Toad World® Forums

Update DB Health Check

Howdy,

Running the DB Health Check on a 12.1.0.2 database, there appears to be some options that could use updating. e.g.:

-- "Hidden Users" returns ORA-1031 without explicit access to SYS.USER$ as of 12.1.
-- "Built in Oracle or 3rd party users with default passwords" also returns ORA-1031 from SYS.USER$ (could use DBA_USERS_WITH_DEFPWD joined to DBA_USERS instead?).

Also, "Tables with > 5% chained rows and > 500 total rows" will not work in a schema where any table has zero rows, instead returning "ORA-01476: divisor is equal to zero".

More importantly, some of the advice also seems outdated, like "Verify audit_trail=NONE/FALSE", with an explanation including "AUDIT_TRAIL = os | db | db_extended | xml | xml_extended results in Oracle collecting instance wide audit trail information, which adds a slight overhead to all database transactions that might be inadvisable for a production database". One would hope any performance concerns would be mitigated by the need to audit security in a Prod DB. There are similar entries for "timed_statistics = FALSE" and others that I think merit a review as well.

It would also be nice to have options for a CDB/PDB installation, Unified Auditing, and other newer Oracle structures.

Thanks!
Rich

Hey Rich,

"Hidden Users" returns ORA-1031 without explicit access to SYS.USER$ as of 12.1.

I don't know of any other way to check for these. The point is that a bad guy could create a user, then hide it with a mod to dba_users and/or all users.

-- "Built in Oracle or 3rd party users with default passwords"

I never noticed DBA_USERS_WITH_DEFPWD before. That's handy. Not granted to anyone though. :frowning:

I'll take care of the "tables with >5%...." item. That just seems like a bug. And I can update those explanation items too.

Regarding CDB/PDB and Unified Auditing, what kinds of checks were you looking for?