Re: Simple Security Questions

From: Steve Howard <stevedhoward_at_gmail.com>
Date: Wed, 15 Oct 2008 06:58:48 -0700 (PDT)
Message-ID: <dc427061-f57c-4b34-bff5-f5fac1f7f999@z6g2000pre.googlegroups.com>


On Oct 14, 6:04 pm, Palooka <nob..._at_nowhere.com> wrote:

> Can I safely lock the following accounts (10.2.0.4)?
>
> SYSTEM
> MGMT_VIEW
> OUTLN
>
> None of these ever log in, according to DBA_AUDIT_TRAIL. I have session
> auditing on.
>

This is an interesting question. Most shops advocate not using SYSTEM on a regular basis, but I also have never heard a suggestion to lock it, either. I would defer to being conservative and not locking it, though. My guess is Oracle wouldn't even support it, but that is exactly that...a guess.

OUTLN I think is already locked by default. For MGMT_VIEW I have no clue. It doesn't look like it is locked by default, though. The following may be of interest...

http://www.oracle.com/technology/products/oem/pdf/Security_Paper_OOW_06.pdf

> Also, should I create a new role, with various system privileges, to
> replace the "burned in" DBA role, and grant that to myself rather than DBA?
>

I think the new role is a good idea. We did this some time ago by reverse engineering the existing DBA role and extracting from it what we actually used.

> For information, we are using the database, OEM and RMAN. No RAC, no
> Oracle Applications, no ASM, no DataGuard.
>
> Jobs are scheduled with the newer database scheduler, not DBMS_JOB. Is
> it therefore OK to set JOB_QUEUE_PROCESSES to zero?
>

JOB_QUEUE_PROCESSES is still used for materialized view updates and I think streams queues.

Received on Wed Oct 15 2008 - 08:58:48 CDT
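
One way to do the "reverse engineering the existing DBA role" mentioned in the reply, as an added example that is not part of the original thread: list what DBA carries, intersect it with the privileges the audit trail shows an administrator actually using, and generate grants for a smaller role. The role name DBA_MINIMAL and the user JSMITH are hypothetical, and the query assumes auditing is populating PRIV_USED in DBA_AUDIT_TRAIL.

```sql
-- Added example. DBA_MINIMAL and JSMITH are hypothetical names.

-- 1. System privileges granted directly to the DBA role.
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'DBA'
 ORDER BY privilege;

-- 2. Roles nested inside DBA; their privileges are inherited as well,
--    so each one needs the same review.
SELECT granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'DBA'
 ORDER BY granted_role;

-- 3. DBA system privileges that the audit trail shows JSMITH exercising.
--    PRIV_USED is only recorded for audited actions, so treat this list
--    as a lower bound and review it before relying on it.
SELECT p.privilege,
       COUNT(*)         AS times_used,
       MAX(a.timestamp) AS last_used
  FROM dba_sys_privs p
  JOIN dba_audit_trail a
    ON a.priv_used = p.privilege
 WHERE p.grantee  = 'DBA'
   AND a.username = 'JSMITH'
 GROUP BY p.privilege
 ORDER BY p.privilege;

-- 4. Create the replacement role and generate one GRANT per used privilege.
CREATE ROLE dba_minimal;

SELECT DISTINCT 'GRANT ' || p.privilege || ' TO dba_minimal;' AS grant_stmt
  FROM dba_sys_privs p
  JOIN dba_audit_trail a
    ON a.priv_used = p.privilege
 WHERE p.grantee  = 'DBA'
   AND a.username = 'JSMITH';

-- 5. After running the generated statements and testing the new role,
--    swap it in for the built-in one.
GRANT dba_minimal TO jsmith;
REVOKE dba FROM jsmith;
```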
