Access to User Password Information
Default users are the largest source of risk, and Oracle addressed that with the DBA_USERS_WITH_DEFPWD view. Permissions on
this view have been tightened in 12c.
Additionally, access to passwords through DBA_USERS has been removed.
Even SELECT ANY DICTIONARY is now prevented from viewing the password column of the sys.user$ table. So is the
12c database becoming more secure?
There are 236 privileges in Oracle 12c, but only the most privileged one (SYSDBA) does not have password
controls.
SQL> select count(*) from system_privilege_map;
COUNT(*)
----------
236
So the database is becoming more secret and complex, but basic security controls such as profiles still do
not apply to the most privileged accounts, so the main battle has not yet been won. The current solution for SYS
passwords involves passing responsibility for the control of that value to a separate access control system, such as
CyberArk or BeyondTrust. We will dig into that later.
LAST_LOGIN
There is some positive additional information about users added in 12c, which increases transparency. In 11g we
had to run a query like this to try to see whether a user had used their account:
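-- ctime = account creation time, ptime = last password change time;
-- length 16 matches the older DES-based password hash format.
select name, ctime, ptime
from sys.user$
where password is not null
and password not in ('GLOBAL','EXTERNAL')
and length(password) = 16
and ctime = ptime;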
Now we have DBA_USERS.LAST_LOGIN to replace the preceding query:
SQL> desc dba_users;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 USERNAME                                  NOT NULL VARCHAR2(128)
 USER_ID                                   NOT NULL NUMBER
 PASSWORD                                           VARCHAR2(4000)
 ACCOUNT_STATUS                            NOT NULL VARCHAR2(32)
 LOCK_DATE                                          DATE
 EXPIRY_DATE                                        DATE
 DEFAULT_TABLESPACE                        NOT NULL VARCHAR2(30)
 TEMPORARY_TABLESPACE                      NOT NULL VARCHAR2(30)
 CREATED                                   NOT NULL DATE
 PROFILE                                   NOT NULL VARCHAR2(128)
 INITIAL_RSRC_CONSUMER_GROUP                        VARCHAR2(128)
 EXTERNAL_NAME                                      VARCHAR2(4000)
 PASSWORD_VERSIONS                                  VARCHAR2(12)
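
As an added example (not from the original text), the following 12c audit query combines DBA_USERS.LAST_LOGIN with DBA_USERS_WITH_DEFPWD to list open accounts that have no recorded login or have been idle for a long time, flagging those still on a default password. The 90-day threshold and the column aliases are assumptions chosen for illustration.

```sql
-- Added example: dormant-account review using the 12c views discussed above.
-- Assumptions: the session can SELECT from DBA_USERS and DBA_USERS_WITH_DEFPWD;
-- the 90-day idle threshold is an arbitrary choice, adjust to local policy.
--
-- Caveat: LAST_LOGIN is not populated for administrative connections
-- (for example AS SYSDBA), so a NULL for SYS does not mean the account is unused.
SELECT u.username,
       u.account_status,
       u.profile,
       u.oracle_maintained,
       u.created,
       u.last_login,
       CASE
         WHEN u.last_login IS NULL THEN 'NO LOGIN RECORDED'
         ELSE 'IDLE > 90 DAYS'
       END AS finding,
       CASE
         WHEN d.username IS NOT NULL THEN 'YES'
         ELSE 'NO'
       END AS default_pwd
FROM   dba_users u
       LEFT JOIN dba_users_with_defpwd d
              ON d.username = u.username
WHERE  u.account_status = 'OPEN'
AND    (u.last_login IS NULL
        OR u.last_login < SYSTIMESTAMP - INTERVAL '90' DAY)
-- Default-password accounts first, then accounts with no recorded login.
ORDER  BY default_pwd DESC, u.last_login NULLS FIRST;
```

Rows with default_pwd = 'YES' are the first candidates for locking or a password change; rows with no recorded login on accounts created before an upgrade to 12c need a second look, since earlier logins were not tracked in this column.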