6 Replies Latest reply: Mar 27, 2006 11:23 AM by 365741

URGENT: FAILED_LOGIN_ATTEMPTS changed in 10gR2

Laurent Schneider Oracle ACE
Hi,
This is a major change in Oracle Security and it has not been documented.

Oracle Version 10.1 and below : Default profile failed_login_attempts unlimited
Oracle Version 10.2 : Default profile failed_login_attempts 10

It MUST be documented. It is a very important change,

at least in:
- part B14233-02 Database Readme Section 7 security
http://download-uk.oracle.com/docs/cd/B19306_01/readmes.102/b14233/toc.htm#CHDCHFGG
- part B14238-01 Database Upgrade Guide - Compatibility and Interoperability
http://download-uk.oracle.com/docs/cd/B19306_01/server.102/b14238/compat.htm#CHDFHCHD
- part B14266-01 Database Security Guide - Listing All Profiles and Assigned Limits (must be corrected to 10)
http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14266/admusers.htm#i1009127

Please note that this is a major change in database security. Some tools, for example OEM, will lock accounts quickly when you change a password on the database, as soon as the original password has been tried ten times. I urge you to document this ASAP to avoid future issues.

Thank you very much for a prompt answer,
Laurent




proof :

a1001000.sql
Rem =========================================================================
Rem =========================================================================
Rem Upgrade sets failed_login_attempts = 10
Rem           if it is UNLIMITED for DEFAULT profile
Rem ========================================================================

DECLARE
 prec DBA_PROFILES%ROWTYPE;
BEGIN
 SELECT * INTO prec FROM DBA_PROFILES
 WHERE  profile = 'DEFAULT' AND resource_name = 'FAILED_LOGIN_ATTEMPTS';


 IF prec.LIMIT = 'UNLIMITED' THEN
   EXECUTE IMMEDIATE
      'ALTER PROFILE default  LIMIT failed_login_attempts 10';
 END IF;
END;
/
sql.bsq
create profile "DEFAULT" limit            /* default value, always present */
  composite_limit               unlimited                   /* service units */
  sessions_per_user             unlimited              /* logins per user id */
  cpu_per_session               unlimited            /* cpu usage in minutes */
  cpu_per_call                  unlimited        /* max cpu minutes per call */
  logical_reads_per_session     unlimited
  logical_reads_per_call        unlimited
  idle_time                     unlimited
  connect_time                  unlimited
  private_sga                   unlimited      /* valid only with TP-monitor */
  failed_login_attempts         10
  password_life_time            unlimited
  password_reuse_time           unlimited
  password_reuse_max            unlimited
  password_verify_function      null
  password_lock_time            unlimited
  password_grace_time           unlimited
/
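The queries below are an added example, not part of Laurent's post and not taken from Oracle's upgrade scripts. They show how a DBA would check what the DEFAULT profile actually enforces after the 10.2 upgrade, find the accounts that inherit the new limit of 10, spot accounts that a tool retrying a stale password has already tripped, and move tool-driven service accounts onto a profile with a timed lock instead of reverting DEFAULT to UNLIMITED. Note from the sql.bsq extract above that PASSWORD_LOCK_TIME in the 10.2 DEFAULT profile is still UNLIMITED, so an account locked by ten failures stays locked until a DBA unlocks it. The user name app_monitor and the profile name svc_profile are assumptions for illustration.

```sql
-- Added example (not from the post or from Oracle's scripts): verify and
-- contain the FAILED_LOGIN_ATTEMPTS change on a 10.2 database.

-- 1. What does each profile enforce now? The upgrade script a1001000.sql only
--    rewrites DEFAULT when the limit is UNLIMITED; a site that had already set
--    an explicit value keeps it, so do not assume 10 without looking.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
AND    resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME')
ORDER  BY profile, resource_name;

-- 2. Which accounts inherit the DEFAULT profile, and with it the limit of 10?
SELECT username, account_status, lock_date
FROM   dba_users
WHERE  profile = 'DEFAULT'
ORDER  BY username;

-- 3. Accounts already locked by repeated failed logins (the OEM scenario in the
--    post). A lock caused by failed attempts shows as LOCKED(TIMED) with a
--    LOCK_DATE; an explicit ALTER USER ... ACCOUNT LOCK shows as LOCKED.
SELECT username, account_status, lock_date, profile
FROM   dba_users
WHERE  account_status LIKE 'LOCKED%'
ORDER  BY lock_date DESC NULLS LAST;

-- 4. Unlock an account tripped by a tool that kept retrying the old password
--    (hypothetical user name). The password stored in the tool must be fixed
--    first, otherwise the account is locked again within ten attempts.
ALTER USER app_monitor ACCOUNT UNLOCK;

-- 5. Instead of setting DEFAULT back to UNLIMITED, give tool-driven service
--    accounts a dedicated profile (hypothetical name) with an explicit attempt
--    limit and a timed lock: brute forcing is still throttled, but a
--    misconfigured monitoring tool cannot cause a permanent outage.
CREATE PROFILE svc_profile LIMIT
  failed_login_attempts 10
  password_lock_time    1/24;   -- days; 1/24 = auto-unlock after one hour
ALTER USER app_monitor PROFILE svc_profile;
```

Step 1 is the check to run before and after the upgrade; if DEFAULT shows 10 for FAILED_LOGIN_ATTEMPTS and UNLIMITED for PASSWORD_LOCK_TIME, every account in step 2 can be locked indefinitely by ten bad attempts, which is exactly the OEM behaviour the post warns about.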