Oracle Hardening

The document outlines a comprehensive list of security hardening measures for Oracle databases, including changing default passwords, removing sample users, and configuring various parameters in listener.ora and sqlnet.ora files. It also details restrictions on user privileges, auditing policies, and access controls to limit public access to sensitive database packages and procedures. Additionally, it specifies commands for implementing these security measures within the Oracle environment.

Uploaded by ankitbasis

Date:
Host Name:
IP Address:
Hardening Score: 0 / 126
Oracle Version:
Filled By:
Validated By:
Approved On:
Columns: S.No | Description | Command / Details | Completed | Reason for Exception
Each item below gives the S.No and Description, followed on the indented lines by the Command / Details where the checklist supplies one. Completed and Reason for Exception are blank in the form and are filled in during the review.

1   Change the default password for the following accounts
    APEX_040000, APPQOSSYS, CTXSYS, DBSNMP, DIP, EXFSYS, MDDATA, MDSYS, LBACSYS, OLAPSYS, ORACLE_OCM, ORDDATA, ORDPLUGINS, ORDSYS, OUTLN, OWBSYS_AUDIT, OWBSYS, SI_INFORMTN_SCHEMA, SPATIAL_CSW_ADMIN_USR, SPATIAL_WFS_ADMIN_USR, SYS, SYSTEM, WK_TEST, WKPROXY, WKSYS, WMSYS, XDB
2   Remove the Oracle sample users
    BI, HR, IX, OE, PM, SCOTT, SH

listener.ora Settings
3   Setting for the 'secure_control_listener_name' parameter
4   Remove extproc from the listener.ora.
5   Set the ADMIN_RESTRICTIONS_<listener_name> parameter to the value ON.
6   Change the default port number (1521) used to connect to Oracle
7   Set SECURE_REGISTER_listener_name=TCPS or SECURE_REGISTER_listener_name=IPC (the SECURE_REGISTER_listener_name parameter)

sqlnet.ora settings
8   Setting for the 'audit_sys_operations' parameter
    ALTER SYSTEM SET AUDIT_SYS_OPERATIONS = TRUE SCOPE=SPFILE;
9   Setting for the 'audit_trail' parameter (one of the following)
    ALTER SYSTEM SET AUDIT_TRAIL = OS SCOPE=SPFILE;
    ALTER SYSTEM SET AUDIT_TRAIL = XML,EXTENDED SCOPE=SPFILE;
    ALTER SYSTEM SET AUDIT_TRAIL = DB,EXTENDED SCOPE=SPFILE;
10  Setting for the 'global_names' parameter
    ALTER SYSTEM SET GLOBAL_NAMES = TRUE SCOPE=SPFILE;
11  Setting for the 'local_listener' parameter
    ALTER SYSTEM SET LOCAL_LISTENER = '(DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER)))' SCOPE=BOTH;
12  Setting for the 'o7_dictionary_accessibility' parameter
    ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY = FALSE SCOPE=SPFILE;
13  Setting for the 'os_roles' parameter
    ALTER SYSTEM SET OS_ROLES = FALSE SCOPE=SPFILE;
14  Setting for the 'remote_listener' parameter
    ALTER SYSTEM SET REMOTE_LISTENER = '' SCOPE=SPFILE;
15  Setting for the 'remote_login_passwordfile' parameter
    ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE = NONE SCOPE=SPFILE;
16  Setting for the 'remote_os_authent' parameter
    ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE=SPFILE;
17  Setting for the 'remote_os_roles' parameter
    ALTER SYSTEM SET REMOTE_OS_ROLES = FALSE SCOPE=SPFILE;
18  Setting for the 'utl_file_dir' parameter
    ALTER SYSTEM SET UTL_FILE_DIR = '' SCOPE=SPFILE;
19  Setting for the 'sec_case_sensitive_logon' parameter
    ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = TRUE SCOPE=SPFILE;
20  Setting for the 'sec_max_failed_login_attempts' parameter
    ALTER SYSTEM SET SEC_MAX_FAILED_LOGIN_ATTEMPTS = 5 SCOPE=SPFILE;
21  Setting for the 'sec_protocol_error_further_action' parameter (one of the following)
    ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = '(DROP,3)' SCOPE=SPFILE;
    ALTER SYSTEM SET SEC_PROTOCOL_ERROR_FURTHER_ACTION = '(DELAY,3)' SCOPE=SPFILE;
22  Setting for the 'sec_protocol_error_trace_action' parameter
    ALTER SYSTEM SET SEC_PROTOCOL_ERROR_TRACE_ACTION = LOG SCOPE=SPFILE;
23  Setting for the 'sec_return_server_release_banner' parameter
    ALTER SYSTEM SET SEC_RETURN_SERVER_RELEASE_BANNER = FALSE SCOPE=SPFILE;
24  Setting for the 'sql92_security' parameter
    ALTER SYSTEM SET SQL92_SECURITY = FALSE SCOPE=SPFILE;
25  Setting for the undocumented '_trace_files_public' parameter
    ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE=SPFILE;

Password Policy
26  Restrictions on failed login attempts via the default DB profile
    ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 5;
27  Requirements for account locking via the default DB profile
    ALTER PROFILE DEFAULT LIMIT PASSWORD_LOCK_TIME 1;
28  Restrictions on password duration via the default DB profile
    ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME 90;
29  Restrictions on password history via the default DB profile
    ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_MAX 5;
30  Restrictions on password reuse via a DB profile
    ALTER PROFILE DEFAULT LIMIT PASSWORD_REUSE_TIME 90;
31  Requirements for account locking (grace time) via a DB profile
    ALTER PROFILE DEFAULT LIMIT PASSWORD_GRACE_TIME 5;
32  Requirements for limiting EXTERNAL user login capability
33  Requirement for setting the password verification function
34  Requirements for limiting the number of sessions per user
    ALTER PROFILE DEFAULT LIMIT SESSIONS_PER_USER 10;

Oracle user access and authorization restrictions
35  Limit public access to the DBMS_ADVISOR package
    REVOKE EXECUTE ON DBMS_ADVISOR FROM PUBLIC;
36  Limit public access to the DBMS_CRYPTO package
    REVOKE EXECUTE ON DBMS_CRYPTO FROM PUBLIC;
37  Limit public access to the DBMS_JAVA package
    REVOKE EXECUTE ON DBMS_JAVA FROM PUBLIC;
38  Limit public access to the DBMS_JAVA_TEST package
    REVOKE EXECUTE ON DBMS_JAVA_TEST FROM PUBLIC;
39  Limit public access to the DBMS_JOB package
    REVOKE EXECUTE ON DBMS_JOB FROM PUBLIC;
40  Limit public access to the DBMS_LDAP package
    REVOKE EXECUTE ON DBMS_LDAP FROM PUBLIC;
41  Limit public access to the DBMS_LOB package
    REVOKE EXECUTE ON DBMS_LOB FROM PUBLIC;
42  Limit public access to the DBMS_OBFUSCATION_TOOLKIT package
    REVOKE EXECUTE ON DBMS_OBFUSCATION_TOOLKIT FROM PUBLIC;
43  Limit public access to the DBMS_RANDOM package
    REVOKE EXECUTE ON DBMS_RANDOM FROM PUBLIC;
44  Limit public access to the DBMS_SCHEDULER package
    REVOKE EXECUTE ON DBMS_SCHEDULER FROM PUBLIC;
45  Limit public access to the DBMS_SQL package
    REVOKE EXECUTE ON DBMS_SQL FROM PUBLIC;
46  Limit public access to the DBMS_XMLGEN package
    REVOKE EXECUTE ON DBMS_XMLGEN FROM PUBLIC;
47  Limit public access to the DBMS_XMLQUERY package
    REVOKE EXECUTE ON DBMS_XMLQUERY FROM PUBLIC;
48  Limit public access to the UTL_FILE package
    REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;
49  Limit public access to the UTL_INADDR package
    REVOKE EXECUTE ON UTL_INADDR FROM PUBLIC;
50  Limit public access to the UTL_TCP package
    REVOKE EXECUTE ON UTL_TCP FROM PUBLIC;
51  Limit public access to the UTL_MAIL package
    REVOKE EXECUTE ON UTL_MAIL FROM PUBLIC;
52  Limit public access to the UTL_SMTP package
    REVOKE EXECUTE ON UTL_SMTP FROM PUBLIC;
53  Limit public access to the UTL_DBWS package
    REVOKE EXECUTE ON UTL_DBWS FROM PUBLIC;
54  Limit public access to the UTL_ORAMTS package
    REVOKE EXECUTE ON UTL_ORAMTS FROM PUBLIC;
55  Limit public access to the UTL_HTTP package
    REVOKE EXECUTE ON UTL_HTTP FROM PUBLIC;
56  Limit public access to the HTTPURITYPE object type
    REVOKE EXECUTE ON HTTPURITYPE FROM PUBLIC;

Object/Package Privileges - Default
57  Limiting public user access to the DBMS_SYS_SQL package
    REVOKE EXECUTE ON DBMS_SYS_SQL FROM PUBLIC;
58  Limit public access to the DBMS_BACKUP_RESTORE package
    REVOKE EXECUTE ON DBMS_BACKUP_RESTORE FROM PUBLIC;
59  Limiting public user access to the DBMS_AQADM_SYSCALLS package
    REVOKE EXECUTE ON DBMS_AQADM_SYSCALLS FROM PUBLIC;
60  Limiting public user access to the DBMS_REPACT_SQL_UTL package
    REVOKE EXECUTE ON DBMS_REPACT_SQL_UTL FROM PUBLIC;
61  Limiting public user access to the INITJVMAUX package
    REVOKE EXECUTE ON INITJVMAUX FROM PUBLIC;
62  Limiting public user access to the DBMS_STREAMS_ADM_UTL package
    REVOKE EXECUTE ON DBMS_STREAMS_ADM_UTL FROM PUBLIC;
63  Limiting public user access to the DBMS_AQADM_SYS package
    REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;
64  Limiting public user access to the DBMS_STREAMS_RPC package
    REVOKE EXECUTE ON DBMS_STREAMS_RPC FROM PUBLIC;
65  Limiting public user access to the DBMS_AQADM_SYS package
    REVOKE EXECUTE ON DBMS_AQADM_SYS FROM PUBLIC;
66  Limiting public user access to the DBMS_PRVTAQIM package
    REVOKE EXECUTE ON DBMS_PRVTAQIM FROM PUBLIC;
67  Limiting public user access to the LTADM package
    REVOKE EXECUTE ON LTADM FROM PUBLIC;
68  Limiting public user access to the WWV_DBMS_SQL package
    REVOKE EXECUTE ON WWV_DBMS_SQL FROM PUBLIC;
69  Limiting public user access to the WWV_EXECUTE_IMMEDIATE package
    REVOKE EXECUTE ON WWV_EXECUTE_IMMEDIATE FROM PUBLIC;
70  Limiting public user access to the DBMS_IJOB package
    REVOKE EXECUTE ON DBMS_IJOB FROM PUBLIC;
71  Limiting public user access to the DBMS_FILE_TRANSFER package
    REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM PUBLIC;

System Privileges - Default
72  Limiting users by restricting the SELECT ANY DICTIONARY privilege
    REVOKE SELECT ANY DICTIONARY FROM <grantee>; where grantee not in 'DBA','DBSNMP','OEM_MONITOR','OLAPSYS','ORACLE_OCM','SYSMAN','WMSYS'
73  Limiting users by restricting the SELECT ANY TABLE privilege
    where grantee not in
74  Limiting users by restricting the AUDIT SYSTEM privilege
    REVOKE AUDIT SYSTEM FROM <grantee>; where grantee not in 'DBA','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE','SYS'
75  Limiting users by restricting the EXEMPT ACCESS POLICY privilege
    where grantee not in
76  Limiting users by restricting the BECOME USER privilege
    REVOKE BECOME USER FROM <grantee>; where grantee not in 'DBA','SYS','IMP_FULL_DATABASE'
77  Limiting users by restricting the CREATE PROCEDURE privilege
    REVOKE CREATE PROCEDURE FROM <grantee>; where grantee not in 'DBA','DBSNMP','MDSYS','OLAPSYS','OWB$CLIENT','OWBSYS','RECOVERY_CATALOG_OWNER','SPATIAL_CSW_ADMIN_USR','SPATIAL_WFS_ADMIN_USR','SYS','APEX_030200','APEX_040000','APEX_040100','APEX_040200'
78  Limiting users by restricting the ALTER SYSTEM privilege
    REVOKE ALTER SYSTEM FROM <grantee>; where grantee not in 'SYS','SYSTEM','APEX_030200','APEX_040000','APEX_040100','APEX_040200'
79  Limiting users by restricting the CREATE ANY LIBRARY privilege
    REVOKE CREATE LIBRARY FROM <grantee>; REVOKE CREATE ANY LIBRARY FROM <grantee>; where grantee not in 'SYS','SYSTEM','DBA'
80  Limiting users by restricting the GRANT ANY OBJECT PRIVILEGE privilege
    REVOKE GRANT ANY OBJECT PRIVILEGE FROM <grantee>; where grantee not in 'DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE'
81  Limiting users by restricting the GRANT ANY ROLE privilege
    REVOKE GRANT ANY ROLE FROM <grantee>; where grantee not in 'DBA','SYS','DATAPUMP_IMP_FULL_DATABASE','IMP_FULL_DATABASE','SPATIAL_WFS_ADMIN_USR','SPATIAL_CSW_ADMIN_USR'
82  Limiting users by restricting the GRANT ANY PRIVILEGE privilege
    REVOKE GRANT ANY PRIVILEGE FROM <grantee>; where grantee not in 'DBA','SYS','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE'
83  Limiting user authorizations for the DELETE_CATALOG_ROLE
    REVOKE DELETE_CATALOG_ROLE FROM <grantee>; where grantee not in 'DBA','SYS'
84  Limiting user authorizations for the SELECT_CATALOG_ROLE
    REVOKE SELECT_CATALOG_ROLE FROM <grantee>; where grantee not in 'DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE','OEM_MONITOR'
85  Limiting user authorizations for the EXECUTE_CATALOG_ROLE
    REVOKE EXECUTE_CATALOG_ROLE FROM <grantee>; where grantee not in 'DBA','SYS','IMP_FULL_DATABASE','EXP_FULL_DATABASE'
86  Limiting users by restricting the DBA role
    REVOKE DBA FROM <grantee>; where grantee not in 'SYS','SYSTEM'
87  Limiting authorizations for the SYS.AUD$ table
    REVOKE ALL ON SYS.AUD$ FROM <grantee>; where the grantee does not require access
88  Limiting authorizations for the SYS.USER_HISTORY$ table
    REVOKE ALL ON SYS.USER_HISTORY$ FROM <grantee>; where the grantee does not require access
89  Limiting authorizations for the SYS.LINK$ table
    REVOKE ALL ON SYS.LINK$ FROM <grantee>; where the grantee does not require access
90  Limiting authorizations for the SYS.USER$ table
    REVOKE ALL ON SYS.USER$ FROM <username>; where username not in 'CTXSYS','XDB','APEX_030200','APEX_040000','APEX_040100','APEX_040200'
91  Limiting user authorizations for the DBA_% views
    REVOKE ALL ON <DBA_ view> FROM <Non-DBA/SYS grantee>; where grantee not in
92  Limiting authorizations for the SCHEDULER$_CREDENTIAL table
    REVOKE ALL ON SYS.SCHEDULER$_CREDENTIAL FROM <username>; where the user does not need scheduling
93  Drop the table sys.user$mig
    DROP TABLE sys.user$mig;
94  Limiting basic user privileges to restrict the ANY keyword
    REVOKE <ANY privilege> FROM <grantee>; where grantee not in 'AQ_ADMINISTRATOR_ROLE','DBA','DBSNMP','EXFSYS','EXP_FULL_DATABASE','IMP_FULL_DATABASE','DATAPUMP_IMP_FULL_DATABASE','JAVADEBUGPRIV','MDSYS','OEM_MONITOR','OLAPSYS','OLAP_DBA','ORACLE_OCM','OWB$CLIENT','OWBSYS','SCHEDULER_ADMIN','SPATIAL_CSW_ADMIN_USR','SPATIAL_WFS_ADMIN_USR','SYS','SYSMAN','SYSTEM','WMSYS','APEX_030200','APEX_040000','APEX_040100','APEX_040200','LBACSYS'
95  Limiting users by restricting privileges granted WITH ADMIN OPTION
    REVOKE <privilege> FROM <grantee>; where grantee not in 'AQ_ADMINISTRATOR_ROLE','DBA','OWBSYS','SCHEDULER_ADMIN','SYS','SYSTEM','WMSYS'
96  Limit direct privileges for proxy users
    where grantee not in
97  Revoke EXECUTE ANY PROCEDURE from user OUTLN
    REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;
98  Revoke EXECUTE ANY PROCEDURE from user DBSNMP
    REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;

Audit/Logging Policies and Procedures
99  Audit all CREATE SESSION (logon/logoff) activities
    AUDIT CREATE SESSION;
100 Audit all CREATE USER activities/requests
    AUDIT CREATE USER;
101 Audit all ALTER USER activities/requests
    AUDIT ALTER USER;
102 Audit all DROP USER activities/requests
    AUDIT DROP USER;
103 Audit all user ROLE activities/requests
    AUDIT ROLE;
104 Audit all user GRANT ROLE activities/requests
    AUDIT SYSTEM GRANT;
105 Audit all user CREATE PROFILE activities/requests
    AUDIT CREATE PROFILE;
106 Audit all user ALTER PROFILE activities/requests
    AUDIT ALTER PROFILE;
107 Audit all user DROP PROFILE activities/requests
    AUDIT DROP PROFILE;
108 Audit all DATABASE LINK activities/requests
    AUDIT DATABASE LINK;
109 Audit all PUBLIC DATABASE LINK activities/requests
    AUDIT PUBLIC DATABASE LINK;
110 Audit all PUBLIC SYNONYM activities/requests
    AUDIT PUBLIC SYNONYM;
111 Audit all user SYNONYM activities/requests
    AUDIT SYNONYM;
112 Audit all grants and revokes of privileges on directories
    AUDIT GRANT DIRECTORY;
113 Audit all user SELECT ANY DICTIONARY activities/requests
    AUDIT SELECT ANY DICTIONARY;
114 Audit all user GRANT ANY OBJECT PRIVILEGE activities/requests
    AUDIT GRANT ANY OBJECT PRIVILEGE;
115 Audit all user GRANT ANY PRIVILEGE activities/requests
    AUDIT GRANT ANY PRIVILEGE;
116 Audit all user CREATE PROCEDURE activities/requests
    AUDIT CREATE PROCEDURE;
117 Audit all user CREATE ANY PROCEDURE activities/requests
    AUDIT CREATE ANY PROCEDURE;
118 Audit all user ALTER ANY PROCEDURE activities/requests
    AUDIT ALTER ANY PROCEDURE;
119 Audit all user DROP ANY PROCEDURE activities/requests
    AUDIT DROP ANY PROCEDURE;
120 Audit all user CREATE ANY LIBRARY activities/requests
    AUDIT CREATE ANY LIBRARY;
121 Audit all user DROP ANY LIBRARY activities/requests
    AUDIT DROP ANY LIBRARY;
122 Audit all user CREATE ANY TRIGGER activities/requests
    AUDIT CREATE ANY TRIGGER;
123 Audit all user ALTER ANY TRIGGER activities/requests
    AUDIT ALTER ANY TRIGGER;
124 Audit all user DROP ANY TRIGGER activities/requests
    AUDIT DROP ANY TRIGGER BY ACCESS;
125 Set AUDIT ALL ON SYS.AUD$ activities
    AUDIT ALL ON SYS.AUD$;
126 Audit all user ALTER SYSTEM activities/requests
    AUDIT ALTER SYSTEM;
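As an added check that is not part of the original checklist, the following Oracle SQL reports where a database still deviates from the targets the checklist sets for the initialization parameters (items 8-25), the DEFAULT profile (items 26-34) and the PUBLIC package grants (items 35-71); it assumes a session with SELECT on V$PARAMETER, DBA_PROFILES and DBA_TAB_PRIVS, and the expected values are the ones the checklist's own commands set.

```sql
-- Added example, not from the original checklist: flag deviations from its targets.
-- Assumes a session with SELECT on V$PARAMETER, DBA_PROFILES and DBA_TAB_PRIVS.
-- Every row returned is a finding; no rows means the checked items are compliant.

-- Items 8-25: initialization parameters whose value differs from the checklist target
SELECT t.name, t.expected, NVL(UPPER(p.value), '<not set>') AS actual
  FROM (SELECT 'audit_sys_operations'             AS name, 'TRUE'  AS expected FROM dual UNION ALL
        SELECT 'global_names',                    'TRUE'  FROM dual UNION ALL
        SELECT 'o7_dictionary_accessibility',     'FALSE' FROM dual UNION ALL
        SELECT 'os_roles',                        'FALSE' FROM dual UNION ALL
        SELECT 'remote_login_passwordfile',       'NONE'  FROM dual UNION ALL
        SELECT 'remote_os_authent',               'FALSE' FROM dual UNION ALL
        SELECT 'remote_os_roles',                 'FALSE' FROM dual UNION ALL
        SELECT 'sec_case_sensitive_logon',        'TRUE'  FROM dual UNION ALL
        SELECT 'sec_max_failed_login_attempts',   '5'     FROM dual UNION ALL
        SELECT 'sec_protocol_error_trace_action', 'LOG'   FROM dual UNION ALL
        SELECT 'sec_return_server_release_banner','FALSE' FROM dual) t
  LEFT JOIN v$parameter p ON p.name = t.name
 WHERE p.value IS NULL OR UPPER(p.value) <> t.expected;

-- Items 26-34: DEFAULT profile limits the checklist sets that are still unlimited or unset
-- (PASSWORD_VERIFY_FUNCTION shows the string 'NULL' in DBA_PROFILES when no function is assigned)
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'DEFAULT'
   AND resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME', 'PASSWORD_LIFE_TIME',
                         'PASSWORD_REUSE_MAX', 'PASSWORD_REUSE_TIME', 'PASSWORD_GRACE_TIME',
                         'SESSIONS_PER_USER', 'PASSWORD_VERIFY_FUNCTION')
   AND limit IN ('UNLIMITED', 'NULL');

-- Items 35-71: EXECUTE on the listed packages still granted to PUBLIC, with the matching
-- REVOKE generated for each hit (owner included because the WWV_ packages are not SYS-owned)
SELECT owner, table_name,
       'REVOKE EXECUTE ON ' || owner || '.' || table_name || ' FROM PUBLIC;' AS fix
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND privilege = 'EXECUTE'
   AND table_name IN ('DBMS_ADVISOR', 'DBMS_CRYPTO', 'DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JOB',
                      'DBMS_LDAP', 'DBMS_LOB', 'DBMS_OBFUSCATION_TOOLKIT', 'DBMS_RANDOM',
                      'DBMS_SCHEDULER', 'DBMS_SQL', 'DBMS_XMLGEN', 'DBMS_XMLQUERY', 'UTL_FILE',
                      'UTL_INADDR', 'UTL_TCP', 'UTL_MAIL', 'UTL_SMTP', 'UTL_DBWS', 'UTL_ORAMTS',
                      'UTL_HTTP', 'HTTPURITYPE', 'DBMS_SYS_SQL', 'DBMS_BACKUP_RESTORE',
                      'DBMS_AQADM_SYSCALLS', 'DBMS_REPACT_SQL_UTL', 'INITJVMAUX',
                      'DBMS_STREAMS_ADM_UTL', 'DBMS_AQADM_SYS', 'DBMS_STREAMS_RPC',
                      'DBMS_PRVTAQIM', 'LTADM', 'WWV_DBMS_SQL', 'WWV_EXECUTE_IMMEDIATE',
                      'DBMS_IJOB', 'DBMS_FILE_TRANSFER')
 ORDER BY owner, table_name;
```

The parameter query reports any value that is not exactly the checklist target, so a stricter local setting (for example a lower failed-login limit) also shows up and must be judged by the reviewer; audit_trail is left out because the checklist accepts three alternatives for it.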
