Oracle Database Hardening and Best Practices

Oracle Hardening: Recommended Settings

Oracle recommends data dictionary protection. With it enabled, a user who holds the DROP ANY TABLE privilege cannot drop objects belonging to the data dictionary.

To check the current setting (parameter names in v$parameter are stored in lowercase):

select name, value from v$parameter where name = 'o7_dictionary_accessibility';

To disable it, set the init parameter O7_DICTIONARY_ACCESSIBILITY=FALSE. The parameter is static, so the instance must be restarted for the change to take effect.

--

DELETE_CATALOG_ROLE: this role enables users to delete records from the SYS.AUD$ table. It should never be granted to ordinary users.

AUDIT_TRAIL: must be set to DB or OS. With DB, audited activity is recorded in the SYS.AUD$ table.

To check the current setting:

select name, value from v$parameter where name = 'audit_trail';

To list the current statement auditing definitions:

select * from dba_stmt_audit_opts;

Audit logs should be retained for the period required by company policy. To check the range of audit data currently held:

select min(TIMESTAMP#) "Minimum data available is of" from sys.aud$;

select max(TIMESTAMP#) "Maximum data available is of" from sys.aud$;
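The checks above (dictionary protection, AUDIT_TRAIL, grantees of DELETE_CATALOG_ROLE and audit retention) can be run as one script, so the baseline is verified in a single pass. The following is an added example, not code from the original page; it assumes a SYSDBA session and uses DBA_AUDIT_TRAIL rather than SYS.AUD$ because the view exposes the timestamp regardless of which underlying AUD$ column a release populates. The 90-day retention figure is an example value to replace with the company policy.

```sql
-- Added example: one PL/SQL pass over the hardening settings discussed above.
-- Assumes a SYSDBA (or equivalently privileged) session.
SET SERVEROUTPUT ON

DECLARE
  v_value       VARCHAR2(4000);
  v_oldest      DATE;
  v_newest      DATE;
  c_policy_days CONSTANT NUMBER := 90;   -- example retention requirement (days)
BEGIN
  -- 1. Data dictionary protection: O7_DICTIONARY_ACCESSIBILITY must be FALSE
  SELECT UPPER(value) INTO v_value
    FROM v$parameter
   WHERE name = 'o7_dictionary_accessibility';
  IF v_value = 'FALSE' THEN
    DBMS_OUTPUT.PUT_LINE('PASS  O7_DICTIONARY_ACCESSIBILITY = FALSE');
  ELSE
    DBMS_OUTPUT.PUT_LINE('FAIL  O7_DICTIONARY_ACCESSIBILITY = ' || v_value
                         || ' (expected FALSE)');
  END IF;

  -- 2. Auditing must be switched on (DB- or OS-based trail)
  SELECT UPPER(value) INTO v_value
    FROM v$parameter
   WHERE name = 'audit_trail';
  IF v_value IS NULL OR v_value IN ('NONE', 'FALSE') THEN
    DBMS_OUTPUT.PUT_LINE('FAIL  AUDIT_TRAIL = ' || NVL(v_value, 'NULL')
                         || ' (expected DB or OS)');
  ELSE
    DBMS_OUTPUT.PUT_LINE('PASS  AUDIT_TRAIL = ' || v_value);
  END IF;

  -- 3. DELETE_CATALOG_ROLE must not be granted beyond SYS and the DBA role
  FOR r IN (SELECT grantee
              FROM dba_role_privs
             WHERE granted_role = 'DELETE_CATALOG_ROLE'
               AND grantee NOT IN ('SYS', 'DBA')
             ORDER BY grantee)
  LOOP
    DBMS_OUTPUT.PUT_LINE('FAIL  DELETE_CATALOG_ROLE granted to ' || r.grantee);
  END LOOP;

  -- 4. Audit retention: how far back does the trail currently reach?
  SELECT MIN(timestamp), MAX(timestamp) INTO v_oldest, v_newest
    FROM dba_audit_trail;
  IF v_oldest IS NULL THEN
    DBMS_OUTPUT.PUT_LINE('WARN  audit trail is empty');
  ELSIF SYSDATE - v_oldest < c_policy_days THEN
    DBMS_OUTPUT.PUT_LINE('WARN  audit trail only covers ' || TRUNC(SYSDATE - v_oldest)
                         || ' days (policy requires ' || c_policy_days || ')');
  ELSE
    DBMS_OUTPUT.PUT_LINE('PASS  audit trail covers ' || TRUNC(SYSDATE - v_oldest)
                         || ' days (' || TO_CHAR(v_oldest, 'YYYY-MM-DD') || ' to '
                         || TO_CHAR(v_newest, 'YYYY-MM-DD') || ')');
  END IF;
END;
/
```

Run it from SQL*Plus; because the V$ and DBA_ views are read inside PL/SQL, the executing user needs direct SELECT grants on them (a grant through a role is not enough), which is why a SYSDBA session is assumed.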

File Permissions

Datafile directory: permissions should be set to 750 on Unix; on Windows, access should be restricted to the Administrator and SYSTEM accounts.

The following files should have permissions 0640 on Unix; on Windows, access should be restricted to the Administrator and SYSTEM accounts:

  - Datafiles

  - Temporary tablespace files

  - Control files

  - Redo log files

  - Archive log files

  - Alert log file

  - init.ora and spfile
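The permission review is easier when the list of files comes from the database rather than from memory. The query below is an added example, not part of the original page; it inventories every file type named above from the V$ views and derives each file's directory for the 750 check. It assumes a Unix path separator ('/') and a user with SELECT on the V$ views used.

```sql
-- Added example: inventory of database files whose OS permissions must be
-- reviewed (0640 for files, 750 for their directories). Assumes '/' as the
-- path separator; on Windows replace it with '\'.
WITH db_files AS (
  SELECT 'DATAFILE'      AS file_type, name   AS file_name FROM v$datafile
  UNION ALL
  SELECT 'TEMPFILE',                   name              FROM v$tempfile
  UNION ALL
  SELECT 'CONTROLFILE',                name              FROM v$controlfile
  UNION ALL
  SELECT 'REDO LOG',                   member            FROM v$logfile
  UNION ALL
  SELECT 'ARCHIVE LOG',                name              FROM v$archived_log
   WHERE deleted = 'NO' AND name IS NOT NULL
  UNION ALL
  SELECT 'SPFILE',                     value             FROM v$parameter
   WHERE name = 'spfile' AND value IS NOT NULL
  UNION ALL
  -- Alert log location: background_dump_dest on older releases,
  -- diagnostic_dest (the ADR base) on 11g and later
  SELECT 'ALERT LOG DIR',              value             FROM v$parameter
   WHERE name IN ('background_dump_dest', 'diagnostic_dest') AND value IS NOT NULL
)
SELECT file_type,
       file_name,
       -- directory part of the path, for the 750 check on the containing directory
       SUBSTR(file_name, 1, INSTR(file_name, '/', -1) - 1) AS directory
  FROM db_files
 ORDER BY directory, file_type, file_name;
```

The resulting list can be handed to the OS administrator, or fed to a host-side script, to compare the actual mode bits against 0640 and 750.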

User Accounts

Profiles

Simultaneous sessions should be restricted to 1 per user. To see the current limit for every user:

select a.username, a.profile, b.resource_name, b.limit from dba_users a, dba_profiles b where b.resource_name = 'SESSIONS_PER_USER' and a.profile = b.profile order by a.profile;

In the user's profile, SESSIONS_PER_USER should be set to 1.

Idle time: if a user leaves an Oracle session unattended for a set period, the session should be logged out automatically. To see the current limit for every user:

select a.username, a.profile, b.resource_name, b.limit from dba_users a, dba_profiles b where b.resource_name = 'IDLE_TIME' and a.profile = b.profile order by b.limit desc;

Ideally IDLE_TIME in the profile should be set to 15 (minutes).

The following password limits should also be set in the profile:

PASSWORD_LIFE_TIME

PASSWORD_GRACE_TIME

PASSWORD_REUSE_MAX

PASSWORD_REUSE_TIME

FAILED_LOGIN_ATTEMPTS

PASSWORD_LOCK_TIME

A password verify function (PASSWORD_VERIFY_FUNCTION) should also be set.
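Putting the profile settings above into practice, here is an added example (not code from the original page) that creates a password verify function, a profile carrying every limit listed in this section, and the queries to confirm the result. The function name hardened_verify_fn, the profile name hardened_user, the user name app_user and the numeric values are all choices made for this example; the page does not prescribe particular values, so they should be replaced by the company's own policy. It must be run as SYS, since Oracle requires password verify functions to be owned by SYS.

```sql
-- Added example: hardened profile plus password verify function. Run as SYS.
-- All names and numeric limits below are example choices, not page-prescribed values.

-- Resource limits such as SESSIONS_PER_USER and IDLE_TIME are only enforced
-- while RESOURCE_LIMIT is TRUE; password limits are enforced regardless.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- Oracle calls the verify function with the username, the new password and
-- the old password; returning TRUE accepts the password, an error rejects it.
CREATE OR REPLACE FUNCTION hardened_verify_fn (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN
IS
BEGIN
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the username');
  END IF;
  -- Require at least one letter, one digit and one non-alphanumeric character
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]')
     OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
    raise_application_error(-20003, 'Password needs a letter, a digit and a special character');
  END IF;
  -- Reject a "new" password that only differs from the old one by letter case
  IF old_password IS NOT NULL AND UPPER(old_password) = UPPER(password) THEN
    raise_application_error(-20004, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/

-- Profile carrying the limits discussed in this section
CREATE PROFILE hardened_user LIMIT
  SESSIONS_PER_USER        1
  IDLE_TIME                15      -- minutes
  PASSWORD_LIFE_TIME       90      -- days
  PASSWORD_GRACE_TIME      7       -- days
  PASSWORD_REUSE_MAX       10      -- previous passwords remembered
  PASSWORD_REUSE_TIME      365     -- days before a password may be reused
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1       -- days (1/24 would be one hour)
  PASSWORD_VERIFY_FUNCTION hardened_verify_fn;

-- Assign the profile to an application account (placeholder name)
ALTER USER app_user PROFILE hardened_user;

-- Confirm every limit of the new profile
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'HARDENED_USER'
 ORDER BY resource_type, resource_name;

-- Find open accounts still on the DEFAULT profile, which carries none of these limits
SELECT username, profile
  FROM dba_users
 WHERE profile = 'DEFAULT' AND account_status = 'OPEN'
 ORDER BY username;
```

Changing a profile takes effect for new sessions; password limits apply at the next password change or login, so existing accounts are not immediately locked out when the profile is assigned.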

Set Password for Listeners

Log in as the Oracle software owner and set the password:

  1. lsnrctl

  2. LSNRCTL> set current_listener <listener name>

  3. LSNRCTL> set password

     Password: <Enter the password>

  4. LSNRCTL> change_password

     Old password: <Enter old password>

     New password: <Enter new password>

     Reenter new password: <Re-enter new password>