Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Nov 2nd, 2005, 5:43pm)

Title: Oracle Financials username/schemas
Post by Pete Finnigan on Nov 2nd, 2005, 5:43pm
Hello Pete

I just completed your Securing Oracle course last week in Los Angeles.  It was very well written and very valuable - thanks.

Would you please entertain an Oracle Financials question (database side)?

Regarding the 160-odd username/app schemas existing in the database for Oracle Financials (e.g. ABM, AHL, AHM, AK):

- With just a couple of known exceptions, the usernames have never been logged into.

- I checked the password hashes against your oracle_default_passwords list, and confirmed that all but one of the passwords had indeed been changed.

- Is it sufficient in your opinion that the passwords have been changed, or should one try locking or even dropping any of these usernames?

I searched Metalink and found nothing on this.  I'd open a TAR (and might still), but their answers can be unclear.

Thanks and Best Regards

George

Title: Re: Oracle Financials username/schemas
Post by Pete Finnigan on Nov 3rd, 2005, 10:58pm
"Is it sufficient in your opinion that the passwords have been changed, or should one try locking or even dropping any of these usernames?"

Unless you know what they've been changed to, you can't be sure how secure those passwords are (or indeed who knows them).
If the accounts are not in everyday use, is there any reason NOT to lock them?

Title: Re: Oracle Financials username/schemas
Post by Pete Finnigan on Nov 4th, 2005, 1:35pm
Excellent question - The DBAs say that these accounts have to be enabled for patches and upgrades not to fail.  Does that sound as if it has any credence?

I know that our experience with Oracle Financials has shown the application to be, shall we say, 'fragile'.

Has anyone else had any experience locking these accts/schemas in OFA?

Title: Re: Oracle Financials username/schemas
Post by Pete Finnigan on Nov 4th, 2005, 7:09pm
Hi,

Oracle apps is fragile if you start to change things. Set audit on connections and monitor all of the accounts over a period for connections being made. If you are happy that they are not connected to then lock them but be prepared to unlock them again for upgrades.

My paper "An introduction to simple Oracle auditing" (http://www.petefinnigan.com/orasec.htm) - at the top of the page - gives some good ideas on auditing connections.

hth

cheers

Pete
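
The audit-then-lock approach described in the reply above, sketched as an added example that is not part of the original thread or of the paper it links to. It assumes the audit_trail initialization parameter is set to DB, a 90-day monitoring window, and uses the four schema names from the question as a constructed sample list.

```sql
-- Assumption: audit_trail=DB, so connection audit records are visible
-- in DBA_AUDIT_SESSION.

-- 1. Audit every connection attempt, successful or failed.
AUDIT SESSION;

-- 2. After the monitoring period, summarise connection activity per account.
--    No filter on ACTION_NAME: a successful LOGON record is updated to
--    LOGOFF when the session ends, so any row counts as a connection attempt.
--    RETURNCODE 0 means the logon succeeded; anything else is a failure.
SELECT u.username,
       u.account_status,
       COUNT(a.username)                               AS attempts,
       SUM(CASE WHEN a.returncode = 0 THEN 1 ELSE 0 END) AS successful,
       MAX(a.timestamp)                                AS last_attempt
FROM   dba_users u
       LEFT JOIN dba_audit_session a
              ON  a.username  = u.username
              AND a.timestamp >= SYSDATE - 90          -- assumed window
WHERE  u.username IN ('ABM', 'AHL', 'AHM', 'AK')       -- constructed sample list
GROUP  BY u.username, u.account_status
ORDER  BY attempts, u.username;

-- 3. For open accounts with no audited connection in the window, generate
--    the lock statement and the matching unlock statement to keep on hand
--    for patches and upgrades. Review the output before running any of it.
SELECT 'ALTER USER ' || u.username || ' ACCOUNT LOCK;'   AS lock_stmt,
       'ALTER USER ' || u.username || ' ACCOUNT UNLOCK;' AS unlock_stmt
FROM   dba_users u
WHERE  u.username IN ('ABM', 'AHL', 'AHM', 'AK')       -- constructed sample list
AND    u.account_status = 'OPEN'
AND    NOT EXISTS (SELECT 1
                   FROM   dba_audit_session a
                   WHERE  a.username  = u.username
                   AND    a.timestamp >= SYSDATE - 90)
ORDER  BY u.username;
```

Failed attempts against an account nobody is supposed to use show up in step 2 with a non-zero count in `attempts` and zero in `successful`, which is worth investigating before the account is locked.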


