
RE: OPS$ / default accounts

From: Seefelt, Beth <Beth.Seefelt_at_TetleyUSA.com>
Date: Thu, 31 Jan 2002 10:21:20 -0800
Message-ID: <F001.00402585.20020131101140@fatcity.com>

It goes in snmp_rw.ora

snmp.connect.<SID>.password = "dbsnmppwd"

-----Original Message-----
Sent: Thursday, January 31, 2002 12:41 PM
To: Multiple recipients of list ORACLE-L

Hey All,

Anyone remember how to change the DBSNMP password? I know I can change it in the db easily enough, but how does the server/DBSNMP listener process know what the new password is? Must be stored in an OS file someplace.

I was just poking around trying to figure it out. The docs have the answer hidden someplace and Google is not responding to search requests.

Just curious.

And Jim, the first thing I do when I come upon an instance with these "default" accounts established, is to lock them (alter user account lock) so that someone cannot connect using them.

Thanks!

Tom Mercadante
Oracle Certified Professional

-----Original Message-----
Sent: Thursday, January 31, 2002 11:43 AM
To: Multiple recipients of list ORACLE-L

Speaking of default accounts with default passwords, here is my list that I check for. Anyone want to compare notes :) i.e. have I missed any?

Thanks,

Jim

perfstat/perfstat
TRACESVR ??? is only used with 7.x Databases
REPADMIN ???
CTXSYS/CTXSYS
DBSNMP/DBSNMP
INTERNAL/ORACLE
MDSYS/MDSYS
MTSSYS/MTSSYS
ORDPLUGINS/ORDPLUGINS
ORDSYS/ORDSYS
OUTLN/OUTLN
SYS/CHANGE_ON_INSTALL
SYSTEM/MANAGER
SCOTT/TIGER

-----Original Message-----
Kirti
Sent: 31 January 2002 15:25
To: Multiple recipients of list ORACLE-L

Stephane,
 Thanks. Yes, we are properly fenced....  None of the databases have those default accounts with default passwords. We do not use OEM and that agent. Passwords of critical accounts get changed regularly and often. Database user ids are generated & approved by Data Security group before DBAs can add them to databases (so others do not know and can not guess who has what id), and they request reports of access privileges when least expected. So, it's all how you manage your set up. When I joined this company I was going nuts about such things (remote_os_authent, default links by virtue of Oracle Names etc), but as I learned the environment I was comfortable.. And it is helping us more than creating problems and concerns.

Cheers !

-----Original Message-----
Sent: Thursday, January 31, 2002 2:20 AM
To: Multiple recipients of list ORACLE-L

"Deshpande, Kirti" wrote:
>
> We use REMOTE_OS_AUTHENT in many of our databases. I know we shouldn't
> do this, but we have to, and that's another topic...
>
> We also use a specific auth prefix.
>
> Now, can someone show me how a Windoze user, 'GOD' get in the database when
> I do not have a user, '<Auth_Prefix>GOD' in my database.
>
> I say, I have nothing to worry about this setup as long as 'GOD' user in my
> database is controlled appropriately via roles, grants, profile etc....
>
> Sure, if I had <auth_prefix>GOD in the database, I will be looking for
> another job.... Right?
>
> - Kirti
>

The problem as I see it is that it's fairly easy to get the names of users on a database. The number of databases you can connect to using dbsnmp/dbsnmp or outln/outln is desperately high, and from there you can query ALL_USERS.

I must say that I am truly hopeless with any Microsoft OS, so you could safely leave me with admin rights on the box when I feel at my most mischievous. But imagine I come with Linux on my laptop, I plug (like many 'nomad' users often do) into your network, manage to connect (as a less-than-nothing user), check the user list, spot something looking like a prefix, and use this information to add with linuxconf a suitably named account to my machine?

I am certain that in your case everything is correctly fenced, but I have met many many many databases where the standard in terms of grants was 'TO PUBLIC', and where database links were PUBLIC as well, and usually connected to the other database as the owner of most tables (even as DBA). IMHO, if you really want to be secure, you must first know Oracle and your environment well, and also audit sensitive information.

--
Regards,

Stephane Faroult
Oriole Ltd
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Stephane Faroult
  INET: sfaroult_at_oriole.com

Author: Deshpande, Kirti
  INET: kirti.deshpande_at_verizon.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the
message BODY, include a line containing: UNSUB ORACLE-L (or the name of
mailing list you want to be removed from).  You may also send the HELP
command for other information (like subscribing).

Author: James McCann
  INET: james_at_openet-telecom.com

Author: Mercadante, Thomas F
  INET: Thomas.Mercadante_at_Labor.State.Ny.Us

Author: Seefelt, Beth
  INET: Beth.Seefelt_at_TetleyUSA.com

Received on Thu Jan 31 2002 - 12:21:20 CST
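
The checks discussed in this thread, written out as a dictionary audit. This is an added example, not part of any poster's message; it assumes a DBA session with access to DBA_USERS, DBA_DB_LINKS and V$PARAMETER, and that externally identified users show PASSWORD = 'EXTERNAL' as on releases of the thread's era.

```sql
-- Added example: audit for the issues raised in the thread.

-- 1. Which accounts from Jim's list exist, and are any still OPEN?
--    (INTERNAL is a connection alias, not a row in DBA_USERS, so it is omitted.)
SELECT username, account_status, created
FROM   dba_users
WHERE  username IN ('PERFSTAT', 'TRACESVR', 'REPADMIN', 'CTXSYS', 'DBSNMP',
                    'MDSYS', 'MTSSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN',
                    'SYS', 'SYSTEM', 'SCOTT')
ORDER  BY account_status, username;

-- 2. Is remote OS authentication enabled, and with which prefix?
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 3. Accounts that authenticate through the OS. With remote_os_authent = TRUE,
--    each of these trusts whatever OS user name the client machine reports.
SELECT username, account_status, default_tablespace
FROM   dba_users
WHERE  password = 'EXTERNAL'      -- assumption: pre-11g dictionary layout
ORDER  BY username;

-- 4. PUBLIC database links and the remote account each one connects as.
SELECT db_link, username AS remote_user, host
FROM   dba_db_links
WHERE  owner = 'PUBLIC'
ORDER  BY db_link;

-- 5. Object privileges granted TO PUBLIC on schemas from the list above.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner IN ('PERFSTAT', 'CTXSYS', 'MDSYS', 'ORDSYS', 'OUTLN', 'SCOTT')
ORDER  BY owner, table_name, privilege;

-- 6. The lock Tom describes, for an unused account found OPEN in step 1
--    (OUTLN is used here only as the sample target):
ALTER USER outln ACCOUNT LOCK;
```

If DBSNMP must stay open for the agent, change its password in the database and set the matching entry in snmp_rw.ora as shown at the top of the thread.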
