8 Replies Latest reply: Jan 17, 2013 8:26 PM by Hemant K Chitale RSS

    Oracle critical controls healthcheck

    user599292
      I am trying to compile a sort of top 5 security checks for an 11g oracle database to set our internal auditors on across our oracle database estate? Which, in your expert opinions as oracle DBA's, are the top 5 most crucial security/access control checks for an oracle database…. Some initial ideas I had from a layman's perspective were 1) application of critical security patches, 2) default database account passwords and 3) weak database account passwords. Can you provide details of any other checks you'd recommend in a top5/6 critical list? I appreciate that weaknesses in applications and host operating systems can expose the database, but I was hoping to keep the list specific to controls within the oracle database…

      Secondly, aside from security specific configurations, if you were doing an overall risk assessment/control healthcheck of an oracle database what would you recommend the top10 checks/controls be for some level of assurance that the availability, confidentiality and integrity of the database isn’t in jeopardy. I know there are some useful oracle hardening and configuration guides but I was more after the most important controls/configurations more than anything. So a top 10 priority list would be brilliant and very interesting.
        • 1. Re: Oracle critical controls healthcheck
          Osama_Mustafa
          there are three competent effect On Security confidential, availability and integrity each one of them has its own description and must be consider when you are secure your application , The First Threats in System or databases is ignorant user , So You must Learn And Put Small Fortune to educate User to teach them how to deal with Internal Network.

          i wrote Once About database threats and you can find this article in my Blog https://osamamustafa.blogspot.com There's lot of threats that could be consider ad critical
          1- escalation of privileges Why should I gave users privileges more than they need
          2 - Unnecessary Services that enable On any Operating system Linux . Unix , or windows
          3 -weak password any company should provide strong Password authentication and this can b done by mutli way in 10g, 11g.
          4 - buffer overflow , and this way of hacking is very effective if you have application and you do so you must try to avoid this way of attack
          5 -SQL injection Which is consider one of Top 10 Vulnerabilities for any databases
          6 -ignore encryption for data

          there's lot more but this is what came to my mind , Secure system starting from the basic steps like password and privileges and let us don't forget auditing is necessary to monitor users and what they do, There's no secure system 100% The Rules For Securing Any System is "If the Attackers Want to hack my system and he will all i can do is make it harder for them" simple rule but true.


          Regards
          Osama
          • 2. Re: Oracle critical controls healthcheck
            Osama_Mustafa
            Just as note you need always check the connecting user on database By Enable audit or triggers Oracle provide lot of oracle security tools such as
                  Data Encryption
                 Virtual Private Database
                 Database Auditing
                 Backup Encryption
                 Export file encryption
                 Proxy Authentication
                 Enterprise User Security
                 Secure Application Roles
                 Fine Grained Auditing
            Also Its good idea to check the below document by oracle :
            http://docs.oracle.com/cd/B28359_01/network.111/b28531/guidelines.htm
            • 3. Re: Oracle critical controls healthcheck
              user599292
              Thanks so far. But people have only listed security controls which I mentioned was not the only thing I want to cover. I am pretty sure security is far from the only risk attribute to a business critical database. What other controls outside of security need to be looked at? I was hoping for some expert input here but even I no backup/restore procedures must be pretty vital controls and definately in a top 15, but people havent even mentioned those.

              Edited by: user599292 on Jan 17, 2013 5:39 AM

              Edited by: user599292 on Jan 17, 2013 5:45 AM
              • 4. Re: Oracle critical controls healthcheck
                Osama_Mustafa
                What other controls outside of security need to be looked at?
                Could you please define and explain what You mean by " controls outside of security"
                • 5. Re: Oracle critical controls healthcheck
                  user599292
                  Osama_mustafa wrote:
                  What other controls outside of security need to be looked at?
                  Could you please define and explain what You mean by " controls outside of security"
                  any control that isnt related to security

                  i.e.

                  changing a default password - security control

                  having an effective backup/restore process - continuity control

                  Its more about risks and subsequent controls. Not every risk to an oracle database can be protected by a security control, I would assume.
                  • 6. Re: Oracle critical controls healthcheck
                    user599292
                    here is a similar kind of thing I am after, for active directory:

                    http://www.microsoft.com/en-gb/download/details.aspx?id=19464

                    Edited by: user599292 on Jan 17, 2013 6:31 AM
                    • 7. Re: Oracle critical controls healthcheck
                      marksmithusa
                      The best database security tips that I've read has been [Pete Finnegan's blog|http://www.petefinnigan.com/weblog/entries/].

                      I'm not entirely sure what you're asking, but I'll make some random guesses if I was to be an auditor. These are the first few things that are off the top of my head...

                      Power roles: make sure no-one has powerful roles - such as DBA - without a justified reason
                      CREATE/SELECT/ALTER ANY privileges: make sure all users/roles who have these privileges need them. The same goes with other powerful privileges: ALTER SYSTEM, ALTER DATABASE, etc
                      WITH ADMIN OPTION: check that anyone with this privilege, especially on important tables, really deserves it
                      User profiles: ensure that individual user accounts have password rules to follow (expiration, etc)
                      User accounts: ensure that anyone who no longer works at the company does not have a user account in any database
                      Database links: do you really need public links and do the linked users really need all that access?
                      • 8. Re: Oracle critical controls healthcheck
                        Hemant K Chitale
                        The bigger Audit firms generally have their own lists of Database and Change Management Controls that they look for. These have evolved over the years, particularly since the introduction of SOX.

                        Some tool vendors also have built in SOX Control checks in their Security tools.

                        A google search for Oracle Database SOX Auditing would also throw up a number of documents.

                        SOX controls are a good starting point. You can then "negotiate down" some of the controls if SOX doesn't apply to your organisation.

                        As for Database Security guidelines specifically, you could start with Chapter 10 of the Security Guide
                        http://docs.oracle.com/cd/E11882_01/network.112/e16543/toc.htm


                        Hemant K Chitale