Oracle Database Hardening and Best Practices

Oracle Hardening, Recommended Settings.

Oracle recommends Data Dictionary Protection. This prevents any user with the DROP ANY TABLE privilege from dropping objects of the data dictionary.

To check the current setting:

select name,value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';



DELETE_CATALOG_ROLE: This role enables users to delete records from the AUD$ table. It should never be granted to users.

AUDIT_TRAIL: Must be set to DB or OS. All activities are logged in the SYS.AUD$ table.

To check the current setting.

select name,value from v$parameter where name='audit_trail';

select * from dba_stmt_audit_opts;

This view contains the current auditing definitions.

Audit logs should be kept for the duration set by company policy. To check the current duration:

select min(TIMESTAMP#) "Minimum data available is of" from sys.aud$;

select max(TIMESTAMP#) "Maximum data available is of" from sys.aud$;

File Permissions.


Datafile directory: Permission should be set to 750 (Unix boxes).

On Windows, it should be the admin and system accounts.

All files

Temporary Tablespace files

Control files

Redo Log files

Archive Log files

Alert Log file

Init.ora, spfile

Datafiles should have 0640 (Unix boxes), and on Windows it should be the admin and system accounts.

User Accounts


Simultaneous sessions should be restricted to 1 per user.

select a.username,a.profile,b.resource_name,b.limit from dba_users a,dba_profiles b where b.resource_name='SESSIONS_PER_USER' and a.profile=b.profile order by a.profile;

In the user's profile, 'SESSIONS_PER_USER' should be set to 1.

Idle time: If a user leaves an Oracle session unattended for a particular period of time, the session should be logged out automatically.

select a.username,a.profile,b.resource_name,b.limit from dba_users a,dba_profiles b where b.resource_name='IDLE_TIME' and a.profile=b.profile order by b.limit desc;

Ideally, in the profile it should be set to 15.

A password verify function should be set.
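The two profile queries above return the literal value DEFAULT for any profile that inherits a limit, which hides the value actually in force. The following added example (not part of the original article) resolves DEFAULT against the DEFAULT profile and lists only the users whose effective SESSIONS_PER_USER, IDLE_TIME or PASSWORD_VERIFY_FUNCTION misses the targets stated above. It assumes a session that can read the DBA_ views and v$parameter.

```sql
-- Added example: effective profile limits per user, checked against the
-- targets in this article (1 session, idle time 15, verify function set).
-- A limit of 'DEFAULT' inherits from the DEFAULT profile, so resolve it first.
WITH eff AS (
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS eff_limit
  FROM   dba_profiles p
  JOIN   dba_profiles d
    ON   d.profile = 'DEFAULT'
   AND   d.resource_name = p.resource_name
  WHERE  p.resource_name IN
         ('SESSIONS_PER_USER', 'IDLE_TIME', 'PASSWORD_VERIFY_FUNCTION')
),
chk AS (
  SELECT profile, resource_name, eff_limit,
         -- Convert only purely numeric limits; 'UNLIMITED' and 'NULL' stay NULL.
         CASE WHEN REGEXP_LIKE(eff_limit, '^[0-9]+$')
              THEN TO_NUMBER(eff_limit) END AS num_limit
  FROM   eff
)
SELECT u.username, u.profile, c.resource_name, c.eff_limit
FROM   dba_users u
JOIN   chk c ON c.profile = u.profile
WHERE  (c.resource_name = 'SESSIONS_PER_USER'
        AND (c.num_limit IS NULL OR c.num_limit <> 1))
   OR  (c.resource_name = 'IDLE_TIME'
        AND (c.num_limit IS NULL OR c.num_limit > 15))
   OR  (c.resource_name = 'PASSWORD_VERIFY_FUNCTION'
        AND c.eff_limit = 'NULL')
ORDER  BY u.username, c.resource_name;

-- SESSIONS_PER_USER and IDLE_TIME are resource limits: they are enforced
-- only while RESOURCE_LIMIT is TRUE. Password limits do not depend on it.
SELECT name, value FROM v$parameter WHERE name = 'resource_limit';
```

An empty result from the first query means every account meets all three targets; each returned row names the account, its profile and the effective value to correct.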

Set Password for Listeners

Log in as the oracle user and set the password:

  1. lsnrctl

  2. LSNRCTL> set current_listener <listener name>

  3. LSNRCTL> set password

Password: <Enter the password>

  4. LSNRCTL> change_password

Old password: <Enter Old password>

New password: <Enter New password>

Reenter new password: <Re-enter New password>