33. Check the users and roles who have the CREATE ANY DIRECTORY privilege.
·
select GRANTEE,ADMIN_OPTION from dba_sys_privs where privilege like '%CREATE ANY DIRECTORY%';
34. Check the users who have the CREATE JOB privilege and discuss each grant, because the ability to create scheduled jobs can turn into a DBA's nightmare.
·
select GRANTEE,ADMIN_OPTION from dba_sys_privs where privilege like '%CREATE JOB%';
35. Check the powerful network packages and control the PUBLIC grants. If they were granted to PUBLIC, read Oracle Support documents ID 247093.1 and ID 470366.1, then revoke the privileges from PUBLIC and regrant them to the schema accounts that need them.
· Be Cautious When Revoking Privileges Granted to PUBLIC [ID 247093.1]
· Permissions for Packages DBMS_RANDOM, UTL_FILE, UTL_HTTP, UTL_SMTP and UTL_TCP [ID 470366.1]
·
SELECT grantee, table_name, privilege, grantable
FROM dba_tab_privs
WHERE table_name IN ('UTL_FILE','UTL_TCP','UTL_HTTP','UTL_SMTP','DBMS_RANDOM','DBMS_LOB','DBMS_SQL','DBMS_SYS_SQL')
AND grantee = 'PUBLIC';
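To act on the PUBLIC grants found above, an added example (not part of the original post) that prints the REVOKE for each PUBLIC grant on the listed packages together with a direct GRANT for every schema whose stored code depends on that package, so the regrant targets come from DBA_DEPENDENCIES rather than guesswork:

```sql
-- Added example (not from the original post). Dry run: statements are only
-- printed with DBMS_OUTPUT so they can be reviewed before anything is executed.
SET SERVEROUTPUT ON SIZE UNLIMITED
BEGIN
  FOR p IN (SELECT owner, table_name, privilege
              FROM dba_tab_privs
             WHERE grantee = 'PUBLIC'
               AND table_name IN ('UTL_FILE','UTL_TCP','UTL_HTTP','UTL_SMTP',
                                  'DBMS_RANDOM','DBMS_LOB','DBMS_SQL','DBMS_SYS_SQL')
             ORDER BY table_name)
  LOOP
    DBMS_OUTPUT.PUT_LINE('-- ' || p.table_name);
    DBMS_OUTPUT.PUT_LINE('REVOKE ' || p.privilege || ' ON ' || p.owner || '.'
                         || p.table_name || ' FROM PUBLIC;');
    -- Schemas whose stored PL/SQL or views reference the package lose access
    -- once the PUBLIC grant is gone, so each of them gets a direct grant instead.
    FOR d IN (SELECT DISTINCT owner
                FROM dba_dependencies
               WHERE referenced_owner = p.owner
                 AND referenced_name  = p.table_name
                 AND owner NOT IN ('SYS','SYSTEM','PUBLIC')
               ORDER BY owner)
    LOOP
      DBMS_OUTPUT.PUT_LINE('GRANT ' || p.privilege || ' ON ' || p.owner || '.'
                           || p.table_name || ' TO ' || d.owner || ';');
    END LOOP;
  END LOOP;
END;
/
```

DBA_DEPENDENCIES only sees stored PL/SQL and views, so callers that reach a package through dynamic SQL or from a client program will not be listed, and Oracle-supplied schemas (XDB, MDSYS and similar) that do appear are expected. Run the printed script only after reviewing it, as support note 247093.1 advises.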
36. Check the DBMS_SCHEDULER and DBMS_JOB package privileges and revoke them from PUBLIC.
·
select * from dba_tab_privs where table_name ='DBMS_SCHEDULER';
·
select * from dba_tab_privs where table_name ='DBMS_JOB';
37. Check the users, other than schema accounts, who have RESOURCE privileges.
·
select * from dba_role_privs where granted_role ='RESOURCE' and grantee not in (select username from dba_users where profile ='SCHEMA');
38. Check the users who have CONNECT privileges and, if they are not necessary, revoke them.
·
select * from dba_role_privs where granted_role ='CONNECT' and grantee not in (select username from dba_users where profile ='ORAUSER');
39. Check the critical and administrative roles which have a password.
·
select * from sys.user$ where type#=0 and password is not null;
40. Check the values of these profile limits and set the minimum requirements.
·
SELECT distinct limit,resource_name FROM DBA_PROFILES WHERE RESOURCE_NAME IN ('PASSWORD_LIFE_TIME','FAILED_LOGIN_ATTEMPTS','PASSWORD_GRACE_TIME','PASSWORD_REUSE_MAX') order by 2 desc;
41. Check the users who have the DEFAULT profile, and check the limits of the DEFAULT profile.
·
select username from dba_users where profile='DEFAULT';
·
select * from dba_profiles where profile ='DEFAULT';
42. Check the SELECT ANY TABLE privilege and, if it is granted to PUBLIC, revoke it.
·
select grantee,admin_option from dba_sys_privs where privilege='SELECT ANY TABLE';
43. Check the users who have a default password.
·
select * from dba_users_with_defpwd;
44. Check the TMP_DIR and TMPDIR directory paths and privileges.
·
# grep 'TMP' /home/oracle/.bash_profile
45. Check the Oracle OS user id and group id, and their privileges.
46. The O7_DICTIONARY_ACCESSIBILITY parameter value is important for system privileges. Its default is FALSE, which keeps system privileges such as SELECT ANY TABLE from reaching the objects of the SYS schema.
·
select value from gv$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
47. Control the remote OS authentication parameter. If it is TRUE, check the users who can authenticate remotely.
·
select value from gv$parameter where name='remote_os_authent';
48. Control the remote OS roles parameter. If it is TRUE, check the roles and the users they are granted to.
·
select value from gv$parameter where name='remote_os_roles';
49. Check the ifile parameter value and security.
50. Check the users who were created with external authentication.
·
select * from dba_users where authentication_type<>'PASSWORD';
51. Check the privileges on the INITJVMAUX and OWA_UTIL packages. If they are granted to PUBLIC, analyze them, revoke them from PUBLIC and grant them to the necessary users.
·
select table_name,privilege,grantable from dba_tab_privs where table_name in('INITJVMAUX','OWA_UTIL') and grantee='PUBLIC';
52. Check the database components and their status. INVALID states require reinstalling, deinstalling or recompiling according to the OTN documents. Older component versions require updating.
·
select comp_id,version,status from dba_registry;
53. Check the trace files public parameter and find the optimum value (pfile).
·
_trace_files_public
54. Check the CREATE EXTERNAL JOB system privilege and control whether it is granted to PUBLIC.
·
select grantee,admin_option from dba_sys_privs where privilege='CREATE EXTERNAL JOB' and grantee='PUBLIC';
55. The SEC_RETURN_SERVER_RELEASE_BANNER and SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter values are very important. These parameters are new features in 11g.
·
select inst_id,name,value from gv$parameter where name in ('sec_return_server_release_banner','sec_max_failed_login_attempts');
56. Check the SEC_CASE_SENSITIVE_LOGON parameter value. It provides case-sensitive user and role passwords in 11g. The default value is TRUE.
·
select * from gv$parameter where name='sec_case_sensitive_logon';
57. Check whether the DBMS_XMLQUERY package is granted to PUBLIC.
·
SELECT DECODE (grantee, 'PUBLIC', 'TRUE', 'FALSE') FROM dba_tab_privs WHERE table_name = 'DBMS_XMLQUERY' AND grantee = 'PUBLIC';
58. Check whether the audit_sys_operations parameter is TRUE or FALSE.
·
select inst_id,value from gv$parameter where name='audit_sys_operations';
59. Control all profiles and their PASSWORD_VERIFY_FUNCTION limit. Set the NULL values to the Oracle 11g standard VERIFY_FUNCTION (which requires 8 characters, case sensitive, minimum 1 letter, 1 number and 1 punctuation character).
·
select * from dba_profiles where resource_name='PASSWORD_VERIFY_FUNCTION' and (limit = 'NULL' or limit is null);
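Items 40, 41 and 59 together describe one procedure: set the password limits, attach a verify function, and move accounts off the DEFAULT profile. An added example (not from the original post) that carries it through; the profile name SEC_BASELINE and the numeric limits are illustrative choices, not Oracle defaults or the post's requirements:

```sql
-- Added example (not from the original post). SEC_BASELINE and the limits
-- below are assumptions chosen for illustration.
-- Step 1 (as SYS): create the 11g verify function if it is missing. The script
-- ships with the database, creates VERIFY_FUNCTION_11G and also alters the
-- DEFAULT profile, so read it before running it.
@?/rdbms/admin/utlpwdmg.sql

-- Step 2: a profile carrying the item 40 limits plus the verify function.
CREATE PROFILE SEC_BASELINE LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION_11G;

-- Step 3 (item 59): generate ALTER PROFILE statements for every profile whose
-- verify function is still unset (DBA_PROFILES shows the string 'NULL').
SELECT 'ALTER PROFILE ' || profile
       || ' LIMIT PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION_11G;' AS fix_stmt
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION'
   AND (limit = 'NULL' OR limit IS NULL)
 ORDER BY profile;

-- Step 4 (item 41): generate ALTER USER statements moving open accounts off
-- DEFAULT. SYS and SYSTEM are excluded; review the list before running it.
SELECT 'ALTER USER ' || username || ' PROFILE SEC_BASELINE;' AS fix_stmt
  FROM dba_users
 WHERE profile = 'DEFAULT'
   AND account_status = 'OPEN'
   AND username NOT IN ('SYS', 'SYSTEM')
 ORDER BY username;

-- Step 5: verify the new profile the same way item 40 checks limits.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'SEC_BASELINE'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;
```

A verify function is only enforced at the next password change, so passwords that already exist are not re-checked until the account is expired or reset.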
60. Check the SYS user's profile and set it to the ORASYS profile if it is not already. Control the users of the ORASYS profile.
·
select profile from dba_users where username='SYS';
61. Check the audit syslog level parameter.
·
select inst_id,value from gv$parameter where name='audit_syslog_level';