Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Mar 22nd, 2007, 4:13pm)

Title: Oracle 7.x
Post by Pete Finnigan on Mar 22nd, 2007, 4:13pm
I am auditing Oracle DBMS security.  The Oracle version is 7.9.  

1. Does Oracle still support 7.x?  Does Oracle have a posted document about this (links)?

2. I use grep -i dba /etc/group and it all shows
xxxx [dba:*:50:oracle].  Will this be considered okay for 7.x?

3. How do I verify password life, reuse, and failed logon attempts?  In 8.x and after, I can run
select profile, resource_name, limit from dba_profiles where resource_type = 'PASSWORD';

However, I used the SQL to run under 7.9.  No entry showed.  Would this table dba_profiles exist in 7.9?

4.  Do we still have documentation for Oracle 7.x security somewhere on the Oracle website, indicating there are security vulnerabilities with this version?  Thanks.

Title: Re: Oracle 7.x
Post by Pete Finnigan on Mar 23rd, 2007, 8:34am
Hi,

I am sure that you are aware that 7.x is not supported. Also there is not a version 7.9?? - There are no password management features in 7.x. There are not any really good security checklists for 7, there are some bits. The best start would be to use the version 8 CIS benchmark as a start point and do some research for 7.x extras.

cheers

Pete

Title: Re: Oracle 7.x
Post by Pete Finnigan on Mar 26th, 2007, 7:21pm
Thanks for the information.  The version is 7.343.  Do you happen to have the official Oracle link that indicates version 7.x is no longer supported?  

Title: Re: Oracle 7.x
Post by Pete Finnigan on Mar 26th, 2007, 8:05pm
Hi,

Oracle 7.x is really really old.

It's no longer visible in the certify webpage on Metalink and you should try to upgrade to a newer version instead of hardening the 7.x because there are hundreds of unpatched (sometimes remotely exploitable) bugs available in 7.x.

The Oracle Certification is available here:
https://metalink.oracle.com/metalink/plsql/f?p=140:1:5198363325710471664

There is a note that Oracle 8.0 is desupported.
https://metalink.oracle.com/metalink/plsql/f?p=140:1:5198363325710471664

I would recommend upgrading to 10g R2 as soon as possible because the normal support for 9i rel.2 will end in August 2007 (https://metalink.oracle.com/metalink/plsql/showDoc?db=NEW&id=2568797.993)

Regards

 Alexander Kornbrust
 

Title: Re: Oracle 7.x
Post by Pete Finnigan on Mar 26th, 2007, 10:00pm
You're absolutely right.  I am preparing support for me to write up an audit finding to recommend an upgrade.  But, if there is official information from Oracle as my support document, that's all I need.

Thanks.


