Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also some of the undocumented and not so well known tasks.
I will make a deal with you: if you refer me to a company that needs database support, from a few hours per week to full time, and I am able to sign a contract with them, then I will give you 10% of the monthly contract or deal price every month. When the contract ends and we re-sign the contract, I will again give you 10% of the monthly contract price. This will go on until the company no longer employs or contracts me or my agents to look after their databases.
I can do this because that 10% is my marketing budget. When we re-sign the contract in the future, it may depend on you giving the thumbs up again, and that is worth 10% of the monthly contract price, to be given to you as commission.
Contact:
Franz
Security Policies - Part 6
Password Complexity Verification
You can create the sample Oracle password verification routine by running the PL/SQL script "utlpwdmg.sql". This script is available in $ORACLE_HOME/rdbms/admin/.
Basically, this is what the script does (shown as a skeleton with the checks as comments; the real script supplies the body of each check):
CREATE OR REPLACE FUNCTION verify_function
  (username     VARCHAR2,
   password     VARCHAR2,
   old_password VARCHAR2)
  RETURN BOOLEAN
IS
BEGIN
  -- Check for the minimum length of the password (4 characters in 10g, 8 characters in 11g)
  -- Check if the password is the same as the username or username(1-100)
  -- Check if the password is the same as the username reversed
  -- Check if the password is the same as the server name and/or servername(1-100)
  -- Check if the password is too simple. A dictionary of words may be
  -- Check if the password is the same as oracle(1-100)
  -- Check if the password contains at least one letter and one digit
  -- Check if the password differs from the previous password by at least
  RETURN(TRUE);
END;
/
Then the script goes on to alter the DEFAULT profile. The important change in the DEFAULT profile is PASSWORD_VERIFY_FUNCTION verify_function; this means that every time a password is changed, verify_function is automatically invoked to check that the new password meets the minimum requirements (the other limits set at the same time are shown below).
ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1
PASSWORD_VERIFY_FUNCTION verify_function;
The ALTER USER command now has a REPLACE clause, with which users can change their own unexpired passwords by supplying the old password:
SQL> ALTER USER fred
IDENTIFIED BY fredx REPLACE fred;
User altered.
SQL> connect fred/fredx
Connected.
SQL>
If the password has already expired, then the user can use the OCIPasswordChange() call or ask the DBA to change the password for them. A DBA has the privilege to alter any user's password without supplying the old one, which is a way of forcing a new password.
Password Verification Routine Formatting Guidelines
You can either use the default password verification routine, enhance the existing one, or write a new one. You can use PL/SQL or third-party tools for this.
If you use PL/SQL, you must adhere to the following format:
Routine name
(
    userid_parameter       IN VARCHAR(30),
    password_parameter     IN VARCHAR(30),
    old_password_parameter IN VARCHAR(30)
)
RETURN BOOLEAN
When you have created your new routine, you must assign it as the password verification routine in either a user profile or the system DEFAULT profile. It is good practice to change it first in the DEFAULT profile and then either leave it unspecified in the other profiles or define it in them as well; a profile that leaves it unspecified inherits the value from the DEFAULT profile. The password verification routine must be owned by the SYS user.
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com