petefinnigan
9th September 2003, 14:42
Hi everyone
Further to my last thread on the subject of Oracle security I was wondering if anyone here has any links to any articles, white papers, presentations etc specifically about BAAN and Oracle security. I would be interested to hear of any. Also I regularly write papers about Oracle security and would consider getting the ball rolling on BAAN and Oracle security if there are no papers out there already.
thanks
Kind regards
Pete
patvdv
9th September 2003, 15:24
I think Baan/Oracle security is very much an 'uncharted' area. You would be surprised how many people run their Baan installations with just the defaults. Sometimes with the 'system/manager' login! So any recommendations from your side would be interesting to read :)
Francesco
9th September 2003, 19:27
Last Sunday's adventure fits the bill.
This past Sunday we performed a Solaris upgrade (6 -> 8) on our production system.
Although I expected having to relicense Baan in the next 72 days, I was not expecting to be completely unable to run _any_ session in Baan without receiving the "too many records in tttxt001" crap.
Because I had to somehow create a new brandfile, I grabbed for brand6.2, only to realize that I had no copy of our validation key anywhere on my laptop.
I called three different people, but nobody had the keys anywhere in their email.
Fortunately I was able to "hack" my way back into Baan, by using a Baan/Oracle security breach. I simply pulled the key information out of table tttiex301000 and was able to generate a new and working key file.
Maybe not the most significant security issue, but since we are on the subject.... :D
petefinnigan
9th September 2003, 23:45
Hi Guys,
Thanks very much for the replies, Francesco your details of a "hack" are exactly the sort of thing I am interested in for a paper about BAAN / Oracle.
I have a huge amount of info about Oracle security specifically (and a lot of it most probably applies to BAAN installations as well) BUT it is the BAAN specifics that need to be addressed.
It sounds like from what Patvdv says that there is little recorded about BAAN / Oracle security and that a lot of people install BAAN on top of a default Oracle install without changing anything much (surely not true!!).
Bear in mind BAAN is new to me, my area is Oracle so some of what I can offer initially might not be totally relevant. Links to all of these items are on my site at http://www.petefinnigan.com/orasec.htm.
o - The first and most obvious way into an Oracle database is to use one of the default accounts with known default passwords. I wrote a paper for a previous employer that included a default password list. There is a slightly longer password list included with the code for my book "Oracle security step-by-step" published by SANS.
o - The next step would be to run the simple scanner that is included with the paper I wrote for securityfocus.com, as I said there is a link to this paper on the URL above, it's called "A simple Oracle security scanner". This checks for about 10 common issues.
o - There are a couple of links to check lists produced by Oracle themselves, one for Oracle 9i and 9iR2, they are called "A security checklist for Oracle 9i" and "A security checklist for Oracle 9ir2". Most of what is said applies to Oracle 8 and 8i as well.
o - There are some very good papers on http://www.integrigy.com/resources.htm including an excellent one about securing the Oracle listener. I will be adding links to these shortly to my site.
o - I did a recent paper for securityfocus.com called "An introduction to simple Oracle auditing" that has some SQL to check for some basic abuses such as trying to log on with non-existent users (an indication of hacking), users sharing database accounts and so on. Link in usual place.
There are three books dedicated to Oracle security,
o - "Oracle security step-by-step" by Pete Finnigan - see http://store.sans.org - as it says a step by step guide to check for hundreds of configuration and set up issues and vulnerabilities. It's a hands-on checklist cookbook.
o - Oracle security - Marlene Theriault - Bill Heney - O'Reilly - Good book, based around theory but some practical, bit dated now.
o - Oracle security handbook - Marlene again and Aaron Newman - Oracle press - good book, more up to date, again quite a lot of theory.
There is also a chapter in the new Special Ops book by Erik Pace Birkholz et al.
I hope this is a good appetizer, as I said I would be interested to hear more from you guys about BAAN specific security issues on Oracle and what standard Oracle stuff works for BAAN. Like Francesco's item above - but more importantly the fixes to stop these being used.
hth
kind regards
Pete
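An added example of the sort of audit check Pete's auditing item describes (failed logons against non-existent users, shared database accounts); it is not taken from the thread or from Pete's paper. It assumes Oracle's standard audit trail is active (AUDIT_TRAIL=DB in the init parameters and AUDIT SESSION issued), so that each logon attempt leaves a row in DBA_AUDIT_TRAIL.

```sql
-- Added example, not from the thread or Pete's paper. Assumes AUDIT_TRAIL=DB
-- and "AUDIT SESSION" so every logon attempt is written to DBA_AUDIT_TRAIL.

-- 1. All failed logons in the last 7 days. RETURNCODE 1017 is ORA-01017
--    (invalid username/password); 28000 is ORA-28000 (account locked).
SELECT username, os_username, userhost, terminal, timestamp, returncode
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode <> 0
AND    timestamp > SYSDATE - 7
ORDER  BY timestamp DESC;

-- 2. Failed logons using usernames that do not exist in DBA_USERS:
--    the "trying to log on with non-existent users" indicator.
SELECT a.username, a.os_username, a.userhost,
       COUNT(*)         AS attempts,
       MIN(a.timestamp) AS first_seen,
       MAX(a.timestamp) AS last_seen
FROM   dba_audit_trail a
WHERE  a.action_name = 'LOGON'
AND    a.returncode <> 0
AND    NOT EXISTS (SELECT 1 FROM dba_users u WHERE u.username = a.username)
GROUP  BY a.username, a.os_username, a.userhost
ORDER  BY attempts DESC;

-- 3. Shared database accounts: one database user logged on successfully
--    from several OS users or hosts in the last 30 days.
SELECT username,
       COUNT(DISTINCT os_username) AS os_users,
       COUNT(DISTINCT userhost)    AS hosts
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode = 0
AND    timestamp > SYSDATE - 30
GROUP  BY username
HAVING COUNT(DISTINCT os_username) > 1 OR COUNT(DISTINCT userhost) > 1
ORDER  BY os_users DESC, hosts DESC;
```

The same three queries work against SYS.AUD$ directly if the DBA_ view is unavailable, but the column names differ, so check the view definition on the version in use.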