07.10.2016 Security parameters in 11G and 12C | Oracle DBA - A lifelong learning experience
Oracle DBA - A lifelong learning experience
Security parameters in 11G and 12C
Posted by John Hallas on April 8, 2015
There are 5 parameters that are all prefixed with sec in an 11g and 12c database. Actually that is a lie, because one is now deprecated in 12c. They are all, as you might guess, related to security. This blog is about changes in the default values and some thoughts about whether or not the default value is appropriate.
SEC_CASE_SENSITIVE_LOGON            TRUE in 11GR1, 11GR2, DEPRECATED IN 12C
SEC_MAX_FAILED_LOGIN_ATTEMPTS       default 11GR1, 11GR2 = 10, 12c = 3
SEC_PROTOCOL_ERROR_FURTHER_ACTION   default is CONTINUE in 11GR1, 11GR2, drop,3 in 12c
SEC_PROTOCOL_ERROR_TRACE_ACTION     default is TRACE 11GR1, 11GR2, 12c
SEC_RETURN_SERVER_RELEASE_BANNER    default is FALSE in 11GR1, 11GR2, TRUE in 12c
SEC_CASE_SENSITIVE_LOGON
Let's cover the deprecated one first. This came along in 11g (as all 5 did) and is now deprecated as 12c is forcing case sensitive passwords. In parallel, the orapwd function in 12c no longer has the ignorecase option either.
The one application that I know does not support case sensitive passwords is EBS R12.1.1, but there is a patch (12964564) if you wish to upgrade to 12c (or even continue to run at 11GR1).
SEC_MAX_FAILED_LOGIN_ATTEMPTS
Now defaults to 3 in 12c from the 11Gx default of 10, which is not unreasonable. This allows a client to attempt a connection 3 times (multiple accounts) before dropping the connection.
SEC_PROTOCOL_ERROR_TRACE_ACTION
This takes action if bad packets are identified as coming in from a client. The default is TRACE and again I would challenge that position. The other viable options are LOG, which produces a minimal log file and also an alert to the alert log, or just ALERT, or do nothing, NONE. TRACE has the possibility of filling the disk up, which could have the same effect as the DoS attack the parameter is trying to stop, therefore I think I prefer the LOG option rather than just the ALERT option. However, if you are alerting, ensure that you have written a trap in whatever you use to parse your alert logs to spit out the message to your monitoring screens. A nice by-product of this alert is that you can now formally pass it on to the network team and you have sufficient evidence to do so.
https://jhdba.wordpress.com/2015/04/08/securityparametersin11gand12c/ 1/3
SEC_PROTOCOL_ERROR_FURTHER_ACTION
This is where it gets a bit tricky and we have another change in 12c. In 11g the default was CONTINUE, therefore if you had tracing set in the previous parameter you could end up with a lot of logging going on. I think CONTINUE was the correct option in 11G, as you do not want to stop valid connections into a production system because the packet might look bad, not without some degree of authorisation at least.
From 12c the default has changed to DROP,3. This means drop the connection after 3 bad packets have arrived from a client, which sounds good as potentially a trace file will not become too big. However, there is nothing stopping a client attempting many such connections, all with bad packets, which could potentially cause a DoS, not by using all your processes, but by filling your log area.
With this change of default I think it is even more important to know when connections are being dropped by the SEC_PROTOCOL_ERROR_TRACE_ACTION parameter, and that is why I would suggest setting SEC_PROTOCOL_ERROR_FURTHER_ACTION to CONTINUE.
SEC_RETURN_SERVER_RELEASE_BANNER
This parameter specifies whether the server returns complete database software information to unauthenticated clients. The default is FALSE in all versions, despite the 12C documentation stating that the default is now TRUE. Oracle have chosen that default as the whole point of security is to not give away any more information than you have to, and that cannot be argued with.
So my joint recommendations for these parameters are:
1. Ensure SEC_RETURN_SERVER_RELEASE_BANNER is set to the default of FALSE on all databases
2. Set SEC_PROTOCOL_ERROR_TRACE_ACTION to LOG and ensure that traps are in place to capture the alerts
3. Set SEC_PROTOCOL_ERROR_FURTHER_ACTION to CONTINUE, or at least ensure that if you are dropping connections then that has been communicated to interested parties who may not be able to get to the service they need to. A good half-way house would be to use (DELAY,3) to delay a packet by 3 seconds, but it is important that all support parties are aware if this is enabled.
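The check and the three recommendations above, written out as SQL that can be run from SQL*Plus. This is an added example, not code from the original post; it assumes a 12c instance started from an spfile and a session holding the ALTER SYSTEM privilege. The parameter names and the values LOG, CONTINUE, FALSE and (DELAY,3) are those discussed in the post; the SCOPE choices are an assumption (SPFILE where a parameter cannot be changed on a running instance, so it takes effect at the next restart).

```sql
-- Added example (not from the original post). Shows the current state of the
-- five SEC_ parameters and then applies the three recommendations.

-- 1. What is set now, and whether each value is still the compiled-in default.
--    ISDEFAULT = FALSE and ISMODIFIED <> 'FALSE' show what someone has changed.
SELECT name, value, isdefault, ismodified
FROM   v$parameter
WHERE  name LIKE 'sec\_%' ESCAPE '\'
ORDER  BY name;

-- 2. Recommendation 1: never return the full release banner to a client that
--    has not authenticated. Assumed static, hence SPFILE scope (next restart).
ALTER SYSTEM SET sec_return_server_release_banner = FALSE SCOPE = SPFILE;

-- 3. Recommendation 2: LOG rather than TRACE. Bad packets are recorded in the
--    alert log for the monitoring trap to pick up, without the risk of trace
--    files filling the diagnostic destination.
ALTER SYSTEM SET sec_protocol_error_trace_action = LOG SCOPE = BOTH;

-- 4. Recommendation 3: keep valid connections alive rather than dropping them
--    on the 12c default of (DROP,3).
ALTER SYSTEM SET sec_protocol_error_further_action = CONTINUE SCOPE = BOTH;
-- The half-way house from the post, once support teams have been told. The
-- value is quoted because of the comma and parentheses in ALTER SYSTEM:
-- ALTER SYSTEM SET sec_protocol_error_further_action = '(DELAY,3)' SCOPE = BOTH;

-- 5. Confirm what the spfile will hand the instance at the next restart, so a
--    value changed with SCOPE = MEMORY by someone else does not surprise you.
SELECT name, value
FROM   v$spparameter
WHERE  name LIKE 'sec\_%' ESCAPE '\'
ORDER  BY name;
```

Running step 1 before and after the changes gives the evidence the post asks for when a dropped or delayed connection has to be explained to the network team or to the application owners.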
Finally, I will be posting a follow-up blog on Friday which covers some discrepancies in the 12c dictionary; it seems to be a major issue, but I need to do some more research first.
This entry was posted on April 8, 2015 at 9:26 am and is filed under 11g new features, 12c new
features, Oracle. Tagged: 12c security parameters, SEC_CASE_SENSITIVE_LOGON, SEC_MAX_FAILED_LOGIN_ATTEMPTS, SEC_PROTOCOL_ERROR_FURTHER_ACTION, SEC_PROTOCOL_ERROR_TRACE_ACTION, SEC_RETURN_SERVER_RELEASE_BANNER. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
One Response to Security parameters in 11G and 12C
1. Discrepancies in v$parameter default values in 12c | Oracle DBA - A lifelong learning experience said
April 10, 2015 at 8:13 am
[…] Security parameters in 11G and 12C […]