Baanboard.com

#1
9th September 2003, 14:42
petefinnigan
Junior Member
Join Date: Sep 2003
Posts: 19
Baan: none - DB: Oracle - OS: Unix and Windows
Anyone have any BAAN/Oracle security links

Hi everyone

Further to my last thread on the subject of Oracle security, I was wondering if anyone here has any links to any articles, white papers, presentations etc. specifically about BAAN and Oracle security. I would be interested to hear of any. Also, I regularly write papers about Oracle security and would consider getting the ball rolling on BAAN and Oracle security if there are no papers out there already.

thanks

Kind regards

Pete
__________________
--
Pete Finnigan
email: pete@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security information and services
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.

#2
9th September 2003, 15:24
patvdv
Board Master
Join Date: Aug 2001
Location: Belgium
Posts: 2,167
Baan: n/a - DB: n/a - OS: AIX, HP-UX, Linux
Mystery

I think Baan/Oracle security is very much an 'uncharted' area. You would be surprised how many people run their Baan installations with just the defaults. Sometimes with the 'system/manager' login! So any recommendations from your side would be interesting to read.
__________________
Regards,

Patrick Van der Veken - Admin & Founder - (c) 2001-2017 baanboard.com/baanforums.com

#3
9th September 2003, 19:27
Francesco
Guru
Join Date: Aug 2001
Location: Antwerp, BE
Posts: 727
Baan: 5b - DB: Oracle - OS: Solaris
On Baan/Oracle security...

Last Sunday's adventure fits the bill.

This past Sunday we performed a Solaris upgrade (6 -> 8) on our production system.
Although I expected having to relicense Baan in the next 72 days, I was not expecting being completely unable to run _any_ session in Baan without receiving the "too many records in tttxt001" crap.

Because I had to somehow create a new brandfile, I grabbed for brand6.2, only to realize that I had no copy of our validation key anywhere on my laptop.
I called three different people, but nobody had the keys anywhere in their email.

Fortunately I was able to "hack" my way back into Baan, by using a Baan/Oracle security breach. I simply pulled the key information out of table tttiex301000 and was able to generate a new and working key file.

Maybe not the most significant security issue, but since we are on the subject....
__________________
Cheers,

Francesco
..............................................................

Admiral Business Solutions | My World | Baan Board | IT Happens!

"If everyone is thinking alike, then somebody isn't thinking" -- George Patton
"It's easy to cry 'bug' when the truth is that you've got a complex system and sometimes it takes a while to get all the components to co-exist peacefully." -- Doug Vargas

#4
9th September 2003, 23:45
petefinnigan
Junior Member
Join Date: Sep 2003
Posts: 19
Baan: none - DB: Oracle - OS: Unix and Windows

Hi Guys,

Thanks very much for the replies. Francesco, your details of a "hack" are exactly the sort of thing I am interested in for a paper about BAAN / Oracle.

I have a huge amount of info about Oracle security specifically (and a lot of it most probably applies to BAAN installations as well) BUT it is the BAAN specifics that need to be addressed.

It sounds like from what Patvdv says that there is little recorded about BAAN / Oracle security and that a lot of people install BAAN on top of a default Oracle install without changing anything much (surely not true!!).

Bear in mind BAAN is new to me, my area is Oracle so some of what I can offer initially might not be totally relevant. Links to all of these items are on my site at http://www.petefinnigan.com/orasec.htm.

o - The first and most obvious way into an Oracle database is to use one of the default accounts with known default passwords. I wrote a paper for a previous employer that included a default password list. There is a slightly longer password list included with the code for my book "Oracle security step-by-step" published by SANS.

o - The next step would be to run the simple scanner that is included with the paper I wrote for securityfocus.com; as I said, there is a link to this paper on the URL above. It's called "A simple Oracle security scanner". This checks for about 10 common issues.

o - There are a couple of links to check lists produced by Oracle themselves, one for Oracle 9i and 9iR2, they are called "A security checklist for Oracle 9i" and "A security checklist for Oracle 9ir2". Most of what is said applies to Oracle 8 and 8i as well.

o - There are some very good papers on http://www.integrigy.com/resources.htm including an excellent one about securing the Oracle listener. I will be adding links to these shortly to my site.

o - I did a recent paper for securityfocus.com called "An introduction to simple Oracle auditing" that has some SQL to check for some basic abuses such as trying to log on with non-existent users (an indication of hacking), users sharing database accounts and so on. Link in usual place.

There are three books dedicated to Oracle security,

o - "Oracle security step-by-step" by Pete Finnigan - see http://store.sans.org - as it says, a step-by-step guide to check for hundreds of configuration and set-up issues and vulnerabilities. It's a hands-on checklist cookbook.

o - Oracle security - Marlene Theriault - Bill Heney - O'Reilly - Good book, based around theory but some practical, bit dated now.

o - Oracle security handbook - Marlene again and Aaron Newman - Oracle Press - good book, more up to date, again quite a lot of theory.

There is also a chapter in the new Special Ops book by Erik Pace Birkholz et al.

I hope this is a good appetizer. As I said, I would be interested to hear more from you guys about BAAN specific security issues on Oracle and what standard Oracle stuff works for BAAN. Like Francesco's item above - but more importantly the fixes to stop these being used.

hth

kind regards

Pete
__________________
--
Pete Finnigan
email: pete@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security information and services
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
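
An added illustration of the two audit checks mentioned in post #4 (logon attempts naming non-existent users, and database accounts shared by several people). This is not the SQL from the securityfocus.com paper or from anyone in the thread. It assumes Oracle standard auditing is enabled (audit_trail = DB, AUDIT SESSION issued) so that DBA_AUDIT_SESSION is populated.

```sql
-- Added example: assumes audit_trail = DB and AUDIT SESSION are in effect,
-- and that the reviewer can read DBA_AUDIT_SESSION and DBA_USERS.

-- 1. Failed logons that name accounts which do not exist in the database.
--    RETURNCODE 1017 corresponds to ORA-01017 (invalid username/password).
--    Repeated guesses at non-existent names are worth investigating.
SELECT a.username,
       a.os_username,
       a.userhost,
       COUNT(*)         AS failed_attempts,
       MIN(a.timestamp) AS first_seen,
       MAX(a.timestamp) AS last_seen
FROM   dba_audit_session a
WHERE  a.returncode = 1017
AND    NOT EXISTS (SELECT 1
                   FROM   dba_users u
                   WHERE  u.username = a.username)
GROUP  BY a.username, a.os_username, a.userhost
ORDER  BY failed_attempts DESC;

-- 2. Database accounts that logged on successfully (RETURNCODE 0) under
--    more than one operating-system user: a sign the login is shared.
--    An application that connects through one service account will show
--    up here too, so compare the result against the expected baseline.
SELECT a.username,
       COUNT(DISTINCT a.os_username) AS distinct_os_users,
       COUNT(DISTINCT a.userhost)    AS distinct_hosts,
       MAX(a.timestamp)              AS last_logon
FROM   dba_audit_session a
WHERE  a.returncode = 0
GROUP  BY a.username
HAVING COUNT(DISTINCT a.os_username) > 1
ORDER  BY distinct_os_users DESC;
```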