Re: A few security questions

Comments embedded.
miloann2002_at_yahoo.com wrote:
> I have a few security related questions and would like to hear from you
> if these are really an issue in the real world. If yes what their
> risks are. Any comments are appreciated.
>
> 1. In the init.ora file, is it mandatory that we need to have the
> entries REMOTE_OS_AUTHENT and OS_AUTHENT_PREFIX. If yes, what values
> should be set? True or False?
>
> 2. Using grep -i dba/etc/group and I have the following result:
> dbadev::511: and dba::510:secadm. Would these be appropriate? If not,
> what would be the risk?
>
> 3. In the dba_profiles table, the SESSIONS_PER_USAER is set to
> unlimited.
>
> 4. In the dba_profiles table, the password settings are all set to
> DEFAULT.
>
> 5. In the system tablespace, we have a lot of objects that are owned by
> non SYS account.
>

Which account would this be? I have two owners other than SYS and SYSTEM with objects in the SYSTEM tablespace: OUTLN and WMSYS. There may be other Oracle-created owners depending upon which options you've installed. So, not all non-SYS owners are out of place in the SYSTEM tablespace.

> 6. Have a few entries in the sys.link$ whose passwords are not null.
>

So do I. I believe the storing of un-hashed passwords stopped in 10g; in 9.2.0.6 such passwords are plaintext. I'm not certain how this affects security. I'd visit Pete Finnigan's website (http://www.petefinnigan.com/) as he's probably one of the best sources around for such information.

> Does Oracle have any offical recommendations on these items? Thanks.

David Fitzjarrell Received on Wed Sep 28 2005 - 12:02:37 CDT