
Re: Verifying passwords have been changed in oracle

From: Ed Stevens <spamdump_at_nospam.noway.nohow>
Date: Thu, 07 Nov 2002 14:33:18 GMT
Message-ID: <3dca7941.52781155@ausnews.austin.ibm.com>


On Thu, 7 Nov 2002 08:09:28 -0500, sweh_at_spuddy.mew.co.uk (Stephen Harris) wrote:

>I know questions like this have been asked a number of times in the
>past, but I haven't found an answer that works...
>
>We are beginning to deploy Oracle 9.2.0.1.0 systems in our environment.
>We want to ensure the installer _has_ changed the SYS and SYSTEM password
>from the defaults. We are developing an automated audit script which will
>be run (as SYSDBA) to check this sort of thing.
>
>Previous answers given to this appear to be:
>
> Option 1: attempt to connect as system/manager.
>
> Downside: auditing of these accounts will be strict. Showing additional
> login success or fail attempts will help obfuscate any real audit
> alert oddities. Our security team has complained about this.
>
> Option 2: attempt to change the password, check the crypt string, change
> it back
>
> Downside: Apart from a small window where the password may be wrong, we
> have password verification functions in place which means we _can't_
> set MANAGER as the password; the password change fails when I attempt
> to do 'alter user system identified by manager' because there are no
> digits or whatever else the verification function requires. There is
> no way I'll be allowed to disable that temporarily!
>
>So I need another way of verifying the current password is no longer the
>default value. Any ideas are much appreciated.
>
>Thanks!
>
>--
> Stephen Harris
> sweh_at_spuddy.mew.co.uk
> The truth is the truth, and opinion just opinion. But what is what?
> My employer pays to ignore my opinions; you get to do it for free.

I'd use Option 1 and tell the security team to get over it. Coordinate with them so they KNOW when to EXPECT these entries.

--
Ed Stevens
(Opinions expressed do not necessarily represent those of my employer.)
Received on Thu Nov 07 2002 - 08:33:18 CST
