Oraclewizard.com, Inc is a Veteran Owned HUBZONE Certified Small Business. Principal owner Robert Lockard is an Oracle ACE Director and Winner of the 2015 Oracle Developers Choice Award for Database Design.
It’s been a year-long process, and now the book has finally been released. There are a few things I would have written differently and a few other subjects I would have liked to cover. Perhaps that will come in my next book or in future posts.
In this book we cover secure coding, setting up encryption, and auditing. We also dive deep into performing privilege analysis.
Let’s revisit a customer who was about to go through an IG audit. There is one finding that always seems to come up: default accounts with default passwords. I don’t care if the accounts are expired and locked; if the user still has the default password set, then it’s a finding. The auditor’s check is against the password hash (DBA_USERS_WITH_DEFPWD lists every account whose hash matches a known default), so the account status does not save you. Now you can go through all the default accounts and change the passwords one at a time if you want. I’m personally fond of having a script that does the work for me.
This is the script I use to go through and change all the default passwords. Once I’m done with this, I go back and set any necessary default accounts, such as DBSNMP, to a known password. Why? I find it easier to lock all the doors, then methodically move through and unlock only the doors that are necessary.
First we are going to need a function that returns an impossible password. Well, in all honesty, it’s not impossible to crack (given enough horsepower any password can eventually be cracked). This function will do one thing: return a 30-character randomly generated password made of any printable character. There are a couple of characters you can’t put in a password, the double quote and the semicolon, so when we encounter those we are going to replace them with an integer between 0 and 9. The result is wrapped in double quotes so that the remaining punctuation is passed through ALTER USER untouched.
Next we are going to go through all the default accounts and change the password. Run this as a DBA (it needs ALTER USER and SELECT on SYS.DBA_USERS_WITH_DEFPWD) with SET SERVEROUTPUT ON, so that any account that fails to change is reported rather than silently skipped.
<CODE>
DECLARE
   -- get the list of users with default passwords.
   CURSOR users_with_defpwd_cur IS
      SELECT username
        FROM sys.dba_users_with_defpwd;

   stmt   VARCHAR2(2000);   -- the base sql statement
   passwd VARCHAR2(32);     -- the impossible_password.

   -- will create a 30 character password wrapped in double quotes.
   FUNCTION impossible_password RETURN VARCHAR2 AS
      passwd VARCHAR2(32);  -- this is the password we are returning.
                            -- we need 32 characters because we are
                            -- wrapping the password in double quotes.
      p_invalid_char_3 VARCHAR2(1) := '"';  -- invalid password character 3 is '"'
      p_invalid_char_4 VARCHAR2(1) := ';';  -- invalid password character 4 is ';'
   BEGIN
      passwd := SYS.dbms_random.STRING('p', 30);  -- get 30 printable characters.
      -- find all the invalid characters and replace them with a random integer
      -- between 0 and 9. TRUNC(VALUE(0,10)) is always 0..9, whereas
      -- CEIL(VALUE(-1,9)) can in principle return -1.
      passwd := REPLACE(passwd, p_invalid_char_3,
                        TO_CHAR(TRUNC(SYS.dbms_random.VALUE(0, 10))));
      passwd := REPLACE(passwd, p_invalid_char_4,
                        TO_CHAR(TRUNC(SYS.dbms_random.VALUE(0, 10))));
      -- before we pass back the password, we need to put a double quote
      -- on either side of it. This is because sometimes we are going to
      -- get a strange character that will cause oracle to cough up a hairball.
      passwd := '"' || passwd || '"';
      RETURN passwd;
   END;

-- main procedure.
BEGIN
   FOR users_with_defpwd_rec IN users_with_defpwd_cur LOOP
      BEGIN
         passwd := impossible_password;
         -- quote the username so mixed-case or special-character names survive.
         stmt := 'alter user '
              || sys.dbms_assert.enquote_name(users_with_defpwd_rec.username, FALSE)
              || ' identified by ' || passwd;
         EXECUTE IMMEDIATE stmt;
      EXCEPTION
         -- report the failure and move on to the next account. Print only the
         -- username and the error: stmt contains the new password.
         WHEN OTHERS THEN
            sys.dbms_output.put_line(users_with_defpwd_rec.username || ': ' || sqlerrm);
      END;
   END LOOP;
END;
/
</CODE>
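The before-and-after checks and the "lock all the doors, then unlock the necessary ones" follow-up that the post describes, as an added example that is not part of the original post. It assumes Oracle 12c or later (the ORACLE_MAINTAINED column on DBA_USERS), a DBA session with SERVEROUTPUT ON, a keep-open list of SYS, SYSTEM and DBSNMP that you edit for your site, and a placeholder <known_password> that you substitute from your password vault.

```sql
-- Added example, not from the original post. Assumes Oracle 12c or later
-- (DBA_USERS.ORACLE_MAINTAINED) and a DBA session with SET SERVEROUTPUT ON.

-- 1. What the auditor sees: every account whose password hash matches a
--    known default, with its status. EXPIRED & LOCKED is still a finding.
SELECT d.username, u.account_status
  FROM sys.dba_users_with_defpwd d
  JOIN sys.dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. After running the reset block above, this must return 0.
SELECT COUNT(*) AS remaining_default_passwords
  FROM sys.dba_users_with_defpwd;

-- 3. Lock and expire every Oracle-maintained account except the ones you
--    have decided to keep open. Each account is handled on its own so one
--    account that cannot be altered does not stop the loop.
DECLARE
   TYPE name_list IS TABLE OF VARCHAR2(128);
   keep_open name_list := name_list('SYS', 'SYSTEM', 'DBSNMP');  -- edit for your site
BEGIN
   FOR r IN (SELECT username
               FROM sys.dba_users
              WHERE oracle_maintained = 'Y'
              ORDER BY username)
   LOOP
      IF r.username MEMBER OF keep_open THEN
         sys.dbms_output.put_line('kept open: ' || r.username);
      ELSE
         BEGIN
            EXECUTE IMMEDIATE 'alter user '
                           || sys.dbms_assert.enquote_name(r.username, FALSE)
                           || ' account lock password expire';
            sys.dbms_output.put_line('locked and expired: ' || r.username);
         EXCEPTION
            WHEN OTHERS THEN
               sys.dbms_output.put_line(r.username || ': ' || sqlerrm);
         END;
      END IF;
   END LOOP;
END;
/

-- 4. Reopen only what is needed. DBSNMP is the usual case (the Enterprise
--    Manager agent). <known_password> is a placeholder: take the value from
--    your password vault, never from a script checked into source control.
ALTER USER dbsnmp IDENTIFIED BY "<known_password>" ACCOUNT UNLOCK;
```

Review the keep-open list before running step 3; a few internal accounts cannot be altered and will show up in the output with their error, which is the list you want on file for the auditor anyway.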