
Oracle Database 10g Administration (DBA): Maintenance

Managing Data Security

 

 

How to change the password for a user

 

ALTER USER scott identified by scott;

 

 

How to enforce strict password control

 

By default, Oracle allows users to choose single-character passwords and passwords that match their names and user IDs. Also by default, passwords do not expire. Oracle manages passwords through profiles, however. Some of the things that we can restrict:

 

             FAILED_LOGIN_ATTEMPTS - failed login attempts before the account is locked

             PASSWORD_LIFE_TIME - limits the number of days the same password can be used for authentication

             PASSWORD_GRACE_TIME - number of days after the grace period begins during which a warning is issued and login is allowed

             PASSWORD_LOCK_TIME - number of days an account will be locked after maximum failed login attempts

             PASSWORD_REUSE_TIME - number of days before a password can be reused

             PASSWORD_REUSE_MAX - number of password changes required before the current password can be reused

             PASSWORD_VERIFY_FUNCTION - password complexity verification script

 

             Example:

             1) Create the profile:

                CREATE PROFILE profile_A LIMIT FAILED_LOGIN_ATTEMPTS 7;

             2) Associate the profile with a user:

                ALTER USER scott PROFILE profile_A;
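
A fuller profile that sets every limit listed above and attaches a complexity check, as an added example that is not from the original page. The names profile_strict and app_verify_fn and all limit values are assumptions chosen for illustration; run it as SYS, since a password verify function must be owned by SYS.

```sql
-- Added example (not from the original page).
-- app_verify_fn, profile_strict and every limit value are assumptions.
CREATE OR REPLACE FUNCTION app_verify_fn (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
  -- Reject the two defaults described above: very short passwords
  -- and passwords equal to the user name.
  IF LENGTH(password) < 12 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
  END IF;
  IF UPPER(password) = UPPER(username) THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must not match the user name');
  END IF;
  -- Require at least one letter and one digit.
  IF NOT (REGEXP_LIKE(password, '[[:alpha:]]')
          AND REGEXP_LIKE(password, '[[:digit:]]')) THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password must contain a letter and a digit');
  END IF;
  RETURN TRUE;
END;
/

CREATE PROFILE profile_strict LIMIT
  FAILED_LOGIN_ATTEMPTS    5     -- lock after 5 consecutive failures
  PASSWORD_LIFE_TIME       90    -- days a password stays valid
  PASSWORD_GRACE_TIME      7     -- days of warnings before forced change
  PASSWORD_LOCK_TIME       1     -- days the account stays locked
  PASSWORD_REUSE_TIME      365   -- days before a password may be reused
  PASSWORD_REUSE_MAX       10    -- changes required before reuse
  PASSWORD_VERIFY_FUNCTION app_verify_fn;

ALTER USER scott PROFILE profile_strict;

-- Confirm the password limits that are now in force for the profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'PROFILE_STRICT' AND resource_type = 'PASSWORD';

-- List accounts that are still governed by some other profile.
SELECT username, profile, account_status
  FROM dba_users
 WHERE profile <> 'PROFILE_STRICT'
 ORDER BY username;
```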

 

 

How to connect as SYS without knowing its password

 

If an administrative OS user belongs to the "dba" group on Unix or to the "ORA_DBA" (ORA_sid_DBA) group on NT, we can connect to Oracle like this:

 

connect / as sysdba

 

We can use the show user command to verify that we are connected as SYS.

 

 

How to connect as a regular user without knowing his password

 

   1) Select the encrypted password value

        SQL> SELECT password FROM dba_users WHERE username='SCOTT';

        PASSWORD
        --------------------------
        D794344J35502S67

   2) Change Scott's password (temporarily)

        SQL> ALTER USER scott identified by new_pass;

   3) Connect using this new password

        SQL> connect scott/new_pass

   4) Connect as SYS (or SYSTEM)

        SQL> connect / as sysdba

   5) Restore Scott's original password

        SQL> ALTER USER scott identified by values 'D794344J35502S67';
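
The swap-and-restore above leaves two ALTER USER statements against the same account close together, which standard auditing can surface. This is an added example, not from the original page; it assumes the AUDIT_TRAIL parameter is set to DB, and the one-hour window is a value chosen for illustration.

```sql
-- Added example (not from the original page).
-- Assumes AUDIT_TRAIL=DB so that records are written to DBA_AUDIT_TRAIL.

-- Record every ALTER USER statement, one audit row per execution.
AUDIT ALTER USER BY ACCESS;

-- Flag accounts that were altered twice within one hour: the pattern
-- produced by a temporary password change followed by a restore.
SELECT a.obj_name    AS target_user,
       a.username    AS first_changed_by,
       a.os_username AS first_os_user,
       a.timestamp   AS first_change,
       b.username    AS second_changed_by,
       b.timestamp   AS second_change
  FROM dba_audit_trail a
  JOIN dba_audit_trail b
    ON b.obj_name    = a.obj_name
   AND b.action_name = 'ALTER USER'
   AND b.timestamp   >  a.timestamp
   AND b.timestamp   <= a.timestamp + 1/24   -- assumed window: one hour
 WHERE a.action_name = 'ALTER USER'
 ORDER BY a.timestamp;
```

Statements issued while connected AS SYSDBA are not written to DBA_AUDIT_TRAIL; they go to the operating-system audit files when AUDIT_SYS_OPERATIONS is TRUE.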

 

Allowing/ Removing SELECT, DELETE, UPDATE, INSERT privileges on tables

 

GRANT select, update, delete, insert on SCOTT.EMP to PAUL;

REVOKE select, update, delete, insert on SCOTT.EMP FROM PAUL;

 

"PAUL" could be a user (schema) or a role.

 

 

Allowing/ Removing EXECUTE privileges on procedures, functions, packages

 

grant EXECUTE on SCOTT.F1 to PAUL;     -- Paul will be able to run (execute) the scott.F1 function

revoke EXECUTE on SCOTT.F1 from PAUL;

 

 

More information about this subject (Managing Data Security in Oracle) is available from www.in-oracle.com

 

 

Here is some general information about data security:

The activities related to this step take place after all other steps in data security are complete and all affected data or network systems are restored. The purpose of this data management step is to review the security incident and determine how to prevent the same type of successful data or network attack in the future, as well as to identify areas for improvement to facilitate faster response and better business impact mitigation. Using documents created during the Detect, Contain, and Eradicate steps, the IRTs seek to answer the following questions:


   1) What happened to corporate data or network systems?
   2) What was supposed to happen to these information systems?
   3) What are the differences, or gaps, between 1 and 2?
   4) What are the reasons for the differences?
   5) What data security controls failed or were missing in the areas of people, process, and technology?
   6) What are the lessons learned?

The process of answering these questions and the development of an Action Plan to improve incident detection and response are the elements of an After Action Review, or AAR.

 

More information on this subject was taken from here.

 

 

 


Disclaimer: The views expressed on this web site are my own and do not reflect the views of Oracle Corporation. You may use the information from this site only at your risk. Copyright (c) 2009-2011 Paul Catalin Tomoiu. All rights reserved.