Suggestion – Securing Oracle Environments

April 1, 2012

Suggested Oracle Standard
Corporate’s business functions rely upon the integrity, confidentiality, and availability of its computer systems and the information assets stored within them. Responsibilities and procedures for the management, operation and security of all information processing facilities must be established. This standard supports the stated objectives.

Requirements and Implementations

Authentication
The passwords of all default accounts present after the install must be changed to meet the current corporate password standard, including but not limited to the accounts below:

  • Dbsnmp
  • Demo
  • SysP08
  • System
  • SQL*NET

Oracle accounts should adhere to the Information Security Password Policy.
Password lock time should be set to the maximum possible time (until unlocked by a system administrator).
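
The checks below are an added example, not part of the original standard. They show one way to verify the authentication requirements above on Oracle 11g or later. The names corp_standard and app_user and the failed-login count are hypothetical placeholders.

```sql
-- 1. Accounts that still have a well-known default password.
--    DBA_USERS_WITH_DEFPWD is available in Oracle 11g and later.
SELECT d.username, u.account_status, u.profile
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY u.account_status, d.username;

-- 2. Profiles whose lock time is not "until an administrator unlocks".
--    A LIMIT of DEFAULT means the value is inherited from the DEFAULT
--    profile, so check that profile's row before treating it as a finding.
SELECT profile, limit
FROM   dba_profiles
WHERE  resource_name = 'PASSWORD_LOCK_TIME'
AND    limit <> 'UNLIMITED'
ORDER  BY profile;

-- 3. Remediation: a profile that keeps a locked account locked until a
--    DBA unlocks it. The attempt count (5) is a placeholder; take the real
--    value from the corporate password policy.
CREATE PROFILE corp_standard LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    UNLIMITED;

-- 4. Assign the profile to an account (hypothetical account name).
ALTER USER app_user PROFILE corp_standard;

-- 5. Confirm which profile each open account uses.
SELECT username, profile
FROM   dba_users
WHERE  account_status = 'OPEN'
ORDER  BY profile, username;
```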

Privileges
All privileges should be granted using the principle of least privilege.

The DBA role must be granted to database administrators alone.  Third-party applications requiring the DBA role need to go through the exception approval process as defined in the EXCEPTION section of this document.

The p08 accounts (if they exist) should have the DBA role revoked.
The following privileges should not be granted to an application.  Third-party applications requiring these privileges need to go through the exception approval process as defined in the EXCEPTION section of this document:

  • CREATE
  • DROP
  • UNLIMITED TABLESPACE
  • BECOME USER
  • EXECUTE ANY PROCEDURE
  • GRANT ANY PRIVILEGE/ROLE
  • ALTER
  • ANY

Privileges should be assigned to roles, not users.
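
The review queries below are an added example, not part of the original standard. They locate grants that conflict with the Privileges requirements above by reading the data dictionary. The excluded grantees (SYS, SYSTEM, DBA) and the account name app_owner are assumptions to adjust per site.

```sql
-- 1. Who holds the DBA role besides the built-in administrative accounts?
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
AND    grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY grantee;

-- 2. System privileges from the prohibited list (CREATE, DROP, ALTER, ANY,
--    UNLIMITED TABLESPACE, BECOME USER, EXECUTE ANY PROCEDURE,
--    GRANT ANY PRIVILEGE/ROLE). CREATE SESSION is skipped because an
--    account needs it to connect at all.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
AND    privilege <> 'CREATE SESSION'
AND   (   privilege LIKE 'CREATE %'
       OR privilege LIKE 'DROP %'
       OR privilege LIKE 'ALTER %'
       OR privilege LIKE '% ANY %'
       OR privilege IN ('UNLIMITED TABLESPACE', 'BECOME USER'))
ORDER  BY grantee, privilege;

-- 3. System privileges granted directly to a user instead of through a role.
SELECT p.grantee, p.privilege
FROM   dba_sys_privs p
JOIN   dba_users u ON u.username = p.grantee
WHERE  p.grantee NOT IN ('SYS', 'SYSTEM')
AND    p.privilege <> 'CREATE SESSION'
ORDER  BY p.grantee, p.privilege;

-- 4. Object privileges granted directly to a user instead of through a role.
SELECT t.grantee, t.owner, t.table_name, t.privilege, t.grantable
FROM   dba_tab_privs t
JOIN   dba_users u ON u.username = t.grantee
WHERE  t.grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY t.grantee, t.owner, t.table_name;

-- 5. Remediation for a finding from query 1 (hypothetical account name).
REVOKE DBA FROM app_owner;
```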

Configuration
Use the product profile table to block the host command.
All roles should be password protected and the passwords should only be distributed to necessary individuals.

Remove all privileges except for CREATE SESSION from normal users. Normal users are the users that do not have any role.

Restrict permissions on run-time facilities. Do not assign “all permissions” to any database server run-time facility such as the Oracle Java Virtual Machine (OJVM). Grant specific permissions to the explicit document root file paths for such facilities that may execute files and packages outside the database server.

All database views must map to a database role.
The following privileges should not be granted to users:

  • ANY
  • GRANT ALL

The Oracle database and file system must only be readable by Oracle and/or DBAs.
The file sqlnet.ora should only be accessible by the Oracle application account.
The following files must be accessible by Oracle DBAs only:

  • Listener.ora
  • Catalog.bsq
  • Config.ora
  • Init.ora
  • Sql.bsq

Install the ASO (Advanced Security Option).
Configure ASO to encrypt data transmission from clients to servers for sensitive data (NPI).

Implement passwords on the SQL*NET listeners.
Test all patches and upgrades before implementation. Test and patch the server in a timely manner (within 15 days of patch release).

Server hardening is as important as the security of Oracle so ensure that Oracle is installed on a suitably hardened operating system.

Only needed features/options/products should be installed. Remove anything that is not required.

The database server must be suitably protected from physical and network intrusions.

Logging
Tables should be designed to include extra fields for auditing actions taken.  This should be implemented in all new installations. Old installations (before the rollout of this policy) can be exempted from this requirement.

Enable auditing for the following events:

  • Create Table
  • Create Index
  • Drop Index
  • Alter Index
  • Drop Table
  • Audit Object
  • Noaudit Object
  • Create Database
  • Alter Database
  • Create Tablespace
  • Alter Tablespace
  • Drop Tablespace
  • Alter Session
  • Alter User
  • Alter System
  • Create User
  • Create Role
  • Drop User
  • Drop Role
  • Set Role
  • Create Schema
  • Create Control File
  • Create Trigger
  • Alter Trigger
  • Drop Trigger
  • Create Profile
  • Drop Profile
  • Alter Profile
  • Drop Procedure
  • Alter Role
  • Logon
  • Logoff
  • Logoff by Cleanup
  • System Audit
  • System Noaudit
  • Audit default
  • Noaudit default
  • System Grant
  • System Revoke
  • Grant Role
  • Revoke Role
  • Enable Trigger
  • Disable Trigger
  • Enable all Triggers
  • Disable all Triggers

  • Database Link: create/drop db link
  • Public Database Link: create/drop public db link
  • Profile: create/drop/alter profile
  • Public Synonym: create/drop public synonym
  • Role: create/alter/drop/set role
  • System Audit: audit/noaudit object/privilege/statement
  • System Grant: grant/revoke privilege/role
  • Tablespace: create/alter/drop tablespace
  • User: create/alter/drop user
  • Grant any privilege: use of “grant any privilege”

Login as sysdba
Before an insert, update or delete is executed, use a trigger to write the audit information to a table.
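
The trigger below is an added example, not part of the original standard. It shows the row-level audit pattern described above, recording who changed a row and its before and after values. The ORDERS table, its columns and the audit table are hypothetical.

```sql
-- Hypothetical application table used only for this example.
CREATE TABLE orders (
  order_id NUMBER       PRIMARY KEY,
  status   VARCHAR2(20) NOT NULL
);

-- Audit table: one row per changed ORDERS row.
CREATE TABLE orders_audit (
  changed_at  TIMESTAMP     DEFAULT SYSTIMESTAMP NOT NULL,
  db_user     VARCHAR2(30)  NOT NULL,
  os_user     VARCHAR2(255),
  client_host VARCHAR2(255),
  action      VARCHAR2(6)   NOT NULL,
  order_id    NUMBER,
  old_status  VARCHAR2(20),
  new_status  VARCHAR2(20)
);

CREATE OR REPLACE TRIGGER orders_audit_trg
BEFORE INSERT OR UPDATE OR DELETE ON orders
FOR EACH ROW
DECLARE
  v_action VARCHAR2(6);
BEGIN
  IF INSERTING THEN
    v_action := 'INSERT';
  ELSIF UPDATING THEN
    v_action := 'UPDATE';
  ELSE
    v_action := 'DELETE';
  END IF;

  -- :OLD is NULL on insert and :NEW is NULL on delete, so both are stored.
  INSERT INTO orders_audit
    (db_user, os_user, client_host, action, order_id, old_status, new_status)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'HOST'),
     v_action,
     NVL(:NEW.order_id, :OLD.order_id),
     :OLD.status,
     :NEW.status);
END;
/
```

The audit row is written in the same transaction as the change, so a rollback removes both. Application accounts should hold no UPDATE or DELETE privilege on the audit table.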

Write a trigger that logs modifications to the DBA_USERS table.

The init.ora file must be modified for data dictionary auditing to be enabled.
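
The statements below are an added example, not part of the original standard. They switch on the audit options listed above with traditional (pre-unified) Oracle auditing and then read back what is active. They assume the audit trail has already been enabled in init.ora.

```sql
-- Prerequisite in init.ora (static parameters, instance restart required):
--   audit_trail          = db     -- write audit records to the database trail
--   audit_sys_operations = true   -- also record statements run as SYSDBA

AUDIT SESSION;                -- Logon, Logoff, Logoff by Cleanup
AUDIT TABLE;                  -- Create Table, Drop Table
AUDIT INDEX;                  -- Create/Alter/Drop Index
AUDIT TRIGGER;                -- Create/Alter/Drop Trigger, enable/disable triggers
AUDIT PROCEDURE;              -- includes Drop Procedure
AUDIT DATABASE LINK;          -- create/drop db link
AUDIT PUBLIC DATABASE LINK;   -- create/drop public db link
AUDIT PROFILE;                -- create/drop/alter profile
AUDIT PUBLIC SYNONYM;         -- create/drop public synonym
AUDIT ROLE;                   -- create/alter/drop/set role
AUDIT SYSTEM AUDIT;           -- audit/noaudit statements
AUDIT SYSTEM GRANT;           -- grant/revoke privilege/role
AUDIT TABLESPACE;             -- create/alter/drop tablespace
AUDIT USER;                   -- create/alter/drop user
AUDIT ALTER SYSTEM;           -- Alter System
AUDIT GRANT ANY PRIVILEGE;    -- use of "grant any privilege"

-- Read back the active statement and privilege audit options.
SELECT audit_option, success, failure
FROM   dba_stmt_audit_opts
ORDER  BY audit_option;

SELECT privilege, success, failure
FROM   dba_priv_audit_opts
ORDER  BY privilege;

-- Review what was recorded: most recent audited actions first.
SELECT timestamp, username, os_username, userhost,
       action_name, obj_name, returncode
FROM   dba_audit_trail
ORDER  BY timestamp DESC;
```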

Exceptions under this policy must be detailed in a Risk Acceptance form approved by the System/Application Business Owner, an Executive Lines of Business representative, the IT Custodian, and the Information Security Compliance Department.

www.bestitdocuments.com