RE: Security auditing tools

  • From: "Sheehan, Jeremy" <JEREMY.SHEEHAN@xxxxxxxxxxxxxxxxx>
  • To: Upendra N <nupendra@xxxxxxxxxxx>, "joel.patterson@xxxxxxxxxxx" <joel.patterson@xxxxxxxxxxx>, Oracle-L <oracle-l@xxxxxxxxxxxxx>
  • Date: Mon, 18 Jun 2012 12:49:47 -0400

We've been using Guardium for just under 2 years now.  Changes aren't made that 
often so the reboots are far and few between.  I think we've had 2 reboots for 
the Guardium agent and that was the initial install and one upgrade.  Generally 
they're done in our maintenance window so it's not disruptive.
As of right now, it's selective, but the goal is to get it enterprise wide with 
different levels of monitoring depending on the database.  The hardest part is 
creating the filters for Guardium.  That requires someone working full time on 
looking over the logs and filtering out legitimate traffic.  I remember sitting 
in many meetings looking over connection strings, SQL code and account names 
and then justifying to infosec that the traffic was legitimate.

Jeremy

From: Upendra N [mailto:nupendra@xxxxxxxxxxx]
Sent: Monday, June 18, 2012 11:56 AM
To: Sheehan, Jeremy; joel.patterson@xxxxxxxxxxx; Oracle-L
Subject: RE: Security auditing tools

Jeremy,
Thanks for the feedback.
How long have you been using Guardium? How often have you had to make any 
Guardium changes which require you to reboot the server?
Are you using it across the enterprise or selective?

Thanks
-Upendra

> From: JEREMY.SHEEHAN@xxxxxxxxxxxxxxxxx
> To: nupendra@xxxxxxxxxxx; joel.patterson@xxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
> Date: Mon, 18 Jun 2012 10:12:32 -0400
> Subject: RE: Security auditing tools
>
> We are using Guardium (we're using the IBM stack here). Takes a long time to 
> get running properly and I believe it integrates into the kernel of the OS 
> it's "guarding". If any changes are required, it takes a reboot of the 
> machine. Whenever I do anything I'm not supposed to, I get an email from 
> infosec asking what I was doing. The reports are fairly extensive and they 
> capture just about everything. From what we've seen, very little impact on db 
> performance. One of the key selling points was the ability to block any types 
> of sql that it didn't see as "normal activity".
>
> Thanks!
>
> Jeremy
>
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
> Behalf Of Upendra N
> Sent: Friday, June 15, 2012 7:30 PM
> To: joel.patterson@xxxxxxxxxxx; Oracle-L
> Subject: RE: Security auditing tools
>
> Hi Joel,
> I have been reviewing similar tools as well. The notable ones that I 
> have come across are Guardium (IBM purchased this some time ago) and 
> DBProtect (a product from Application Security Inc.). Both of them provide 
> very similar functionality. We could audit the database binary for missing 
> patches, known vulnerabilities, default passwords. Guardium also says that it 
> has tools to analyze the workload characteristics of a user and identify any 
> deviations which might be a result of SQL Injection etc.
>
>
> Both of them let you configure real-time alerting based on several criteria. 
> They both provide built-in reports which contain enough information for 
> SOX/PCI/HIPAA compliance reporting.
>
>
> BTW, for the 22 page document you are talking about.. did you build this 
> yourself?
>
> Have you seen the 157 page document about Oracle Database security? ;) 
> https://benchmarks.cisecurity.org/tools2/oracle/CIS_Oracle_11g_Benchmark_v1.1.0.pdf
>
>
> -Upendra
>
>
> > From: Joel.Patterson@xxxxxxxxxxx
> > To: Oracle-L@xxxxxxxxxxxxx
> > Date: Fri, 15 Jun 2012 11:03:08 -0400
> > Subject: Security auditing tools
> >
> > We are in the process of laying out a baseline of what and how the 
> > databases and software should be set - as it pertains to security.
> > Of course this encompasses everything from file permissions to account 
> > locks, default passwords - and on and on as you might imagine. I have 
> > already seen a 22 page document listing.
> >
> > Right away, I notice there are a couple items out of date, in this case 
> > pertaining to passwords on the listeners. Or, pertaining to listeners 
> > again, creating separate listeners for everything on your server, from the 
> > agent to administration purposes. Or 'locking' the oracle account --- 
> > etc....
> >
> > What I would like from the list, if one is inclined to be so kind, is if 
> > there are any good 'tools' that anyone uses, that automates the process of 
> > checking/auditing security. Also, any up to date documents on issues like, 
> > but not unlike, what I just brought up with the listeners.
> >
> > Best Regards,
> >
> > Joel Patterson
> > Database Administrator
> > 904 727-2546
> >
> >
> >
> > --
> > //www.freelists.org/webpage/oracle-l
> >
> >
>
