Pau Lo
asked on
oracle top 10 healthcheck
I am trying to compile a sort of top 5 security checks for an 11g oracle database to set our internal auditors on across our oracle database estate? Which, in your expert opinions as oracle DBA's, are the top 5 most crucial security/access control checks for an oracle database…. Some initial ideas I had from a layman's perspective were 1) application of critical security patches, 2) default database account passwords and 3) weak database account passwords. Can you provide details of any other checks you'd recommend in a top5/6 critical list? I appreciate that weaknesses in applications and host operating systems can expose the database, but I was hoping to keep the list specific to controls within the oracle database…
Secondly, aside from security specific configurations, if you were doing an overall risk assessment/control healthcheck of an oracle database what would you recommend the top10 checks/controls be for some level of assurance that the availability, confidentiality and integrity of the database isn’t in jeopardy. I know there are some useful oracle hardening and configuration guides but I was more after the most important controls/configurations more than anything. So a top 10 priority list would be brilliant and very interesting.
So top 5 security controls 1, 2, 3, 4, 5 and top 5 other essential non-security controls, 1, 2, 3, 4, 5
Secondly, aside from security specific configurations, if you were doing an overall risk assessment/control healthcheck of an oracle database what would you recommend the top10 checks/controls be for some level of assurance that the availability, confidentiality and integrity of the database isn’t in jeopardy. I know there are some useful oracle hardening and configuration guides but I was more after the most important controls/configurations more than anything. So a top 10 priority list would be brilliant and very interesting.
So top 5 security controls 1, 2, 3, 4, 5 and top 5 other essential non-security controls, 1, 2, 3, 4, 5
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the security issues... I'd also be interested in risks to an oracle database that aren't fixed with security controls though...
As mentioned in previous replies:
- Are backups being done.
- Is the database in archive log mode so that point in time recovery is enabled.
- Are backups tested regularly
- Do you have an offsite storage solution for backups
- Are protocols in place for regular patching as quarterly Critical Updates are released
- Are archive log files being backups up as well as the database
- Are monitoring tools in place to monitor DB up/down
- Are the logs being monitored
- Are old logs being cleaned up (old trace files being purged after x days, alert log being rolled over on a weekly/monthly basis and oldest ones removed)
- Tablespace freespace being monitored
- Disk space on server being monitored
- Growth trends being monitored / analyzed
What else do you particularly need ? Your question is pretty vague.
- Are backups being done.
- Is the database in archive log mode so that point in time recovery is enabled.
- Are backups tested regularly
- Do you have an offsite storage solution for backups
- Are protocols in place for regular patching as quarterly Critical Updates are released
- Are archive log files being backups up as well as the database
- Are monitoring tools in place to monitor DB up/down
- Are the logs being monitored
- Are old logs being cleaned up (old trace files being purged after x days, alert log being rolled over on a weekly/monthly basis and oldest ones removed)
- Tablespace freespace being monitored
- Disk space on server being monitored
- Growth trends being monitored / analyzed
What else do you particularly need ? Your question is pretty vague.
ASKER
Its pretty vague as its not an area of expertese so I really wanted to learn from the experts what they perceive the critical controls to keep oracle running smoothly - some good answers. It seems basically security, backups and performance mgmt is about it.
One other thing that just popped into my head - make sure your database statistics are kept up to date.
The optimizer can make some interesting decisions if it's working off stale statistics.
The optimizer can make some interesting decisions if it's working off stale statistics.
You have mentioned security checks and auditors. That is why I stayed away from logs, backups, archives, space utilization, etc. I tried to stay within the topic of an audit. Those aren't typically things that auditors care about.
Also, the quarterly critical updates are not necessarily applied. There can be application restrictions on this, especially if you are using a third party application.
Also, the quarterly critical updates are not necessarily applied. There can be application restrictions on this, especially if you are using a third party application.
ASKER
Sorry just more a general risk assessment and healthcheck than a security audit was what I was looking at.. Ie any issues which can affect the database running smoothly OR being compromised
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Also Database links from PROD to DEV/SIT/QA/UAT Databases should not be there.
Open Schema accounts used by application support teams should not be there.
Production database should be able to be connected by users/apps only from PROD/DR hosts/environments.
Open Schema accounts used by application support teams should not be there.
Production database should be able to be connected by users/apps only from PROD/DR hosts/environments.
ASKER
I was hoping for some sort of general consensus on the top 5 critical security controls specific to the database, I'd listed passwords and patches, what else?
Aside from backup/restore are there no other risk areas (outside of security) that require effective controls for a database? There must be absolutely loads....