Re: Security audit of Oracle databases

  • From: "Don Granaman" <granaman@xxxxxxx>
  • To: <stellr@xxxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 14 Apr 2005 04:48:38 -0700

Disclaimer: Any statements below are entirely my own personal opinion, not
the opinion or policy of CIS or any other entity.

I was heavily involved in the development of the initial 8i/9i benchmark -
and, as a core member of the CIS Oracle team, have been following and
occasionally advising on the development of the just released 9i/10g
benchmark.  I have not been nearly as active in the latter (too little
experience with 10g and too little time).  The decision was made early on
that the 8i material would be relegated to an 8i-specific document and that
the new document and tool would cover only 9i and 10g (since 8i is now
"desupported").  The currently available scoring tool is based on the 8i/9i
document, but will soon be replaced (supplemented?) with a 9i/10g scoring
tool.

There are some things about the CIS benchmark and scoring tool that might
not be trivially obvious.  Be sure to read the "fine print".  For example,
it scores on a scale of 0-10.  However, the checked items are not weighted
by severity in the scoring tool.  It simply assigns an equal value to
everything it checks.  Some things are crucial and some things are
near-trivial.  Local policy exceptions may exist, but are not accounted for
in the score (other than by disclaimer).  Thus a "high" absolute score is
not really the goal.  A "low" score may be perfectly acceptable in your
environment.  The real goal is to identify potential issues.  Anything that
the tool finds should be addressed - either by knowing why it really isn't
an issue for you, by knowing why the security trade-off was made, by
exceptions for local policy or by "fixing" the weakness.

Anyone who goes through the benchmark document (or scoring tool output) in
detail will certainly have some level of disagreement with at least a few of
the items (I did).  Feedback is not just welcome, but strongly encouraged -
as stated on the CIS site.

It was indeed "put together by NSA and military types" along with myself,
some other governmental organizations, an Oracle technical representative
(largely to research and clarify issues that could not be easily resolved or
thoroughly tested otherwise - it is not "marketing-driven") and a few
others.  DOE (the Department of Energy) was one of the main driving forces.
However, it is intended to be generally applicable.  The most
security-conscious organizations (e.g. NSA) have their own addendum that is
specific to the organization (and usually not available to the public).

Note also that both the benchmark and the scoring tool are designed for
"inside-out" auditing, not for "outside-in" penetration testing.  For
example, some mention is given to SQL injection in the benchmark, but no
potentially disruptive or destructive tests are performed.  The tool looks
at the system from a DBA's perspective (so requires privileged access to the
database server) and generates report output, but changes nothing.  The
benchmark document is largely generic, with noted platform-specific
inclusions for a few platforms.  The 8i/9i scoring tool has Windows, Linux
and Sparc Solaris versions.

PS:  The auditors WILL find some things "wrong".  Be prepared to address
them...

-Don Granaman (OraSaurus)

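The scoring behaviour Don describes (equal value per check, scaled to 0-10, severity and local exceptions ignored) is easy to misread as a grade. As an added illustration that is not the CIS tool's code, the snippet below scores a constructed set of findings the unweighted way, then shows a severity-aware view and the list a DBA actually has to disposition; check names, severities and the exception text are all assumed.

```python
# Added example, not part of the CIS benchmark or scoring tool. Computes the
# unweighted 0-10 score the way the post describes it, then a severity-aware
# view of the same findings. All check names, severities and results below
# are constructed for illustration, not items from the benchmark.
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    passed: bool
    severity: int               # assumed scale: 1 = near-trivial, 5 = crucial
    local_exception: str = ""   # documented policy exception, if any


# Constructed sample output of a scoring run; labels are illustrative only.
SAMPLE = [
    Finding("default_accounts_locked", True, 5),
    Finding("listener_password_set", False, 5),
    Finding("remote_os_authent_off", False, 4),
    Finding("audit_trail_enabled", True, 3),
    Finding("password_verify_function", True, 3),
    Finding("sql92_security_true", False, 1),
    Finding("os_authent_prefix_empty", False, 2, "legacy app, exception #42"),
    Finding("public_execute_utl_file_revoked", True, 4),
]


def unweighted_score(findings):
    """Equal value per check, scaled to 0-10: how the tool scores."""
    return round(10 * sum(f.passed for f in findings) / len(findings), 2)


def weighted_score(findings):
    """Assumed alternative: weight by severity, count documented exceptions
    as addressed. Shows how far the raw score can drift from actual risk."""
    ok = sum(f.severity for f in findings if f.passed or f.local_exception)
    return round(10 * ok / sum(f.severity for f in findings), 2)


def to_address(findings):
    """Failed checks with no documented exception, most severe first:
    the list that matters before the auditors arrive."""
    open_items = [f for f in findings if not f.passed and not f.local_exception]
    return [f.check for f in sorted(open_items, key=lambda f: -f.severity)]


if __name__ == "__main__":
    print("unweighted:", unweighted_score(SAMPLE))   # 5.0
    print("weighted:  ", weighted_score(SAMPLE))     # 6.3
    print("to address:", to_address(SAMPLE))
```

Two environments with the same raw 5.0 could have an empty or a very long "to address" list; the score is a pointer to findings, not the result.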
----- Original Message ----- 
From: "Ray Stell" <stellr@xxxxxxxxxx>
To: <oracle-l@xxxxxxxxxxxxx>
Sent: Monday, April 11, 2005 9:09 AM
Subject: Re: Security audit of Oracle databases


>
> The center for internet security produced a security benchmark with a
> scoring tool for 8i.  They have not finished the 9i and 10g software,
> however.  This is put together by NSA and military types, among other
> volunteers.  I did a little of the early 8i work, but was quickly left
> in the dust.
>
> http://www.cisecurity.org/bench_oracle.html
>
>
>
>
> On Mon, Apr 11, 2005 at 08:49:08AM -0400, Paula_Stankus@xxxxxxxxxxxxxxx
wrote:
> > Guys,
> >
> > I have a friend who is going to go through a security audit from an
> > outside 3rd party.  He would like to verify his security before they
> > come.  Does anyone know of any security opensource software for checking
> > integrity of Oracle databases or scripts?
> >
> > Thanks,
> > Paula
> > --
> > //www.freelists.org/webpage/oracle-l
>
> -- 
> ============================================================
> Ray Stell  stellr@xxxxxx  (540) 231-4109  Tempus fugit  28^D
>

