Re: Listener Passwords, who uses them and why?

From: DA Morgan <damorgan_at_psoug.org>
Date: Tue, 02 Aug 2005 16:01:55 -0700
Message-ID: <1123024246.99355@yasure>

Maxim Demenko wrote:
> Dave schrieb:
>

>> As the subject says, just curious how many people out there have
>> passwords on their listeners?
>>
>> Some external group auditing us for SOX is saying that its a best
>> practice but in my 8 years as a DBA i've never seen it.
>>
>> I can see if we had problems with listeners going down unexpectedly but
>> this has never happened.    Are there security holes that I should be
>> aware of that recommend having a password?
>>
>> (I'm aware of the iSQLPlus bug in the latest Oracle CPU, but we don't
>> use it..)
>>
>> tnx.
>>

>
> I've found some months ago this document
> http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf
> ( is dated Jan 2004), they state that listener passwords can be easily
> brut forced due to lack of automatic logout facility (haven't tested),
> some older exploits are listed too.
> Maybe that helps...
>
> Best regards
>
> Maxim

True or not that has nothing to do with SarbOx compliance. A company required by law to comply with Sarbanes-Oxley needs to due what its auditors say and, unflatteringly, those in IT that are not lawyers and have no skin in the game should just shut up and implement what they are asked. I'm not picking on you here but I hear so .... much whining from IT people who stand to lose nothing but a smidgen of convenience while C-Level management and auditors stand to lose do to substantial financial and legal penalties including jail time. The law may be as dumb as dirt ... but it is the law and must be complied with. As the saying goes: Don't do the crime if you can't do the time.

And once again, Maxim, not directed to you so please don't take the above personally.

-- 
Daniel A. Morgan
http://www.psoug.org
damorgan_at_x.washington.edu
(replace x with u to respond)

Received on Tue Aug 02 2005 - 18:01:55 CDT