Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified
Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also
some of the undocumented, and not so well known tasks.
I will make a deal with you: if you refer me to a company that needs
database support, from a few hours per week to full time, and I am able to sign
a contract with them, then I will give you 10% of the monthly contract or deal
price every month. When the contract ends and we re-sign it, I will again give
you 10% of the monthly contract price. This will go on until the company no
longer employs or contracts me or my agents to look after their databases.
I can do this because that 10% is my marketing budget. When we re-sign the
contract in the future, it may depend on you giving the thumbs up again, and
that is worth 10% of the monthly contract price, to be given to you as
commission.
Security Policies - Part 8
Install only what is required.
Options and Products
The Oracle Database Server installation offers a host of options and products
in addition to the database server itself. Most of these options are on the CD
pack. However, you should install only those options that you need, because
installing additional products that you don't use can compromise your security
configuration: every extra component brings its own schemas, packages and
listeners that must be patched and monitored.
If you perform a Typical installation, then you will automatically install a
number of extra products. It is best to use a Custom installation to avoid
installing unnecessary products. This way you will not need to maintain
additional products and options that you are not going to use. If you later
need any additional options or products, you can install them at any time. If
the database has already been installed with unnecessary options and products,
then you can deinstall what you don't need.
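Before deciding what to deinstall, you need an inventory of what is actually present. The following queries are an added example for this post (not taken from Oracle's documentation or from the original article) and assume a user with SELECT on the DBA_ and V$ views, such as SYS or SYSTEM. The owner list in the third query is taken from the default-account table further down this post.

```sql
-- Added example: inventory the options and components installed in this
-- database so that anything not required can be identified and deinstalled.

-- 1. Components registered in the data dictionary (Text, Spatial, OLAP, XDB...)
--    STATUS tells you whether the component is VALID, INVALID or REMOVED.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 ORDER BY comp_name;

-- 2. Server options compiled into this binary and whether they are enabled.
--    An option that is TRUE here but unused is a candidate for removal.
SELECT parameter, value
  FROM v$option
 ORDER BY parameter;

-- 3. How many objects each optional component schema owns. Schemas that own
--    objects but are not used by any application are what a Custom install
--    would have left out. Owner names are the component accounts listed in
--    this post's default-account table.
SELECT owner, COUNT(*) AS object_count
  FROM dba_objects
 WHERE owner IN ('CTXSYS', 'DMSYS', 'EXFSYS', 'MDSYS', 'OLAPSYS',
                 'ORDPLUGINS', 'ORDSYS', 'WKSYS', 'WMSYS', 'XDB')
 GROUP BY owner
 ORDER BY owner;
```

Run these from SQL*Plus and keep the output with your build documentation; when you later compare a production database against its baseline, a component that appears in DBA_REGISTRY but not in the baseline is a change that needs explaining.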
Sample Schemas
The sample schemas provide a common platform for examples. They are useful in
a test or development environment; however, if you are migrating the database
to production, then you should remove the sample schemas, or at least lock the
sample schema accounts. A production database should not be installed with the
sample schemas.
Lock and expire default user accounts.
The Oracle Database Server installs with a number of default or preset
database server user accounts. If you have installed using Database
Configuration Assistant (DBCA), then most of the default database accounts are
automatically locked and expired. If you have performed a manual installation
of the database, then none of the default users are locked and expired, and
you will have to do this manually after installing the database.
If these default database user accounts are not locked and
expired, then they can be exploited in order to gain unauthorized access to
data or disrupt normal database operations.
If you install any additional products, options or components later on, this
can also result in additional default database accounts being created. DBCA
will automatically lock and expire them, but you should check that this has
been done. Unlock only those accounts that you will be using on a regular
basis, and assign a strong, meaningful password to them. You can use password
management to maintain strong passwords on all your unlocked user accounts.
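The check described above, for both the sample schema accounts and the other default accounts, is a query against DBA_USERS followed by ALTER USER for whatever is still open. The script below is an added example written for this post (not DBCA's own code and not from Oracle's documentation); it is meant to be run as SYS or SYSTEM, and the account list is taken from the default-account table in this post, minus SYS and SYSTEM.

```sql
-- Added example: report accounts that are not EXPIRED & LOCKED, then lock and
-- expire the default and sample-schema accounts that are still open.

-- 1. Review first: which accounts are open right now?
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE account_status NOT LIKE '%LOCKED%'
 ORDER BY username;

-- 2. Lock and expire any default account that is not already expired and
--    locked. SYS and SYSTEM are deliberately left out. Remove from the list
--    any account your own applications or Enterprise Manager depend on
--    (for example DBSNMP and SYSMAN) before running this.
SET SERVEROUTPUT ON
DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(30);
  -- sample schemas first, then the component accounts from the post's table
  v_defaults name_list := name_list(
    'HR', 'OE', 'PM', 'SH', 'SCOTT',
    'QS', 'QS_ADM', 'QS_CB', 'QS_CBADM', 'QS_CS', 'QS_ES', 'QS_OS', 'QS_WS',
    'ANONYMOUS', 'CTXSYS', 'DBSNMP', 'DIP', 'DMSYS', 'EXFSYS', 'MDDATA',
    'MDSYS', 'MGMT_VIEW', 'ODM', 'ODM_MTR', 'OLAPSYS', 'ORDPLUGINS',
    'ORDSYS', 'OUTLN', 'RMAN', 'SI_INFORMTN_SCHEMA', 'SYSMAN', 'TSMSYS',
    'WK_TEST', 'WKPROXY', 'WKSYS', 'WMSYS', 'XDB');
  v_status dba_users.account_status%TYPE;
BEGIN
  FOR i IN 1 .. v_defaults.COUNT LOOP
    BEGIN
      SELECT account_status INTO v_status
        FROM dba_users
       WHERE username = v_defaults(i);
      -- Only touch accounts that are not already expired and locked
      IF v_status <> 'EXPIRED & LOCKED' THEN
        EXECUTE IMMEDIATE 'ALTER USER "' || v_defaults(i) ||
                          '" PASSWORD EXPIRE ACCOUNT LOCK';
        DBMS_OUTPUT.PUT_LINE('Locked and expired: ' || v_defaults(i) ||
                             ' (was ' || v_status || ')');
      END IF;
    EXCEPTION
      WHEN NO_DATA_FOUND THEN
        NULL; -- account does not exist in this database; nothing to do
    END;
  END LOOP;
END;
/

-- 3. Re-run the review query; only SYS, SYSTEM and the accounts you
--    intentionally kept open should remain.
SELECT username, account_status
  FROM dba_users
 WHERE account_status NOT LIKE '%LOCKED%'
 ORDER BY username;
```

Keeping the list explicit, rather than locking every account that is not SYS or SYSTEM, is a deliberate choice: on a manually installed database the same query would also return your application schemas, and a blanket lock would cause an outage rather than fix a finding.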
Default Accounts and Status with a Standard Installation using DBCA

Username | Account Status
--- | ---
ANONYMOUS | EXPIRED & LOCKED
CTXSYS | EXPIRED & LOCKED
DBSNMP | EXPIRED & LOCKED
DIP | EXPIRED & LOCKED
DMSYS | EXPIRED & LOCKED
EXFSYS | EXPIRED & LOCKED
HR | EXPIRED & LOCKED
MDDATA | EXPIRED & LOCKED
MDSYS | EXPIRED & LOCKED
MGMT_VIEW | EXPIRED & LOCKED
ODM | EXPIRED & LOCKED
ODM_MTR | EXPIRED & LOCKED
OE | EXPIRED & LOCKED
OLAPSYS | EXPIRED & LOCKED
ORDPLUGINS | EXPIRED & LOCKED
ORDSYS | EXPIRED & LOCKED
OUTLN | EXPIRED & LOCKED
PM | EXPIRED & LOCKED
QS | EXPIRED & LOCKED
QS_ADM | EXPIRED & LOCKED
QS_CB | EXPIRED & LOCKED
QS_CBADM | EXPIRED & LOCKED
QS_CS | EXPIRED & LOCKED
QS_ES | EXPIRED & LOCKED
QS_OS | EXPIRED & LOCKED
QS_WS | EXPIRED & LOCKED
RMAN | EXPIRED & LOCKED
SCOTT | EXPIRED & LOCKED
SH | EXPIRED & LOCKED
SI_INFORMTN_SCHEMA | EXPIRED & LOCKED
SYS | OPEN
SYSMAN | EXPIRED & LOCKED
SYSTEM | OPEN
TSMSYS | EXPIRED & LOCKED
WK_TEST | EXPIRED & LOCKED
WKPROXY | EXPIRED & LOCKED
WKSYS | EXPIRED & LOCKED
WMSYS | EXPIRED & LOCKED
XDB | EXPIRED & LOCKED
If any of the default database server accounts besides SYS and SYSTEM is
required to be open for whatever reason, then the DBA can unlock and activate
the account with a new secure password, and should place it under a password
profile so that the strength of that password is enforced rather than assumed.
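Unlocking an account with a "new secure password" is only as good as the rules that govern the next password change, which is where the password management mentioned earlier comes in. The script below is an added example for this post (not Oracle's own utlpwdmg.sql script and not the author's code); it must be run as SYS, because password verify functions have to be owned by SYS. The function name blog_verify_password, the profile name blog_secure_profile, and the choice of DBSNMP as the account being unlocked are assumptions made for the example.

```sql
-- Added example: unlock one default account that is genuinely needed and put
-- it under a profile that enforces password complexity, rotation and lockout.

-- 1. A password complexity function. Oracle calls it with three arguments
--    and expects TRUE on success; raising an error rejects the password.
CREATE OR REPLACE FUNCTION blog_verify_password (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
  IF LENGTH(password) < 12 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
  END IF;
  IF UPPER(password) = UPPER(username) THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must not equal the username');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:digit:]]')
     OR NOT REGEXP_LIKE(password, '[[:alpha:]]') THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password needs both letters and digits');
  END IF;
  IF old_password IS NOT NULL AND password = old_password THEN
    RAISE_APPLICATION_ERROR(-20004, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/

-- 2. A profile that applies the function and limits guessing attempts.
--    PASSWORD_LOCK_TIME is in days, so 1/24 is one hour.
CREATE PROFILE blog_secure_profile LIMIT
  PASSWORD_VERIFY_FUNCTION blog_verify_password
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365;

-- 3. Unlock the account under that profile with a new password. The value
--    below is a placeholder that merely satisfies the function; supply the
--    real password interactively rather than from a saved script.
ALTER USER dbsnmp IDENTIFIED BY "Replace-Me-With-A-Real-Pw1"
  PROFILE blog_secure_profile
  ACCOUNT UNLOCK;

-- 4. Confirm the result: status should be OPEN and the profile should be set.
SELECT username, account_status, profile, expiry_date
  FROM dba_users
 WHERE username = 'DBSNMP';
```

Because the verify function is ordinary PL/SQL, you can test it before attaching it to a profile by calling it from an anonymous block with a deliberately weak password and checking that the expected ORA-20001 through ORA-20004 errors are raised.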
Enterprise Manager Accounts
If you install Enterprise Manager, then SYSMAN and DBSNMP are also open. If
you configure Enterprise Manager for Central Administration, then the SYSMAN
account will also be locked.
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com