Scribd Logo
Unggah

Selamat datang di Scribd!

  • Oracle security defaults 11G 12C

    Diunggah oleh

    Iker Alex
    50 tayangan3 halaman
    Security parameters for Oracle 11g that need to be treated by DBAs.

    Judul Asli

    Security Parameters in 11G and 12C « Oracle DBA – a Lifelong Learning Experience

    Hak Cipta

    © © All Rights Reserved

    Format Tersedia

    PDF, TXT atau baca online dari Scribd

    Apakah menurut Anda dokumen ini bermanfaat?

    Apakah konten ini tidak pantas?

    Laporkan Dokumen Ini
    Security parameters for Oracle 11g that need to be treated by DBAs.

    Hak Cipta:

    © All Rights Reserved
    Unduh sebagai PDF, TXT atau baca online dari Scribd
    Tandai sebagai konten tidak pantas
    50 tayangan3 halaman

    Oracle security defaults 11G 12C

    Diunggah oleh

    Iker Alex
    Security parameters for Oracle 11g that need to be treated by DBAs.

    Hak Cipta:

    © All Rights Reserved
    Unduh sebagai PDF, TXT atau baca online dari Scribd
    Tandai sebagai konten tidak pantas
    dari 3

    07.10.

    2016 Securityparametersin11Gand12COracleDBAAlifelonglearningexperience

    OracleDBAAlifelonglearningexperience

    Securityparametersin11Gand12C

    PostedbyJohnHallasonApril8,2015

    Thereare5parametersthatareallprexedwithsecinan11gand12cdatabase.Actuallythatisa
    liebecauseoneisnowdeprecatedin12c.Theyareall,asyoumightguessrelatedtosecurity.This
    blogisaboutchangesinthedefaultvaluesandsomethoughtsaboutwhetherornotthedefault
    valueisappropriateornot.

    TRUEin11GR1,11GR2,DEPRECATEDIN
    SEC_CASE_SENSITIVE_LOGON
    12C
    SEC_MAX_FAILED_LOGIN_ATTEMPTS default11GR1,11GR2=10,12c=3
    defaultisCONTINUEin11GR1,11GR2,
    SEC_PROTOCOL_ERROR_FURTHER_ACTION
    drop,3in12c
    SEC_PROTOCOL_ERROR_TRACE_ACTION defaultisTRACE11GR1,11GR2,12c
    defaultisFALSEin11GR1,11GR2,TRUEin
    SEC_RETURN_SERVER_RELEASE_BANNER
    12c

    SEC_CASE_SENSITIVE_LOGON
    Letscoverthedeprecatedonerst.Thiscamealongin11g(asall5did)andisnowdeprecatedas
    12cisforcingcasesensitivepasswords.Inparalleltheorapwdfunctionin12cnolongerhasthe
    ignorecaseoptioneither.
    TheoneapplicationthatIknowdoesnotsupportcasesensitivepasswordsisEBSR12.1.1butthere
    isapatch(12964564)ifyouwishtoupgradeto12c(orevencontinuetorunat11GR1).

    SEC_MAX_FAILED_LOGIN_ATTEMPTS
    Nowdefaultsto3in12cfromthe11Gxdefaultof10,whichisnotunreasonable.Thisallowsa
    clienttoaemptaconnection3times(multipleaccounts)beforedroppingtheconnection.

    SEC_PROTOCOL_ERROR_TRACE_ACTION
    Thistakesactionifbadpacketsareidentiedascominginfromaclient.ThedefaultisTRACEand
    againIwouldchallengethatposition.TheotherviableoptionsareLOGwhichproducesaminimal
    logleandalsoanalerttothealertlogorjustALERTordonothingNONE.TheTRACEhasthe
    possibilityofllingdiskupwhichcouldhavethesameeectasaDoSaackwhichtheparameter
    istryingtostopthereforeIthinkIprefertheLOGoptionratherthanjusttheALERToption.
    Howeverifyouarealertingensurethatyouhavewrienatrapinwhateveryouusetoparseyour
    alertlogstospitoutthemessagetoyourmonitoringscreens.Anicebyproductofthisalertisthat
    youcannowformallypassitontothenetworkteamandyouhavesucientevidencetodoso.
    https://jhdba.wordpress.com/2015/04/08/securityparametersin11gand12c/ 1/3
    07.10.2016 Securityparametersin11Gand12COracleDBAAlifelonglearningexperience

    youcannowformallypassitontothenetworkteamandyouhavesucientevidencetodoso.
    SEC_PROTOCOL_ERROR_FURTHER_ACTION
    Thisiswhereitgetsabittrickyandwehaveanotherchangein12c.In11gthedefaultwas
    CONTINUE,thereforeifyouhadtracingsetinthepreviousparameteryoucouldendupwithalot
    oflogginggoingon.IthinktheCONTINUEwasthecorrectoptionin11Gasyoudonotwantto
    stopvalidconnectionsintoaproductionsystembecausethepacketmightlookbadnotwithout
    somedegreeofauthorisationatleast.
    From12cthedefaulthaschangedtoDROP,3.Thismeansdroptheconnectionafter3badpackets
    havearrivedfromaclient.Whichsoundsgoodaspotentiallyatracelewillnotbecometoobig.
    Howeverthereisnothingstoppingaclientaemptingmanysuchconnections,allwithbad
    packets,whichcouldpotentiallycauseaDoS,notbyusingallyourprocesses,butbyllingyour
    logarea.
    WiththischangeofdefaultIthinkitisevenmoreimportanttoknowwhenconnectionsarebeing
    droppedbytheSEC_PROTOCOL_ERROR_TRACE_ACTIONparameterandthatiswhyIwould
    suggestseingSEC_PROTOCOL_ERROR_FURTHER_ACTIONtoCONTINUE

    SEC_RETURN_SERVER_RELEASE_BANNER
    Thisparameterspecieswhethertheserverreturnscompletedatabasesoftwareinformationto
    unauthenticatedclients.ThedefaultisFALSEinallversionsdespitethe12Cdocumentation
    statingthatthedefaultisnowTRUE.Oraclehavechosenthatdefaultasthewholepointof
    securityistonotgiveawayanymoreinformationthanyouhavetoandthatcannotbeargued
    with.

    Somyjointrecommendationsfortheseparametersare:

    1.EnsureSEC_RETURN_SERVER_RELEASE_BANNERissettothedefaultofFALSEonall
    databases
    2.SetSEC_PROTOCOL_ERROR_TRACE_ACTIONtoLOGandensurethattrapsareinplaceto
    capturethealerts
    3.SetSEC_PROTOCOL_ERROR_FURTHER_ACTIONtoCONTINUE,oratleastensurethatif
    youaredroppingconnectionsthenthathasbeencommunicatedtointerestedpartieswhomay
    notbeabletogettotheservicetheyneedto.Agoodhalfwayhousewouldbetouse(DELAY,3)
    todelayapacketby3secondsbutitisimportantthatallsupportpartiesareawareifthisis
    enabled.

    Finally,IwillbepostingafollowupblogonFridaywhichcoverssomediscrepanciesinthe12c
    dictionaryandseemstobeamajorissuebutIneedtodosomemoreresearchrst.

    Abouttheseads

    ThisentrywaspostedonApril8,2015at9:26amandisledunder11gnewfeatures,12cnew
    https://jhdba.wordpress.com/2015/04/08/securityparametersin11gand12c/ 2/3
    07.10.2016 Securityparametersin11Gand12COracleDBAAlifelonglearningexperience

    ThisentrywaspostedonApril8,2015at9:26amandisledunder11gnewfeatures,12cnew
    features,Oracle.Tagged:12csecurityparameters,SEC_CASE_SENSITIVE_LOGON,
    SEC_MAX_FAILED_LOGIN_ATTEMPTS,SEC_PROTOCOL_ERROR_FURTHER_ACTION,
    SEC_PROTOCOL_ERROR_TRACE_ACTION,SEC_RETURN_SERVER_RELEASE_BANNER.You
    canfollowanyresponsestothisentrythroughtheRSS2.0feed.Youcanleavearesponse,or
    trackbackfromyourownsite.

    OneResponsetoSecurityparametersin11Gand12C

    1.Discrepanciesinv$parameterdefaultvaluesin12cOracle
    DBAAlifelonglearningexperiencesaid

    April10,2015at8:13am
    []Securityparametersin11Gand12C[]

    Reply

    Geingsqlstatementsoutofatracele
    Discrepanciesinv$parameterdefaultvaluesin12c

    BlogatWordPress.com.

    https://jhdba.wordpress.com/2015/04/08/securityparametersin11gand12c/ 3/3

    Anda mungkin juga menyukai