
Oracle Database Hardening and Best Practices

Oracle Hardening, Recommended Settings.

Oracle recommends data dictionary protection. It prevents a user with the DROP ANY TABLE privilege from dropping data dictionary objects.

To check the current setting:
select name,value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';

To disable dictionary access, set the init parameter O7_DICTIONARY_ACCESSIBILITY=FALSE.

--

DELETE_CATALOG_ROLE: This role enables users to delete records from the AUD$ table. It should never be granted to users.

AUDIT TRAIL: Must be set to DB or OS. All activities are logged in the SYS.AUD$ table.
To check the current setting:
select name,value from v$parameter where upper(name)='AUDIT_TRAIL';
select * from dba_stmt_audit_opts;
The dba_stmt_audit_opts view contains the current auditing definitions.

Audit logs should be kept for the duration set by company policy. To check the current duration:

select min(TIMESTAMP#) "Minimum data available is of" from sys.aud$;
select max(TIMESTAMP#) "Maximum data available is of" from sys.aud$;

File Permissions.

Datafile directory: permissions should be set to 750 (Unix boxes); on Windows, access should be limited to admin and system accounts.

All files listed below should have 0640 (Unix boxes); on Windows, access should be limited to admin and system accounts:
Temporary tablespace files
Control files
Redo log files
Archive log files
Alert log file
Init.ora, spfile
Datafiles
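
A check for the Unix modes listed above, as an added example that is not part of the original page: it walks a directory and reports anything that grants bits beyond 0640 (files) or 0750 (directories). It assumes GNU stat; the function names are illustrative, and applying the 0750 limit to every subdirectory is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU stat ("stat -c %a").
# Limits come from the page: 0640 for files, 0750 for directories; applying
# 0750 to every subdirectory, not only the datafile directory, is an assumption.

# mode_exceeds MODE LIMIT: true when octal MODE grants any permission bit
# (including setuid/setgid/sticky) that octal LIMIT does not grant.
mode_exceeds() {
    [ $(( 0$1 & ~0$2 & 07777 )) -ne 0 ]
}

# list_findings DIR: print "<mode> <path> (limit <limit>)" for each regular
# file or directory under DIR, DIR included, that exceeds its limit.
list_findings() {
    find "$1" \( -type f -o -type d \) -print | while IFS= read -r path; do
        mode=$(stat -c '%a' "$path") || continue
        if [ -d "$path" ]; then limit=750; else limit=640; fi
        if mode_exceeds "$mode" "$limit"; then
            printf '%s %s (limit %s)\n' "$mode" "$path" "$limit"
        fi
    done
}

# audit_oracle_perms DIR: print the findings and return 1 if there are any,
# so the function can gate a cron job or a configuration-compliance check.
audit_oracle_perms() {
    findings=$(list_findings "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```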


User Accounts



Profiles

Simultaneous sessions should be restricted to 1 per user.
select a.username,a.profile,b.resource_name,b.limit from dba_users a,dba_profiles b where b.resource_name='SESSIONS_PER_USER'  and a.profile=b.profile order by a.profile;

In the user's profile, 'SESSIONS_PER_USER' should be set to 1.

Idle time: If a user leaves an Oracle session unattended for a particular period of time,
the session should be logged out automatically.

select a.username,a.profile,b.resource_name,b.limit from dba_users a,dba_profiles b where b.resource_name='IDLE_TIME'  and a.profile=b.profile order by b.limit desc;

Ideally, in the profile it should be set to 15.

PASSWORD_LIFE_TIME
PASSWORD_GRACE_TIME
PASSWORD_REUSE_MAX
PASSWORD_REUSE_TIME
FAILED_LOGIN_ATTEMPTS
PASSWORD_LOCK_TIME

A password verify function should be set.



Set Password for Listeners

Log in as the Oracle user and set the password:

  1. lsnrctl
  2. LSNRCTL> set current_listener <listener name>
  3. LSNRCTL> set password

Password: <Enter the password>

  4. LSNRCTL> change_password

Old password: <Enter old password>

New password: <Enter new password>

Reenter new password: <Re-enter new password>


