Solved

oracle top 10 healthcheck

Posted on 2013-01-17
618 Views
Last Modified: 2013-02-05
I am trying to compile a sort of top 5 security checks for an 11g oracle database to set our internal auditors on across our oracle database estate. Which, in your expert opinions as oracle DBAs, are the top 5 most crucial security/access control checks for an oracle database? Some initial ideas I had from a layman's perspective were 1) application of critical security patches, 2) default database account passwords and 3) weak database account passwords. Can you provide details of any other checks you'd recommend in a top 5/6 critical list? I appreciate that weaknesses in applications and host operating systems can expose the database, but I was hoping to keep the list specific to controls within the oracle database.

Secondly, aside from security specific configurations, if you were doing an overall risk assessment/control healthcheck of an oracle database what would you recommend the top10 checks/controls be for some level of assurance that the availability, confidentiality and integrity of the database isn’t in jeopardy. I know there are some useful oracle hardening and configuration guides but I was more after the most important controls/configurations more than anything. So a top 10 priority list would be brilliant and very interesting.

So top 5 security controls 1, 2, 3, 4, 5 and top 5 other essential non-security controls, 1, 2, 3, 4, 5
Question by:pma111
12 Comments
 
LVL 36

Accepted Solution

by:
Geert Gruwez earned 250 total points
Are there daily/weekly backups for all critical systems?
Are the backups valid? Have the backups been tested with a restore?
0
 
LVL 3

Author Comment

by:pma111
I was hoping this would be quite an easy question but the lack of response indicates maybe not.

I was hoping for some sort of general consensus on the top 5 critical security controls specific to the database, I'd listed passwords and patches, what else?

Aside from backup/restore are there no other risk areas (outside of security) that require effective controls for a database? There must be absolutely loads....
0
 
LVL 34

Assisted Solution

by:johnsone
johnsone earned 125 total points
Look for privileges granted to PUBLIC on application tables.  You cannot revoke all privileges granted to PUBLIC as some of those are required for Oracle to function properly.

Look for privileges granted to users with the word ANY in them.  They shouldn't need them.
0
 
LVL 22

Assisted Solution

by:Steve Wales
Steve Wales earned 125 total points
Some of the things I've had internal auditors ask me in the past:

They want a list of absolutely every grant done to any user or role and then want explanations for:
 - Anything that has insert/update/delete (if it's an application owner it's acceptable)
 - Anything granted to PUBLIC (as mentioned above some are required, but some are set by default that aren't needed that way)
 - Any account with DBA privilege (as mentioned above, ANY is a key word that should be limited in privs)
 - Are user accounts set to expire passwords regularly (some can't have that happen, I have some apps that break if a password expires)
 - Are accounts setup with password complexity and reuse rules
 - Make sure no account has default password
 - Make sure default accounts not being used are expired.
 - Make sure that your user list is valid - terminated employees have been removed

I'm sure that there are site specific things as well.

Here's a couple of other documents I found (I don't know if you're Unix or Windows) that may give some further ideas:

http://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html
http://www.ordba.net/Articles/HardeningOracleDB.htm
0
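The PUBLIC, ANY, DBA and password items raised in johnsone's and Steve Wales's answers above can be checked directly from the data dictionary. The queries below are an added example (Oracle 11g, run as a DBA), not code from either poster; the lists of Oracle-maintained schemas excluded from the results are an assumption and should be extended with whatever built-in accounts your release installs.

```sql
-- Added example: audit queries for the grant and password checks discussed above.
-- 1. Object privileges granted to PUBLIC on application schemas (not Oracle-owned ones).
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM', 'XDB', 'CTXSYS', 'MDSYS', 'OLAPSYS', 'ORDSYS', 'WMSYS')
 ORDER BY owner, table_name;

-- 2. System privileges containing ANY, plus every holder of the DBA role,
--    excluding the accounts Oracle itself grants them to (assumed exclusion list).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA', 'OUTLN', 'DBSNMP')
UNION ALL
SELECT grantee, 'ROLE: ' || granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM');

-- 3. Accounts still on an Oracle default password, with their current status
--    (an OPEN row here is the finding; EXPIRED & LOCKED rows are the expected state).
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 4. Open accounts whose profile never expires, never verifies or freely reuses passwords.
SELECT u.username, u.profile, p.resource_name, p.limit
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE u.account_status = 'OPEN'
   AND p.resource_name IN ('PASSWORD_LIFE_TIME', 'PASSWORD_VERIFY_FUNCTION', 'PASSWORD_REUSE_MAX')
   AND p.limit IN ('UNLIMITED', 'NULL')
 ORDER BY u.username, p.resource_name;

-- 5. Direct insert/update/delete grants to someone other than the table owner,
--    for the auditor's "explain every DML grant" request.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE privilege IN ('INSERT', 'UPDATE', 'DELETE')
   AND grantee <> owner
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, owner, table_name;
```

Each result set is a list of exceptions to explain or remediate, which is the form auditors usually ask for.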
 
LVL 3

Author Comment

by:pma111
Thanks for the security issues... I'd also be interested in risks to an oracle database that aren't fixed with security controls though...
0
 
LVL 22

Expert Comment

by:Steve Wales
As mentioned in previous replies:

 - Are backups being done.
 - Is the database in archive log mode so that point in time recovery is enabled.
 - Are backups tested regularly
 - Do you have an offsite storage solution for backups
 - Are protocols in place for regular patching as quarterly Critical Updates are released
 - Are archive log files being backed up as well as the database
 - Are monitoring tools in place to monitor DB up/down
 - Are the logs being monitored
 - Are old logs being cleaned up (old trace files being purged after x days, alert log being rolled over on a weekly/monthly basis and oldest ones removed)
 - Tablespace freespace being monitored
 - Disk space on server being monitored
 - Growth trends being monitored / analyzed


What else do you particularly need ?  Your question is pretty vague.
0
 
LVL 3

Author Comment

by:pma111
It's pretty vague as it's not an area of expertise, so I really wanted to learn from the experts what they perceive the critical controls to keep oracle running smoothly - some good answers. It seems basically security, backups and performance mgmt is about it.
0
 
LVL 22

Expert Comment

by:Steve Wales
One other thing that just popped into my head - make sure your database statistics are kept up to date.

The optimizer can make some interesting decisions if it's working off stale statistics.
0
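The availability items in Steve Wales's checklist above (archive log mode, backups, archived logs, tablespace free space) and his stale-statistics point can be verified from the dictionary and the V$ views. The queries below are an added example (Oracle 11g, run as a DBA), not code from the poster; the 7-day backup window and the 10% free-space threshold are assumed values to adjust to your own service levels.

```sql
-- Added example: health-check queries for the operational items discussed above.
-- 1. Point-in-time recovery is only possible when the database is in ARCHIVELOG mode.
SELECT name, log_mode FROM v$database;

-- 2. RMAN backup runs in the last 7 days (assumed window) and whether each completed.
SELECT session_key, input_type, status,
       TO_CHAR(start_time, 'YYYY-MM-DD HH24:MI') AS started,
       ROUND(elapsed_seconds / 60) AS minutes
  FROM v$rman_backup_job_details
 WHERE start_time > SYSDATE - 7
 ORDER BY start_time DESC;

-- 3. Archived logs that exist on disk but have never been backed up:
--    without them the datafile backups cannot be rolled forward.
SELECT COUNT(*) AS archlogs_not_backed_up
  FROM v$archived_log
 WHERE backup_count = 0
   AND deleted = 'NO';

-- 4. Tablespaces with less than 10% free (assumed threshold) within their current datafiles.
SELECT d.tablespace_name,
       ROUND(SUM(d.bytes) / 1048576) AS total_mb,
       ROUND(NVL(f.free_bytes, 0) / 1048576) AS free_mb,
       ROUND(100 * NVL(f.free_bytes, 0) / SUM(d.bytes), 1) AS pct_free
  FROM dba_data_files d
  LEFT JOIN (SELECT tablespace_name, SUM(bytes) AS free_bytes
               FROM dba_free_space
              GROUP BY tablespace_name) f
    ON f.tablespace_name = d.tablespace_name
 GROUP BY d.tablespace_name, f.free_bytes
HAVING 100 * NVL(f.free_bytes, 0) / SUM(d.bytes) < 10
 ORDER BY pct_free;

-- 5. Application tables whose optimizer statistics are stale or were never gathered.
SELECT owner, table_name, last_analyzed, stale_stats
  FROM dba_tab_statistics
 WHERE object_type = 'TABLE'
   AND owner NOT IN ('SYS', 'SYSTEM')
   AND (stale_stats = 'YES' OR last_analyzed IS NULL)
 ORDER BY owner, table_name;
```

Query 4 ignores autoextend headroom, so a tablespace it flags may still grow; treat it as a prompt to check the datafile settings rather than as an outage by itself.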
 
LVL 34

Expert Comment

by:johnsone
You have mentioned security checks and auditors.  That is why I stayed away from logs, backups, archives, space utilization, etc.  I tried to stay within the topic of an audit.  Those aren't typically things that auditors care about.

Also, the quarterly critical updates are not necessarily applied.  There can be application restrictions on this, especially if you are using a third party application.
0
 
LVL 3

Author Comment

by:pma111
Sorry, just more a general risk assessment and healthcheck than a security audit was what I was looking at, i.e. any issues which can affect the database running smoothly OR being compromised.
0
 
LVL 36

Assisted Solution

by:Geert Gruwez
Geert Gruwez earned 250 total points
If your database requires auditors checking then I assume your company and the database have to be SOX compliant.

> is disaster recovery in place ? (also referred to as a DR solution)
> when a disaster happens can the database be restored within a certain time
> do you have backups for everyone to do all the tasks for disaster recovery
>> by backups i mean 2 people
>> do the backups have procedures they can follow for the disaster recovery?

> sox compliant database:
http://www.s-ox.com/dsp_getFeaturesDetails.cfm?CID=448
http://www.devx.com/enterprise/Article/29991
0
 
LVL 28

Expert Comment

by:Naveen Kumar
Also, database links from PROD to DEV/SIT/QA/UAT databases should not be there.
Open schema accounts used by application support teams should not be there.
The production database should only be connectable by users/apps from PROD/DR hosts/environments.
0