Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Lock SYSTEM account?

From: Steve <smontgomerie_at_hotmail.com>
Date: 14 Aug 2002 16:21:46 -0700
Message-ID: <156709aa.0208141521.3d9d6a3@posting.google.com>


Hi Daniel

Could you elaborate further on the following:

2. Drop Oracle's built-in demo roles, CONNECT, RESOURCE, and DBA. They are pure nonsense and do nothing but decrease security.

I'm interested in your line of thinking here.

tks

steve

Daniel Morgan <dmorgan_at_exesolutions.com> wrote in message news:<3D5985AC.A3FD128D_at_exesolutions.com>...
> Paul Brewer wrote:
>
> > 8.1.7.0.0 EE on a variety of platforms.
> >
> > We are implementing a database with a higher-than-normal level of security.
> > We are locking certain 'built-in' accounts (DBSNMP, OUTLN and so forth). I
> > was wondering if there would be any unwanted side-effects in locking the
> > SYSTEM account?
> >
> > Also, I'm tempted to drop what Thomas Kyte describes as the 'burned in' DBA
> > role, and use a similar 'home made' ORA_DBA role instead (the main reason
> > for this is so that no-one is 'exempted' from after login triggers).
> >
> > Yes, I could test this, but we're rather pressed for time at the moment, so
> > if anyone is able to throw a pointer or two, it would be greatly
> > appreciated.
> >
> > Thanks,
> > Paul
>
> I'm not sure I see much value in locking the SYSTEM account but I absolutely
> would do the following in a high-security environment.
>
> 1. Physically secure the server and make sure that no-one other than root and
> oracle has access to any directory from ORACLE_BASE on down. Especially access
> to database, rdbms\admin, and sqlplus\admin.
>
> 2. Drop Oracle's built-in demo roles, CONNECT, RESOURCE, and DBA. They are pure
> nonsense and do nothing but decrease security.
>
> 3. Institute (8i) protocol.ora, or in 9i, the same features in sqlnet.ora. Make
> sure that invited_nodes and excluded_nodes are used.
>
> 4. Change the passwords and/or lock out the users such as those you list.
>
> 5. Create classes of users and profiles for each one paying special attention
> to password complexity, password reuse, password expiration, and lockout.
>
> 6. Write a LOGON trigger that validates based on schema, osuser, ip address,
> terminal, and software tool.
>
> Daniel Morgan
Received on Wed Aug 14 2002 - 18:21:46 CDT
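Daniel's items 2, 5 and 6 above, written out as Oracle DDL and PL/SQL, as an added example that is not part of the thread. The role, profile, user, trigger, tablespace, host and program names are assumptions; the syntax is kept to what 8i/9i accept (no REGEXP_LIKE, and the client program is read from v$session because USERENV has no MODULE attribute in those releases). Everything runs as SYS.

```sql
-- Added example, not from the thread. All object names, IP addresses and the
-- placeholder password are assumptions. Run as SYS (AS SYSDBA) on 8i/9i.

-- Item 2: least-privilege roles instead of the demo roles. In 8i CONNECT
-- carries CREATE TABLE, CREATE VIEW, CREATE DATABASE LINK and more, and
-- granting RESOURCE silently grants UNLIMITED TABLESPACE.
CREATE ROLE app_connect_role;
GRANT CREATE SESSION TO app_connect_role;

CREATE ROLE app_schema_role;
GRANT CREATE TABLE, CREATE VIEW, CREATE SEQUENCE, CREATE PROCEDURE,
      CREATE TRIGGER TO app_schema_role;
-- Space is granted as a per-tablespace QUOTA on the user (see below),
-- never as UNLIMITED TABLESPACE.

-- Item 5: password complexity. The verify function must be owned by SYS
-- and have exactly this signature; TRANSLATE stands in for a regex.
CREATE OR REPLACE FUNCTION sys.app_verify_password
  (username VARCHAR2, password VARCHAR2, old_password VARCHAR2)
  RETURN BOOLEAN IS
BEGIN
  IF LENGTH(password) < 10 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 10 characters');
  END IF;
  IF UPPER(password) = UPPER(username) THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must differ from the username');
  END IF;
  -- Strip digits; unchanged length means no digit was present.
  IF LENGTH(TRANSLATE(password, 'a0123456789', 'a')) = LENGTH(password) THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password must contain a digit');
  END IF;
  -- Strip letters; unchanged length means no letter was present.
  IF LENGTH(TRANSLATE(UPPER(password), '0ABCDEFGHIJKLMNOPQRSTUVWXYZ', '0'))
     = LENGTH(password) THEN
    RAISE_APPLICATION_ERROR(-20004, 'Password must contain a letter');
  END IF;
  IF old_password IS NOT NULL AND old_password = password THEN
    RAISE_APPLICATION_ERROR(-20005, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/

-- Profile: reuse, expiry and lockout limits, in days where applicable.
CREATE PROFILE app_secure_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION app_verify_password;

-- An application account built from the pieces above (placeholder password).
CREATE USER app_user IDENTIFIED BY "placeholder-pw-0"
  PROFILE app_secure_profile
  DEFAULT TABLESPACE app_data
  QUOTA 100M ON app_data;
GRANT app_connect_role TO app_user;

-- Item 6: LOGON trigger validating schema, OS user, IP, terminal and tool.
CREATE OR REPLACE TRIGGER sys.app_restrict_logon
AFTER LOGON ON DATABASE
DECLARE
  v_user    VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_osuser  VARCHAR2(30) := SYS_CONTEXT('USERENV', 'OS_USER');
  v_ip      VARCHAR2(15) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_term    VARCHAR2(30) := SYS_CONTEXT('USERENV', 'TERMINAL');
  v_program v$session.program%TYPE;
BEGIN
  -- Only the application schema is policed in this example.
  IF v_user <> 'APP_USER' THEN
    RETURN;
  END IF;
  -- Client tool is not in USERENV on 8i/9i; read it from our own session row.
  SELECT program INTO v_program FROM v$session
   WHERE audsid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SESSIONID'))
     AND ROWNUM = 1;
  -- IP_ADDRESS is NULL for local (bequeath) connections, so treat NULL as
  -- "not from an approved application host".
  IF v_ip IS NULL OR v_ip NOT IN ('10.1.2.3', '10.1.2.4') THEN
    RAISE_APPLICATION_ERROR(-20010, 'APP_USER: connection host not permitted');
  END IF;
  IF v_osuser <> 'appsrv' THEN
    RAISE_APPLICATION_ERROR(-20011, 'APP_USER: OS user not permitted');
  END IF;
  -- Block interactive tools for the application account.
  IF UPPER(v_program) LIKE 'SQLPLUS%' OR UPPER(v_program) LIKE 'TOAD%' THEN
    RAISE_APPLICATION_ERROR(-20012, 'APP_USER: ad-hoc tool not permitted');
  END IF;
  -- Terminal is recorded for audit; logged rather than enforced here.
  INSERT INTO sys.app_logon_audit (logon_time, username, osuser, ip, terminal, program)
  VALUES (SYSDATE, v_user, v_osuser, v_ip, v_term, v_program);
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RAISE_APPLICATION_ERROR(-20013, 'APP_USER: session row not found');
END;
/
```

The audit table sys.app_logon_audit is assumed to exist with the listed columns. One caveat bears on Paul's reason for a home-made DBA role: a user holding ADMINISTER DATABASE TRIGGER (which the built-in DBA role includes) still connects when an AFTER LOGON trigger raises an error, so the trigger only enforces against accounts that lack that privilege. For item 3, the 9i sqlnet.ora parameters are tcp.validnode_checking, tcp.invited_nodes and tcp.excluded_nodes; on 8i the same parameters live in protocol.ora.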
