oracle top 10 healthcheck

Posted on 2013-01-17
Medium Priority
Last Modified: 2013-02-05
I am trying to compile a sort of top 5 security checks for an 11g Oracle database to set our internal auditors on across our Oracle database estate. Which, in your expert opinions as Oracle DBAs, are the top 5 most crucial security/access control checks for an Oracle database? Some initial ideas I had from a layman's perspective were 1) application of critical security patches, 2) default database account passwords and 3) weak database account passwords. Can you provide details of any other checks you'd recommend in a top 5/6 critical list? I appreciate that weaknesses in applications and host operating systems can expose the database, but I was hoping to keep the list specific to controls within the Oracle database.

Secondly, aside from security-specific configurations, if you were doing an overall risk assessment/control healthcheck of an Oracle database, what would you recommend the top 10 checks/controls be for some level of assurance that the availability, confidentiality and integrity of the database isn't in jeopardy? I know there are some useful Oracle hardening and configuration guides, but I was more after the most important controls/configurations than anything. So a top 10 priority list would be brilliant and very interesting.

So top 5 security controls 1, 2, 3, 4, 5 and top 5 other essential non-security controls 1, 2, 3, 4, 5.
Question by: pma111
Accepted Solution

Geert Gruwez earned 1000 total points
ID: 38786825
Are there daily/weekly backups for all critical systems?
Are the backups valid? Have the backups been tested with a restore?

Author Comment

ID: 38787173
I was hoping this would be quite an easy question but the lack of response indicates maybe not.

I was hoping for some sort of general consensus on the top 5 critical security controls specific to the database, I'd listed passwords and patches, what else?

Aside from backup/restore are there no other risk areas (outside of security) that require effective controls for a database? There must be absolutely loads....
Assisted Solution

johnsone earned 500 total points
ID: 38787260
Look for privileges granted to PUBLIC on application tables. You cannot revoke all privileges granted to PUBLIC as some of those are required for Oracle to function properly.

Look for privileges granted to users with the word ANY in them.  They shouldn't need them.
Assisted Solution

by:Steve Wales
Steve Wales earned 500 total points
ID: 38787634
Some of the things I've had internal auditors ask me in the past:

They want a list of absolutely every grant done to any user or role and then want explanations for:
 - Anything that has insert/update/delete (if it's an application owner it's acceptable)
 - Anything granted to PUBLIC (as mentioned above some are required, but some are set by default that aren't needed that way)
 - Any account with DBA privilege (as mentioned above, ANY is a key word that should be limited in privs)
 - Are user accounts set to expire passwords regularly (some can't have that happen; I have some apps that break if a password expires)
 - Are accounts set up with password complexity and reuse rules
 - Make sure no account has a default password
 - Make sure default accounts not being used are expired
 - Make sure that your user list is valid: terminated employees have been removed

I'm sure that there are site specific things as well.

Here are a couple of other documents I found (I don't know if you're Unix or Windows) that may give some further ideas:
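The privilege and account checks johnsone and Steve Wales describe above (PUBLIC grants, ANY privileges, DBA role holders, DML grants, default passwords, password policy) can be pulled straight from the data dictionary. The following SQL*Plus script is an added example, not code from the thread; it assumes a session with SELECT on the DBA_* views of an 11g database, and the lists of Oracle-supplied schemas and roles it excludes are an assumption you should extend for your own installation.

```sql
-- Constructed audit queries (added example, not from the thread). Assumes a
-- session with SELECT on the DBA_* views of an 11g database; the schema and
-- role exclusion lists are assumptions to extend for your own installation.
SET LINESIZE 200 PAGESIZE 100

-- 1. Object privileges granted to PUBLIC on application schemas.
SELECT owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS','SYSTEM','XDB','CTXSYS','MDSYS','ORDSYS',
                     'WMSYS','EXFSYS','DBSNMP','OUTLN')
 ORDER BY owner, table_name;

-- 2. System privileges containing ANY, outside the Oracle-supplied roles.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS','SYSTEM','DBA','IMP_FULL_DATABASE','EXP_FULL_DATABASE',
                       'DATAPUMP_IMP_FULL_DATABASE','DATAPUMP_EXP_FULL_DATABASE')
 ORDER BY grantee, privilege;

-- 3. Direct grantees of the DBA role.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA';

-- 4. INSERT/UPDATE/DELETE granted to someone other than the schema owner
--    (PUBLIC included); each row needs an explanation from the auditee.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE privilege IN ('INSERT','UPDATE','DELETE')
   AND grantee <> owner
   AND owner NOT IN ('SYS','SYSTEM')
 ORDER BY grantee, owner, table_name;

-- 5. Accounts still on an Oracle default password (11g view), with status.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 6. Password expiry, complexity and reuse settings per profile.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('PASSWORD_LIFE_TIME','PASSWORD_VERIFY_FUNCTION',
                         'PASSWORD_REUSE_MAX','PASSWORD_REUSE_TIME',
                         'FAILED_LOGIN_ATTEMPTS')
 ORDER BY profile, resource_name;
```

Query 5 returning any OPEN account is the "default password" finding; query 6 showing UNLIMITED for PASSWORD_LIFE_TIME or NULL for PASSWORD_VERIFY_FUNCTION is the "no expiry/complexity" finding.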


Author Comment

ID: 38787652
Thanks for the security issues... I'd also be interested in risks to an Oracle database that aren't fixed with security controls though...
Expert Comment

by:Steve Wales
ID: 38787718
As mentioned in previous replies:

 - Are backups being done?
 - Is the database in archive log mode so that point-in-time recovery is enabled?
 - Are backups tested regularly?
 - Do you have an offsite storage solution for backups?
 - Are protocols in place for regular patching as quarterly Critical Updates are released?
 - Are archive log files being backed up as well as the database?
 - Are monitoring tools in place to monitor DB up/down?
 - Are the logs being monitored?
 - Are old logs being cleaned up (old trace files being purged after x days, alert log being rolled over on a weekly/monthly basis and oldest ones removed)?
 - Tablespace free space being monitored
 - Disk space on server being monitored
 - Growth trends being monitored / analyzed

What else do you particularly need? Your question is pretty vague.

Author Comment

ID: 38787754
It's pretty vague as it's not an area of expertise, so I really wanted to learn from the experts what they perceive the critical controls to keep Oracle running smoothly. Some good answers. It seems basically security, backups and performance mgmt is about it.
Expert Comment

by:Steve Wales
ID: 38787799
One other thing that just popped into my head - make sure your database statistics are kept up to date.

The optimizer can make some interesting decisions if it's working off stale statistics.
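Several of the operational checks in Steve Wales' two replies above (archive log mode, backups being run, archived logs being backed up, tablespace free space, stale statistics) are answerable from the dictionary and V$ views. This is an added example, not code from the thread; it assumes a DBA session on an 11g database, and the 14-day window and 85% threshold are arbitrary assumptions to tune for your own estate.

```sql
-- Constructed health-check queries (added example, not from the thread).
-- Assumes a DBA session on 11g; all views are standard (V$DATABASE,
-- V$RMAN_BACKUP_JOB_DETAILS, V$ARCHIVED_LOG, DBA_TABLESPACE_USAGE_METRICS,
-- DBA_TAB_STATISTICS). The 14-day window and 85% threshold are assumptions.

-- 1. Point-in-time recovery is only possible in ARCHIVELOG mode.
SELECT name, log_mode, flashback_on FROM v$database;

-- 2. RMAN jobs in the last two weeks: any FAILED rows, or a gap in the
--    dates, means "are backups being done" has a bad answer.
SELECT input_type, status, start_time, end_time, output_bytes_display
  FROM v$rman_backup_job_details
 WHERE start_time > SYSDATE - 14
 ORDER BY start_time DESC;

-- 3. Archived logs still on disk that no backup has ever picked up.
SELECT COUNT(*) AS unbacked_logs, MIN(completion_time) AS oldest
  FROM v$archived_log
 WHERE backup_count = 0
   AND deleted = 'NO'
   AND standby_dest = 'NO';

-- 4. Tablespaces running short of space (sizes are in database blocks).
SELECT tablespace_name, used_space, tablespace_size,
       ROUND(used_percent, 1) AS used_pct
  FROM dba_tablespace_usage_metrics
 WHERE used_percent > 85
 ORDER BY used_percent DESC;

-- 5. Application tables the optimizer is planning against stale statistics.
SELECT owner, table_name, last_analyzed, stale_stats
  FROM dba_tab_statistics
 WHERE stale_stats = 'YES'
   AND owner NOT IN ('SYS','SYSTEM')
 ORDER BY last_analyzed NULLS FIRST, owner, table_name;
```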
Expert Comment

ID: 38787807
You have mentioned security checks and auditors. That is why I stayed away from logs, backups, archives, space utilization, etc. I tried to stay within the topic of an audit. Those aren't typically things that auditors care about.

Also, the quarterly critical updates are not necessarily applied.  There can be application restrictions on this, especially if you are using a third party application.

Author Comment

ID: 38787837
Sorry, just more of a general risk assessment and healthcheck than a security audit was what I was looking at, i.e. any issues which can affect the database running smoothly OR being compromised.
Assisted Solution

by:Geert Gruwez
Geert Gruwez earned 1000 total points
ID: 38792030
If your database requires auditors checking then I assume your company and the database have to be SOX compliant.

> Is disaster recovery in place? (also referred to as a DR solution)
> When a disaster happens, can the database be restored within a certain time?
> Do you have backups for everyone to do all the tasks for disaster recovery?
>> By backups I mean 2 people
>> Do the backups have procedures they can follow for the disaster recovery?

> SOX compliant database:
Expert Comment

by:Naveen Kumar
ID: 38799619
Also, database links from PROD to DEV/SIT/QA/UAT databases should not be there.
Open schema accounts used by application support teams should not be there.
The production database should be connectable by users/apps only from PROD/DR hosts/environments.
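The two connectivity checks above (no links from production into non-production, and connections only from production/DR hosts) can be evidenced with the queries below. This is an added example, not code from the thread; it assumes a DBA session, and the DEV/SIT/QA/UAT pattern is an assumption about how non-production TNS aliases and hosts are named in your estate.

```sql
-- Constructed connectivity queries (added example, not from the thread).
-- Assumes a DBA session; the DEV/SIT/QA/UAT naming pattern is an assumption
-- about how non-production connect strings are named.

-- 1. Every database link, with the remote account it authenticates as.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY owner, db_link;

-- 2. Links whose connect string points at a non-production environment.
SELECT owner, db_link, host
  FROM dba_db_links
 WHERE REGEXP_LIKE(host, '(DEV|SIT|QA|UAT)', 'i');

-- 3. Client hosts currently connected, per account, to spot sessions that
--    do not originate from the PROD/DR hosts.
SELECT username, machine, program, COUNT(*) AS sessions
  FROM v$session
 WHERE type = 'USER'
   AND username IS NOT NULL
 GROUP BY username, machine, program
 ORDER BY username, machine;
```

Query 3 is a point-in-time snapshot; for a historical view, the same MACHINE/USERHOST detail is in the audit trail if session auditing is enabled.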
