Re: Questions to ask on an oracle security audit (multiple platforms)

SOLVED
Steven E. Protter
Exalted Contributor

Questions to ask on an oracle security audit (multiple platforms)

I've been asked to prepare a series of questions to ask on an Oracle Security audit. I'm not doing the audit, I'm just pointing out issues that should be addressed.

Note: This covers HP-UX and Linux.

Here is what I have so far:
1) Is the oracle password not the same as the user id? Some other similar ones.
2) Run oracle's RDA tool. This provides a good system overview.
3) Run security_patch_check and then swlist to make sure they are all installed.

What else would you like asked on an audit.

I will wait till the thread cools off and provide solution points(8-10) for suggestions I accept.

Take time to think about your response because multiple answers will not get multiple bunnies.

Any reasonable response will get something though.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Pete Randall
Outstanding Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Steve,

Does Oracle have any specific security/hardening recommendations/patches. If so, I would ask if they have been implemented.


Pete

P.S. You may be able to guess that I don't know squat about Oracle - we're an Informix shop.

Pete
KapilRaj
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

I am no oracle expert, but if I run:

su - oracle
export ORACLE_SID=bla
export ORACLE_HOME=/opt/app/oracle/pro....
sqlplus '/ as sysdba'

I get connected. I think this is a security hole. Fix this (I don't know how to). Also I would prefer the listener to run on a different port than 1521 and with a password.

Regds,

Kaps
Nothing is impossible
Peter Godron
Honored Contributor
Solution

Re: Questions to ask on an oracle security audit (multiple platforms)

Steven,
A whole site dedicated to Oracle Security Audits:
http://www.petefinnigan.com/tools.htm

At the actual DB level I would investigate:
Grants/Roles/Object privileges, especially to PUBLIC or WITH ADMIN OPTION.
Data access ((Materialised) Views/Tables)
What Oracle auditing of DML/DDL commands is running?
How are the backups/redo logs safeguarded?

At a more general level:
Who reviews the audit results/logs ?
Who is receiving the Oracle Security Alerts?
Who controls the listener/webserver configs?


Keith Johnson
Valued Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

This may be included in number 1, but make sure to check for default passwords.
No matter where you go...there you are.
John Poff
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Hi Steven,

In addition to the usual type of password questions (how often are they changed, are they aged, who has access to them), you might ask if they are running any scripts or programs where the Oracle username and password combination show up in the process table. Also, make sure they aren't storing the passwords in a plain text file for use by scripts and programs.

Are the filesystems and directories containing the Oracle data files and programs set with the correct permissions and ownership?

JP


P.S. Bonus question:

How many Oracle DBAs does it take to change a light bulb?

None. It's a hardware problem.

Geoff Wild
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Some things we do:

Can oracle login directly?
Should be no - should have to log in as a real user, then su to oracle.

Is Oracle password verification function enabled?
Should be yes

Do any regular users have SYSDBA privileges?
Should be no

Do Oracle users have passwords that expire?
Should be yes



Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
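The DB-level items raised above (Peter Godron's grants to PUBLIC or WITH ADMIN OPTION, Keith Johnson's default passwords, and Geoff's verification function / SYSDBA / password expiry checks) can all be answered from the data dictionary. The following queries are an added example, not from any post in this thread; they assume a DBA or SELECT_CATALOG_ROLE session and Oracle 11g or later for DBA_USERS_WITH_DEFPWD. Note that V$PWFILE_USERS only lists password-file SYSDBA grants; OS-group authentication (the "/ as sysdba" case above) is controlled by dba group membership on the host, not by anything in the dictionary.

```sql
-- 1. System privileges and roles handed to PUBLIC, or granted WITH ADMIN OPTION
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC' OR admin_option = 'YES'
 ORDER BY grantee, privilege;

SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'PUBLIC' OR admin_option = 'YES'
 ORDER BY grantee, granted_role;

-- 2. Object privileges on PUBLIC that allow changes, or that PUBLIC can re-grant
SELECT owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND (privilege IN ('INSERT', 'UPDATE', 'DELETE', 'EXECUTE') OR grantable = 'YES')
 ORDER BY owner, table_name;

-- 3. Every account that holds SYSDBA or SYSOPER in the password file
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 4. Profiles whose password policy is effectively switched off:
--    no verification function, passwords that never expire, unlimited failed logins.
--    LIMIT is a string column; 'NULL' and 'UNLIMITED' are literal values, and
--    'DEFAULT' means the setting is inherited from the DEFAULT profile (check that too).
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('PASSWORD_VERIFY_FUNCTION', 'PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS')
   AND limit IN ('NULL', 'UNLIMITED')
 ORDER BY profile, resource_name;

-- 5. Which users are attached to those weak profiles (most shops only look at DEFAULT)
SELECT username, profile, account_status, expiry_date
  FROM dba_users
 WHERE account_status NOT LIKE '%LOCKED%'
 ORDER BY profile, username;

-- 6. Open accounts still on a known default password (Oracle 11g and later)
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN'
 ORDER BY d.username;
```

Any row returned by queries 1, 2, 4 and 6 is a finding to explain or fix; query 3 should list only the DBA team's named accounts, and query 5 ties each open user back to the profile whose limits query 4 reported.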
TwoProc
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

An additional one:

Are the tns listener admin accounts password protected (lsnrctl tool)?

For Windows people: Did you turn off the default HTTP (Apache) services that Oracle installed for you (whether you wanted them or not)? Double-check for this on the Windows client systems too.

We are the people our parents warned us about --Jimmy Buffett
Steven E. Protter
Exalted Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Everything looks solution quality thus far.

I especially like the website. After reviewing the site that post looks like a 10.

How many Oracle DBAs does it take to screw in a light bulb?

Answer: More than we budgeted for.

SEP
Sean Dale
Trusted Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

You may want to include something about how security is managed: individually, using roles, etc. We use a role for developers so we only have to make changes to the role and not each of the users. I think it is easier to manage.

Also, what type of disaster recovery is implemented? Data Guard allows you to run multiple standby databases. Are the standby databases at other sites?

Live life everyday