Pete Finnigan's Oracle Security Forum


    
      
        Pete Finnigan's Oracle Security Forum
        (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
      

        Oracle Security >> Oracle Security >> Oracle 7.x
        
(Message started by: Pete Finnigan on Mar 22^nd, 2007, 4:13pm)

Title: Oracle 7.x
Post by Pete Finnigan on Mar 22^nd, 2007, 4:13pm

I am auditing Oracle DBMS security. The Oracle version is 7.9.

1. Does Oracle still support 7.x? Does Oracle have post document about this (links)?

2. I use grep -i dba/etc/group and it all show
xxxx [dba:*:50:oracle]. Will this be considered okay for 7.x?

3. How to verify password life, reuse, and fail logon attemps? In 8.x and after, I can run
select profile, resource_name, limit from dba_profiles where resource_type = 'PASSWORD';

However, I used the SQL to run under 7.9. No entry showed. Would this table dba_profiles exist in 7.9?

4. Do we still have documentation for the Oracle 7.x security somewhere in the Oracle webnutse and indicating there are security vulnerabilities with this version? THanks.

Title: Re: Oracle 7.x
Post by Pete Finnigan on Mar 23^rd, 2007, 8:34am

Hi,

I am sure that you are aware that 7.x is not supported. Also there is a not a version 7.9?? - There are no password managment features in 7.x. There are not any really good security checklists fro 7, there are some bits. the best start would be to use the version 8 CIS benchmark as a start point and do some research for 7.x extras.

cheers

Pete

Title: Re: Oracle 7.x
Post by Pete Finnigan on Mar 26^th, 2007, 7:21pm

Thanks for the information. The version is 7.343. Do you happen to have the official Oracle link that indicates version 7.x is no longer supported?

Title: Re: Oracle 7.x
Post by Pete Finnigan on Mar 26^th, 2007, 8:05pm

Hi,

Oracle 7.x is really really old.

It's no longer visible in the certify webpage on Metalink and you should try to upgrade to a newer version instead of hardening the 7.x because there are hundreds of unpatched (sometime remote exploitable) bugs available in 7.x.

The Oracle Certification is available here:
https://metalink.oracle.com/metalink/plsql/f?p=140:1:5198363325710471664

There is a note that Oracle 8.0 is desupported.
https://metalink.oracle.com/metalink/plsql/f?p=140:1:5198363325710471664

I would recommend to upgrade to 10g R2 as soon as possible because the normal support for 9i rel.2 will end in August 2007 (https://metalink.oracle.com/metalink/plsql/showDoc?db=NEW&id=2568797.993
)

Regards

Alexander Kornbrust

Title: Re: Oracle 7.x
Post by Pete Finnigan on Mar 26^th, 2007, 10:00pm

You're absolutely right. I am preparing support for me to write up an audit finding to recommend an upgrade. But, if there is an official information from Oracle as my support document, that's all I need.

Thanks.