Oracle Database Discussions

Is it safe to change default DB users' passwords and profile?

Max Mar 13 2014 — edited Mar 13 2014

Grid version :    11.2.0.4.0

RDBMS version:    11.2.0.4.0

Platform     :    Oracle Linux 6.4

To comply with an upcoming security audit, we need all DB users except the application users to comply with the password policy of our firm.

Currently all our DB users belong to the DEFAULT profile, which doesn't enforce any restrictions like password complexity or password expiry.

To implement the password policy, I have created 3 profiles and a password verify function.

Following are the 3 profiles I am introducing:

MANH_ADM -- For SYS, SYSTEM, SYSMAN users. Associated to a password verify function which complies with our firm's policies.

MANH_NONADM -- For users that got created by default when you create a fresh database. Associated to a password verify function which complies with our firm's policies.

MANH_APP -- For Application users. Very Lenient. No restrictions as requested by apps team. No password policy associated.

Below is an excerpt from the script which we have used to implement the security of all our DBs. It changes the profile of these users to a custom profile named MANH_NONADM and changes the password of all default DB users.

ALTER USER OUTLN          PROFILE MANH_NONADM;

ALTER USER DIP              PROFILE MANH_NONADM;

ALTER USER ORACLE_OCM          PROFILE MANH_NONADM;

ALTER USER APPQOSSYS          PROFILE MANH_NONADM;

ALTER USER WMSYS          PROFILE MANH_NONADM;

ALTER USER EXFSYS          PROFILE MANH_NONADM;

-- For oracle text, don't enforce

ALTER USER CTXSYS          PROFILE MANH_APP;

-- MGMT_VIEW is used by OEM Database Control. Don't enforce

ALTER USER MGMT_VIEW          PROFILE MANH_APP;

--Used by Enterprise manager, don't enforce

ALTER USER DBSNMP PROFILE MANH_APP;

-- XDB stores Oracle XML DB data and metadata. Don't enforce

ALTER USER XDB              PROFILE MANH_APP;

--ALTER USER XS$NULL          PROFILE MANH_NONADM;

ALTER USER ANONYMOUS          PROFILE MANH_NONADM;

ALTER USER ORDPLUGINS          PROFILE MANH_NONADM;

ALTER USER ORDSYS          PROFILE MANH_NONADM;

ALTER USER ORDDATA          PROFILE MANH_NONADM;

ALTER USER SI_INFORMTN_SCHEMA      PROFILE MANH_NONADM;

ALTER USER MDSYS          PROFILE MANH_NONADM;

ALTER USER OLAPSYS          PROFILE MANH_NONADM;

ALTER USER MDDATA          PROFILE MANH_NONADM;

ALTER USER SPATIAL_WFS_ADMIN_USR  PROFILE MANH_NONADM;

ALTER USER SPATIAL_CSW_ADMIN_USR  PROFILE MANH_NONADM;

ALTER USER APEX_PUBLIC_USER      PROFILE MANH_NONADM;

ALTER USER FLOWS_FILES          PROFILE MANH_NONADM;

ALTER USER APEX_030200          PROFILE MANH_NONADM;

ALTER USER OWBSYS          PROFILE MANH_NONADM;

ALTER USER OWBSYS_AUDIT          PROFILE MANH_NONADM;

-- Change password

ALTER USER OUTLN          IDENTIFIED BY uNani8987#;

ALTER USER DIP              IDENTIFIED BY Hg$i9CLai;

ALTER USER ORACLE_OCM          IDENTIFIED BY Hg$i9CLak;

ALTER USER DBSNMP          IDENTIFIED BY pR$YeoT3i; ------> This messed up Enterprise manager

ALTER USER APPQOSSYS          IDENTIFIED BY pR$YeoT3m;

ALTER USER WMSYS          IDENTIFIED BY Hg$i9CLna;

ALTER USER EXFSYS          IDENTIFIED BY Hg$i9CLnb;

ALTER USER CTXSYS          IDENTIFIED BY Hg$i9CLns;

ALTER USER ANONYMOUS          IDENTIFIED BY Hg$i9CLnc;

ALTER USER XDB              IDENTIFIED BY Hg$i9CLnd;

--ALTER USER XS$NULL          IDENTIFIED BY Hg$i9CLne;

ALTER USER ORDPLUGINS          IDENTIFIED BY Hg$i9CLnaf;

ALTER USER ORDSYS          IDENTIFIED BY Hg$i9CLnag;

ALTER USER ORDDATA          IDENTIFIED BY Hg$i9CLnah;

ALTER USER SI_INFORMTN_SCHEMA      IDENTIFIED BY pR$YeoT3m;

ALTER USER MDSYS          IDENTIFIED BY julsi8987#;

ALTER USER OLAPSYS          IDENTIFIED BY pR$YeoT3w;

ALTER USER MDDATA          IDENTIFIED BY  uNani8987#;

ALTER USER SPATIAL_WFS_ADMIN_USR  IDENTIFIED BY  Hg$i9CLai;

ALTER USER SPATIAL_CSW_ADMIN_USR  IDENTIFIED BY  Hg$i9CLak;

ALTER USER MGMT_VIEW          IDENTIFIED BY  pR$YeoT3i;

ALTER USER APEX_PUBLIC_USER      IDENTIFIED BY  UI$YeoT3m;

ALTER USER FLOWS_FILES          IDENTIFIED BY  Hg$i9CLna;

ALTER USER APEX_030200          IDENTIFIED BY  Hg$i9CLnb;

ALTER USER OWBSYS          IDENTIFIED BY  Hg$i9CLnb;

ALTER USER OWBSYS_AUDIT          IDENTIFIED BY  pR$YeoT3s;

The above-mentioned script was executed on one of our critical production DBs. After that, Enterprise Manager stopped working because DBSNMP's default password had changed. To fix this, the DBSNMP user's password has to be changed in a special way as described in 259387.1.

Now, I am worried that other DB features may not work if I change the default password of default users.

So, we want to know if it is safe to:

1. Change the password of default DB users mentioned above?

2. Change the profile of default DB users from DEFAULT to a custom profile as shown above?

This post has been answered by EdStevens on Mar 13 2014
Locked on Apr 10 2014
Added on Mar 13 2014
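
An added example, not part of the original post: a read-only inventory query to run before and after a script like the one above, showing each listed account's status, profile, whether it still has its default password, and the password limits its profile imposes. It assumes the 11.2 dictionary views DBA_USERS, DBA_PROFILES and DBA_USERS_WITH_DEFPWD and a session allowed to query them; the account list is copied from the post.

```sql
-- Added example: inventory of the default accounts touched by the script.
-- Read-only; changes nothing. Run once before the change to capture a
-- baseline and again afterwards to confirm the result.
SELECT u.username,
       u.account_status,          -- OPEN accounts are the ones a client can log in with
       u.profile,
       u.lock_date,
       u.expiry_date,
       CASE WHEN d.username IS NOT NULL THEN 'YES' ELSE 'NO' END AS default_pwd,
       life.limit AS password_life_time,        -- 'DEFAULT' = inherited from the DEFAULT profile
       vfn.limit  AS password_verify_function   -- 'NULL' = no verify function attached
FROM   dba_users u
       -- Accounts whose password is still the well-known default
       LEFT JOIN dba_users_with_defpwd d
              ON d.username = u.username
       -- Password expiry limit of the profile currently assigned
       LEFT JOIN dba_profiles life
              ON life.profile = u.profile
             AND life.resource_name = 'PASSWORD_LIFE_TIME'
       -- Complexity function of the profile currently assigned
       LEFT JOIN dba_profiles vfn
              ON vfn.profile = u.profile
             AND vfn.resource_name = 'PASSWORD_VERIFY_FUNCTION'
WHERE  u.username IN (
         'OUTLN', 'DIP', 'ORACLE_OCM', 'APPQOSSYS', 'WMSYS', 'EXFSYS',
         'CTXSYS', 'MGMT_VIEW', 'DBSNMP', 'XDB', 'ANONYMOUS',
         'ORDPLUGINS', 'ORDSYS', 'ORDDATA', 'SI_INFORMTN_SCHEMA',
         'MDSYS', 'OLAPSYS', 'MDDATA',
         'SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR',
         'APEX_PUBLIC_USER', 'FLOWS_FILES', 'APEX_030200',
         'OWBSYS', 'OWBSYS_AUDIT'
       )
ORDER  BY u.account_status, u.username;
```

Comparing the before and after output shows which accounts changed profile and which OPEN accounts, such as DBSNMP in the post, had a password in use by another component.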