RE: Security audit of Oracle databases

  • From: "MacGregor, Ian A." <ian@xxxxxxxxxxxxxxxxx>
  • To: <jkstill@xxxxxxxxx>, <niall.litchfield@xxxxxxxxx>
  • Date: Tue, 12 Apr 2005 10:35:31 -0700

Oracle's security problems are often not database related.  A default
9.2 install will install an HTTP listener and an ftp service.  Both of
these are prime targets for attackers and both have had exploits written
against them.  These problems were addressed in a patchset, but it is
quite possible different holes will be found in them.

Oracle's desire to be much more than a database, to make things easier
to accomplish, means the DBA has to understand much more than the
database.

Oracle's willingness to allow potential customers to download the
product and take it for a test spin is great.  Suppose, however, someone
installs Oracle on his desktop. The installation will not be maintained,
it will not be patched.  The possibility for compromise is significant.
The person who only wanted to learn Oracle discovers someone has
taken over his machine.

Ian MacGregor
Stanford Linear Accelerator Center
ian@xxxxxxxxxxxxxxxxx

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jared Still
Sent: Tuesday, April 12, 2005 8:01 AM
To: niall.litchfield@xxxxxxxxx
Cc: stephenbooth.uk@xxxxxxxxx; wisernet100@xxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: Re: Security audit of Oracle databases

On 4/12/05, Niall Litchfield <niall.litchfield@xxxxxxxxx> wrote:
>
> On windows of course you can always run any executable under different
> credentials, if you are an administrator, but then to be blunt it makes
> sense for dbas to be admins on windows boxes anyway.
>
I would modify that to state that a DBA on a windows box must
have admin access to do that job.
If not given initially, the SA's will tire of the DBA pestering them
and grant it anyway. :)

--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

--
//www.freelists.org/webpage/oracle-l