Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified
Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also
some of the undocumented, and not so well known tasks.
Security Policies - Part 2
Protection for Connections as SYS and SYSTEM
After database creation, you should change the default passwords for SYS and SYSTEM. If you used DBCA, then they would have already been changed, but if you created the database manually, then they would be: SYS/CHANGE_ON_INSTALL and SYSTEM/MANAGER. The SYS and SYSTEM users are very powerful, and hold all the privileges needed to modify a database. So the number of users or administrators that are allowed to connect as SYS and SYSTEM must be reduced and monitored.
You should also make sure that other administrative accounts, such as SYSMAN and DBSNMP, are also changed from their defaults. If you want to unlock user accounts, then you can use the syntax:
SQL> ALTER USER <fred> ACCOUNT UNLOCK IDENTIFIED BY <password>;
It is good practice to change the password at the same time
as you unlock the account.
Protection for Administrator Connections
Make sure that only database administrators can connect to the database as SYSDBA or SYSOPER. SYSOPER privileges allow the user to STARTUP, SHUTDOWN, and recover the database. SYSDBA privileges are the same as SYSOPER, but include unrestricted privileges to perform just about any operation on the database. SYSDBA can alter the data dictionary tables.
It is good practice to make sure that the O7_DICTIONARY_ACCESSIBILITY initialization parameter is set to FALSE, so that only the SYSDBA or SYSOPER user can modify the data dictionary.
Connections with SYSDBA/SYSOPER are authorized after verification with the password file, and with the operating system privileges and permissions. If there is no password file, or the user is not in the password file, then Operating System Authentication is used.
If the authentication succeeds with the password file, then the connection is logged with the user name. If authentication succeeds by means of the operating system, then the “CONNECT /” connection does not record the specific user.
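The checks described in this post can be run as a read-only review script. This is an added example, not part of the original post; it assumes Oracle 11g and a session that is allowed to query the DBA_ and V$ views.

```sql
-- Added example: read-only checks for the settings discussed in this post.
-- Assumes Oracle 11g and a session allowed to query the DBA_ and V$ views.

-- 1. Accounts still using a known default password
--    (for example SYS/CHANGE_ON_INSTALL or SYSTEM/MANAGER).
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY d.username;

-- 2. Lock and expiry state of the administrative accounts named in the post.
SELECT username, account_status, lock_date, expiry_date
FROM   dba_users
WHERE  username IN ('SYS', 'SYSTEM', 'SYSMAN', 'DBSNMP')
ORDER  BY username;

-- 3. Data dictionary protection: VALUE should be FALSE.
SELECT name, value
FROM   v$parameter
WHERE  UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 4. Who is listed in the password file, and with which privilege.
--    Every row should belong to a named database administrator.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;

-- 5. Whether a password file is used at all.
--    NONE means privileged connections rely on operating system
--    authentication only, which does not record the specific user.
SELECT name, value
FROM   v$parameter
WHERE  name = 'remote_login_passwordfile';
```

Any row returned by the first query, or an unexpected name in the fourth, is a finding to follow up before the next review.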