marrowyung

asked on

Oracle security check result.

hi,

We have some Oracle security related issues; are they really necessary? Please share your thoughts.

1) Description: 1.1.10 Change the default password for 'OLAPSYS' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The OLAPSYS account owns the online analytical processing (OLAP) catalog. OLAP applications are developed/operate to use business
intelligence and data warehousing systems and OLAP is optimized for this type of application.
Finding:
The OLAPSYS user has default password using 11G or 10G password hashing mechanism.



2) Description: 1.1.12 Change the default password for 'ORDDATA' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The ORDDATA user operationalizes/owns the Oracle Multimedia DICOM modality: Digital Imaging and Communications in Medicine
(DICOM), which is the industry standard for medical imaging, enables the Database to store, manage, and manipulate all DICOM format
medical content.


3) Description: 1.1.18 Change the default password for 'SI_INFORMTN_SCHEMA' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The SI_INFORMTN_SCHEMA functions as the location for storing plugins supplied by Oracle and all other third-party plugins.
Finding:
The SI_INFORMTN_SCHEMA user has default password using 11G or 10G password hashing mechanism.
Rationale:
As the default SI_INFORMTN_SCHEMA account created by Oracle has a well-known password and can be potentially corrupted to allow
the installation of malware disguised as third-party multimedia plugins, this value should be reset according to the needs of the organization.


4) Description: 1.1.19 Change the default password for 'SPATIAL_CSW_ADMIN_USR' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The SPATIAL_CSW_ADMIN_USR account owns the Catalog Services for the Web (CSW) capabilities, which are used by Oracle to load
record-type metadata and instances from the DB into the main memory when these records are cached.
Finding:
The SPATIAL_CSW_ADMIN_USR user has default password using 11G or 10G password hashing mechanism.

5) Description: 1.1.20 Change the default password for 'SPATIAL_WFS_ADMIN_USR' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The SPATIAL_WFS_ADMIN_USR account owns the Web Feature Service (WFS) capabilities, which are used by Oracle to load feature
instance/metadata from the DB into the main memory when these are pulled from a cache.
Finding:
The SPATIAL_WFS_ADMIN_USR user has default password using 11G or 10G password hashing mechanism.


6) Description: 1.1.2 Change the default password for 'APPQOSSYS' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The APPQOSSYS account manages/owns all Quality of Service objects and provides an intuitive, policy-driven system to manage service
level requirements.

7) Description: 1.1.26 Change the default password for 'WMSYS' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The WMSYS account stores manages all metadata for the Workspace manager, which provides a virtual environment to isolate
workspaces, such as a collection of changes to production data, or keep a changes history, allowing the creation of "what if" scenarios.
Finding:
The WMSYS user has default password using 11G or 10G password hashing mechanism.

8) Description: 1.1.27 Change the default password for 'XDB' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The XDB account enables high-performance storage and retrieval of XML data.
Finding:
The XDB user has default password using 11G or 10G password hashing mechanism.

9) Description: 1.1.4 Change the default password for 'DBSNMP' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The DBSNMP account is used by the Oracle Enterprise Manager to monitor and manage the database.
Finding:
The DBSNMP user has default password using 11G or 10G password hashing mechanism.

10) Description: 1.1.5 Change the default password for 'DIP' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The DIP account supports the operation of the Oracle Internet Directory and Oracle Label Security.
Finding:
The DIP user has default password using 11G or 10G password hashing mechanism.

11) Description: 1.1.3 Change the default password for 'CTXSYS' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The CTXSYS is used to administer Oracle Text.
Finding:
The CTXSYS user has default password using 11G or 10G password hashing mechanism.

12) Description: 1.1.8 Change the default password for 'MDSYS' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The MDSYS is the user in that operationalizes the Oracle Multimedia Locator, which serves as part of the storage, management, and
retrieval of audio/video images.
Finding:
The MDSYS user has default password using 11G or 10G password hashing mechanism.

13) Description: 1.1.7 Change the default password for 'MDDATA' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The MDDATA account owns the schema used by Oracle Spatial for storing Geocoder and router data, which allows the plotting of
datapoints, such as market locations/types, against latitude and longitude on a map, in a way similar to a GPS presentation.
Finding:
The MDDATA user has default password using 11G or 10G password hashing mechanism.

14) Description: Unspecified vulnerability in the Oracle OLAP component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows
local users to affect confidentiality, integrity, and availability via unspecified vectors.
Fixed in CPU Apr 2016.
Remediation: Install the latest update available and follow additional remediation steps if necessary as suggested in the vendor's website.

15) Description: Unspecified vulnerability in the JDBC component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote
attackers to affect confidentiality, integrity, and availability via unknown vectors.
Fixed in CPU Jul 2016.
Remediation: Install the latest update available and follow additional remediation steps if necessary as suggested in the vendor's website.

16) Description: Unspecified vulnerability in the Portable Clusterware component in Oracle Database Server 11.2.0.4 and 12.1.0.2 allows
remote attackers to affect availability via unknown vectors.
Fixed in CPU Jul 2016.
Remediation: Install the latest update available and follow additional remediation steps if necessary as suggested in the vendor's website.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3479

17) Description: Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 11.2.0.4,
12.1.0.2 and 12.2.0.1. Easily exploitable vulnerability allows low privileged attacker having Create session privilege with logon to the
infrastructure where Core RDBMS executes to compromise Core RDBMS. While the vulnerability is in Core RDBMS, attacks may
significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Core RDBMS. Note: This score is
for Windows platform version 11.2.0.4 of Database. For Windows platform version 12.1.0.2 and Linux, the score is 7.8 with scope
Unchanged.
Fixed in CPU October 2017.
Remediation: Install the latest update available and follow additional remediation steps if necessary as suggested in the vendor's website.



18) Description: 1.1.18 Change the default password for 'SI_INFORMTN_SCHEMA' (Scored)
Profile Applicability:
Level 1 - 11.x on any platform
Description:
The SI_INFORMTN_SCHEMA functions as the location for storing plugins supplied by Oracle and all other third-party plugins.
Finding:
The SI_INFORMTN_SCHEMA user has default password using 11G or 10G password hashing mechanism.
Rationale:
As the default SI_INFORMTN_SCHEMA account created by Oracle has a well-known password and can be potentially corrupted to allow
the installation of malware disguised as third-party multimedia plugins, this value should be reset according to the needs of the organization.


Question is, changing all those passwords is ok?
slightwv (Netminder)

>>Question is, changing all those passwords is ok?

In my databases it is.  I cannot speak for your databases.  Most of those accounts should be "EXPIRED & LOCKED".  If they are in your system, then change the passwords since nothing is logging in as them.

If one or more of them are "OPEN", I would check with the DBA and/or Administrators/System Analysts to see what might be using them.

Here is the query:
select username, account_status from dba_users;

In 12c there is now a LAST_LOGIN column in dba_users that will provide additional information.  If they haven't been logged into forever, probably safe to change the passwords but again, we cannot say for sure because we don't know your system.
this is a standard "holes" document of an attack and penetration test

of course you should change the default password for all the accounts

never seen any movies where a SEAL team comes in and uses the default code to open the bank safe?
or the front door with number lock ?

same thing
marrowyung (ASKER)

the point is usually we worry about sysdba and sysadm, I can't see so many other types of account.
It is about doing first time right.

All are aware of the SYS and SYSTEM users that are loaded with high-level database privileges to perform every database administrative task imaginable.
For this reason, yet not often adhered to, the SYS and SYSTEM accounts should nearly never be used. Instead grant specific privileges to pseudo database administrative accounts.

We need to protect against the use and misuse of these two important accounts.

Likewise, the other predefined administrative accounts should be handled with the same amount of caution.

But the assumption trap kicks in.
DBAs and developers often, in an attempt to hurry testing, may grant higher levels of privileges to these accounts.

This has the potential to create great harm if any form of migration were to happen from development or test into a production environment and these accounts were propagated as well. Such exposure should be avoided; otherwise attackers will hunt for these and pivot remotely into the systems to do more harm.
"But the assumption trap kicks in.
DBAs and developers often, in an attempt to hurry testing, may grant higher levels of privileges to these accounts."

yes I knew.

but actually all those permission stuff I post is normal in all Oracle DBs, but I don't think all Oracle DBs will have it, right?
"1-14,18) ORACLE creates a default account with those user ID such as "XDB" (and others) and mostly with password "CHANGE_ON_INSTALL"."


15-17, do you think it is really just update products?
>>15-17, do you think it is really just update products?

It does appear you just need to make sure you are patched.
Oracle creates a number of default database users or schemas when a new database is created. Later versions will have more, e.g. Oracle Database 12c; the list of default accounts is below.
https://docs.oracle.com/database/121/NTDBI/startrdb.htm#NTDBI2845

For the patches, it is just that. Unless you are not able to do it, then it is the workaround that needs to be in place. You can rescan to confirm, and note that changes may need a reboot.
"Oracle creates a number of default database users or schemas when a new database is created. Later versions will have more, e.g. Oracle Database 12c; the list of default accounts is below."

in this case the Oracle DBA has a lot of things to do on that! Changing all the passwords is time consuming.
>>Changing all the passwords is time consuming.

Not really.  Besides, that is part of the job of a DBA.

Since NO ONE EVER needs to log into them, you don't really need to remember the passwords.

Have SQL generate the SQL.  Then just execute it:
select 'alter user ' || username || ' identified by ' || dbms_random.string('a',10) || ';' from dba_users where username in ('XDB','CTXSYS');



Just add to the list of usernames you need to change.

Takes seconds per database.
To add on, default passwords can be searched for and changed. See the script. You can add on if needed, but it should be quite comprehensive already.
https://www.google.com.sg/amp/s/maxwellmiranda.wordpress.com/2011/03/08/script-to-find-default-oracle-user-passwords/amp/

In case you want to see official Oracle advice:
https://docs.oracle.com/cd/B28359_01/server.111/b28337/tdpsg_user_accounts.htm#BABJAEDF

Some others also. If you find default accounts with default passwords, then do two things.
First decide if the account can be removed. It should be possible in almost all cases. If it can be, remove it.

If not, change the password, lock and expire the account, and audit access to them. Also use the password management features, particularly on default accounts.
>>See the script. You can add on if needed, but it should be quite comprehensive already.

The password column is no longer populated in 12c so that script likely won't help.

The link to the Oracle documentation is good.  I would go with the docs.

You should always go with the version of the documentation you are running.

Here is the 12.2 version.  
https://docs.oracle.com/en/database/oracle/oracle-database/12.2/tdpsg/securing-the-database-installation-and-configuration.html#GUID-8884D9B2-34BD-4D73-8E8F-16E8A539F1C1


Putting that into my query:
select 'alter user ' || username || ' identified by ' || dbms_random.string('a',10) || ';' 
from dba_users where username in (select username from DBA_USERS_WITH_DEFPWD);

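The two queries above can be folded into one PL/SQL step that does what the Oracle docs recommend for each default-password account: set a random password, then expire and lock it. This is an added example, not code from the thread or from Oracle; it assumes an 11g or later database, a session with the DBA role (needed for DBA_USERS_WITH_DEFPWD and ALTER USER), and a hypothetical `l_apply` switch that starts as a dry run, because an OPEN account may still be in use by an application.

```sql
-- Added example (not from the thread). Dry run by default: lists each
-- account still on a default password; set l_apply to TRUE to change,
-- expire and lock them once the list has been checked with the app owners.
SET SERVEROUTPUT ON
DECLARE
  l_apply CONSTANT BOOLEAN := FALSE;   -- FALSE = report only
  l_pwd   VARCHAR2(40);
  l_sql   VARCHAR2(400);
BEGIN
  FOR r IN (SELECT u.username, u.account_status
              FROM dba_users u
              JOIN dba_users_with_defpwd d ON d.username = u.username
             -- SYS and SYSTEM must never be locked; change them separately.
             WHERE u.username NOT IN ('SYS', 'SYSTEM')
             ORDER BY u.username)
  LOOP
    -- Random mixed-case letters plus a digit and a symbol, so the value
    -- also satisfies a typical password verify function.
    l_pwd := dbms_random.string('a', 12)
             || TO_CHAR(TRUNC(dbms_random.value(0, 10))) || '#';
    -- enquote_name quotes the identifier, so a username read from the
    -- dictionary cannot alter the shape of the dynamic statement.
    l_sql := 'ALTER USER ' || dbms_assert.enquote_name(r.username, FALSE)
             || ' IDENTIFIED BY "' || l_pwd || '"'
             || ' PASSWORD EXPIRE ACCOUNT LOCK';
    dbms_output.put_line(
      RPAD(r.username, 30) || RPAD(r.account_status, 18)
      || CASE WHEN l_apply THEN 'changed, expired and locked'
              ELSE 'default password (dry run)' END);
    IF l_apply THEN
      EXECUTE IMMEDIATE l_sql;   -- the password itself is never printed
    END IF;
  END LOOP;
END;
/
```

Nobody needs to know the new passwords: once an account is expired and locked, a DBA who later has a real need for it resets the password at that point.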

lol, default password list ... had a good laugh with that
slightwv ,

"Besides, that is part of the job of a DBA."

I mean not that expensive and much!

"Have SQL generate the SQL.  Then just execute it:"

So still need time to add one by one. MS SQL doesn't need that, except when the account is created for service use, where sometimes we don't prefer to have password changes; that is also good, as we can have virtual accounts for SQL Server operation, as they have no password at all! No need to change at all.
lol, comparing mssql to oracle ?

So still need time to add one by one.
Well, if you're clever you can setup a dos/bash script which resets all the default passwords
some auditing departments want a "complex" password

I've made a script which runs daily to reset the system/sys password to something random
some vendors actually used sys to login, after i reset that password all hell broke loose
they came up with an idiot story for some missing privs and was given the password
they thought they were ok again ... until the day after
they finally decided to follow the rules and use a separate account

it's not only about the default passwords, it's about the whole security thingy
protect access to your systems and especially to high privileged accounts
"lol, comparing mssql to oracle ?"

why not? this kind of comparison can be a good learning stepping stone.


"it's not only about the default passwords, it's about the whole security thingy
protect access to your systems and especially to high privileged accounts"

I knew, the question I am asking is about a result from a scanning process.
another thought is that if those default accounts are not needed, then consider "locking" them out and rendering them not "usable". Otherwise opt for risk acceptance if it is really deemed so unfriendly, but the aftermath of the damage control may be costly when (not if) a hacker exploits the default account to gain access and penetrate. Sometimes it is also driven by compliance to close them up.
Most, if not all, of them are locked and expired by default.
slightwv,

"If the account is unlocked some process might be using it even with the default password.  If you change it, things might break."

you mean an application is still using it and that's why it is unlocked?


"Most, if not all, of them are locked and expired by default."

sorry I am confused.
>>you mean an application is still using it and that's why it is unlocked?

Something/someone at some time has unlocked the account which means they needed to do so.  If it still needs to be unlocked, we have no idea.  That is something your apps/DBAs/systems folks will need to tell you.

>>sorry I am confused.

When you create a database, you get many default users and schemas.  That is what the security check looked at.  MOST of them are created with a LOCKED and EXPIRED status so no one can log into them unless a DBA unlocks them.

Check the docs for allowed account_status column values.
https://docs.oracle.com/en/database/oracle/oracle-database/12.2/refrn/DBA_USERS.html#GUID-309FCCB2-2E8D-4371-9FC5-7F3B10E2A8C0


Here is a subset from one of my databases:
SQL>  select username,account_status from dba_users where username in ('XDB','CTXSYS','ANONYMOUS');
XDB                            LOCKED
ANONYMOUS                      EXPIRED & LOCKED
CTXSYS                         OPEN


tks all, might come back later for this is really necessary.
>>might come back later for this is really necessary.

No need to come back later:
It is all about security and risk mitigation.  With that is perceived and actual.

First rule is there is no such thing as a 100% secure computer.

One of the most secure computers is one with no cables, keyboards or power connected, encased in 5 feet of steel reinforced concrete and dropped off a boat in the Mariana Trench.  Then there is everything else.

There are known vulnerabilities in those packages and security testers know to look for them.  They do a scan and make recommendations about possible security risks.  Many times they have no idea about the impacts of their suggestions.

It is up to Management to accept any risk of not following those recommendations.

For example:  If only one server is allowed to connect to the database server and only one username is unlocked then having PUBLIC execute isn't as big of a deal as a database server open to the entire network with thousands of potential connections.
"One of the most secure computers is one with no cables, keyboards or power connected, encased in 5 feet of steel reinforced concrete and dropped off a boat in the Mariana Trench.  Then there is everything else."
yeah, someone talked about that before, and it is very risky once Internet comes up! before that we are fine ...  :):)

"There are known vulnerabilities in those packages and security testers know to look for them.  They do a scan and make recommendations about possible security risks.  Many times they have no idea about the impacts of their suggestions."

exactly! I got an MS SQL check that said turn on C2 Audit! B.S.!! If it is turned on, SQL Server CPU goes super high! SQL Server doesn't work any more.