Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Verifying passwords have been changed in oracle

From: Stephen Harris <sweh_at_spuddy.mew.co.uk>
Date: Sun, 10 Nov 2002 12:09:29 -0500
Message-ID: <9s3mqa.o5c.ln@spuddy.org>


Mark Townsend <markbtownsend_at_attbi.com> wrote:
> I'm confused - you want to check to see if a default password has been used,
> but identified that you couldn't use the default password to check because
> password verification routines are in place. Doesn't the latter preclude the
> former ? Check that the verification routines are in place during build, and

Modifying the default profile doesn't enforce password security on existing passwords.

  create user fred identified by rubbish;

Now change the default profile so that strong passwords are enforced. The user 'fred' still has a poor password.

In my case, I'm looking at verifying things such as 'manager' is not valid for the 'system' account.

> then once in production, you won't have to check again (especially as your
> security team are auditing connections on sys/system anyhow).
>
> Or is there more to this story I'm not getting ?

Automation, the DBA changing default profiles, requirements from business risk managers. I have to implement what the business asks for, not what is necessarily sensible :-)

But mainly... the goal of this is to provide an automated method of determining whether a database installation meets business security baseline requirements. It doesn't matter if this tool is run straight after an instance is created or 3 months later, we need to check and verify the same thing.

> examples is a company that automated password checking scripts to ensure
> that users didn't use obvious passwords. This thing ran continuously on over
> 1000 instances a day - driving systems/networks into the ground, and
> generating massive amounts of audit trail. A quick deployment of password

Which is why I don't _want_ to attempt to connect as system/manager because of the audit logs this would generate.

> verification routines solved their self imposed problems.

See above.

-- 
                                 Stephen Harris
                              sweh_at_spuddy.mew.co.uk
      The truth is the truth, and opinion just opinion.  But what is what?
       My employer pays to ignore my opinions; you get to do it for free.
Received on Sun Nov 10 2002 - 11:09:29 CST
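
An added example, not part of the original post or thread: the sequence described above, followed by two data-dictionary checks that find weak or stale passwords without attempting a login as the account being checked. The function name `verify_function`, the cutover date and the use of `SYS.USER$.PTIME` are assumptions of this example, and `DBA_USERS_WITH_DEFPWD` exists only in Oracle 11g and later, which postdates this thread.

```sql
-- Added example; run from a privileged DBA session.

-- 1. An account created before any complexity rule exists (from the post).
CREATE USER fred IDENTIFIED BY rubbish;

-- 2. Enforce complexity through the DEFAULT profile.
--    verify_function is assumed to exist already (Oracle's utlpwdmg.sql
--    script creates a function of that name in older releases).
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION verify_function;

-- 3. The verify function runs only when a password is set or changed,
--    so fred's existing password is untouched. List accounts whose
--    password was last set before the rule went live.
--    SYS.USER$.PTIME holds the last password-change time; the cutover
--    date below is a constructed value.
SELECT u.name, u.ptime
FROM   sys.user$ u
WHERE  u.type# = 1                                   -- users, not roles
AND    u.ptime < TO_DATE('2002-11-01', 'YYYY-MM-DD')
ORDER  BY u.ptime;

-- 4. Oracle 11g and later only: accounts still on a shipped default
--    password, read from the dictionary rather than by trying to connect,
--    so no failed-logon audit records are generated.
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY d.username;
```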
