col password format a20col account_status format a20col username format a15select o.username, o.password, d.account_statusfrom dba_users d, osp_accounts owhere o.hash_value = d.password/USERNAME PASSWORD ACCOUNT_STATUS--------------- -------------------- --------------------CTXSYS CHANGE_ON_INSTALL OPENOLAPSYS MANAGER OPENDIP DIP EXPIRED & LOCKEDDMSYS DMSYS OPENEXFSYS EXFSYS EXPIRED & LOCKEDSYSTEM ORACLE OPENWMSYS WMSYS EXPIRED & LOCKEDXDB CHANGE_ON_INSTALL EXPIRED & LOCKEDOUTLN OUTLN OPENSCOTT TIGER OPENSYS ORACLE OPEN
Here you can see some of the most vulnerable of situations, especially the last line, which says SYS and the password is "ORACLE" (as is that of SYSTEM)!It may not be "change_on_install", but it's just as predictable.The vulnerability varies across versions. In Oracle Database 10
and later, the database installation has a prompt that asks what the password should be,instead of assuming it to be "change_on_install" or something else. Because the user is forced to make a decision, it is likely that the password will be a non-default one. However, if the user chooses something as predictable as "oracle", then the point is moot. (Perhaps "oracle" was chosen when the database wasbeing built prior to production as a convenience to the DBAs. After it went to production, the password stuck around.)In versions prior to Oracle Database 10
, the password is not prompted to be entered, and hence it is likely that the default password—e.g."change_on_install" for SYS and "manager" for SYSTEM—is active. This tool will help you identify such cases.Also note that the userid SCOTT—the demo account for learning SQL techniques—may be fine for a development database, but not a production one. It is apotential back-door entry for intruders and you should immediately drop it.Accounts like CTXSYS, DMSYS, and OLAPSYS, are required for Oracle tools. The best strategy is to drop these users if you are not using these options. Ifyou are not sure you are using them, or just want to reserve the opportunity, you can keep these accounts but lock them from connections. To lock anaccount and expire the password, you would issue:
alter user dmsys account lock expire password;
which will set the account status to
EXPIRED & LOCKED
. When the user tries to login, the following error will be raised:
ERROR:ORA-28000: the account is lockedWarning: You are no longer connected to ORACLE.
Change the password for all accounts you cannot lock. One such account is DBNSMP, but we'll discuss that later.
The locking of unused accounts shouldn't cause any problems.
1. Identify the unused accounts.2. Lock them and expire their passwords.
1.2 Configure Oracle Binary Permissions
Oracle Database uses several binary files. The most important, of course, is the executable "oracle" in UNIX and Linux flavors and "oracle.exe" in Windows.Note the permission on these files. For instance, in UNIX, you may see something like this.
# cd $ORACLE_HOME/bin# ls -l oracle-rwsr-s--x 1 oracle oinstall 69344968 Jun 10 14:05 oracle
Project Lockdown by Arup NandaPage 3 of 66