Re: Verifying passwords have been changed in oracle

On Thu, 7 Nov 2002 16:50:14 -0500, sweh_at_spuddy.mew.co.uk (Stephen Harris) wrote:

>Ed Stevens <spamdump_at_nospam.noway.nohow> wrote:
>> On Thu, 7 Nov 2002 08:09:28 -0500, sweh_at_spuddy.mew.co.uk (Stephen Harris) wrote:
>
>>> Option 1: attempt to connect as system/manager.
>>>
>>> Downside: auditing of these accounts will be strict. Showing additional
>>> login success or fail attempts will help obfuscate any real audit
>>> alert oddities. Our security team has complained about this
>
>> I'd use Option 1 and tell the security team to get over it. Coordinate with
>
>I may have to.
>
>> them so they KNOW when to EXPECT these entries.
>
>Unfortunately this will be running in an automated environment so there's
>no guarantee of _when_ the attempt will be made. It could be once a day
>per database, or multiple times, and depending on the load the exact time
>will vary anyway. Ah well.
>
>--
> Stephen Harris
> sweh_at_spuddy.mew.co.uk
> The truth is the truth, and opinion just opinion. But what is what?
> My employer pays to ignore my opinions; you get to do it for free.

How often do you have to audit to insure the sys and system passwords have been changed from the default? I would think this is something you'd have to check exactly once. And even if there were some fear that it might get set back to the defaults on an ongoing basis, well that's a whole 'nother can of worms that suggests to me that your security people are worrying about a loose board in the barn while the door is standing wide open.

--
Ed Stevens
(Opinions expressed do not necessarily represent those of my employer.)