Sie sind auf Seite 1von 3

07.10.

2016 Securityparametersin11Gand12COracleDBAAlifelonglearningexperience

OracleDBAAlifelonglearningexperience

Securityparametersin11Gand12C

PostedbyJohnHallasonApril8,2015

Thereare5parametersthatareallprexedwithsecinan11gand12cdatabase.Actuallythatisa
liebecauseoneisnowdeprecatedin12c.Theyareall,asyoumightguessrelatedtosecurity.This
blogisaboutchangesinthedefaultvaluesandsomethoughtsaboutwhetherornotthedefault
valueisappropriateornot.

TRUEin11GR1,11GR2,DEPRECATEDIN
SEC_CASE_SENSITIVE_LOGON
12C
SEC_MAX_FAILED_LOGIN_ATTEMPTS default11GR1,11GR2=10,12c=3
defaultisCONTINUEin11GR1,11GR2,
SEC_PROTOCOL_ERROR_FURTHER_ACTION
drop,3in12c
SEC_PROTOCOL_ERROR_TRACE_ACTION defaultisTRACE11GR1,11GR2,12c
defaultisFALSEin11GR1,11GR2,TRUEin
SEC_RETURN_SERVER_RELEASE_BANNER
12c

SEC_CASE_SENSITIVE_LOGON
Letscoverthedeprecatedonerst.Thiscamealongin11g(asall5did)andisnowdeprecatedas
12cisforcingcasesensitivepasswords.Inparalleltheorapwdfunctionin12cnolongerhasthe
ignorecaseoptioneither.
TheoneapplicationthatIknowdoesnotsupportcasesensitivepasswordsisEBSR12.1.1butthere
isapatch(12964564)ifyouwishtoupgradeto12c(orevencontinuetorunat11GR1).

SEC_MAX_FAILED_LOGIN_ATTEMPTS
Nowdefaultsto3in12cfromthe11Gxdefaultof10,whichisnotunreasonable.Thisallowsa
clienttoaemptaconnection3times(multipleaccounts)beforedroppingtheconnection.

SEC_PROTOCOL_ERROR_TRACE_ACTION
Thistakesactionifbadpacketsareidentiedascominginfromaclient.ThedefaultisTRACEand
againIwouldchallengethatposition.TheotherviableoptionsareLOGwhichproducesaminimal
logleandalsoanalerttothealertlogorjustALERTordonothingNONE.TheTRACEhasthe
possibilityofllingdiskupwhichcouldhavethesameeectasaDoSaackwhichtheparameter
istryingtostopthereforeIthinkIprefertheLOGoptionratherthanjusttheALERToption.
Howeverifyouarealertingensurethatyouhavewrienatrapinwhateveryouusetoparseyour
alertlogstospitoutthemessagetoyourmonitoringscreens.Anicebyproductofthisalertisthat
youcannowformallypassitontothenetworkteamandyouhavesucientevidencetodoso.
https://jhdba.wordpress.com/2015/04/08/securityparametersin11gand12c/ 1/3
07.10.2016 Securityparametersin11Gand12COracleDBAAlifelonglearningexperience

youcannowformallypassitontothenetworkteamandyouhavesucientevidencetodoso.
SEC_PROTOCOL_ERROR_FURTHER_ACTION
Thisiswhereitgetsabittrickyandwehaveanotherchangein12c.In11gthedefaultwas
CONTINUE,thereforeifyouhadtracingsetinthepreviousparameteryoucouldendupwithalot
oflogginggoingon.IthinktheCONTINUEwasthecorrectoptionin11Gasyoudonotwantto
stopvalidconnectionsintoaproductionsystembecausethepacketmightlookbadnotwithout
somedegreeofauthorisationatleast.
From12cthedefaulthaschangedtoDROP,3.Thismeansdroptheconnectionafter3badpackets
havearrivedfromaclient.Whichsoundsgoodaspotentiallyatracelewillnotbecometoobig.
Howeverthereisnothingstoppingaclientaemptingmanysuchconnections,allwithbad
packets,whichcouldpotentiallycauseaDoS,notbyusingallyourprocesses,butbyllingyour
logarea.
WiththischangeofdefaultIthinkitisevenmoreimportanttoknowwhenconnectionsarebeing
droppedbytheSEC_PROTOCOL_ERROR_TRACE_ACTIONparameterandthatiswhyIwould
suggestseingSEC_PROTOCOL_ERROR_FURTHER_ACTIONtoCONTINUE

SEC_RETURN_SERVER_RELEASE_BANNER
Thisparameterspecieswhethertheserverreturnscompletedatabasesoftwareinformationto
unauthenticatedclients.ThedefaultisFALSEinallversionsdespitethe12Cdocumentation
statingthatthedefaultisnowTRUE.Oraclehavechosenthatdefaultasthewholepointof
securityistonotgiveawayanymoreinformationthanyouhavetoandthatcannotbeargued
with.

Somyjointrecommendationsfortheseparametersare:

1.EnsureSEC_RETURN_SERVER_RELEASE_BANNERissettothedefaultofFALSEonall
databases
2.SetSEC_PROTOCOL_ERROR_TRACE_ACTIONtoLOGandensurethattrapsareinplaceto
capturethealerts
3.SetSEC_PROTOCOL_ERROR_FURTHER_ACTIONtoCONTINUE,oratleastensurethatif
youaredroppingconnectionsthenthathasbeencommunicatedtointerestedpartieswhomay
notbeabletogettotheservicetheyneedto.Agoodhalfwayhousewouldbetouse(DELAY,3)
todelayapacketby3secondsbutitisimportantthatallsupportpartiesareawareifthisis
enabled.

Finally,IwillbepostingafollowupblogonFridaywhichcoverssomediscrepanciesinthe12c
dictionaryandseemstobeamajorissuebutIneedtodosomemoreresearchrst.

Abouttheseads

ThisentrywaspostedonApril8,2015at9:26amandisledunder11gnewfeatures,12cnew
https://jhdba.wordpress.com/2015/04/08/securityparametersin11gand12c/ 2/3
07.10.2016 Securityparametersin11Gand12COracleDBAAlifelonglearningexperience

ThisentrywaspostedonApril8,2015at9:26amandisledunder11gnewfeatures,12cnew
features,Oracle.Tagged:12csecurityparameters,SEC_CASE_SENSITIVE_LOGON,
SEC_MAX_FAILED_LOGIN_ATTEMPTS,SEC_PROTOCOL_ERROR_FURTHER_ACTION,
SEC_PROTOCOL_ERROR_TRACE_ACTION,SEC_RETURN_SERVER_RELEASE_BANNER.You
canfollowanyresponsestothisentrythroughtheRSS2.0feed.Youcanleavearesponse,or
trackbackfromyourownsite.

OneResponsetoSecurityparametersin11Gand12C

1.Discrepanciesinv$parameterdefaultvaluesin12cOracle
DBAAlifelonglearningexperiencesaid

April10,2015at8:13am
[]Securityparametersin11Gand12C[]

Reply

Geingsqlstatementsoutofatracele
Discrepanciesinv$parameterdefaultvaluesin12c

BlogatWordPress.com.

https://jhdba.wordpress.com/2015/04/08/securityparametersin11gand12c/ 3/3