Oracle Hardening, Recommended Settings

Data Dictionary Protection

Oracle recommends Data Dictionary Protection. This prevents any user with the DROP ANY TABLE privilege from dropping data dictionary objects.

To check the current setting:

select name,value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';

To disable it, set the INIT parameter O7_DICTIONARY_ACCESSIBILITY=FALSE

DELETE_CATALOG_ROLE

This role enables users to delete records from the AUD$ table. It should never be granted to users.

AUDIT TRAIL

Must be set to DB or OS. All activities are logged in the SYS.AUD$ table.

To check the current setting:

select name,value from v$parameter where name='AUDIT_TRAIL';

The following view contains the current auditing definitions:

select * from dba_stmt_audit_opts;

Audit logs should be kept for the duration required by company policy. To check the current duration:

select min(TIMESTAMP#) "Minimum data available is of" from sys.aud$;
select max(TIMESTAMP#) "Maximum data available is of" from sys.aud$;

File Permissions

Datafile directory: permission should be set to 750 (Unix boxes). On Windows, access should be limited to the admin and system accounts.

All files listed below should have 0640 (Unix boxes). On Windows, access should be limited to the admin and system accounts.

Temporary tablespace files
Control files
Redo log files
Archive log files
Alert log file
Init.ora, spfile
Datafiles

User Accounts

Profiles

Simultaneous sessions should be restricted to 1 per user.
select a.username,a.profile,b.resource_name,b.limit
from dba_users a,dba_profiles b
where b.resource_name='SESSIONS_PER_USER' and a.profile=b.profile
order by a.profile;

In the user's profile, 'SESSIONS_PER_USER' should be set to 1.

Idle time activity: if a user leaves an Oracle session unattended for a particular period of time, the session should be logged out automatically.

select a.username,a.profile,b.resource_name,b.limit
from dba_users a,dba_profiles b
where b.resource_name='IDLE_TIME' and a.profile=b.profile
order by b.limit desc;

Ideally, in the profile it should be set to 15.

Password parameters in the profile:

PASSWORD_LIFE_TIME
PASSWORD_GRACE_TIME
PASSWORD_REUSE_MAX
PASSWORD_REUSE_TIME
FAILED_LOGIN_ATTEMPTS
PASSWORD_LOCK_TIME

A password verify function should be set.

Set Password for Listeners

Log in as the Oracle user and set the password.
Password: <Enter the password>

Old password: <Enter Old password>
New password: <Enter New password>
Reenter new password: <Re-enter New password>
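The File Permissions recommendations above (750 for the datafile directory, 0640 for the files in it) can be checked with a short script. This is an added example, not part of the original page; it assumes GNU find, the function name audit_oracle_dir is hypothetical, and it treats anything stricter than 750/0640 (for example 0600) as acceptable.

```shell
#!/bin/sh
# Added example: report Oracle directories and files that grant more access
# than the 750 (directory) / 0640 (file) settings recommended on this page.
# Assumes GNU find (-perm /MODE and -printf).

# audit_oracle_dir DIR
#   Prints one line per finding and returns:
#   0 = compliant, 1 = findings printed, 2 = DIR is not a directory.
audit_oracle_dir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }

    # Directories: bits beyond 750 are group-write (020) and any
    # "other" bit (007), so the mask is 027.
    # Files: bits beyond 0640 are owner-execute (100), group-write and
    # group-execute (030) and any "other" bit (007), so the mask is 137.
    findings=$(
        find "$1" \
            \( -type d -perm /027 -printf 'DIR  %m %p\n' \) -o \
            \( -type f -perm /137 -printf 'FILE %m %p\n' \) 2>/dev/null
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: sh audit_perms.sh /path/to/datafile_dir [more directories...]
for d in "$@"; do
    audit_oracle_dir "$d" || echo "review permissions under: $d" >&2
done
```

Run it as the Oracle software owner or root so that find can read every directory being audited.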