
Re: Lock SYSTEM account?

From: Daniel Morgan <dmorgan_at_exesolutions.com>
Date: Tue, 13 Aug 2002 22:18:22 GMT
Message-ID: <3D5985AC.A3FD128D@exesolutions.com>


Paul Brewer wrote:

> 8.1.7.0.0 EE on a variety of platforms.
>
> We are implementing a database with a higher-than-normal level of security.
> We are locking certain 'built-in' accounts (DBSNMP, OUTLN and so forth). I
> was wondering if there would be any unwanted side-effects in locking the
> SYSTEM account?
>
> Also, I'm tempted to drop what Thomas Kyte describes as the 'burned in' DBA
> role, and use a similar 'home made' ORA_DBA role instead (the main reason
> for this is so that no-one is 'exempted' from after login triggers).
>
> Yes, I could test this, but we're rather pressed for time at the moment, so
> if anyone is able to throw a pointer or two, it would be greatly
> appreciated.
>
> Thanks,
> Paul

I'm not sure I see much value in locking the SYSTEM account, but I absolutely would do the following in a high-security environment.

  1. Physically secure the server and make sure that no-one other than root and oracle has access to any directory from ORACLE_BASE on down. Especially access to database, rdbms\admin, and sqlplus\admin.
  2. Drop Oracle's built-in demo roles, CONNECT, RESOURCE, and DBA. They are pure nonsense and do nothing but decrease security.
  3. Institute protocol.ora (8i) or, in 9i, the same features in sqlnet.ora. Make sure that invited_nodes and excluded_nodes are used.
  4. Change the passwords and/or lock out the users such as those you list.
  5. Create classes of users and profiles for each one, paying special attention to password complexity, password reuse, password expiration, and lockout.
  6. Write a LOGON trigger that validates based on schema, osuser, IP address, terminal, and software tool.

Daniel Morgan Received on Tue Aug 13 2002 - 17:18:22 CDT
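As an added illustration of item 6 (not code from either poster), here is a whitelist-driven AFTER LOGON trigger that checks the session against the attributes Daniel lists; the table names, columns and sample rows are constructed for the example, and the client program is read from V$SESSION because 8i/9i USERENV has no MODULE attribute. Note the exemption Paul mentions: a user holding ADMINISTER DATABASE TRIGGER (which the DBA role grants) still connects when the trigger raises, so keep at least one such account so that a bad whitelist row cannot lock every administrator out.

```sql
-- Constructed whitelist: a NULL column means "no restriction on that attribute".
CREATE TABLE sec_logon_whitelist (
  username   VARCHAR2(30) NOT NULL,
  os_user    VARCHAR2(30),
  ip_address VARCHAR2(40),   -- exact address or LIKE pattern, e.g. '10.1.2.%'
  terminal   VARCHAR2(30),
  program    VARCHAR2(48)    -- LIKE pattern on V$SESSION.PROGRAM, e.g. 'sqlplus%'
);
CREATE TABLE sec_logon_reject (
  rejected_at DATE, username VARCHAR2(30), os_user VARCHAR2(30),
  ip_address VARCHAR2(40), terminal VARCHAR2(30), program VARCHAR2(48)
);
-- Constructed sample rows: the application account only from its host range and program.
INSERT INTO sec_logon_whitelist VALUES ('APPUSER', 'appsvc', '10.1.2.%', NULL, 'appserver%');
INSERT INTO sec_logon_whitelist VALUES ('SCOTT',   'scott',  '10.1.3.%', NULL, 'sqlplus%');
COMMIT;

CREATE OR REPLACE TRIGGER sec_logon_check
AFTER LOGON ON DATABASE
DECLARE
  v_user     VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_osuser   VARCHAR2(30) := SYS_CONTEXT('USERENV', 'OS_USER');
  v_ip       VARCHAR2(40) := NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 'local');
  v_terminal VARCHAR2(30) := SYS_CONTEXT('USERENV', 'TERMINAL');
  v_program  VARCHAR2(48);
  v_ok       PLS_INTEGER;
  -- Record the rejection in its own transaction so it survives the error raised below.
  PROCEDURE log_reject IS
    PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    INSERT INTO sec_logon_reject
      VALUES (SYSDATE, v_user, v_osuser, v_ip, v_terminal, v_program);
    COMMIT;
  END;
BEGIN
  -- Client program for this session (trigger owner needs SELECT on SYS.V_$SESSION).
  SELECT program INTO v_program FROM v$session
   WHERE audsid = SYS_CONTEXT('USERENV', 'SESSIONID') AND ROWNUM = 1;
  -- Fail closed: a NULL attribute never matches a non-NULL whitelist value.
  SELECT COUNT(*) INTO v_ok FROM sec_logon_whitelist w
   WHERE w.username = v_user
     AND (w.os_user    IS NULL OR w.os_user = v_osuser)
     AND (w.ip_address IS NULL OR v_ip LIKE w.ip_address)
     AND (w.terminal   IS NULL OR w.terminal = v_terminal)
     AND (w.program    IS NULL OR LOWER(v_program) LIKE LOWER(w.program));
  IF v_ok = 0 THEN
    log_reject;
    RAISE_APPLICATION_ERROR(-20001, 'Logon from this origin is not permitted');
  END IF;
END;
/
```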
