Solved

oracle top 10 healthcheck

Posted on 2013-01-17
12
Medium Priority
627 Views
Last Modified: 2013-02-05
I am trying to compile a sort of top 5 security checks for an 11g Oracle database to set our internal auditors on across our Oracle database estate. Which, in your expert opinions as Oracle DBAs, are the top 5 most crucial security/access control checks for an Oracle database? Some initial ideas I had from a layman's perspective were 1) application of critical security patches, 2) default database account passwords and 3) weak database account passwords. Can you provide details of any other checks you'd recommend in a top 5/6 critical list? I appreciate that weaknesses in applications and host operating systems can expose the database, but I was hoping to keep the list specific to controls within the Oracle database.

Secondly, aside from security specific configurations, if you were doing an overall risk assessment/control healthcheck of an Oracle database, what would you recommend the top 10 checks/controls be for some level of assurance that the availability, confidentiality and integrity of the database isn't in jeopardy? I know there are some useful Oracle hardening and configuration guides but I was more after the most important controls/configurations more than anything. So a top 10 priority list would be brilliant and very interesting.

So top 5 security controls 1, 2, 3, 4, 5 and top 5 other essential non-security controls, 1, 2, 3, 4, 5
0
12 Comments
 
LVL 38

Accepted Solution

by:
Geert Gruwez earned 1000 total points
ID: 38786825
Are there daily/weekly backups for all critical systems?
Are the backups valid? Have the backups been tested with a restore?
0
 
LVL 3

Author Comment

by:pma111
ID: 38787173
I was hoping this would be quite an easy question but the lack of response indicates maybe not.

I was hoping for some sort of general consensus on the top 5 critical security controls specific to the database, I'd listed passwords and patches, what else?

Aside from backup/restore are there no other risk areas (outside of security) that require effective controls for a database? There must be absolutely loads....
0
 
LVL 35

Assisted Solution

by:johnsone
johnsone earned 500 total points
ID: 38787260
Look for privileges granted to PUBLIC on application tables.  You cannot revoke all privileges granted to PUBLIC as some of those are required for Oracle to function properly.

Look for privileges granted to users with the word ANY in them.  They shouldn't need them.
0
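As an added example (not from the thread), the two findings above expressed as Oracle data-dictionary queries: object privileges granted to PUBLIC outside Oracle-supplied schemas, and ANY system privileges held either directly or through nested roles. Using DBA_REGISTRY to recognise Oracle component schemas, and the hard-coded exclusion list, are assumptions to adjust for your own estate.

```sql
-- Added example: data-dictionary checks for the PUBLIC and ANY findings.
-- Run as a DBA-privileged account. Schema exclusions are a heuristic:
-- DBA_REGISTRY lists Oracle component schemas, the hard-coded names cover
-- built-in accounts it does not list; extend both for your estate.

-- 1. Object privileges granted to PUBLIC on non-Oracle schemas.
--    Everything returned is an application grant someone must justify.
SELECT p.owner, p.table_name, p.privilege, p.grantor
  FROM dba_tab_privs p
 WHERE p.grantee = 'PUBLIC'
   AND p.owner NOT IN (SELECT schema FROM dba_registry)
   AND p.owner NOT IN ('SYS', 'SYSTEM', 'OUTLN', 'DBSNMP')
 ORDER BY p.owner, p.table_name, p.privilege;

-- 2. ANY system privileges granted directly to user accounts.
SELECT s.grantee, s.privilege, s.admin_option
  FROM dba_sys_privs s
  JOIN dba_users u ON u.username = s.grantee
 WHERE s.privilege LIKE '%ANY%'
   AND s.grantee NOT IN (SELECT schema FROM dba_registry)
   AND s.grantee NOT IN ('SYS', 'SYSTEM', 'OUTLN', 'DBSNMP')
 ORDER BY s.grantee, s.privilege;

-- 3. ANY system privileges reachable through role chains.
--    Walk DBA_ROLE_PRIVS from each user down through nested roles,
--    then join every role reached to its system privileges.
WITH role_paths AS (
  SELECT CONNECT_BY_ROOT grantee AS username,
         granted_role,
         SYS_CONNECT_BY_PATH(granted_role, ' -> ') AS role_chain
    FROM dba_role_privs
   START WITH grantee IN (SELECT username FROM dba_users)
 CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
SELECT DISTINCT rp.username, s.privilege, rp.role_chain
  FROM role_paths rp
  JOIN dba_sys_privs s ON s.grantee = rp.granted_role
 WHERE s.privilege LIKE '%ANY%'
   AND rp.username NOT IN (SELECT schema FROM dba_registry)
   AND rp.username NOT IN ('SYS', 'SYSTEM', 'OUTLN', 'DBSNMP')
 ORDER BY rp.username, s.privilege;
```

Query 3 is the one auditors usually miss: a user with no direct ANY grant can still hold one through a role granted to a role, and the role_chain column shows the path to revoke.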
 
LVL 22

Assisted Solution

by:Steve Wales
Steve Wales earned 500 total points
ID: 38787634
Some of the things I've had internal auditors ask me in the past:

They want a list of absolutely every grant done to any user or role and then want explanations for:
 - Anything that has insert/update/delete (if it's an application owner it's acceptable)
 - Anything granted to PUBLIC (as mentioned above some are required, but some are set by default that aren't needed that way)
 - Any account with DBA privilege (as mentioned above, ANY is a key word that should be limited in privs)
 - Are user accounts set to expire passwords regularly (some can't have that happen, I have some apps that break if a password expires)
 - Are accounts set up with password complexity and reuse rules
 - Make sure no account has default password
 - Make sure default accounts not being used are expired.
 - Make sure that your user list is valid - terminated employees have been removed

I'm sure that there are site specific things as well.

Here's a couple of other documents I found (I don't know if you're Unix or Windows) that may give some further ideas:

http://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html
http://www.ordba.net/Articles/HardeningOracleDB.htm
0
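The account and password items in that auditor list, as an added example that is not part of the original answer: default passwords, open Oracle-supplied accounts, DBA role holders, and profiles whose password controls are switched off. DBA_USERS_WITH_DEFPWD is an 11g view; treating DBA_REGISTRY schemas as "Oracle-supplied" is an assumption to refine per site.

```sql
-- Added example: account and password checks matching the auditor list.
-- Run as a DBA-privileged account on 11g or later.

-- 1. Accounts still using an Oracle default password, with their state.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Oracle-supplied accounts that are neither locked nor expired.
--    SYS and SYSTEM are expected to be open and are excluded.
SELECT u.username, u.account_status, u.profile, u.expiry_date
  FROM dba_users u
 WHERE u.username IN (SELECT schema FROM dba_registry)
   AND u.username NOT IN ('SYS', 'SYSTEM')
   AND u.account_status NOT LIKE '%LOCKED%'
   AND u.account_status NOT LIKE '%EXPIRED%'
 ORDER BY u.username;

-- 3. Accounts holding the DBA role directly, other than SYS/SYSTEM.
SELECT r.grantee, r.admin_option, r.default_role
  FROM dba_role_privs r
  JOIN dba_users u ON u.username = r.grantee
 WHERE r.granted_role = 'DBA'
   AND r.grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY r.grantee;

-- 4. Password controls switched off per profile: no expiry, no reuse
--    limit, no complexity function, unlimited failed logins. LIMIT is a
--    string column, so UNLIMITED and NULL are compared as text. A LIMIT
--    of DEFAULT inherits from the DEFAULT profile, so review that first.
SELECT p.profile, p.resource_name, p.limit,
       (SELECT COUNT(*) FROM dba_users u
         WHERE u.profile = p.profile) AS user_count
  FROM dba_profiles p
 WHERE p.resource_type = 'PASSWORD'
   AND p.resource_name IN ('PASSWORD_LIFE_TIME', 'PASSWORD_REUSE_MAX',
                           'PASSWORD_REUSE_TIME', 'PASSWORD_VERIFY_FUNCTION',
                           'FAILED_LOGIN_ATTEMPTS')
   AND p.limit IN ('UNLIMITED', 'NULL')
 ORDER BY p.profile, p.resource_name;
```

The user_count column in query 4 tells you how many accounts a weak profile setting actually affects, which is what turns a configuration finding into a prioritised one.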
 
LVL 3

Author Comment

by:pma111
ID: 38787652
Thanks for the security issues... I'd also be interested in risks to an oracle database that aren't fixed with security controls though...
0
 
LVL 22

Expert Comment

by:Steve Wales
ID: 38787718
As mentioned in previous replies:

 - Are backups being done.
 - Is the database in archive log mode so that point in time recovery is enabled.
 - Are backups tested regularly
 - Do you have an offsite storage solution for backups
 - Are protocols in place for regular patching as quarterly Critical Updates are released
 - Are archive log files being backed up as well as the database
 - Are monitoring tools in place to monitor DB up/down
 - Are the logs being monitored
 - Are old logs being cleaned up (old trace files being purged after x days, alert log being rolled over on a weekly/monthly basis and oldest ones removed)
 - Tablespace freespace being monitored
 - Disk space on server being monitored
 - Growth trends being monitored / analyzed


What else do you particularly need ?  Your question is pretty vague.
0
 
LVL 3

Author Comment

by:pma111
ID: 38787754
It's pretty vague as it's not an area of expertise, so I really wanted to learn from the experts what they perceive the critical controls to keep Oracle running smoothly - some good answers. It seems basically security, backups and performance mgmt is about it.
0
 
LVL 22

Expert Comment

by:Steve Wales
ID: 38787799
One other thing that just popped into my head - make sure your database statistics are kept up to date.

The optimizer can make some interesting decisions if it's working off stale statistics.
0
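As an added example (not from either comment), the availability items in the checklist above and the stale-statistics point turned into dictionary queries: recovery mode, last RMAN job per backup type, archived logs not yet backed up, tablespaces near their ceiling, and schemas with stale or missing statistics. The 85 percent threshold and the schema exclusions are assumptions to tune per site.

```sql
-- Added example: operational health checks. Run as a DBA account.

-- 1. Recovery mode: point-in-time recovery requires ARCHIVELOG.
SELECT name, log_mode FROM v$database;

-- 2. Most recent RMAN job per input type, with age and outcome.
--    A status other than COMPLETED, or a large days_since, is a finding.
SELECT input_type, status, start_time, end_time,
       ROUND(SYSDATE - end_time, 1) AS days_since
  FROM (SELECT b.*,
               ROW_NUMBER() OVER (PARTITION BY b.input_type
                                  ORDER BY b.end_time DESC) AS rn
          FROM v$rman_backup_job_details b)
 WHERE rn = 1;

-- 3. Archived logs on disk that no backup has captured yet
--    (answers "are archive logs being backed up as well as the database").
SELECT COUNT(*) AS archived_logs_not_backed_up,
       MIN(completion_time) AS oldest_unprotected
  FROM v$archived_log
 WHERE deleted = 'NO'
   AND backup_count = 0;

-- 4. Tablespaces close to their maximum size. USED_PERCENT here is
--    relative to the autoextend ceiling, not the currently allocated size,
--    so it reflects the point at which inserts would actually fail.
SELECT tablespace_name,
       ROUND(used_percent, 1) AS used_pct_of_max
  FROM dba_tablespace_usage_metrics
 WHERE used_percent > 85
 ORDER BY used_percent DESC;

-- 5. Application schemas with stale optimizer statistics, plus
--    tables/partitions never analysed at all (LAST_ANALYZED is null).
SELECT owner,
       SUM(CASE WHEN stale_stats = 'YES' THEN 1 ELSE 0 END) AS stale_objects,
       SUM(CASE WHEN last_analyzed IS NULL THEN 1 ELSE 0 END) AS never_analysed,
       MIN(last_analyzed) AS oldest_analysis
  FROM dba_tab_statistics
 WHERE owner NOT IN (SELECT schema FROM dba_registry)
   AND owner NOT IN ('SYS', 'SYSTEM', 'OUTLN', 'DBSNMP')
 GROUP BY owner
HAVING SUM(CASE WHEN stale_stats = 'YES' THEN 1 ELSE 0 END) > 0
    OR SUM(CASE WHEN last_analyzed IS NULL THEN 1 ELSE 0 END) > 0
 ORDER BY stale_objects DESC;
```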
 
LVL 35

Expert Comment

by:johnsone
ID: 38787807
You have mentioned security checks and auditors.  That is why I stayed away from logs, backups, archives, space utilization, etc.  I tried to stay within the topic of an audit.  Those aren't typically things that auditors care about.

Also, the quarterly critical updates are not necessarily applied.  There can be application restrictions on this, especially if you are using a third party application.
0
 
LVL 3

Author Comment

by:pma111
ID: 38787837
Sorry, just more a general risk assessment and healthcheck than a security audit was what I was looking at, i.e. any issues which can affect the database running smoothly OR being compromised.
0
 
LVL 38

Assisted Solution

by:Geert Gruwez
Geert Gruwez earned 1000 total points
ID: 38792030
If your database requires auditors checking then I assume your company and the database have to be SOX compliant.

> Is disaster recovery in place? (also referred to as a DR solution)
> When a disaster happens, can the database be restored within a certain time?
> Do you have backups for everyone to do all the tasks for disaster recovery?
>> By backups I mean 2 people.
>> Do the backups have procedures they can follow for the disaster recovery?

> SOX compliant database:
http://www.s-ox.com/dsp_getFeaturesDetails.cfm?CID=448
http://www.devx.com/enterprise/Article/29991
0
 
LVL 28

Expert Comment

by:Naveen Kumar
ID: 38799619
Also, database links from PROD to DEV/SIT/QA/UAT databases should not be there.
Open schema accounts used by application support teams should not be there.
The production database should be able to be connected to by users/apps only from PROD/DR hosts/environments.
0
