Hi SEP,
trying to throw in stuff that has not been mentioned yet or getting more detailed about others:
- Listener Security Guide, quite good stuff:
http://www.integrigy.com/security-resources/whitepapers/Integrigy_Oracle_Listener_TNS_Security.pdf- If the Application handles the User Connection (i.e. like SAP) there is no need to let the DB be accessible remotely by various SQLPLUS clients in the wild. Firewall-protect the Listener and/or just bind the Listener-port to private LAN adapters for internal use of the application Servers.
- documented procedures how Oracle CPU-patches (critical patch updates) [one every three months] are reviewed and implemented after they become available.
- dbverify procedures and result checks
- periodical restore verification sessions
- Authorized use of the oracle dba-account. This can be done i.e. by completely keep the password of this user a secret, and permit access to this user by granting a sudo access to command "su - oracle" to those who are permitted. If nobody knows the password, nobody can login at all !
Everybody has to login himself first and the sudo action to become oracle is logged.
- Depending on how much "sqlplus" is the standard administration tool -> enforce to use "script" for logging purposes when sqlplus is used. If other tools in place (like SAP brtools) enable personalized logging procedures for these tools.
- the password aspects that have already been mentioned of course.
just my 0.02├в ┬м input
Volker
