Building an Oracle™ Database

Instead of using the Oracle™ installer or the Database Creation Assistant (dbca) to create your database, use a script that installs the minimum functionality required, and then add the features required by your application. In Oracle™ 10g, you may specify the initial password for SYS and SYSTEM in the CREATE DATABASE statement using the following syntax:

USER SYS IDENTIFIED BY password
USER SYSTEM IDENTIFIED BY password

If you do not specify passwords for SYS and SYSTEM, the default passwords CHANGE_ON_INSTALL and MANAGER will be used. If you use this feature, be sure to set the file permissisons to prohibit access by anyone who is not a member of the DBA group.

Sample script

Oracle™ provides a pair of sample parameter files in the dbs directory of the ORACLE_HOME, init.ora and initdw.ora. The initdw.ora file contains suggested parameters for a warehouse.

Recommended Initalization Parameter Settings

Parameter	Suggested Value	Comment
AUDIT_SYS_OPERATIONS	TRUE	Audits activity of users authenticated as SYSDBA or SYSOPER
AUDIT_TRAIL	DB	In 10g, set to DB,EXTENDED. May also be set to OS, XML or XML,EXTENDED
DISPATCHERS		Unless XDB is in use, remove any reference to (SERVICE=dbsidXDB), as this permits FTP and HTTP connectivity to the database.
GLOBAL_NAME	TRUE	Forces dblink to have the same name as destination db
LDAP_DIRECTORY_ACCESS	NONE	If using OID, set to PASSWORD or SSL
LOCAL_LISTENER	listener_name	Set this parameter if you want the database to register with a listener other than the default listener running on port 1521.
O7_DICTIONARY_ACCESSIBILITY	FALSE	Prevents users with "ANY" (SELECT ANY TABLE, DROP ANY SYNONYM) privileges from using them to access objects in the SYS schema
OS_AUTHENT_PREFIX	""	The default is OPS$. When set to "", database accounts must match operating system accounts for external authentication
OS_ROLES	FALSE	See Oracle Database Advanced Security Administrator's Guide for more information.
REMOTE_LOGIN_PASSWORDFILE	SHARED	Setting value to SHARED enables use of a password file. Setting value to NONE forces operating system authentication.
REMOTE_OS_AUTHENT	FALSE	Do not allow remote operating system authentication
REMOTE_OS_ROLES	FALSE	Do not allow remote operating systems to override database roles
SQL92_SECURITY	TRUE	Requires users to have SELECT privilege ona table when executing UPDATE or DELETE statements.
UTL_FILE_DIR	Do not set	When not set, users cannot create or read files using the UTL_FILE package. If this functionality is required, create an Oracle directory object instead, as you can grant individual read and write privileges. When UTL_FILE_DIR is set, every database user has read and write access to the files in that directory.

Restrict access to all directories associated with the database and the Oracle binaries. Also restrict access to directories where log files, trace files, core files and archived log files may be written, as these files often contain sensitive information.

After building the database, lock the SYS user, and change the passwords for for any users that were created with a default value.