Oracle Database Hardening and Best Practices
Oracle Hardening, Recommended Settings.
Oracle recommends data dictionary protection. This prevents a user holding the DROP ANY TABLE privilege from dropping
objects of the data dictionary.
To check the current setting:
select name,value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
To enable the protection, set the init parameter O7_DICTIONARY_ACCESSIBILITY=FALSE.
--
DELETE_CATALOG_ROLE: this role lets users delete records from the AUD$ audit table. It should never be granted to ordinary users.
AUDIT_TRAIL: must be set to DB or OS. Audited activity is recorded in the SYS.AUD$ table.
To check the current setting:
select name,value from v$parameter where name='AUDIT_TRAIL';
The current statement auditing definitions are held in DBA_STMT_AUDIT_OPTS:
select * from dba_stmt_audit_opts;
Audit logs should be retained for the period required by company policy. To check the range of audit data currently held:
select min(TIMESTAMP#) "Minimum data available is of" from sys.aud$;
select max(TIMESTAMP#) "Maximum data available is of" from sys.aud$;
File Permissions.
Datafiles
Datafile directory: permissions should be set to 750 (Unix).
On Windows, access should be restricted to the Administrator and SYSTEM accounts.
All files:
Temporary tablespace files
Control files
Redo log files
Archive log files
Alert log file
init.ora, spfile
Datafiles and the files listed above should have mode 0640 (Unix); on Windows, access should
be restricted to the Administrator and SYSTEM accounts.
User Accounts
Profiles
Simultaneous sessions should be restricted to 1 per user.
select a.username,a.profile,b.resource_name,b.limit from dba_users a,dba_profiles b where b.resource_name='SESSIONS_PER_USER' and a.profile=b.profile order by a.profile;
In the user's profile, SESSIONS_PER_USER should be set to 1.
Idle time: if a user leaves an Oracle session unattended for a set period of time,
the session should be logged out automatically.
select a.username,a.profile,b.resource_name,b.limit from dba_users a,dba_profiles b where b.resource_name='IDLE_TIME' and a.profile=b.profile order by b.limit desc;
Ideally IDLE_TIME in the profile should be set to 15 (minutes).
The following password limits should also be set in the profile:
PASSWORD_LIFE_TIME
PASSWORD_GRACE_TIME
PASSWORD_REUSE_MAX
PASSWORD_REUSE_TIME
FAILED_LOGIN_ATTEMPTS
PASSWORD_LOCK_TIME
A password verify function (PASSWORD_VERIFY_FUNCTION) should also be set.
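The profile checks above can be combined into one review query followed by a hardened profile definition. This is an added example, not part of the original page: the profile name hardened_user, the account scott and the numeric password limits are assumptions to be set per company policy, and it assumes ora12c_verify_function has been created by running Oracle's utlpwdmg.sql script.

```sql
-- Review every profile's hardening-relevant limits in one pass and flag the
-- ones still left open. LIMIT is a string column in DBA_PROFILES, so the
-- unset states compare as the literals 'UNLIMITED', 'DEFAULT' and 'NULL'.
select profile, resource_type, resource_name, limit,
       case when limit in ('UNLIMITED', 'DEFAULT', 'NULL') then 'REVIEW'
            else 'OK' end as status
  from dba_profiles
 where resource_name in ('SESSIONS_PER_USER', 'IDLE_TIME',
                         'PASSWORD_LIFE_TIME', 'PASSWORD_GRACE_TIME',
                         'PASSWORD_REUSE_MAX', 'PASSWORD_REUSE_TIME',
                         'FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME',
                         'PASSWORD_VERIFY_FUNCTION')
 order by profile, resource_type, resource_name;

-- Kernel limits such as SESSIONS_PER_USER and IDLE_TIME are only enforced
-- when RESOURCE_LIMIT is TRUE; password limits are enforced regardless.
alter system set resource_limit = true scope = both;

-- Hardened profile (name and numeric values are assumptions; IDLE_TIME is
-- in minutes, the PASSWORD_* time limits are in days).
create profile hardened_user limit
  sessions_per_user        1
  idle_time                15
  failed_login_attempts    5
  password_lock_time       1
  password_life_time       90
  password_grace_time      7
  password_reuse_max       10
  password_reuse_time      365
  password_verify_function ora12c_verify_function;

-- Assign it to an account (scott is a placeholder) and confirm the change.
alter user scott profile hardened_user;

select username, profile from dba_users where username = 'SCOTT';
```

Rows reported as REVIEW inherit from the DEFAULT profile or carry no limit at all, so each should be either accepted deliberately or moved to the hardened profile.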
Set Password for Listeners
Log in as the oracle OS user and set the password:
lsnrctl
LSNRCTL>set current_listener <listener name>
LSNRCTL> set password
Password:<Enter the password>
LSNRCTL> change_password
Old password: <Enter Old password>
New password: <Enter new password>
Reenter new password: <Re-enter New password>