Post on 08-Mar-2020
Oracle Database Security Risk Assessment
Highly Confidential

Assessment Date & Time
1.0.2 (October 2016) - 7409

Database Identity
Name: ORCL
Platform: Microsoft Windows x86 64-bit
Database Role: PRIMARY
Log Mode: NOARCHIVELOG
Created: Fri Jan 06 2017
Container: True
Container ID: 3
Container Name: PDB1
Summary

Section                      Pass  Evaluate  Advisory  Some Risk  Significant Risk  Severe Risk
Basic Information               0         1         0          0                 0            0
User Accounts                   4         0         0          3                 2            1
Privileges and Roles            5        12         0          1                 0            0
Authorization Control           0         0         2          0                 0            0
Data Encryption                 0         0         1          0                 0            0
Fine-Grained Access Control     0         1         4          0                 0            0
Auditing                        4         5         1          0                 2            0
Database Configuration          4         4         0          2                 1            0
Network Configuration           0         0         0          0                 0            0
Operating System                0         0         0          0                 0            0
Total                          17        23         8          6                 5            1
Basic Information

Database Version
Security options used: (none)

Security Features
pdb1 - Oracle Database Security Risk Assessment file:///C:/opt/dbsat/pdb1.html
1 of 32 10/25/2017 10:28 AM
Feature                                 Currently Used
AUTHORIZATION CONTROL
Database Vault No
Privilege Analysis No
DATA ENCRYPTION
Column Encryption No
Tablespace Encryption No
Network Encryption No
FINE-GRAINED ACCESS CONTROL
Data Redaction No
Virtual Private Database Yes
Real Application Security No
Label Security No
Transparent Sensitive Data Protection No
AUDITING
Traditional Audit Yes
Fine Grained Audit No
Unified Audit Yes
USER AUTHENTICATION
External Authentication No
Patch Check
Status: Evaluate
Summary: OPatch information not available.
Details:
Patch Inventory:
Not available
Patch History:
Action time: Mon Jan 09 2017 16:33:00
Action: APPLY
Version: 12.1.0.2
Bundle series: PSU
Description: WINDOWS DB BUNDLE PATCH 12.1.0.2.161118(64bit):24922906
Remarks: It is vital to keep the database software up-to-date with security fixes as they are released. Oracle issues Patch Set Updates (PSU) on a regular quarterly schedule. These updates should be applied as soon as they are available. For releases prior to Oracle Database 12c, quarterly updates may be delivered by patches not marked as PSUs.
User Accounts
Note: Predefined Oracle accounts which are locked are not included in this report. To include all user accounts,
run the report with the -a option.
User Accounts

User Name   Status            Profile   Tablespace   Admin?   Auth Type
ADIEHL      OPEN              DEFAULT   USERS        No       PASSWORD
            EXPIRED & LOCKED  DEFAULT   EXAMPLE      No       PASSWORD
C##ADIEHL   OPEN              DEFAULT   USERS        No       PASSWORD
            OPEN              DEFAULT   EXAMPLE      Yes      PASSWORD
PDBADMIN    OPEN              DEFAULT   USERS        No       PASSWORD
SOE         OPEN              DEFAULT   SOE          No       PASSWORD
SYS         OPEN              DEFAULT   SYSTEM       Yes      PASSWORD
User Accounts in SYSTEM or SYSAUX Tablespace
Status: Pass
Summary: No user uses SYSTEM or SYSAUX tablespace.
Remarks: The SYSTEM and SYSAUX tablespaces are reserved for Oracle-supplied user accounts. To avoid a possible denial of service caused by exhausting these resources, regular user accounts should not use these tablespaces. Prior to Oracle Database 12.2, the SYSTEM tablespace cannot be encrypted, and this is another reason to avoid user schemas in this tablespace.
Sample Schemas
Status: Significant Risk
Summary: Found 6 sample schemas.
Details: Sample schemas: HR, IX, OE, PM, SCOTT, SH
Remarks: Sample schemas are well-known accounts provided by Oracle to serve as simple examples for developers. They generally serve no purpose in a production database and should be removed because they unnecessarily increase the attack surface of the database.
Inactive Users
Status: Some Risk
Summary: Found 5 unlocked users inactive for more than 30 days.
Details: Inactive users: C##ADIEHL, HR, PDBADMIN, SOE, SYS
Remarks: If a user account is no longer in use, it increases the attack surface of the system unnecessarily while providing no corresponding benefit. Furthermore, unauthorized use is less likely to be noticed when no one is regularly using the account. Accounts that have been unused for more than 30 days should
Case-Sensitive Passwords
Status: Pass
Summary: Case-sensitive passwords are used.
Details: Initialization parameter SEC_CASE_SENSITIVE_LOGON is set to TRUE.
Remarks: Case-sensitive passwords are recommended because including both upper and lower-case letters greatly increases the set of possible passwords that must be searched by an attacker who is attempting to guess a password by exhaustive search. Setting SEC_CASE_SENSITIVE_LOGON to TRUE ensures that the database distinguishes between upper and lower-case letters in passwords.
Users with Expired Passwords
Status: Some Risk
Summary: Found 4 unlocked users with password expired for more than 30 days.
Details: Users with expired passwords: C##ADIEHL, PDBADMIN, SOE, SYSTEM
Remarks: Password expiration is used to ensure that users change their passwords on a regular basis. If a user's password has been expired for more than 30 days, it indicates that the user has not logged in for at least that long. Accounts that have been unused for an extended period of time should be investigated to determine whether they should remain active.
Users with Default Passwords
Status: Severe Risk
Summary: Found 3 unlocked user accounts with default password.
Details: Users with default password: HR, SYS, SYSTEM
Remarks: Default account passwords for predefined Oracle accounts are well known. Open accounts with default passwords provide a trivial means of entry for attackers, but well-known passwords should be changed for locked accounts as well.
Password Verifiers
Status: Some Risk
Summary: All user accounts support the latest password version. Found 8 accounts with HTTP password verifiers.
Details: Database supports password versions up to 12C.
Users requiring updated password verifiers: (none)
Users with HTTP verifiers: ADIEHL, BI, C##ADIEHL, HR, PDBADMIN, SOE, SYS, SYSTEM
Remarks: For each user account, the database may store multiple verifiers, which are hashes of the user password. Each verifier supports a different version of the password authentication algorithm. Every user account should include a verifier for the latest password version supported by the database so that the user can be authenticated using the latest algorithm supported by the client. When all clients have been updated, the security of user accounts can be improved by removing the obsolete verifiers. HTTP password verifiers are used for XML Database authentication. Use the ALTER USER command to
User Profiles

Profile           Parameter                  Value
DEFAULT           (Number of Users)          8
DEFAULT           CONNECT_TIME               UNLIMITED
DEFAULT           FAILED_LOGIN_ATTEMPTS      10
DEFAULT           IDLE_TIME                  UNLIMITED
DEFAULT           PASSWORD_GRACE_TIME        7
DEFAULT           PASSWORD_LIFE_TIME         180
DEFAULT           PASSWORD_LOCK_TIME         1
DEFAULT           PASSWORD_REUSE_MAX         UNLIMITED
DEFAULT           PASSWORD_REUSE_TIME        UNLIMITED
DEFAULT           PASSWORD_VERIFY_FUNCTION   NULL
ORA_STIG_PROFILE  (Number of Users)          0
ORA_STIG_PROFILE  CONNECT_TIME               UNLIMITED (DEFAULT)
ORA_STIG_PROFILE  FAILED_LOGIN_ATTEMPTS      3
ORA_STIG_PROFILE  IDLE_TIME                  15
ORA_STIG_PROFILE  PASSWORD_GRACE_TIME        5
ORA_STIG_PROFILE  PASSWORD_LIFE_TIME         60
ORA_STIG_PROFILE  PASSWORD_LOCK_TIME         UNLIMITED
ORA_STIG_PROFILE  PASSWORD_REUSE_MAX         10
ORA_STIG_PROFILE  PASSWORD_REUSE_TIME        365
Users with Unlimited Password Lifetime
Status: Pass
Summary: Password expiration is configured for all users.
Remarks: Password expiration is used to ensure that users change their passwords on a regular basis. Passwords that never expire may remain unchanged for an extended period of time. When passwords do not have to be changed regularly, users are also more likely to use the same passwords for
Users with Unlimited Failed Login Attempts
Status: Pass
Summary: No users have unlimited failed login attempts.
Remarks: Attackers sometimes attempt to guess a user's password by simply trying all possibilities from a set of common passwords. To defend against this attack, it is advisable to lock a user account when there are multiple failed login attempts without a successful login.
Password Verification Functions
Status: Significant Risk
Summary: Found 8 users not using password verification function.
Details: Profiles with password verification function: ORA_STIG_PROFILE
Profiles without password verification function: DEFAULT
Users using profiles without password verification function: ADIEHL, BI, C##ADIEHL, HR, PDBADMIN, SOE, SYS, SYSTEM
Remarks: Password verification functions are used to ensure that user passwords meet minimum requirements for complexity, which may include factors such as length, use of numbers or punctuation characters, difference from previous passwords, etc. Oracle supplies several predefined functions, or a custom PL/SQL function can be used. Every user profile should include a password verification function.
Privileges and Roles

All System Privileges
Status: Evaluate
Summary: 494 grants of system privileges
Details: Users directly or indirectly granted each system privilege:
ADMINISTER ANY SQL TUNING SET: ADIEHL, SYSTEM
ADMINISTER DATABASE TRIGGER: ADIEHL, SYSTEM
ADMINISTER KEY MANAGEMENT: (none)
ADMINISTER RESOURCE MANAGER: ADIEHL, SOE, SYSTEM
ADMINISTER SQL MANAGEMENT OBJECT: ADIEHL, SYSTEM
ADMINISTER SQL TUNING SET: ADIEHL, SYSTEM
ADVISOR: ADIEHL, SYSTEM
ALTER ANY ASSEMBLY: ADIEHL, SYSTEM
ALTER ANY CLUSTER: ADIEHL, SYSTEM
ALTER ANY CUBE: ADIEHL, SYSTEM