• Status: Solved
  • Priority: Medium
  • Security: Public

Oracle top 10 healthcheck

I am trying to compile a sort of top 5 security checks for an 11g Oracle database to set our internal auditors on across our Oracle database estate. Which, in your expert opinions as Oracle DBAs, are the top 5 most crucial security/access control checks for an Oracle database? Some initial ideas I had from a layman's perspective were 1) application of critical security patches, 2) default database account passwords and 3) weak database account passwords. Can you provide details of any other checks you'd recommend in a top 5/6 critical list? I appreciate that weaknesses in applications and host operating systems can expose the database, but I was hoping to keep the list specific to controls within the Oracle database.

Secondly, aside from security-specific configurations, if you were doing an overall risk assessment/control healthcheck of an Oracle database, what would you recommend the top 10 checks/controls be for some level of assurance that the availability, confidentiality and integrity of the database isn't in jeopardy? I know there are some useful Oracle hardening and configuration guides, but I was more after the most important controls/configurations more than anything. So a top 10 priority list would be brilliant and very interesting.

So: top 5 security controls 1, 2, 3, 4, 5 and top 5 other essential non-security controls 1, 2, 3, 4, 5.
4 Solutions
 
Geert Gruwez, Oracle DBA, commented:
Are there daily/weekly backups for all critical systems?
Are the backups valid? Have the backups been tested with a restore?
 
pma111 (Author) commented:
I was hoping this would be quite an easy question but the lack of response indicates maybe not.

I was hoping for some sort of general consensus on the top 5 critical security controls specific to the database, I'd listed passwords and patches, what else?

Aside from backup/restore are there no other risk areas (outside of security) that require effective controls for a database? There must be absolutely loads....
 
johnsone, Senior Oracle DBA, commented:
Look for privileges granted to PUBLIC on application tables.  You cannot revoke all privileges granted to PUBLIC as some of those are required for Oracle to function properly.

Look for privileges granted to users with the word ANY in them.  They shouldn't need them.
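The two checks in this answer can be turned into data-dictionary queries. The following is an added example, not code from the thread or from any of the posters; it assumes an Oracle 11g database and a user with SELECT access to the DBA_* views, and the list of Oracle-maintained schemas it excludes is an assumption to be extended per site (11g has no ORACLE_MAINTAINED flag to do this automatically).

```sql
-- Added example: privilege review for PUBLIC grants and ANY privileges (Oracle 11g).
-- The excluded-schema list is an assumption; extend it for the options installed locally.

-- 1. Object privileges granted to PUBLIC outside Oracle-maintained schemas.
--    Grants on SYS/SYSTEM objects are mostly required, so they are filtered out
--    and only application-schema exposure is listed.
SELECT owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM', 'XDB', 'CTXSYS', 'MDSYS', 'ORDSYS',
                     'WMSYS', 'EXFSYS', 'DBSNMP', 'OUTLN', 'OLAPSYS')
 ORDER BY owner, table_name, privilege;

-- 2. "ANY" system privileges granted directly to user accounts.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee IN (SELECT username FROM dba_users)
   AND grantee NOT IN ('SYS', 'SYSTEM', 'XDB', 'CTXSYS', 'MDSYS', 'ORDSYS',
                       'WMSYS', 'EXFSYS', 'DBSNMP', 'OUTLN', 'OLAPSYS')
 ORDER BY grantee, privilege;

-- 3. "ANY" privileges reached through roles, including nested roles.
--    The hierarchy is built first in a subquery, because Oracle evaluates joins
--    before CONNECT BY and a join inside the hierarchical query would prune
--    the role tree before it is walked.
WITH role_tree AS (
  SELECT CONNECT_BY_ROOT grantee AS username, granted_role
    FROM dba_role_privs
   START WITH grantee IN (SELECT username FROM dba_users)
 CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
SELECT DISTINCT rt.username, rt.granted_role AS via_role, sp.privilege
  FROM role_tree rt
  JOIN dba_sys_privs sp ON sp.grantee = rt.granted_role
 WHERE sp.privilege LIKE '%ANY%'
   AND rt.username NOT IN ('SYS', 'SYSTEM', 'XDB', 'CTXSYS', 'MDSYS', 'ORDSYS',
                           'WMSYS', 'EXFSYS', 'DBSNMP', 'OUTLN', 'OLAPSYS')
 ORDER BY rt.username, sp.privilege;
```

Query 3 is the one most auditors miss: a user with no direct ANY privilege can still hold SELECT ANY TABLE through a custom role that was granted DBA or a similar role several levels down, and CONNECT_BY_ROOT attributes the finding back to the user account rather than the intermediate role.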
 
Steve Wales, Senior Database Administrator, commented:
Some of the things I've had internal auditors ask me in the past:

They want a list of absolutely every grant done to any user or role and then want explanations for:
 - Anything that has insert/update/delete (if it's an application owner it's acceptable)
 - Anything granted to PUBLIC (as mentioned above some are required, but some are set by default that aren't needed that way)
 - Any account with DBA privilege (as mentioned above, ANY is a key word that should be limited in privs)
 - Are user accounts set to expire passwords regularly (some can't have that happen, I have some apps that break if a password expires)
 - Are accounts set up with password complexity and reuse rules
 - Make sure no account has default password
 - Make sure default accounts not being used are expired.
 - Make sure that your user list is valid - terminated employees have been removed

I'm sure that there are site specific things as well.

Here are a couple of other documents I found (I don't know if you're Unix or Windows) that may give some further ideas:

http://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html
http://www.ordba.net/Articles/HardeningOracleDB.htm
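The account and grant questions in the list above map onto a handful of dictionary queries. This is an added example, not the poster's script; it assumes Oracle 11g (DBA_USERS_WITH_DEFPWD exists from 11g), an application schema named APP_OWNER (an assumed name), and a list of Oracle-supplied accounts that is a starting point rather than a complete inventory.

```sql
-- Added example: account and grant checks behind the auditor questions above (Oracle 11g).
-- APP_OWNER is an assumed application schema name; the supplied-account list is an assumption.

-- A. DML grants on the application schema to anyone other than the owner.
SELECT grantee, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'APP_OWNER'
   AND grantee <> 'APP_OWNER'
   AND privilege IN ('INSERT', 'UPDATE', 'DELETE')
 ORDER BY grantee, table_name, privilege;

-- B. Holders of the DBA role, and whether they can grant it onward.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- C. Accounts still on a known default password.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- D. Password lifetime, complexity and reuse limits per profile.
--    LIMIT = 'UNLIMITED' or 'NULL' (no verify function) are the values to explain.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('PASSWORD_LIFE_TIME', 'PASSWORD_VERIFY_FUNCTION',
                         'PASSWORD_REUSE_MAX', 'PASSWORD_REUSE_TIME',
                         'FAILED_LOGIN_ATTEMPTS')
 ORDER BY profile, resource_name;

-- E. Oracle-supplied accounts that are still OPEN; unused ones should be EXPIRED & LOCKED.
SELECT username, account_status, created
  FROM dba_users
 WHERE username IN ('ANONYMOUS', 'CTXSYS', 'DBSNMP', 'DIP', 'EXFSYS', 'MDSYS',
                    'OLAPSYS', 'ORDSYS', 'OUTLN', 'SCOTT', 'WMSYS', 'XDB', 'XS$NULL')
   AND account_status = 'OPEN'
 ORDER BY username;

-- F. Every open non-Oracle account, to reconcile against the HR leavers list.
SELECT username, account_status, profile, created, expiry_date
  FROM dba_users
 WHERE account_status LIKE 'OPEN%'
   AND username NOT IN ('SYS', 'SYSTEM', 'DBSNMP', 'SYSMAN', 'CTXSYS', 'MDSYS',
                        'ORDSYS', 'WMSYS', 'XDB', 'EXFSYS', 'OUTLN', 'OLAPSYS')
 ORDER BY created;
```

Query D is the one to read alongside the poster's caveat about applications that break on password expiry: the usual answer is a separate profile for service accounts with a long PASSWORD_LIFE_TIME but a verify function and FAILED_LOGIN_ATTEMPTS still set, so the exception is explicit rather than every account sharing a relaxed DEFAULT profile.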
 
pma111 (Author) commented:
Thanks for the security issues... I'd also be interested in risks to an oracle database that aren't fixed with security controls though...
 
Steve Wales, Senior Database Administrator, commented:
As mentioned in previous replies:

 - Are backups being done.
 - Is the database in archive log mode so that point in time recovery is enabled.
 - Are backups tested regularly
 - Do you have an offsite storage solution for backups
 - Are protocols in place for regular patching as quarterly Critical Updates are released
 - Are archive log files being backed up as well as the database
 - Are monitoring tools in place to monitor DB up/down
 - Are the logs being monitored
 - Are old logs being cleaned up (old trace files being purged after x days, alert log being rolled over on a weekly/monthly basis and oldest ones removed)
 - Tablespace freespace being monitored
 - Disk space on server being monitored
 - Growth trends being monitored / analyzed


What else do you particularly need ?  Your question is pretty vague.
 
pma111 (Author) commented:
It's pretty vague as it's not an area of expertise, so I really wanted to learn from the experts what they perceive the critical controls to keep Oracle running smoothly; some good answers. It seems basically security, backups and performance management is about it.
 
Steve Wales, Senior Database Administrator, commented:
One other thing that just popped into my head - make sure your database statistics are kept up to date.

The optimizer can make some interesting decisions if it's working off stale statistics.
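The archive-log, backup, space-monitoring and stale-statistics points from the two replies above can all be checked from the dictionary and V$ views. This is an added example, not the poster's code; it assumes Oracle 11g with RMAN used for backups, and the 85% usage threshold and 7-day backup window are assumptions to tune per site.

```sql
-- Added example: operational health checks for Oracle 11g (backups, archiving, space, stats).
-- The 85% threshold and 7-day window are assumed values.

-- 1. Point-in-time recovery requires ARCHIVELOG mode.
SELECT name, log_mode
  FROM v$database;

-- 2. RMAN jobs in the last 7 days; INPUT_TYPE separates database from
--    archive-log backups, STATUS shows failures or warnings.
SELECT start_time, end_time, input_type, status
  FROM v$rman_backup_job_details
 WHERE start_time > SYSDATE - 7
 ORDER BY start_time DESC;

-- 3. Archived logs on disk that RMAN has never backed up (gap in point-in-time recovery).
SELECT COUNT(*) AS unbacked_archivelogs, MIN(first_time) AS oldest_log
  FROM v$archived_log
 WHERE backup_count = 0
   AND deleted = 'NO'
   AND standby_dest = 'NO';

-- 4. Tablespaces above 85% used. This ignores autoextend headroom; include
--    maxbytes from dba_data_files if autoextend is relied upon.
SELECT d.tablespace_name,
       ROUND(SUM(d.bytes) / 1024 / 1024) AS alloc_mb,
       ROUND((SUM(d.bytes) - NVL(f.free_bytes, 0)) / 1024 / 1024) AS used_mb,
       ROUND(100 * (SUM(d.bytes) - NVL(f.free_bytes, 0)) / SUM(d.bytes)) AS pct_used
  FROM dba_data_files d
  LEFT JOIN (SELECT tablespace_name, SUM(bytes) AS free_bytes
               FROM dba_free_space
              GROUP BY tablespace_name) f
    ON f.tablespace_name = d.tablespace_name
 GROUP BY d.tablespace_name, f.free_bytes
HAVING ROUND(100 * (SUM(d.bytes) - NVL(f.free_bytes, 0)) / SUM(d.bytes)) > 85
 ORDER BY pct_used DESC;

-- 5. Tables the optimizer considers stale, or never analysed at all.
--    Run EXEC DBMS_STATS.FLUSH_DATABASE_MONITORING_INFO first so the
--    modification counters behind STALE_STATS are current.
SELECT owner, table_name, last_analyzed, stale_stats
  FROM dba_tab_statistics
 WHERE object_type = 'TABLE'
   AND (stale_stats = 'YES' OR last_analyzed IS NULL)
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name;
```

Checks 2 and 3 belong together: a successful database backup with archived logs that were never backed up still leaves a recovery gap, which is the point of the "archive log files being backed up as well" item in the list.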
 
johnsone, Senior Oracle DBA, commented:
You have mentioned security checks and auditors.  That is why I stayed away from logs, backups, archives, space utilization, etc.  I tried to stay within the topic of an audit.  Those aren't typically things that auditors care about.

Also, the quarterly critical updates are not necessarily applied.  There can be application restrictions on this, especially if you are using a third party application.
 
pma111 (Author) commented:
Sorry, it was just more of a general risk assessment and healthcheck than a security audit that I was looking at, i.e. any issues which can affect the database running smoothly OR being compromised.
 
Geert Gruwez, Oracle DBA, commented:
If your database requires auditor checks then I assume your company and the database have to be SOX compliant.

> Is disaster recovery in place? (also referred to as a DR solution)
> When a disaster happens, can the database be restored within a certain time?
> Do you have backups for everyone to do all the tasks for disaster recovery?
>> By backups I mean 2 people.
>> Do the backups have procedures they can follow for the disaster recovery?

> SOX compliant database:
http://www.s-ox.com/dsp_getFeaturesDetails.cfm?CID=448
http://www.devx.com/enterprise/Article/29991
 
Naveen Kumar, Production Manager / Application Support Manager, commented:
Also, database links from PROD to DEV/SIT/QA/UAT databases should not be there.
Open Schema accounts used by application support teams should not be there.
Production database should be able to be connected by users/apps only from PROD/DR hosts/environments.
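The three points in this reply can be checked from DBA_DB_LINKS, V$SESSION and the session audit trail. This is an added example, not the poster's code; it assumes Oracle 11g, that non-production targets are recognisable from the host string by the environment names used above (DEV, SIT, QA, UAT, plus TEST as an assumed extra), that PROD and DR hosts follow the assumed naming patterns PRODAPP% and DRAPP%, and that AUDIT SESSION is enabled for the last two queries.

```sql
-- Added example: production-boundary checks for Oracle 11g.
-- Host patterns (DEV/SIT/QA/UAT/TEST, PRODAPP%, DRAPP%) are assumed naming conventions.

-- 1. Database links whose target looks like a non-production environment.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 WHERE REGEXP_LIKE(host, '(DEV|SIT|QA|UAT|TEST)', 'i')
 ORDER BY owner, db_link;

-- 2. Sessions connected right now from anything other than the PROD/DR hosts,
--    with the OS user and program so open-schema use by support staff stands out.
SELECT s.username, s.osuser, s.machine, s.program, COUNT(*) AS sessions
  FROM v$session s
 WHERE s.type = 'USER'
   AND s.username IS NOT NULL
   AND UPPER(s.machine) NOT LIKE 'PRODAPP%'
   AND UPPER(s.machine) NOT LIKE 'DRAPP%'
 GROUP BY s.username, s.osuser, s.machine, s.program
 ORDER BY s.username, sessions DESC;

-- 3. Logons over the last 30 days by host (needs AUDIT SESSION), so the check
--    covers more than whoever happens to be connected at the moment.
SELECT username, userhost, os_username,
       COUNT(*) AS logons, MAX(timestamp) AS last_logon
  FROM dba_audit_session
 WHERE timestamp > SYSDATE - 30
   AND UPPER(userhost) NOT LIKE 'PRODAPP%'
   AND UPPER(userhost) NOT LIKE 'DRAPP%'
 GROUP BY username, userhost, os_username
 ORDER BY last_logon DESC;

-- 4. Schema accounts shared by several people: one database user logged on
--    from more than one OS user in the period.
SELECT username, COUNT(DISTINCT os_username) AS distinct_os_users
  FROM dba_audit_session
 WHERE timestamp > SYSDATE - 30
 GROUP BY username
HAVING COUNT(DISTINCT os_username) > 1
 ORDER BY distinct_os_users DESC;
```

Query 4 is the practical test for "open schema accounts used by application support teams": a schema owner account that shows five different OS users behind it has no individual accountability, which is the control auditors are usually after.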
