Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Verifying passwords have been changed in oracle

Re: Verifying passwords have been changed in oracle

From: Sybrand Bakker <gooiditweg_at_sybrandb.demon.nl>
Date: Fri, 08 Nov 2002 19:11:54 +0100
Message-ID: <4gvnsu0a4qeof6mmmflfuda36rjn1q11ue@4ax.com>


On Fri, 08 Nov 2002 15:21:54 GMT, spamdump_at_nospam.noway.nohow (Ed Stevens) wrote:

>On Thu, 7 Nov 2002 16:50:14 -0500, sweh_at_spuddy.mew.co.uk (Stephen Harris) wrote:
>
>>Ed Stevens <spamdump_at_nospam.noway.nohow> wrote:
>>> On Thu, 7 Nov 2002 08:09:28 -0500, sweh_at_spuddy.mew.co.uk (Stephen Harris) wrote:
>>
>>>> Option 1: attempt to connect as system/manager.
>>>>
>>>> Downside: auditing of these accounts will be strict. Showing additional
>>>> login success or fail attempts will help obfuscate any real audit
>>>> alert oddities. Our security team has complained about this
>>
>>> I'd use Option 1 and tell the security team to get over it. Coordinate with
>>
>>I may have to.
>>
>>> them so they KNOW when to EXPECT these entries.
>>
>>Unfortunately this will be running in an automated environment so there's
>>no guarantee of _when_ the attempt will be made. It could be once a day
>>per database, or multiple times, and depending on the load the exact time
>>will vary anyway. Ah well.
>>
>>--
>> Stephen Harris
>> sweh_at_spuddy.mew.co.uk
>> The truth is the truth, and opinion just opinion. But what is what?
>> My employer pays to ignore my opinions; you get to do it for free.
>
>How often do you have to audit to ensure the sys and system passwords have been
>changed from the default? I would think this is something you'd have to check
>exactly once. And even if there were some fear that it might get set back to
>the defaults on an ongoing basis, well that's a whole 'nother can of worms that
>suggests to me that your security people are worrying about a loose board in the
>barn while the door is standing wide open.

We have many customers with non-default sys and system passwords and application owners without a password, and the DBA role granted to that account.

You are completely right.
What is the use of firewalls if the server behind the firewall is basically completely unprotected?

Regards

Sybrand Bakker, Senior Oracle DBA

To reply remove -verwijderdit from my e-mail address

Received on Fri Nov 08 2002 - 12:11:54 CST
