A good starting point for checking users' rights, the privileges granted to users or to the PUBLIC role, and other security weaknesses is the secure configuration evaluation feature of Oracle Enterprise Manager Database Control.
If OEM is not installed and configured, you can use the dbca or emca command line utility to perform an interactive installation and configuration (for example, emca -config dbcontrol db):
The evaluations follow Oracle security best practices. After every run you get a list of security issues, general recommendations, and hints on how to resolve them; the final evaluation is summarized as a compliance score. Take a minimalistic approach to databases, just as with operating system security: remove, or do not install, features that you will not use.
Some recommendations for increasing the initial database security are as follows:
- Check for accounts that still use a default password with the DBA_USERS_WITH_DEFPWD dictionary view (for example, SELECT username FROM DBA_USERS_WITH_DEFPWD).
- Change the password of every account reported there (for example, ALTER USER TEST identified by values ALOP34RTYN}_). Note that IDENTIFIED BY VALUES sets the stored password hash directly, as a quoted string; to assign a new cleartext password, use IDENTIFIED BY instead.
- Enforce case-sensitive passwords by setting SEC_CASE_SENSITIVE_LOGON to TRUE (this is the default value), and enable connection throttling with the SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter.
The SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter limits the number of authentication attempts a client may make on a single connection and drops the connection after the specified number of failures (the default is 10), for example when an attacker cycles through usernames that do not exist in the database. Oracle also gradually slows down (throttles) successive failed attempts so that they cannot saturate server resources. This is a per-connection limit; lockout of existing accounts after repeated password failures is controlled separately, through the FAILED_LOGIN_ATTEMPTS limit of the user's profile.
For a more advanced security assessment, see the Appendix, Installing and Configuring Guardium, ODF, and OAV (the link for the appendix is available in the Preface of this book). For account security assessments covering privileges, known vulnerabilities, and password strength, you may use dedicated commercial tools such as NGS SQUIRREL, AppSecInc's AppDetectivePro, McAfee Vulnerability Manager for Databases, and Repscan.
You can also use the very useful privilege assessment scripts developed by Pete Finnigan (for updates and more details, check http://www.petefinnigan.com/tools.htm). These scripts are interactive and are excellent for creating different entitlement reports.
For example, use the who_has_priv.sql script to list the users and roles that hold a specific system privilege (here SELECT ANY DICTIONARY; the script's default is SELECT ANY TABLE):
SQL> @d:\petefinnigan\who_has_priv.sql

who_has_priv: Release 1.0.3.0.0 - Production on Tue May 15 15:59:05 2012
Copyright (c) 2004 PeteFinnigan.com Limited. All rights reserved.

PRIVILEGE TO CHECK [SELECT ANY TABLE]: SELECT ANY DICTIONARY
OUTPUT METHOD Screen/File [S]:
FILE NAME FOR OUTPUT [priv.lst]:
OUTPUT DIRECTORY [DIRECTORY or file (/tmp)]:
EXCLUDE CERTAIN USERS [N]:
USER TO SKIP [TEST%]:

Privilege => SELECT ANY DICTIONARY has been granted to =>
====================================================================
User => OLAPSYS (ADM = NO)
Role => DBA (ADM = YES) which is granted to =>
User => SYS (ADM = YES)
User => SYSTEM (ADM = YES)
User => WMSYS (ADM = YES)
User => SYSMAN (ADM = NO)
User => ORACLE_OCM (ADM = NO)
Role => OEM_MONITOR (ADM = NO) which is granted to =>
User => DBSNMP (ADM = NO)
User => SYS (ADM = YES)
User => DBSNMP (ADM = NO)
User => VASCAN (ADM = NO)
User => IX (ADM = NO)

PL/SQL procedure successfully completed.

For updates please visit http://www.petefinnigan.com/tools.htm
To find all the privileges granted to a specific user, use the find_all_privs.sql script:
SQL> @d:\petefinnigan\find_all_privs.sql

Find all privileges granted to a specific user :
find_all_privs: Release 1.0.7.0.0 - Production on Tue May 15 16:02:58 2012
Copyright (c) 2004 PeteFinnigan.com Limited. All rights reserved.

NAME OF USER TO CHECK [ORCL]: HR
OUTPUT METHOD Screen/File [S]:
FILE NAME FOR OUTPUT [priv.lst]:
OUTPUT DIRECTORY [DIRECTORY or file (/tmp)]:

User => HR has been granted the following privileges
====================================================================
ROLE => RESOURCE which contains =>
SYS PRIV => CREATE CLUSTER grantable => NO
SYS PRIV => CREATE INDEXTYPE grantable => NO
SYS PRIV => CREATE OPERATOR grantable => NO
SYS PRIV => CREATE PROCEDURE grantable => NO
SYS PRIV => CREATE SEQUENCE grantable => NO
SYS PRIV => CREATE TABLE grantable => NO
SYS PRIV => CREATE TRIGGER grantable => NO
SYS PRIV => CREATE TYPE grantable => NO
SYS PRIV => ALTER SESSION grantable => NO
SYS PRIV => CREATE DATABASE LINK grantable => NO
SYS PRIV => CREATE SEQUENCE grantable => NO
SYS PRIV => CREATE SESSION grantable => NO
SYS PRIV => CREATE SYNONYM grantable => NO
SYS PRIV => CREATE VIEW grantable => NO
SYS PRIV => EXEMPT ACCESS POLICY grantable => NO
SYS PRIV => UNLIMITED TABLESPACE grantable => NO
TABLE PRIV => EXECUTE object => SYS.DBMS_STATS grantable => NO

PL/SQL procedure successfully completed.

For updates please visit http://www.petefinnigan.com/tools.htm
SQL>
The object-level privileges granted on a specific object can be checked with the who_can_access.sql script:
SQL> @d:\petefinnigan\who_can_access.sql

who_can_access: Release 1.0.3.0.0 - Production on Tue May 15 16:05:28 2012
Copyright (c) 2004 PeteFinnigan.com Limited. All rights reserved.

NAME OF OBJECT TO CHECK [USER_OBJECTS]: EMPLOYEES
OWNER OF THE OBJECT TO CHECK [USER]: HR
OUTPUT METHOD Screen/File [S]:
FILE NAME FOR OUTPUT [priv.lst]:
OUTPUT DIRECTORY [DIRECTORY or file (/tmp)]:
EXCLUDE CERTAIN USERS [N]:
USER TO SKIP [TEST%]:

Checking object => HR.EMPLOYEES
====================================================================
Object type is => TABLE (TAB)
Privilege => REFERENCES is granted to =>
User => OE (ADM = NO)
Privilege => SELECT is granted to =>
User => OE (ADM = NO)

PL/SQL procedure successfully completed.

For updates please visit http://www.petefinnigan.com/tools.htm
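The two questions the who_has_priv.sql and who_can_access.sql runs above answer (who holds a system privilege, and who can access an object) asked directly of the data dictionary, with role grants expanded recursively. This is an added example, not Pete Finnigan's code; it uses the same privilege, object and TEST% exclusion as the runs above, needs SELECT ANY DICTIONARY or SELECT_CATALOG_ROLE, and assumes Oracle 11g Release 2 or later for recursive subquery factoring.

```sql
-- Added example (not from Pete Finnigan's scripts). Privilege, object and
-- exclusion pattern match the page's examples; change them as needed.

-- A. Who holds SELECT ANY DICTIONARY, directly or through a chain of roles.
--    Oracle rejects circular role grants, so the recursion always terminates.
--    The anchor CASTs the path to VARCHAR2(4000): a recursive WITH takes its
--    column types from the anchor, and a path longer than 30 characters would
--    otherwise fail with ORA-01489.
WITH holders (grantee, grant_path, admin_option) AS (
  SELECT grantee, CAST(grantee AS VARCHAR2(4000)), admin_option
    FROM dba_sys_privs
   WHERE privilege = 'SELECT ANY DICTIONARY'
  UNION ALL
  -- A privilege received through a role cannot be re-granted, hence 'NO'.
  SELECT rp.grantee, h.grant_path || ' -> ' || rp.grantee, 'NO'
    FROM dba_role_privs rp
    JOIN holders h ON rp.granted_role = h.grantee
)
SELECT h.grantee,
       CASE WHEN h.grantee = 'PUBLIC' THEN 'PUBLIC'
            WHEN r.role IS NOT NULL  THEN 'ROLE'
            ELSE 'USER' END AS grantee_type,
       h.grant_path,
       h.admin_option
  FROM holders h
  LEFT JOIN dba_roles r ON r.role = h.grantee
 WHERE h.grantee NOT LIKE 'TEST%'      -- same exclusion the script offers
 ORDER BY grantee_type, h.grantee;

-- B. Who can access HR.EMPLOYEES, with the privilege kept per row so that a
--    SELECT-only grantee is distinguished from one who can also UPDATE.
--    A grant to PUBLIC surfaces as grantee PUBLIC: every account has it.
WITH accessors (grantee, privilege, grant_path, grantable) AS (
  SELECT grantee, privilege, CAST(grantee AS VARCHAR2(4000)), grantable
    FROM dba_tab_privs
   WHERE owner = 'HR' AND table_name = 'EMPLOYEES'
  UNION ALL
  SELECT rp.grantee, a.privilege, a.grant_path || ' -> ' || rp.grantee, 'NO'
    FROM dba_role_privs rp
    JOIN accessors a ON rp.granted_role = a.grantee
)
SELECT a.privilege,
       a.grantee,
       CASE WHEN a.grantee = 'PUBLIC' THEN 'PUBLIC'
            WHEN r.role IS NOT NULL  THEN 'ROLE'
            ELSE 'USER' END AS grantee_type,
       a.grant_path,
       a.grantable
  FROM accessors a
  LEFT JOIN dba_roles r ON r.role = a.grantee
 WHERE a.grantee NOT LIKE 'TEST%'
 ORDER BY a.privilege, grantee_type, a.grantee;
```

Query A does not list holders of SELECT ANY TABLE or the DBA role's other powerful privileges; run it once per privilege you care about. Neither query accounts for ownership (HR itself needs no grant on HR.EMPLOYEES) or for system privileges such as SELECT ANY TABLE that bypass object grants entirely, so pair query B with query A when assessing access to a sensitive table.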