
Re: Oracle Security Questions

From: miloann2002 <shung_at_charter.net>
Date: Sat, 10 Sep 2005 07:13:42 -0700
Message-ID: <xSBUe.29106$ih4.16530@fe02.lga>


Thanks a lot.

Would like to hear more about the backdoor use. Do you have any literature to specify risks and how to?

"HansF" <News.Hans_at_telus.net> wrote in message news:pan.2005.09.09.17.31.21.892545_at_telus.net...
> On Fri, 09 Sep 2005 08:32:46 -0700, miloann2002 interested us by writing:
>
> > I have the following questions in the Oracle 8 and 9 platforms:
> >
> > 1. Do the roles need to set a password? If no password, any negative
> > impact?
>
> No, the roles do not need to have a password. Whether a role gets a
> password depends on your business requirement. You can even mix-and-match
> the use of role passwords.
>
> For example, a role for 'batch input clerk' might be freely available to
> anyone, and using a password will simply slow down the interaction.
>
> On the other hand, the role 'human resources manager who has final
> authority to approve raises' could be legitimately protected with
> passwords.
>
> > 2. Can user data / objects be put in the system tablespace? Can this
> > cause denial of services?
>
> Yes, users can put their data into the SYSTEM tablespace unless the DBA
> has properly configured the environment and resource rules. In fact,
> until recently it was the default to do so, even though filling up the
> system tablespace is one of the easiest ways to cause a denial of service.
>
> Competent DBAs have therefore stopped using the 'RESOURCE' role and use
> tablespace-oriented disk quotas instead. In the newest versions of
> Oracle apparently the RESOURCE and CONNECT roles are no longer
> available - which is a relief to those of us who are security-aware.
>
> > 3. Is it critical to set password life, password reuse, and other
> > password settings? If we have robust operating system and application
> > security, do we still need to configure the password settings in Oracle?
> >
>
> It's up to you. If you are satisfied with the rest of your security
> measures and they are good enough for the laws of your country and for
> your business, adding a layer on top of that for Oracle security is
> certainly overkill.
>
> However, if you do use the minimum of Oracle security, you are likely to
> forget about reading the documentation and learning about valuable new
> features such as Fine-Grained Security (also known as Row Level
> Security) or column-level encryption. The usual result of missing those
> kinds of features is to spend development money doing the same thing.
>
> By the way - are you covered for potential backdoor use such as ODBC
> linking from spreadsheets?
>
> > Thanks.
>
> I encourage reading the Oracle Press 'Effective Oracle Database 10g
> Security by Design', even if you are not on 10g (yet).
>
> --
> Hans Forbrich
> Canada-wide Oracle training and consulting
> mailto: Fuzzy.GreyBeard_at_gmail.com
> *** I no longer assist with top-posted newsgroup queries ***
>
Received on Sat Sep 10 2005 - 09:13:42 CDT
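
The SYSTEM tablespace exposure discussed under question 2 can be checked from the data dictionary. The following is an added example, not part of the original thread: it assumes SELECT access to the DBA_* views, uses DECODE and (+) outer joins so that it parses on both Oracle 8 and 9, and APP_USER and the USERS tablespace in the remediation statements are hypothetical names.

```sql
-- Added example: list accounts that are able to allocate space in SYSTEM.
-- An account is reported if any of the following holds:
--   * its default tablespace is SYSTEM
--   * it has an explicit non-zero (or unlimited) quota on SYSTEM
--   * it holds the UNLIMITED TABLESPACE system privilege directly
--   * it has been granted the RESOURCE role
-- SYS and SYSTEM are excluded; extend the exclusion list for other
-- Oracle-maintained accounts in your installation (assumption).
SELECT u.username,
       u.default_tablespace,
       DECODE(q.max_bytes, NULL, 'NONE',
                           -1,   'UNLIMITED',
                                 TO_CHAR(q.max_bytes))  AS system_quota,
       DECODE(p.grantee, NULL, 'NO', 'YES')             AS unlimited_ts_priv,
       DECODE(r.grantee, NULL, 'NO', 'YES')             AS has_resource_role
FROM   dba_users      u,
       dba_ts_quotas  q,
       dba_sys_privs  p,
       dba_role_privs r
WHERE  q.username(+)        = u.username
AND    q.tablespace_name(+) = 'SYSTEM'
AND    p.grantee(+)         = u.username
AND    p.privilege(+)       = 'UNLIMITED TABLESPACE'
AND    r.grantee(+)         = u.username
AND    r.granted_role(+)    = 'RESOURCE'
AND    u.username NOT IN ('SYS', 'SYSTEM')
AND   (   u.default_tablespace = 'SYSTEM'
       OR NVL(q.max_bytes, 0) <> 0
       OR p.grantee IS NOT NULL
       OR r.grantee IS NOT NULL)
ORDER  BY u.username;

-- Remediation for one reported account, using tablespace-oriented quotas.
-- APP_USER, USERS and the 50M figure are hypothetical; pick values that
-- match your own storage layout.
REVOKE UNLIMITED TABLESPACE FROM app_user;   -- only if unlimited_ts_priv = 'YES'
ALTER USER app_user
      DEFAULT TABLESPACE users
      QUOTA 50M ON users
      QUOTA 0   ON system;
```

Objects the account already owns in SYSTEM stay there after the quota is set to 0; they simply cannot grow, so move them separately.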
