Re: Back and a Question

  • From: "Jared Still" <jkstill@xxxxxxxxx>
  • To: anjo.kolk@xxxxxxxxxxx
  • Date: Tue, 15 Aug 2006 15:54:35 -0700

On 8/15/06, Anjo Kolk <anjo.kolk@xxxxxxxxxxx> wrote:


So I made it back on the list, I have a question for you all about DB security. There seems to be a lot of talk about DB security, but not a lot of action. Is that true, and if it is true, why don't customers act? There are products out there to check for DB security, how are they doing? Does anybody on this list use them?

Please share your thoughts and comments,

--
Anjo Kolk



Done on a periodic basis:

* store checksums of all database objects
 compare signatures from different periods
(composition of signature varies with type of object)
 most discrepancies should be traceable back to a change control ticket

* perform remediation of permissions on database files, executable and lib files.
 Ironically, this is a simpler task on Windows than it is on unix.

* production databases require a verification function on Oracle account
passwords
 User account passwords timeout.
 System/account passwords do not timeout.

* report containing all permissions for users/roles.
 Possible discrepancies are automatically highlighted in the report.

* check random samples of session audit (too many to completely verify)

* passwords on all listeners when the listener version is < 10g

* run odpc.pl against databases (Oracle Default Password Checker)
 change passwords if needed.

* lock all accounts that can be locked.

* do not install/run Oracle's HTTP server unless needed.

* remove tkprof and bbedit from production databases.

* apply security patches when possible ( "possible" varies
 with severity of bug )

No 3rd party products in use at this time.  We will be looking
at a security system for an ERP system.

I have Pete Finnigan's "Oracle Security Step by Step" and
refer to that when implementing new security measures.

There's more to do, but not enough time to get it all done.

Oh, and the security monitoring is heavily dependent on Perl scripts. :)

--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
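The first item in Jared's list (store signatures of database objects, compare them between periods, and trace every discrepancy to a change control ticket), as an added Python example that is not part of the thread or of Jared's Perl scripts. It assumes the object source was already fetched as rows shaped like DBA_SOURCE (OWNER, NAME, TYPE, LINE, TEXT); the rows and the ticket map below are constructed sample data so it runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed sample rows in DBA_SOURCE shape: (OWNER, NAME, TYPE, LINE, TEXT).
# A real run would fetch these from the database in each period.
BASELINE_ROWS = [
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 1, "PACKAGE BODY pkg_orders AS"),
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 2, "END pkg_orders;"),
    ("APP", "TRG_AUDIT", "TRIGGER", 1, "BEGIN INSERT INTO audit_log VALUES (USER, SYSDATE); END;"),
    ("HR", "FN_SALARY", "FUNCTION", 1, "FUNCTION fn_salary RETURN NUMBER IS BEGIN RETURN 1; END;"),
]
CURRENT_ROWS = [
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 1, "PACKAGE BODY pkg_orders AS"),
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 2, "  PROCEDURE ship IS BEGIN NULL; END;"),
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 3, "END pkg_orders;"),
    ("APP", "TRG_AUDIT", "TRIGGER", 1, "BEGIN NULL; END;"),  # audit trigger body emptied
    ("HR", "FN_SALARY", "FUNCTION", 1, "FUNCTION fn_salary RETURN NUMBER IS BEGIN RETURN 1; END;"),
    ("HR", "FN_EXPORT", "FUNCTION", 1, "FUNCTION fn_export RETURN CLOB IS BEGIN RETURN NULL; END;"),
]
# Constructed change-control tickets keyed by (owner, name): only PKG_ORDERS was approved.
TICKETS = {("APP", "PKG_ORDERS"): "CHG-1042"}


def signatures(rows):
    """One SHA-256 per object, over its source lines in LINE order.

    For PL/SQL objects the signature is the ordered source text; other object
    types (tables, grants) would hash their own definition instead."""
    source = defaultdict(list)
    for owner, name, typ, line, text in rows:
        source[(owner, name, typ)].append((line, text))
    return {
        key: hashlib.sha256("\n".join(t for _, t in sorted(lines)).encode()).hexdigest()
        for key, lines in source.items()
    }


def compare(baseline, current, tickets):
    """List (status, key, ticket) for every signature that changed, appeared or vanished."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            status = "dropped"
        elif key not in baseline:
            status = "new"
        elif baseline[key] != current[key]:
            status = "changed"
        else:
            continue  # identical signature: nothing to report
        findings.append((status, key, tickets.get(key[:2])))
    return findings


def run_check():
    return compare(signatures(BASELINE_ROWS), signatures(CURRENT_ROWS), TICKETS)


def unexplained(findings):
    """Discrepancies with no change ticket: the ones that need a human to look."""
    return [f for f in findings if f[2] is None]
```

The unchanged HR.FN_SALARY produces no finding; the rewritten audit trigger and the new function are reported without a ticket, which is exactly the discrepancy the periodic comparison exists to surface.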
