Message-ID: <3DCFFE33.FCF974C9@exesolutions.com>
From: Daniel Morgan <dmorgan@exesolutions.com>
X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
Newsgroups: comp.databases.oracle.server
Subject: Re: Verifying passwords have been changed in oracle
References: <8modqa.6et.ln@spuddy.org> <3dca7941.52781155@ausnews.austin.ibm.com> <m6neqa.8tu.ln@spuddy.org> <3dcbd187.55502918@ausnews.austin.ibm.com> <s94hqa.s81.ln@spuddy.org> <B9F1D05E.217A%markbtownsend@attbi.com> <9s3mqa.o5c.ln@spuddy.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 58
Date: Mon, 11 Nov 2002 19:00:03 GMT
NNTP-Posting-Date: Mon, 11 Nov 2002 12:00:03 MST
Organization: City of Seattle NewsReader Service

Stephen Harris wrote:

> Mark Townsend <markbtownsend@attbi.com> wrote:
> > I'm confused - you want to check to see if a default password has been used,
> > but identified that you couldn't use the default password to check because
> > password verification routines are in place. Doesn't the latter preclude the
> > former? Check that the verification routines are in place during build, and
>
> Modifying the default profile doesn't enforce password security on existing
> passwords.
>
>   create user fred identified by rubbish;
>
> Now change the default profile so that strong passwords are enforced.  The
> user 'fred' still has a poor password.
>
> In my case, I'm looking at verifying things such as 'manager' is
> not valid for the 'system' account.
>
> > then once in production, you won't have to check again (especially as your
> > security team are auditing connections on sys/system anyhow).
> >
> > Or is there more to this story I'm not getting?
>
> Automation, the DBA changing default profiles, requirements from business
> risk managers.  I have to implement what the business asks for, not what
> is necessarily sensible :-)
>
> But mainly... the goal of this is to provide an automated method of
> determining whether a database installation meets business security
> baseline requirements.  It doesn't matter if this tool is run straight
> after an instance is created or 3 months later, we need to check and
> verify the same thing.
>
> > examples is a company that automated password checking scripts to ensure
> > that users didn't use obvious passwords. This thing ran continuously on over
> > 1000 instances a day - driving systems/networks into the ground, and
> > generating massive amounts of audit trail. A quick deployment of password
>
> Which is why I don't _want_ to attempt to connect as system/manager because
> of the audit logs this would generate.
>
> > verification routines solved their self imposed problems.
>
> See above.
>
> --
>                                  Stephen Harris
>                               sweh@spuddy.mew.co.uk
>       The truth is the truth, and opinion just opinion.  But what is what?
>        My employer pays to ignore my opinions; you get to do it for free.

Security is best instituted before you start using a database, not after the fact.
But you can still accomplish the goal by expiring all passwords and forcing them
to be reset.

Daniel Morgan
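The profile-versus-existing-password problem Stephen describes, and Daniel's expire-and-reset remedy, as an added SQL*Plus example that is not from the thread. It assumes DBA privileges and that the stock `verify_function` created by `$ORACLE_HOME/rdbms/admin/utlpwdmg.sql` has been installed; the user `fred` and the password are the ones from Stephen's post.

```sql
-- Added example, not part of the original thread. Run as a DBA in SQL*Plus.

-- 1. Stephen's point: a user created before the profile is tightened keeps
--    its weak password, because verification runs only when a password is set.
CREATE USER fred IDENTIFIED BY rubbish;

-- Attach the verification function to the DEFAULT profile (verify_function
-- is assumed to exist, i.e. utlpwdmg.sql has been run in this instance).
ALTER PROFILE DEFAULT LIMIT
  PASSWORD_VERIFY_FUNCTION verify_function
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7;

-- fred still has 'rubbish': nothing re-checks passwords that already exist.

-- 2. Daniel's remedy: expire the password so the next login must choose a
--    new one, and that new password IS checked against verify_function.
ALTER USER fred   PASSWORD EXPIRE;
ALTER USER system PASSWORD EXPIRE;

-- 3. Baseline check that never attempts a login (so it creates none of the
--    failed-connection audit records Stephen wants to avoid): any well-known
--    account that is still OPEN has not yet been forced through the policy.
SELECT username, account_status, profile
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND username IN ('SYSTEM', 'SCOTT', 'DBSNMP', 'OUTLN')
 ORDER BY username;

-- 4. Generate the expire statements for every open account instead of
--    typing them one by one (spool the output and run it as a script).
SELECT 'ALTER USER ' || username || ' PASSWORD EXPIRE;' AS stmt
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND username <> 'SYS';
```

On Oracle 11g and later the data dictionary also provides the `DBA_USERS_WITH_DEFPWD` view, which lists accounts still using a known default password without any login attempt; on the 8i/9i releases current when this thread was written, expiring and re-checking is the available route.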

