Softpanorama (slightly skeptical) Open Source Software Educational Society
Oracle Audit Scripts
Pete Finnigan - Oracle and Oracle security scripts
- check_parameter.sql: This is the last of the five core auditing scripts available from this tools page. There will be others in the future, but the first five here are useful core tools. This script allows you to neatly print out the values of initialization parameters from the database and also to check the results against a known correct value. The script also allows you to check hidden or undocumented parameters. A sample usage of this script is given here.
- Oracle Default Password checking tool: This is a set of SQL and PL/SQL scripts that can be used to check a database for the existence of any default user accounts with their well-known default passwords still set. The list of accounts used is based on the largest list of Oracle default users on the net. Use this tool to ensure that your database is not vulnerable to the most fundamental issue in Oracle security 101.
- Oracle Password Brute Forcer (Perl): I was made aware of this Perl script that can be used to brute force Oracle database passwords. The script is reasonably simple. It first builds TNS packets to get the SIDs/services available from the listener that is being queried. It then uses the SIDs found and attempts to connect to the database.
- CIS Oracle database security benchmark tool: The Center for Internet Security provides benchmark documents that are intended to be a best-practice minimum standard for securing each piece of equipment that is the subject of the document. There is an Oracle security benchmark document that was developed by CIS in part from the SANS Oracle Security step-by-step written by Pete Finnigan. This scoring tool is based on the benchmark paper and checks most of the items in this paper. The tool provides a score as to how compliant you are with the benchmark.
  Some items in the benchmark are not covered by the tool, but you can check this from the document itself, as each item in the benchmark document indicates whether it is included in the tool. The tool covers quite a lot of items in the score by asking a questionnaire at the beginning of its operation. The rest of the checks are done programmatically. The tool is written in Java and is available for Windows, Solaris and Linux for Oracle 8i and 9i. The tools are free for download.
- dbcool_audit.pl: This is a short security audit script written in Perl that can be used to do a simple Oracle security audit.
- fileprobe.sh: This is a superb script written by Tim Gorman. This Korn shell script checks the files in $ORACLE_HOME and $ORACLE_BASE for any security loopholes.
EvDBT.Com - Scripts and Tools
- fileprobe.sh (ASCII text file – 16Kb): UNIX Korn-shell script which performs checks on the permissions of files in the Oracle software distribution (i.e. ORACLE_HOME), administration files (i.e. ORACLE_BASE/admin), and database files (i.e. control files, online redo log files, archived redo log files, data files, and temp files).
  Updated on 29-April 2005!!!
- oraprobe.sh (ASCII text file – 10Kb): UNIX Korn-shell script which calls SQL*Plus to probe an Oracle database for possible use of default or guessable passwords for the standard accounts created during the installation of Oracle products. The script works in two passes: the first pass uses the fixed list of standard accounts with guessable passwords; the second pass is used whenever the first pass works. The second pass acquires a list of the accounts existing in the ALL_USERS data dictionary view and then tries the account name as the password. In a future version of the script, I'll include guessable passwords here also, as well as guessable variants (such as common number substitution for letters, etc.).
  The intent of this script is not to cause harm or to encourage mayhem, but rather to convince DBAs and database application designers of the importance of strong password protection, which has been built into the RDBMS since v8.0.
  Newly added on 01-October 2002!!!
- tnsprobe.sh (ASCII text file – 6Kb): UNIX Korn-shell script which calls tnsping and lsnrctl to probe a database server host machine for any ports (in the range from 1025 to 65536) with Oracle TNS Listeners on them. If one is found, then the Oracle lsnrctl services command is issued to find out whether the topology of databases served by the TNS Listener can be displayed, and also to determine whether the TNS Listener is passworded. If the lsnrctl services command succeeds, then its output is parsed and the "oraprobe.sh" shell script (see above) is called to probe the Oracle database for accounts with guessable passwords.
  The intent of this script is not to cause harm or to encourage mayhem, but rather to convince DBAs and database application designers of the importance of strong password protection, which has been built into the RDBMS since v8.0.
  Newly added on 01-October 2002!!!
Copyright © 1996-2008 by Dr. Nikolai Bezroukov.
This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belongs to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: February 28, 2008