DBSecWorx: EXECSEC.SQL

Oracle EXECSEC.SQL Versions: 12.1 - 21c

Overview

Beginning with Oracle Database version 12.1 Oracle added a new file named secconf.sql to the $ORACLE_HOME/rdbms/admin directory that is run by default when a new database is created by not when a database is upgraded using DBUA (Database Upgrade Assistant).

Due to the above it is easily possible to have two different Oracle Databases, both version 12.1, 12.2, 18.3, 19.3, or above and have differences in the security configuration. You must read the full secconf.sql file for the version you are using as a roadmap to understand the differences that may exist in different databases with the exact same version number and, equally important, execsec.sql.

From our standpoint, we find the new Container architecture substantially more secure than the previous legacy architecture and the new Unified Audit Policies created by this script better than legacy auditing.

Use the following to information to help you understand the impact of leveraging secure configuration.

Source Code

File Header

Rem

      Rem $Header: rdbms/admin/execsec.sql /main/5 2020/07/20 01:06:26 dgoddard Exp $

      Rem

      Rem execsec.sql

      Rem

      Rem Copyright (c) 2006, 2014, Oracle and/or its affiliates. 

      Rem All rights reserved.

      Rem

      Rem NAME

      Rem execsec.sql - secure configuration settings

      Rem

      

      Rem DESCRIPTION

      Rem Secure configuration settings for the database include a reasonable

      Rem default password profile, password complexity checks, audit settings

      Rem (enabled, with admin actions audited), and as many revokes from PUBLIC

      Rem as possible. In the first phase, only the default password profile is

      Rem included.

      Rem

      Rem

      Rem NOTES

      Rem 

      

      Note that even though the file header references revokes from PUBLIC ... none take place.

Auditing Version

PROMPT Do you wish to configure 11g style Audit Configuration OR

      PROMPT Do you wish to configure 12c Unified Audit Policies?

      PROMPT Enter RDBMS_11G for former or RDBMS_UNIAUD for latter

      

      When the script is running there will be 3 prompts for input. 11g style Audit Configuration means legacy auditing. 12c Unified Audit Policies is an indication that the new 12c technology should be deployed.

Conclusion

We recommend, in the strongest terms, moving forward from Oracle's legacy architecture to the new Container Database (CDB & PDB) architecture. As part of that move be sure that you improve the manageability and maintainability of your databases by replacing legacy auditing with the new Unified Audit Policies and upgrade using a technique that includes executing the secconf.sql script with or without execsec.sql.