sql92_security_chk.sql
"The SQL92 standards specify that security administrators should be able to require that users have SELECT privilege on a table when executing an UPDATE or DELETE statement that references table column values in a WHERE or SET clause. SQL92_SECURITY specifies whether users must have been granted the SELECT object privilege in order to execute such UPDATE or DELETE statements."

This query helps identify users and/or objects where UPDATE or DELETE privileges have been granted without the SELECT privilege. It is intended to assist anyone trying to assess the risk of enabling the SQL92_SECURITY initialization parameter on their Oracle database.

The query is quite complex because it has to allow for access being granted via different methods. For example, a user may have been directly granted UPDATE on a table. We then need to confirm not only that the user has no direct SELECT privilege on the table, but also that they do not have SELECT via a role (or nested role), via the PUBLIC role, or via the SELECT ANY TABLE system privilege.

The query uses some of the internal data dictionary tables for performance instead of the human-friendly views. Consequently there are two versions, as Oracle modified one of the internal data dictionary tables as of Oracle11g:

sql92_security_chk.sql - Oracle10g and earlier
sql92_security_chk_11g.sql - Oracle11g and later

Tested on Oracle9iR2, Oracle10gR2 and Oracle11gR2.
pentest_password_verify.pls
The Oracle database provides the functionality to enforce password complexity rules by allowing the administrator to write a custom PL/SQL function to verify the password. Although Oracle provides a sample function that they encourage their customers to develop to meet their internal (or in-house) verification requirements, many sites do not use this functionality, either because they do not have the in-house expertise or because the relevant resources are unavailable. The Pentest password verification function is designed for use with the PROFILE resource parameter PASSWORD_VERIFY_FUNCTION. It is intended as an alternative to the Oracle-supplied VERIFY_FUNCTION (created by the UTLPWDMG.SQL script). It is designed to be easily customisable by someone with little or no PL/SQL experience. It performs most of the checks required by the majority of sites and is configured by setting the values of a set of constants at the beginning of the function. The PENTEST_PASSWORD_VERIFY function performs the following tests:
* Check password does not contain the username
* Check password does not contain the username in reverse
* Check password is not similar to the username (soundex)
* Check password is not similar to the previous password (soundex)
* Check password length
* Check password does not contain a forbidden word
* Check password is not similar to a forbidden word (soundex)
* Include database name as a forbidden word
* Include host name as a forbidden word
* Include the current month as a forbidden word
* Check number of alphabetic characters
* Check number of upper-case characters
* Check number of numeric characters
* Check number of punctuation characters
* Check number of standard Oracle punctuation characters (i.e. "_", "#" and "$")
* Check number of non-standard Oracle punctuation characters
* Check number of times a single character is used within the password
* Check number of different characters used from previous password
* Check number of different characters within the password

NOTE: This function is only compatible with Oracle10g and onwards.
scanner.sql
This is a simple scanner script to look for certain security issues within an Oracle database. This scanner accompanies a white paper published on SecurityFocus at http://www.securityfocus.com/infocus/1522.
su.sql
This script allows the user to change users in an Oracle database without knowing the password of the user they wish to log in as. To use this script you need to be logged in as a DBA.
sql.sql
This script retrieves the SQL from the Oracle SGA for a particular user and session ID. This allows you to see the statements being executed by any user.
events.sql
This script can be used to see which Oracle events are set for the current Oracle session.
layout.sql
This script displays details of the logical structures in an Oracle database and the main datafiles used by an Oracle database.
who.sql
Shows who is logged onto an Oracle database and gives the database session serial number and PID as well as the O/S PID.
check_users.sql
Can be used to check for default users installed in the database where the password is still set to the default.
check_roles.sql
Can be used to check for default roles installed in the database where the password is still set to the default.
link.sql
Script to show the database link details including any stored passwords.
disk.sql
Displays details of each data file used in the database and shows reads, writes and totals.
objchk.sql
Checks all objects in the database for validity and displays the objects that are invalid by owner and type.
dump.sql
Displays the user_dump_dest (trace directory) from the fixed tables.
utl.sql
Displays the user_file_dir (directory utl_file writes to) from the fixed tables.
idxchk.sql
This script finds any indexes that are invalid and displays their details.
enqueue.sql
This script displays the "enqueue" statistics.
resource_limits.sql
Shows the resource limits, the current values and the maximum values.
stats.sql
Show all of the system statistics.
sys_event.sql
Show all of the system event statistics.
redo_latch.sql
Show all of the redo latch statistics.
event_names.sql
Display all of the event names and parameters.
latch_hit_ratio.sql
Display the latch misses and immediate misses.
all_latch.sql
Displays all of the latch statistics.
db_links.sql
Script to show details of database links from dba_db_links.
dict_cache.sql
Script to show the hit ratio of the dictionary cache.
buffer_cache.sql
Script to show the hit ratio of the buffer cache.
sga_mem.sql
Script to show the breakdown of the SGA in terms of type, status and size.
sga_sizing.sql
Script to show the sizing of the SGA and the current use.
free_space.sql
Script to show free space for each tablespace in the database.
cache.sql
Shows the size of the SQL area, the free memory and the percentage of free memory in the SGA. Also shows the three key hit ratios, i.e. the buffer cache, the dictionary cache and the library cache. Finally, the numbers of memory and disk sorts are shown with the percentage of sorts done in memory.
sysstat.sql
This script shows the three SGA hit ratios with slightly different detail to the report above.
last_analyze.sql
Shows the dates of the oldest and newest analyze done on each table.
lock.c
This C program can be used to lock the shared memory segments allocated to Oracle in core. It can be used as a workaround for the init.ora parameter LOCK_SGA, which does not work on Solaris because only root is allowed to lock memory in core. The program can be SUID root or be run as root. Ideally it would be run from a shell script right after the database has been started. This will help prevent the SGA from being paged out.
parameters.sql
This script will display all of the initialisation parameters including the hidden ones.
hidden.sql
This script will display all of the undocumented hidden initialisation parameters.
check_freelist.sql
Checks the number of wait statistics for the class "free list".
free_memory.sql
Displays the free memory in the SGA.