Databases
cancel
Showing results for 
Search instead for 
Did you mean: 

Questions to ask on an oracle security audit (multiple platforms)

SOLVED
Go to solution
Steven E. Protter
Exalted Contributor

Questions to ask on an oracle security audit (multiple platforms)

I've been asked to prepare a series of questions to ask on an Oracle Security audit. I'm not doing the audit, I'm just pointing out issues that should be addressed.

Note: This covers HP-UX and Linux.

Here is what I have so far:
1) Is the oracle password not the same as the user id? Some other similar ones.
2) Run oracle's RDA tool. This provides a good system overview.
3) Run security_patch_check and then swlist to make sure they are all installed.

What else would you like asked on an audit.

I will wait till the thread cools off and provide solution points(8-10) for suggestions I accept.

Take time to think about your response because multiple answers will not get multiple bunnies.

Any reasonable repsonse will get something though.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
18 REPLIES
Pete Randall
Outstanding Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Steve,

Does Oracle have any specific security/hardening recommendations/patches. If so, I would ask if they have been implemented.


Pete

P.S. You may be able to guess that I don't know squat about Oracle - we're an Informix shop.

Pete
KapilRaj
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

I am no oracle expert but if I su - oracle
export ORACLE_SID=bla
export ORACLE_HOME=/opt/app/oracle/pro....

sqlplus ' / as sysdba'

I get connected. I think this is a security hole. Fix this ( I don't know how to). Also I would prefer listener to run on a diffrent port other than 1521 and with a password.

Regds,

Kaps
Nothing is impossible
Peter Godron
Honored Contributor
Solution

Re: Questions to ask on an oracle security audit (multiple platforms)

Steven,
A whole site dedicated to Oracle Security Audits:
http://www.petefinnigan.com/tools.htm

At the actual DB level I would investigate:
Grants/Roles/Object priviledges, especially to public or with admin.
Data access ((Materialised) Views/Tables)
What Oracle audits on DML/DDL commands is running?
How are the backups/redo logs safeguarded?

At a more general level:
Who reviews the audit results/logs ?
Who is receiving the Oracle Security Alerts?
Who controls the listener/webserver configs?


Keith Johnson
Valued Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

This may be included in number 1, but make sure to check for default passwords.
No matter where you go...there you are.
John Poff
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Hi Steven,

In addition to the usual type of password questions (how often are they changed, are they aged, who has access to them), you might ask if they are running any scripts or programs where the Oracle username and password combination show up in the process table. Also, make sure they aren't storing the passwords in a plain text file for use by scripts and programs.

Are the filesystems and directories containing the Oracle data files and programs set with the correct permissions and ownership?

JP


P.S. Bonus question:

How many Oracle DBAs does it take to change a light bulb?

None. It's a hardware problem.

Geoff Wild
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Some things we do:

Can oracle login directly?
Should be no - should have to login as real user the su to oracle.

Is Oracle password verification function enabled?
Should be yes

Do any regular users have SYSDBA privileges?
Should be no

Do Oracle users have passwords that expire?
Should be yes



Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
TwoProc
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

An additional one:

Are the tns listener admin accounts password protected (lsnrctl tool)?

For Windows people: Did you turn off the default http (Apache) services that Oracle installed for you (whether you wanted it or not)? Double check for this on the Windows Client systems?

We are the people our parents warned us about --Jimmy Buffett
Steven E. Protter
Exalted Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Everything looks solution quality thus far.

I especially like the website. After reviewing the site that post looks like a 10.

How many Oracle DBA's does it take to screw in a light bulb?

Answer: More than we budgeted for.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Sean Dale
Trusted Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

You may want to include something about how security is managed: individually, using roles, etc. We use a role for developers so we only have to make changes to the role and not each of the users. I think it is easier to manage.

Also, what type of disaster recovery is implemented? Data Guard allows you to run multiple standby databases. Are the standby databases at other sites?

Live life everyday
Deoncia Grayson_1
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

another thing you might want to check to expound on Peter's answer... you might want to get very database intrusive, which users are granted what rights, who are given write access to what tables, does everyone have read write access?? also who are permitted to add rows outside of the database admins, what procedures do you follow before making a change to database, do they have a change control policy in place?

especially if this is a financial database, you want to get as intrusive as possible because the auditors will show no mercy.

If no one ever took risks, Michelangelo would have painted the Sistine floor. -Neil Simon
Yogeeraj_1
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

hi SEP,

Concerning auditing, i should be important to know how many users have dba rights or how many users know accounts that have dba rights.

to be noted that in the Next release of Oracle 10g, there will be a new option named ORACLE AUDIT which will allow you to create realms such that even the DBAs don't have full access! It will also audit every break-in attempts.

You may also include questions on RMAN Backup and how often RMAN recovery is being tested.


will think some more about it during the break!

kind regards
yogeeraj

No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)
Steve Lewis
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Tape handling procedures. If it gets backed up to disk elsewhere then this may not apply. If its only backed up to disk on-site then what happens when the building is unavailable.

1. Is the tape data encrypted? If so, how are the keys managed and kept separate from the data?
2. Do the tapes go off-site to secure storage? Where is the backup inventory kept?
3. Are the tapes in a locked box?
4. How secure are the backups from being intercepted and read?
5. What is the lifetime of the data? i.e. how long are the tapes kept for?
6. Is there any tape testing, to ensure that the backup tape really does hold the data you think it does?
7. How often do you audit the support from your Oracle supplier? Service levels etc?
8. Check the table and column privileges within the schemas, to ensure that only authorised users have rights to select/update/delete/insert.
9. Oracle user and password standards vs. corporate authentication/user access control policy.
10. Does the DB server sit behind a firewall? Which ports are open and listening?
11. Your database patching and upgrade policy wrt oracle security alerts and operating system security alerts. - you must prove that you have procedures to back up the policy and that these procedures are being followed.
Patti Johnson
Respected Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Oracle also provides a script to check for default passwords for all their products. Download Patch 4926128 to verify if you still have any known userid/password combinations.

Patti
Alzhy
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Only one from me from an experience sometime ago when I got hold of a surplus disk, it contained database export files - and they were not encrypted!

So one question to ask: Do you encrypt export files...?
Hakuna Matata.
Peter Nikitka
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Hi Steven,

- which logins are member of the dba and 'orainst' group?
- in which way are passwords applied, which are used by cronjobs or shel scripts (for export purposes e.g.)?
- are they protected against visibility from the ps-command?

mfG Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
Steve Lewis
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

By the way, I am sure you are aware of this already, but just in case, I noticed that a lot of answers are related to confidentiality. That is only one third of security. The other 2 thirds are:

data integrity
data availability

So you should also consider things like change control process over your schema, code and data fixes, checking / monitoring of systems, problem investigation and resolution, DR procedures, etc...

Security is a huge area when you get into it.
Volker Borowski
Honored Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Hi SEP,

trying to throw in stuff that has not been mentioned yet or getting more detailed about others:

- Listener Security Guide, quite good stuff:
http://www.integrigy.com/security-resources/whitepapers/Integrigy_Oracle_Listener_TNS_Security.pdf

- If the Application handles the User Connection (i.e. like SAP) there is no need to let the DB be accessible remotely by various SQLPLUS clients in the wild. Firewall-protect the Listener and/or just bind the Listener-port to private LAN adapters for internal use of the application Servers.

- documented procedures how Oracle CPU-patches (critical patch updates) [one every three months] are reviewed and implemented after they become available.

- dbverify procedures and result checks

- periodical restore verification sessions

- Authorized use of the oracle dba-account. This can be done i.e. by completely keep the password of this user a secret, and permit access to this user by granting a sudo access to command "su - oracle" to those who are permitted. If nobody knows the password, nobody can login at all !
Everybody has to login himself first and the sudo action to become oracle is logged.

- Depending on how much "sqlplus" is the standard administration tool -> enforce to use "script" for logging purposes when sqlplus is used. If other tools in place (like SAP brtools) enable personalized logging procedures for these tools.

- the password aspects that have already been mentioned of course.

just my 0.02â ¬ input
Volker
Pete Randall
Outstanding Contributor

Re: Questions to ask on an oracle security audit (multiple platforms)

Steve,

I realize this is a multiple answer and therefore not worthy of points - that's fine, but I thought it important enough that I should mention it.

I was going through my "SANS NewsBites" newletter this morning and ran across this bite:

"Oracle Security Hardening Checklist Release Announced at NS2006
Security researcher Paul Wright released a draft of the SANS Oracle Security Hardening Checklist, Version 3.1 at his Oracle Security talk at Network Security 2006. This is the most comprehensive document on Oracle Security available on the Internet and is based on the work of Wright, Finnigan, Litchfield, and the SANS SCORE research team. The draft document is released with a 30-day review period; please send comments to score@san.org.
http://www.sans.org/score/oraclechecklist.php "


Pete

Pete