALL
ALL
ALL
ALL
ALL
ALLALLALL
ALL
ALL
ALL
ALL
ALLALL
>=9iR2
>= 8i
ALL
ALL
ALLALL
ALLALLALL
ALLALLALLALL
ALL
ALLALL
ALL
ALLALL>=9iR2ALL
ALL
ALL
>= 8
ALL
ALL
ALL
ALL
ALLALLALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALLALLALLALLALL
ALL
ALL
ALL
ALLALLALL
ALL
ALL
ALL
ALLALLALL
ALL
ALL
ALLALL
ALL
ALL
ALL
ALL
ALLALLALLALLALL
ALL
ALLALLALL
ALLALLALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALLALL
ALLALL
ALL
ALL
ALL
ALL
ALLALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALLALLALLALL
>= 8ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALL
ALLALLALL
ALL
ALL>= 9i
>= 9i>= 9i>= 9i>= 9i>= 9i>= 9i
ALL
ALL
Security Alert Number And Description MetaLink Note ID
Alert 68, Oracle Security Update 281188.1
Alert 67, Unauthorized Access Vulnerabilities in Oracle E-Business Suite 274356.1
Alert 66, Security Vulnerabilities in Oracle Application Server Web Cache 265308.1
Alert 65, Security Vulnerability in Oracle9i Application and Database Servers 258997.1
Alert 64, Security Vulnerabilities in Oracle9i Database Server 263508.1
Alert 63, Security Vulnerabilities in Oracle9i Lite 263509.1
Alert 62, SSL Update for CERT CA-2003-26 and older SSL issues 258996.1
Alert 61, SQL Injection Vulnerability in Oracle9i Application Server 253982.1
Alert 60, Unauthorized Access to Restricted Content in Oracle Files 252706.1
Alert 59, Buffer Overflow in Oracle Database Server Binaries 251910.1
Alert 58, Buffer Overflow in the XML Database of Oracle9i Database Server 246202.1
Alert 57, Buffer Overflows in EXTPROC of Oracle Database Server 244523.1
Alert 56, Buffer Overflow Vulnerability in Oracle E-Business Suite 244335.1
Alert 55, Unauthorized Disclosure of Information in Oracle E-Business Suite 244294.1
Alert 54, Buffer Overflow in Net Services for Oracle Database Server 237172.1
Alert 53, Report Review Agent Vulnerability in Oracle E-Business Suite 235262.1
Alert 52, Security Vulnerabilities in Oracle9i Application Server 229288.1
Alert 51, Buffer Overflow in ORACLE executable of Oracle9i Database Server 229287.1
Alert 50, Buffer Overflow in Oracle9i Database Server 229286.1
Alert 49, Buffer Overflow in Oracle9i Database Server 229285.1
Alert 48, Buffer Overflow in Oracle9i Database Server 229284.1
Alert 47, Security Vulnerabilities in Oracle9i Application Server 224215.1
Alert 46, Buffer Overflow in iSQL*Plus (Oracle9i Database Server) 216775.1
Alert 45, Security Release of Apache 1.3.27 214356.1
CENTRAL is an administrative account for Quest Central(?).
CIDS is an account for Cerberus Intrusion Detection System.
CIS is an account for dbengine
CIS is an account for dbengine
CISINFO is an account for dbengine
CISINFO is an account for dbengine
CLKANA is an account for Oracle Clickstream Intelligence.
CLKRT is an account for Oracle Clickstream Intelligence.
COMPANY is an account with DBA privileges
COMPIERE is an account for the application Compiere.
CQSCHEMAUSER is a schema account of a 3rd party product.
CQUSERDBUSER is a user account of a 3rd party product.
Oracle Applications
Oracle Applications
Oracle Applications
CSMIG is an account for Character Set Migrations.
BSC is a schema account from Oracle Applications. Default it has several CREATE privileges.
CALVIN is an account to demonstrate AOLServer. It should not exist in a production environment.
CCT is a schema account from Oracle Applications. Default it has several CREATE privileges.This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.
CE is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
CENTRA is an account that presumably manages Centra application software.
at interface from CIS between Internet and at interface from CIS between Internet and at interface from CIS between Internet and at interface from CIS between Internet and
This is a training account. It should not be available in a production environment.
CN is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR which allow to read
change and destroy all data in your database.
CRP is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
CS is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
CSC is a schema account from Oracle Applications. Default it has several CREATE privileges.CSD is a schema account from Oracle Applications. Default it has several CREATE privileges.
CSF is a schema account from Oracle Applications. Default it has several CREATE privileges.
CSP is a schema account from Oracle Applications. Default it has several CREATE privileges.CSR is a schema account from Oracle Applications. Default it has several CREATE privileges.CSS is a schema account from Oracle Applications. Default it has several CREATE privileges.CTXDEMO is a demonstration account of Oracle Context/Oracle Text.CTXSYS (Oracle Text/Intermedia Text/Context option) is an account with DBA privileges and therefor allows to read
change and destroy all data in your database.
CTXSYS (Oracle Text/Intermedia Text/Context option) is an account with DBA privileges and therefor allows to read
change and destroy all data in your database.
Oracle Applications
CA Harvest
ICDBOWN is the owner of BEA eLink Business Process Engine.
Oracle Applications
IFSSYS is an account belonging to Oracle Internet File System.
IMAGEUSER is an account of an unknown 3rd party product.
Oracle Applications
IMEDIA is the schema account of the Intermedia option.
Oracle Applications
CTXSYS (Oracle Text/Intermedia Text/Context option) is an account with DBA privileges and therefor allows to read
change and destroy all data in your database.
CTXSYS (Oracle Text/Intermedia Text/Context option) is an account with DBA privileges and therefor allows to read
change and destroy all data in your database.
CUA is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
CUE is a schema account from Oracle Applications. Default it has several CREATE privileges.CUF is a schema account from Oracle Applications. Default it has several CREATE privileges.
CUI is a schema account from Oracle Applications. Default it has several CREATE privileges.CUN is a schema account from Oracle Applications. Default it has several CREATE privileges.CUP is a schema account from Oracle Applications. Default it has several CREATE privileges.CUS is a schema account from Oracle Applications. Default it has several CREATE privileges.CZ is a schema account from Oracle Applications. Default it has several CREATE privileges.
This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.HRI is a schema account from Oracle Applications. Default it has several CREATE privileges.
HXC is a schema account from Oracle Applications. Default it has several CREATE privileges.HXT is a schema account from Oracle Applications. Default it has several CREATE privileges.IBA is a schema account from Oracle Applications. Default it has several CREATE privileges.IBE is a schema account from Oracle Applications. Default it has several CREATE privileges.IBP is a schema account from Oracle Applications. Default it has several CREATE privileges.IBU is a schema account from Oracle Applications. Default it has several CREATE privileges.IBY is a schema account from Oracle Applications. Default it has several CREATE privileges.
ICX is a schema account from Oracle Applications. Default it has several CREATE privileges.
IEB is a schema account from Oracle Applications. Default it has several CREATE privileges.
IEM is a schema account from Oracle Applications. Default it has several CREATE privileges.IEO is a schema account from Oracle Applications. Default it has several CREATE privileges.IES is a schema account from Oracle Applications. Default it has several CREATE privileges.IEU is a schema account from Oracle Applications. Default it has several CREATE privileges.IEX is a schema account from Oracle Applications. Default it has several CREATE privileges.
IGC is a schema account from Oracle Applications. Default it has several CREATE privileges.IGF is a schema account from Oracle Applications. Default it has several CREATE privileges.IGI is a schema account from Oracle Applications. Default it has several CREATE privileges.IGS is a schema account from Oracle Applications. Default it has several CREATE privileges.IGW is a schema account from Oracle Applications. Default it has several CREATE privileges.
Book
Oracle Applications
Oracle Applications
9iR2 documenation
KWALKER is a schema owner of Workflow Iasdb
10g
10g
INV is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
IPA is a schema account from Oracle Applications. Default it has several CREATE privileges.IPD is a schema account from Oracle Applications. Default it has several CREATE privileges.IPLANET is an account belonging to iPlanet (now called Java Enterprise System).ISC is a schema account from Oracle Applications. Default it has several CREATE privileges.ITG is a schema account from Oracle Applications. Default it has several CREATE privileges.JA is a schema account from Oracle Applications. Default it has several CREATE privileges.JAKE is an account to demonstrate AOLServer. It should not exist in a production environment.JE is a schema account from Oracle Applications. Default it has several CREATE privileges.JG is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
JILL is an account to demonstrate AOLServer. It should not exist in a production environment.JL is a schema account from Oracle Applications. Default it has several CREATE privileges.JMUSER is the schema account of the General Ledger module of the Oracle E-Business suite.
This is a training account. It should not be available in a production environment.JTF is a schema account from Oracle Applications. Default it has several CREATE privileges.
LBACSYS is an management account of Oracle Label Security. It allows to change security settings for Oracle Label Security.LIBRARIAN is an account that possibly belongs to ACD/Web Librarian
software targeted at chemists and MARK is an account to demonstrate AOLServer. It should not exist
in a production environment.
MDDEMO_CLERK is a user account belonging to Oracle Metadata API.
MDDEMO_MGR is an administration account for to Oracle Metadata API.The account MDSYS (Oracle Spatial administrator) has DBA-like privileges
which allow to read
change and destroy all data in your database.
ME is a schema account from Oracle Applications. Default it has several CREATE privileges.MFG is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
MTSSYS is an account for Microsoft Transaction Server support.
9iR2 documenation
9iR2 documenation
9iR2 documenation
9iR2 documenation
OAIHUB902 is an account of Oracle 9iAS InterConnect (OAI).
ODS is the schema of Oracle Internet Directory metadata.
ODSCOMMON is a user with acces to Oracle Internet Directory.
Oracle Applications
Oracle Applications
Oracle Applications
MRP is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
MSC is a schema account from Oracle Applications. Default it has several CREATE privileges.MSD is a schema account from Oracle Applications. Default it has several CREATE privileges.MSO is a schema account from Oracle Applications. Default it has several CREATE privileges.MSR is a schema account from Oracle Applications. Default it has several CREATE privileges.
MWA is a schema account from Oracle Applications. Default it has several CREATE privileges.
NNEUL is an account of Computer and Information Services from the University of Missouri-Rolla.
OAS_PUBLIC is the schema account of older versions of Oracle Webserver.
OCM_DB_ADMIN is an administrative account of Oracle9iAS Certificate Manager (OCM).OCM_DB_ADMIN is an administrative account of Oracle9iAS Certificate Manager (OCM).
ODS_SERVER is an administrative account for of Oracle Internet Directory metadata.
This is a training account. It should not be available in a production environment.
OE is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
OEM_REPOSITORY is the schema owner of Oracle Enterprise Managers Repository.
OKC is a schema account from Oracle Applications. Default it has several CREATE privileges.OKE is a schema account from Oracle Applications. Default it has several CREATE privileges.
OKR is a schema account from Oracle Applications. Default it has several CREATE privileges.OKS is a schema account from Oracle Applications. Default it has several CREATE privileges.OKX is a schema account from Oracle Applications. Default it has several CREATE privileges.OLAPDBA is an administrative account for the OLAP Services option.OLAPSVR is an administrative account for the OLAP Services option.OLAPSVR is an administrative account for the OLAP Services option.OLAPSYS is an administrative account for the OLAP Services option.OLAPSYS is an administrative account for the OLAP Services option.
OR Solutions
User used to execute default password check scripts
ORASSO is the schema of Oracle9iAS Single Sign-On.
n/a
DBVISION is an administrative account of Platinum DBVision.
This is a SAP application user ID.
DEMO8 is some kind of demonstration account.
DEMO9 is some kind of demonstration account.
DES is a common name for a Oracle Designer account.
DES2K is an account of Oracle Designer 2000.
10g
10g
DSGATEWAY is an account for Oracle Syndication Server.
DSGATEWAY is an account for Oracle Syndication Server.
DSSYS is an account for Oracle Dynamic Services/Web Services.
ONT is a schema account from Oracle Applications. Default it has several CREATE privileges.
OPI is a schema account from Oracle Applications. Default it has several CREATE privileges.
ORADBA is a DBA account of Computer and Information Services from the University of Missouri-Rolla.
ORASSO_DS is an account belonging to Oracle9iAS Single Sign-On.ORASSO_PA is an account belonging to Oracle9iAS Single Sign-On.ORASSO_PS is an account belonging to Oracle9iAS Single Sign-On.ORASSO_PUBLIC is a public account for Oracle9iAS Single Sign-On.
DBSNMP is an account for the Oracle Intelligent Agent. Under certain circumstances it allows to read passwords from memory.
DCM is an administrative account of Oracle 9iAS Distributed Configuration Manager.
DEMO is a commonly used name for demonstration accounts. This should not exist in a production environment.
DEV2000_DEMOS is a demonstration account for Oracle Developer.DIANE is an account to demonstrate AOLServer. It should not exist in a production environment.
DISCOVERER5 is an administrative account of Oracle9iAS Discoverer.
DPF is an account of Computer and Information Services from the University of Missouri-Rolla.
EAA is a schema account from Oracle Applications. Default it has several CREATE privileges.EAM is a schema account from Oracle Applications. Default it has several CREATE privileges.
EC is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
ESTOREUSER is an administration account for WebSphere.
EVENT is an administration account for Oracle Discoverer.
9ir2
9ir2
FINANCE is a schema account for Oracle Financials.
OraSecurityChk.exe
FND is an account for Oracle Applications
9ir2
GPFD is an account of an unknown 3rd party product
GPFD is an account of an unknown 3rd party product
GPFD is an account of an unknown 3rd party product
ABM is an account from Oracle Applications. It has CREATE DATABASE LINK privileges.
ECX is a schema account from Oracle Applications. Default it has several CREATE privileges.
EMP is an training account (I think). It should not be on production environments.ENG is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
ENI is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
EMV is a schema account from Oracle Applications. Default it has several CREATE privileges.
FA is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
FEM is a schema account from Oracle Applications. Default it has several CREATE privileges.FII is a schema account from Oracle Applications. Default it has several CREATE privileges.
FLM is a schema account from Oracle Applications. Default it has several CREATE privileges.
the Financials (?) package.
FPT is a schema account from Oracle Applications. Default it has several CREATE privileges.FRM is a schema account from Oracle Applications. Default it has several CREATE privileges.FROSTY seems to be some kind of test account from a guide to install Oracle on RedHat. This account should not be on production.FTE is a schema account from Oracle Applications. Default it has several CREATE privileges.FV is a schema account from Oracle Applications. Default it has several CREATE privileges.GL is the schema account of the General Ledger module of the Oracle E-Business suite.GMA is a schema account from Oracle Applications. Default it has several CREATE privileges.GMD is a schema account from Oracle Applications. Default it has several CREATE privileges.GME is a schema account from Oracle Applications. Default it has several CREATE privileges.GMF is a schema account from Oracle Applications. Default it has several CREATE privileges.GMI is a schema account from Oracle Applications. Default it has several CREATE privileges.GML is a schema account from Oracle Applications. Default it has several CREATE privileges.GMP is a schema account from Oracle Applications. Default it has several CREATE privileges.GMS is a schema account from Oracle Applications. Default it has several CREATE privileges.
GR is a schema account from Oracle Applications. Default it has several CREATE privileges.
HLW seems to be part of a 9iAS demo. It should not be on a production environment then.
amongst others
This is a training account. It should not be available in a production environment.This is an account to demonstrate using LOBs in VBA code. It should not be installed in a production environment.
ADMIN is an administration account of Apache Jetspeed.
Oracle Applications
Oracle Applications
ALHRO is an unknown account.
ALHRW is an unknown account.
Oracle Applications
Set by values
AP is an account for Oracle Applications
AQ is an account to manage Oracle Advanced Queuing
AQDEMO is an account to demonstrate Oracle Advanced Queuing
AQJAVA is an account of Oracle Advanced Queuing
AQ is an account to use Oracle Advanced Queuing
Oracle Applications
9iR2 default account
ADMIN is a generally used accountname to administer a product (like Apache Jetspeed).ADMINISTRATOR is a commonly used name for management accounts for applications.ADMINISTRATOR is a commonly used name for management accounts for applications.
AK is a schema account from Oracle Applications. Default it has many ANY privileges
amongst which ALTER ANY PROCEDUR
AMS is a schema account from Oracle Applications. Default it has several CREATE privileges.AMV is a schema account from Oracle Applications. Default it has several CREATE privileges.This is a training account. It should not be available in a production environment.Usually it is not a good idea to have anonymous access to a database.
specifically Account Payable.
APPLSYS is an administration account for Oracle Applications. It controls the Concurrent Manager.
APPLSYS is an administration account for Oracle Applications. It controls the Concurrent Manager.
APPLYSYSPUB is an account for Oracle Applications. It has UNLIMITED TABLESPACE.APPLYSYSPUB is an account for Oracle Applications. It has UNLIMITED TABLESPACE.
APPS is an often used name for management or schema accounts for applications. In Oracle Applications it is a schema owner and has DBA-like privileges.APPS_MRC is a schema account from Oracle Applications. It has DBA-like privileges.APPUSER is an often used name for an application account for users.
a messaging system. a messaging system. a messaging system. a messaging system.AR is a schema account from Oracle Applications. Default it has
several ANY privs amongst which ALTER ANY PROCEDUR
ASF is a schema account from Oracle Applications. Default it has several CREATE privileges.ASG is a schema account from Oracle Applications. Default it has several CREATE privileges.ASL is a schema account from Oracle Applications. Default it has several CREATE privileges.ASO is a schema account from Oracle Applications. Default it has several CREATE privileges.
AST is a schema account from Oracle Applications. Default it has several CREATE privileges.
AUDIOUSER is the account to manage the Intermedia Audio option.AURORA$JIS$UTILITY$ is an internal account of Jserver. In 8i changing the password will prevent ORB from working.AURORA$JIS$UTILITY$ is an internal account of Jserver. In 8i changing the password will prevent ORB from working.AURORA$ORB$UNAUTHENTICATED is an internal account of Jserver. In 8i changing the password will prevent ORB from working.
Oracle Applications
BLEWIS is a schema owner of Workflow Iasdb
9iR2 documenation
TRACESVR is required for Oracle trace (otrace) you might want to lock it.
AX is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
AZ is a schema account from Oracle Applications. Default it has several CREATE privileges.BC4J is the account to manage the Bussiness Components for Java.BEN is a schema account from Oracle Applications. Default it has several CREATE privileges.BIC is a schema account from Oracle Applications. Default it has several CREATE privileges.BIL is a schema account from Oracle Applications. Default it has several CREATE privileges.BIM is a schema account from Oracle Applications. Default it has several CREATE privileges.BIS is a schema account from Oracle Applications. Default it has several CREATE privileges.
BIX is a schema account from Oracle Applications. Default it has several CREATE privileges.This is a training account. It should not be available in a production environment.
BOM is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
SYSMAN is the management account for Oracle Enterprise Mananger. It is used as access to all databases that are managed by it. It might be possible to access a data in your databases.SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
which is generally not used in many
UDDISYS is an administrative account of Oracle9iAS Web Services.
-
9iR2 documentation
WIRELESS is an administrative account of Oracle 9iAS Wireless
WFADMIN is an administrative account of Oracle9iAS WorkFlow.
10g
WKSYS is an administrative account of Oracle9iAS Ultrasearch.
WKSYS is an administrative account of Oracle9iAS Ultrasearch.
WKUSER is a user account of Oracle9iAS Ultrasearch.
VEA is a schema account from Oracle Applications. Default it has several CREATE privileges.VEH is a schema account from Oracle Applications. Default it has several CREATE privileges.
WH is a schema account from Oracle Applications. Default it has several CREATE privileges.WIP is a schema account from Oracle Applications. Default it has several CREATE privileges.
WKPROXY is an administrative account of Oracle9iAS Ultrasearch.
10g
10g
Oracle Applications
WMS is a schema account from Oracle Applications. Default it has several CREATE privileges.
WPS is a schema account from Oracle Applications. Default it has several CREATE privileges.WSH is a schema account from Oracle Applications. Default it has several CREATE privileges.WSM is a schema account from Oracle Applications. Default it has several CREATE privileges.
XDP is a schema account from Oracle Applications. Default it has several CREATE privileges.XLA is a schema account from Oracle Applications. Default it has several CREATE privileges.XNC is a schema account from Oracle Applications. Default it has several CREATE privileges.
XNM is a schema account from Oracle Applications. Default it has several CREATE privileges.XNP is a schema account from Oracle Applications. Default it has several CREATE privileges.XNS is a schema account from Oracle Applications. Default it has several CREATE privileges.
XTR is a schema account from Oracle Applications. Default it has several CREATE privileges.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYSTEM is Oracles database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
ORDPLUGINS is an administrative account for Oracle Time Series.The account ORDSYS (Oracle Time Series) has a limited number of risky system privileges
amongst which those to use external
OSE$HTTP$ADMIN is an internal account of Jserver. In 8i changing the password will prevent ORB from working.OSE$HTTP$ADMIN is an internal account of Jserver. In 8i changing the password will prevent ORB from working.OSM is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUROSSAQ_HOST is an administrative account of Oracle9iAS
Syndication Server.OSSAQ_PUB is a public account of Oracle9iAS Syndication Server.OSSAQ_SUB is an administrative account of Oracle9iAS Syndication Server.OTA is a schema account from Oracle Applications. Default it has several ANY privs
amongst which ALTER ANY PROCEDUR
Often neglected
OWF_MGR is the schema owner of Oracle Workflow Manager.
OWF_MGR is the schema owner of Oracle Workflow Manager.
Book
PO is an possibly account with DBA privileges
PORTAL30 is the schema owner of Oracle Portal.
PORTAL31 is the schema owner of Oracle Portal.
PORTAL30_ADMIN is the administration account of Oracle Portal.
Oracle Applications
the OUTLN account has EXECUTE ANY
OZF is a schema account from Oracle Applications. Default it has several CREATE privileges.OZP is a schema account from Oracle Applications. Default it has several CREATE privileges.OZS is a schema account from Oracle Applications. Default it has several CREATE privileges.PA is a schema account from Oracle Applications. Default it has several CREATE privileges.
PERFSTAT is an account of Oracles statistics package Statspack. PERFSTAT probably has permissions to see the data dictionary.PERFSTAT is an account of Oracles statistics package Statspack. PERFSTAT probably has permissions to see the data dictionary.PJM is a schema account from Oracle Applications. Default it has several CREATE privileges.
This is a training account. It should not be available in a production environment.
This is a training account. It should not be available in a production environment.PMI is a schema account from Oracle Applications. Default it has several CREATE privileges.PN is a schema account from Oracle Applications. Default it has several CREATE privileges.
which allow to read
change and destroy all data in your database.
POA is a schema account from Oracle Applications. Default it has several CREATE privileges.POM is a schema account from Oracle Applications. Default it has several CREATE privileges.
PORTAL30_SSO is the schema owner of Oracle Portal Single-Sign onPORTAL30_SSO is the admin account of Oracle Portal Single-Sign on
PORTAL30_SSO is the public account for Oracle Portal Single-Sign on
PUBSUB is an account with DBA privileges
n/a
PSA is a schema account from Oracle Applications. Default it has several CREATE privileges.PSB is a schema account from Oracle Applications. Default it has several CREATE privileges.PSP is a schema account from Oracle Applications. Default it has several CREATE privileges.
which allow to read
change and destroy all data in your database.
PV is a schema account from Oracle Applications. Default it has several CREATE privileges.QA is a schema account from Oracle Applications. Default it has several CREATE privileges.
QP is a schema account from Oracle Applications. Default it has several CREATE privileges.This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.
This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.
This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.
This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.
This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.
This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.
This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.
This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.
RG is a schema account from Oracle Applications. Default it has several CREATE privileges.RHX is a schema account from Oracle Applications. Default it has several CREATE privileges.RLA is a schema account from Oracle Applications. Default it has several CREATE privileges.
SAMPLE is possibly an account with DBA privileges
This is a SAP application user ID.
This is a SAP application user ID.
SAPR3 is the administration account (and schema?) of SAP R/3
10g
SPIERSON is a schema owner of Workflow Iasdb
SYSADMIN is the schema owner of Oracle Workflow Manager.
SYSADMIN is the schema owner of Oracle Workflow Manager.
RLM is a schema account from Oracle Applications. Default it has several CREATE privileges.
RMAN is an account for the Oracle Recovery Manager. This account might be misused to write unwanted changes to the database to the backups.
which allow to read
change and destroy all data in your database.
This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.
This is a training account. It should not be available in a production environment.This is a training account. It should not be available in a production environment.
SSP is a schema account from Oracle Applications. Default it has several CREATE privileges.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYS is Oracles most powerful database management account. It allows to read
change and destroy all data in your database.
SYSMAN is the management account for Oracle Enterprise Mananger. It is used as access to all databases that are managed by it. It might be possible to access a data in your databases.
Oracle HTTP Server listen port / Oracle HTTP Server port 80Oracle Internet Directory(non-SSL) 389Oracle HTTP Server SSL port 443Oracle Internet Directory(SSL) 636Oracle Net Listener / Enterprise Manager Repository port 1521Oracle Net Listener 1526Oracle Names 1575Oracle Connection Manager (CMAN) 1630Oracle JDBC for Rdb Thin Server 1701Oracle Intelligent Agent 1748Oracle Intelligent Agent 1754Oracle Intelligent Agent 1808Oracle Intelligent Agent 1809Enterprise Manager Servlet port SSL 1810Oracle Connection Manager Admin (CMAN) 1830Enterprise ManagerAgent port 1831Enterprise Manager RMI port 1850Oracle XMLDB FTP Port 2100Oracle GIOP IIOP 2481Oracle GIOP IIOP for SSL 2482Oracle OC4J RMI 3201
Oracle OC4J AJP 3301
Enterprise Manager Reporting port 3339Oracle OC4J IIOP 3401
Oracle OC4J IIOPS1 3501
Oracle OC4J IIOPS2 3601
Oracle OC4J JMS 3701
Oracle9iAS Web Cache Admin port 4000Oracle9iAS Web Cache Invalidation port 4001Oracle9iAS Web Cache Statistics port 4002Oracle Internet Directory(SSL) 4031Oracle Internet Directory(non-SSL) 4032OracleAS Certificate Authority (OCA) - Server Authenticatio4400OracleAS Certificate Authority (OCA) - Mutual Authenticatio4401Oracle HTTP Server SSL port 4443Oracle9iAS Web Cache HTTP Listen(SSL) port 4444Oracle TimesTen 4662Oracle TimesTen 4758Oracle TimesTen 4759Oracle TimesTen 4761Oracle TimesTen 4764Oracle TimesTen 4766
Oracle TimesTen 4767Oracle Enterprise Manager Web Console 5500iSQLPlus 10g 5560iSQLPlus 10g 5580Oracle Notification Service request port 6003Oracle Notification Service local port 6100Oracle Notification Service remote port 6200Oracle9iAS Clickstream Collector Agent 6668Java Object Cache port 7000DCM Java Object Cache port 7100Oracle HTTP Server Diagnostic Port 7200Oracle HTTP Server Port Tunneling 7501Oracle HTTP Server listen port / Oracle HTTP Server port 7777Oracle9iAS Web Cache HTTP Listen(non-SSL) port 7779Oracle HTTP Server Jserv port 8007Oracle XMLDB HTTP port 8080OC4J Forms / Reports Instance 8888OC4J Forms / Reports Instance 8889Oracle Forms Server 6 / 6i 9000Oracle SOAP Server 9998OS Agent 14000Oracle Times Ten 15000Oracle Times Ten 15002Oracle Times Ten 15004Log Loader 44000
Oracle Application Server Edit httpd.conf and restart OHSOracle Application Server Oracle Application Server Edit httpd.conf and restart OHSOracle Application Server Oracle Application Server / Oracle Database Edit listener.ora and restart listenerOracle Database Edit listener.ora and restart listenerOracle Database Edit names.ora and restart names serverOracle Connection Manager Edit cman.ora and restart Connection ManagerOracle Rdb Oracle Application Server snmp_rw.oraOracle Application Server snmp_rw.oraOracle Application Server snmp_rw.oraOracle Application Server snmp_rw.oraOracle Enterprise Manager Oracle Connection Manager (CMAN) Edit cman.ora and restart Connection ManagerOracle Enterprise Manager Oracle Enterprise Manager Oracle Database change dbms_xdb.cfg_updateOracle Database Edit listener.ora/init.ora and restart listener/databaseOracle Database Edit listener.ora/init.ora and restart listener/databaseOracle Application Server
Oracle Application Server
Oracle Application Server Edit oem_webstage/oem.conf and restart OHSOracle Application Server
Oracle Application Server
Oracle Application Server
Oracle Application Server
Oracle Application Server Webcache Admin GUI or webcache.xmlOracle Application Server Webcache Admin GUI or webcache.xmlOracle Application Server Webcache Admin GUI or webcache.xmlOracle Application Server Oracle Application Server Oracle Application Server Oracle Application Server Oracle Application Server Edit httpd.conf and restart OHSOracle Application Server Webcache Admin GUI or webcache.xmlOracle TimesTen Oracle TimesTen Oracle TimesTen Oracle TimesTen Oracle TimesTen Oracle TimesTen
Oracle TimesTen Oracle Enterprise Manager Web Oracle i*SQLPlus Oracle i*SQLPlus RMI Port Oracle Application Server Oracle Application Server Oracle Application Server Oracle Application Server Oracle Application Server Oracle Application Server Oracle Application Server Oracle Application Server Oracle Application Server Edit httpd.conf and restart OHSOracle Application Server Webcache Admin GUI or webcache.xmlOracle Application Server Oracle Database change dbms_xdb.cfg_updateOracle Developer Suite Oracle Developer Suite Oracle Application Server Oracle Application Server Oracle Application Server Oracle Times Ten Oracle Times Ten Oracle Times Ten Oracle Enterprise Manager