TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
If, when you said "Oracle default account", you were referring to the "sys"
or "system" account:
In DBS 3.0 you will lose the following checks:
- Listener Cleartext Password
- Weak Listener Password
- Weak Internal Password
- Default Internal Password
- Default Listener Password
- File Owner
- File Group
- File Permissions - orapw
- Listener File Permissions
- Blank Listener Password
- Unix File Permissions
- Setuid Bit
- Operating System File Changes
- Setuid Bit of File oracleO
- Setuid Bit of File oratclsh
- Setuid Bit of File otrccref
- Weak Passwords for SYSDBA/SYSOPER
- Setgid Bit
- Setuid Bit of File onrsd
- Setuid Bit of File cmctl
You can tell this by looking at the required permissions in the Policy
editor and seeing those that require "access to operating system as the
Oracle software owner".
However, there are ways around logging in as sys and still getting the
checks to run. We actually list out some of the "bare minimum" access
privileges needed for a complete audit in Oracle, and they can be found
within the User Guide, Getting Started, and Evaluation Guide on the Web. We
should be able to customize an account for scanning down to this level
within Sybase and MS SQL Server with 4.0 without just saying you need "sa".
Either way, I've included it within this message for Oracle:
Required Access for an Oracle Scan:

Access to Oracle as the sys or system user account

- OR -

Access to an Oracle account with these permissions:
  - create session system privilege
  - select any table system privilege
  - select from the following tables:
    - V_$PARAMETER
    - V_$SESSION
    - V_$LICENSE
    - SYS.LINK$
    - SYS.USER$

- OR -

Access to an Oracle account with these permissions:
  - create session system privilege
  - select from the following tables:
    - V_$PARAMETER
    - V_$SESSION
    - V_$LICENSE
    - SYS.LINK$
    - SYS.USER$
    - DBA_AUDIT_SESSION
    - DBA_USERS
    - DBA_ROLE_PRIVS
Kevin
============================================
Kevin Overcash
Technical Product Manager
[EMAIL PROTECTED]
Internet Security Systems, Inc.
(678) 443-6000 / Direct Dial (678) 443-6144 / Fax (678) 443-6479
www.iss.net
Adaptive Network Security for the Enterprise
============================================
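A least-privilege scan account built from the third option in Kevin's list, as an added example that is not part of the original message or an ISS procedure. It assumes the account name DBSCAN, a placeholder password, that the USERS and TEMP tablespaces exist, and that it is run as SYS, since grants on SYS-owned objects must come from SYS:

```sql
-- Added example: a dedicated read-only Database Scanner account holding
-- only the privileges listed in the message, instead of SYS/SYSTEM.
-- Assumptions: account name DBSCAN, placeholder password, USERS/TEMP
-- tablespaces exist, script is run as SYS.
CREATE USER dbscan IDENTIFIED BY "<choose_a_strong_password>"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 0 ON users;                  -- the scanner never needs to write

GRANT CREATE SESSION TO dbscan;      -- the only system privilege it needs

-- Grants on fixed views must name the SYS-owned V_$ views, not the public
-- V$ synonyms, which is why the message lists V_$PARAMETER and friends.
GRANT SELECT ON sys.v_$parameter      TO dbscan;
GRANT SELECT ON sys.v_$session        TO dbscan;
GRANT SELECT ON sys.v_$license        TO dbscan;
GRANT SELECT ON sys.link$             TO dbscan;
GRANT SELECT ON sys.user$             TO dbscan;
GRANT SELECT ON sys.dba_audit_session TO dbscan;
GRANT SELECT ON sys.dba_users         TO dbscan;
GRANT SELECT ON sys.dba_role_privs    TO dbscan;

-- Verify before handing the credentials to the scanner: exactly one system
-- privilege, the eight SELECT grants above, and no roles at all.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'DBSCAN';

SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'DBSCAN'
 ORDER BY table_name;

SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'DBSCAN';          -- expect no rows
```

The checks that need operating-system access as the Oracle software owner (the setuid and file-permission items listed above) are not covered by any database grant and still require the host-level login.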
-----Original Message-----
From: Bunnell, Randy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 5:07 PM
To: '[EMAIL PROTECTED]'
Subject: Database Scanner Question
Could anyone please tell me what checks (if any) I lose by not logging into
the host with the Oracle default account?
Thank you,
Randy Bunnell