Oracle Default User Password Check for Unix Utilities

Oracle has some big security holes. One of them is that the installer for several utilities and features creates users with well-known default passwords, and third-party software built on Oracle's RDBMS does the same. Here is a quick script to check for the ~600 most common default passwords and the users this problem affects.

The script just compares two lists of users and encrypted password strings: one pulled from the database, one from any of several sites on the internet that publish the default-password list. Other default password checkers require building tables, a bunch of SQL and a lot of hooha for something that any DBA should be able to check in a total of five minutes with a ten line script.

# Oracle default password checking script for Unix utilities.
# - Need DBA privileges to see dba_users and the environment to run
#   Oracle sqlplus.
# - Cut and paste the comma delimited Oracle default password file from
#   http://www.petefinnigan.com/default/oracle_default_passwords.csv
#   into the file default_pw
# - Then run this script. It uses "comm", which needs sorted input files.
#   The result is the list of usernames whose password hash matches a
#   known default.
# - Note: from Oracle 11g on, dba_users.password is no longer populated;
#   the legacy hash has to be read from sys.user$.password instead.

get_user_pw () {
# -S suppresses the banner and prompts; /nolog starts sqlplus without a
# login so the "connect" line below does the authentication.
sqlplus -S /nolog << EOF
connect / as sysdba
set pagesize 0
set feedback off
set heading off
select username, password from dba_users;
exit
EOF
}

# Reduce both lists to "USERNAME HASH" lines and sort them, as comm requires.
# Rows without a hash (NF != 2) can never match and are dropped.
get_user_pw | awk 'NF == 2 {print $1,$2}' | sort > sorted_db_pw
# -F, sets the field separator before the first record is read; assigning
# FS inside the action would only take effect from the second line on.
awk -F, '{print $3,$5}' default_pw | sort > sorted_default_pw

# Lines common to both files are accounts still using a default password.
comm -12 sorted_db_pw sorted_default_pw
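The comparison step above can be exercised without a database, which is useful for checking the pipeline before running it as SYSDBA. The following is an added example, not part of the original script: it wraps the same awk/sort/comm join in a function that takes a dba_users dump and a default-password CSV as files, normalises case on both sides, sorts under a fixed locale so comm never complains about ordering, and skips the CSV header and malformed rows. The sample dump, the CSV layout (column 3 = username, column 5 = hash, matching the `$3,$5` the script assumes) and every hash value are constructed for the demo and are not real Oracle data.

```shell
#!/bin/sh
# Added example: offline version of the comm-based default-password check.

# Constructed sample of what "select username, password from dba_users"
# prints with pagesize 0 (hash values are made up, not real Oracle hashes).
DB_DUMP='SYSTEM 1111111111111111
SCOTT 2222222222222222
OUTLN 3333333333333333
APPUSER 4444444444444444'

# Constructed default-password list in the comma-delimited layout the
# script above assumes: column 3 = username, column 5 = hash.
# The header line and the blank line are there to show they are ignored.
DEFAULT_CSV='product,version,username,password,hash
Oracle,8i,scott,tiger,2222222222222222
Oracle,9i,OUTLN,OUTLN,3333333333333333

Oracle,9i,DBSNMP,DBSNMP,5555555555555555'

# find_default_accounts DB_FILE CSV_FILE
# Prints "USERNAME HASH" for every account whose hash appears in the
# default list. Usernames and hashes are upper-cased on both sides so a
# lower-case entry in the CSV still matches the upper-case DBA_USERS row.
find_default_accounts () {
    db_file=$1
    csv_file=$2
    tmp_db=$(mktemp)
    tmp_def=$(mktemp)

    # Database side: keep only complete "user hash" rows.
    LC_ALL=C awk 'NF == 2 {print toupper($1), toupper($2)}' "$db_file" \
        | LC_ALL=C sort -u > "$tmp_db"

    # CSV side: skip the header (NR > 1) and rows with too few fields.
    LC_ALL=C awk -F, 'NR > 1 && NF >= 5 {print toupper($3), toupper($5)}' \
        "$csv_file" | LC_ALL=C sort -u > "$tmp_def"

    # comm -12 keeps only lines present in both sorted inputs; the same
    # LC_ALL=C is used for sort and comm so their collation orders agree.
    LC_ALL=C comm -12 "$tmp_db" "$tmp_def"

    rm -f "$tmp_db" "$tmp_def"
}

# Demo run over the constructed data. Expected output:
#   OUTLN 3333333333333333
#   SCOTT 2222222222222222
demo_db=$(mktemp)
demo_csv=$(mktemp)
printf '%s\n' "$DB_DUMP" > "$demo_db"
printf '%s\n' "$DEFAULT_CSV" > "$demo_csv"
find_default_accounts "$demo_db" "$demo_csv"
rm -f "$demo_db" "$demo_csv"
```

In production, replace the constructed `DB_DUMP` file with the output of `get_user_pw` and the constructed CSV with the downloaded default-password file. Keep in mind that on Oracle 11g and later `dba_users.password` is empty, so the database side has to be fed from `sys.user$` for the check to find anything.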