
Re: Listener Passwords, who uses them and why?

From: Maxim Demenko <mdemenko_at_arcor.de>
Date: Wed, 03 Aug 2005 11:45:00 +0200
Message-ID: <42f09335$0$6977$9b4e6d93@newsread2.arcor-online.net>


DA Morgan wrote:
> Maxim Demenko wrote:
>

>> Dave wrote:
>>
>>> As the subject says, just curious how many people out there have
>>> passwords on their listeners?
>>>
>>> Some external group auditing us for SOX is saying that it's a best
>>> practice but in my 8 years as a DBA I've never seen it.
>>>
>>> I can see if we had problems with listeners going down unexpectedly but
>>> this has never happened.    Are there security holes that I should be
>>> aware of that recommend having a password?
>>>
>>> (I'm aware of the iSQLPlus bug in the latest Oracle CPU, but we don't
>>> use it..)
>>>
>>> tnx.
>>>
>>
>> Some months ago I found this document
>> http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf
>> (it is dated Jan 2004); they state that listener passwords can be easily
>> brute-forced due to the lack of an automatic logout facility (haven't tested),
>> and some older exploits are listed too.
>> Maybe that helps...
>>
>> Best regards
>>
>> Maxim

>
>
> True or not that has nothing to do with SarbOx compliance. A company
> required by law to comply with Sarbanes-Oxley needs to do what its
> auditors say and, unflatteringly, those in IT that are not lawyers and
> have no skin in the game should just shut up and implement what they
> are asked. I'm not picking on you here but I hear so .... much whining
> from IT people who stand to lose nothing but a smidgen of convenience
> while C-Level management and auditors stand to lose due to substantial
> financial and legal penalties including jail time. The law may be as
> dumb as dirt ... but it is the law and must be complied with. As the
> saying goes: Don't do the crime if you can't do the time.
>
> And once again, Maxim, not directed to you so please don't take the
> above personally.

That's OK, but I fully agree with Dave as well, in that if I'm forced to do something on demand, I'll at least be best informed of the consequences. That applies as well in case I'm doing it on my own. And (not picking on the OP), if I should improve the level of security in my database (which is not bad, of course) by methods which are (maybe) questionable, then I'd like to know the *real* extent of security I gained or lost, to take additional steps.

Best regards

Maxim

Received on Wed Aug 03 2005 - 04:45:00 CDT
