- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: Questions to ask on an oracle security audit (...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-27-2006 09:38 AM
тАО09-27-2006 09:38 AM
Re: Questions to ask on an oracle security audit (multiple platforms)
especially if this is a financial database, you want to get as intrusive as possible because the auditors will show no mercy.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-27-2006 11:45 PM
тАО09-27-2006 11:45 PM
Re: Questions to ask on an oracle security audit (multiple platforms)
Concerning auditing, i should be important to know how many users have dba rights or how many users know accounts that have dba rights.
to be noted that in the Next release of Oracle 10g, there will be a new option named ORACLE AUDIT which will allow you to create realms such that even the DBAs don't have full access! It will also audit every break-in attempts.
You may also include questions on RMAN Backup and how often RMAN recovery is being tested.
will think some more about it during the break!
kind regards
yogeeraj
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-28-2006 12:49 AM
тАО09-28-2006 12:49 AM
Re: Questions to ask on an oracle security audit (multiple platforms)
1. Is the tape data encrypted? If so, how are the keys managed and kept separate from the data?
2. Do the tapes go off-site to secure storage? Where is the backup inventory kept?
3. Are the tapes in a locked box?
4. How secure are the backups from being intercepted and read?
5. What is the lifetime of the data? i.e. how long are the tapes kept for?
6. Is there any tape testing, to ensure that the backup tape really does hold the data you think it does?
7. How often do you audit the support from your Oracle supplier? Service levels etc?
8. Check the table and column privileges within the schemas, to ensure that only authorised users have rights to select/update/delete/insert.
9. Oracle user and password standards vs. corporate authentication/user access control policy.
10. Does the DB server sit behind a firewall? Which ports are open and listening?
11. Your database patching and upgrade policy wrt oracle security alerts and operating system security alerts. - you must prove that you have procedures to back up the policy and that these procedures are being followed.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-28-2006 03:20 AM
тАО09-28-2006 03:20 AM
Re: Questions to ask on an oracle security audit (multiple platforms)
Patti
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-28-2006 03:31 AM
тАО09-28-2006 03:31 AM
Re: Questions to ask on an oracle security audit (multiple platforms)
So one question to ask: Do you encrypt export files...?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-28-2006 03:34 AM
тАО09-28-2006 03:34 AM
Re: Questions to ask on an oracle security audit (multiple platforms)
- which logins are member of the dba and 'orainst' group?
- in which way are passwords applied, which are used by cronjobs or shel scripts (for export purposes e.g.)?
- are they protected against visibility from the ps-command?
mfG Peter
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-28-2006 03:49 AM
тАО09-28-2006 03:49 AM
Re: Questions to ask on an oracle security audit (multiple platforms)
data integrity
data availability
So you should also consider things like change control process over your schema, code and data fixes, checking / monitoring of systems, problem investigation and resolution, DR procedures, etc...
Security is a huge area when you get into it.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-02-2006 05:56 AM
тАО10-02-2006 05:56 AM
Re: Questions to ask on an oracle security audit (multiple platforms)
trying to throw in stuff that has not been mentioned yet or getting more detailed about others:
- Listener Security Guide, quite good stuff:
http://www.integrigy.com/security-resources/whitepapers/Integrigy_Oracle_Listener_TNS_Security.pdf
- If the Application handles the User Connection (i.e. like SAP) there is no need to let the DB be accessible remotely by various SQLPLUS clients in the wild. Firewall-protect the Listener and/or just bind the Listener-port to private LAN adapters for internal use of the application Servers.
- documented procedures how Oracle CPU-patches (critical patch updates) [one every three months] are reviewed and implemented after they become available.
- dbverify procedures and result checks
- periodical restore verification sessions
- Authorized use of the oracle dba-account. This can be done i.e. by completely keep the password of this user a secret, and permit access to this user by granting a sudo access to command "su - oracle" to those who are permitted. If nobody knows the password, nobody can login at all !
Everybody has to login himself first and the sudo action to become oracle is logged.
- Depending on how much "sqlplus" is the standard administration tool -> enforce to use "script" for logging purposes when sqlplus is used. If other tools in place (like SAP brtools) enable personalized logging procedures for these tools.
- the password aspects that have already been mentioned of course.
just my 0.02├в ┬м input
Volker
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-04-2006 02:42 AM
тАО10-04-2006 02:42 AM
Re: Questions to ask on an oracle security audit (multiple platforms)
I realize this is a multiple answer and therefore not worthy of points - that's fine, but I thought it important enough that I should mention it.
I was going through my "SANS NewsBites" newletter this morning and ran across this bite:
"Oracle Security Hardening Checklist Release Announced at NS2006
Security researcher Paul Wright released a draft of the SANS Oracle Security Hardening Checklist, Version 3.1 at his Oracle Security talk at Network Security 2006. This is the most comprehensive document on Oracle Security available on the Internet and is based on the work of Wright, Finnigan, Litchfield, and the SANS SCORE research team. The draft document is released with a 30-day review period; please send comments to score@san.org.
http://www.sans.org/score/oraclechecklist.php "
Pete
Pete
- « Previous
-
- 1
- 2
- Next »