Sign in or 
Share this
Database Security
Topics that should be written here:
- Security risks with oracle database
- How to secure the database
- The first things to do after a new database is created
- Secured ways to authenticate
- Oracle Internet Directory
- Oracle Auditing
- 3rd party tools that can help (Like: Imperva, IPLocks etc...)
- Bad and good experiences with database security...
Some basic tips to build a more secure database:
Links to Security Documents:
Hackproofing Oracle Application Server
http://www.ngssoftware.com/papers/hpoas.pdf
Securing Oracle9iAS 1.0.2.x
http://www.oracle.com/technology/deploy/security/oracle9iAS/pdf/securingias.pdf
CIS Oracle Benchmark Security Configuration for Oracle 8i
https://www.infosec.uga.edu/policymanagement/documents/Center_for_Internet_Security_Tools/CIS_Oracle_Benchmark_v1.2.pdf
CIS Oracle Benchmark Security Configuration for Oracle 9i/10g
https://www.infosec.uga.edu/policymanagement/documents/Center_for_Internet_Security_Tools/CIS_Oracle_Benchmark_v2.0.pdf
Securing Oracle Network Traffic
http://www.dbspecialists.com/presentations/net8_security.html
Conducting a Security Audit of an Oracle Database
http://www.giac.org/certified_professionals/practicals/gsec/1730.php
See Security Technology Center on OTN Website
See Critical Patch Updates | Subscribe
- Security risks with oracle database
- How to secure the database
- The first things to do after a new database is created
- Secured ways to authenticate
- Oracle Internet Directory
- Oracle Auditing
- 3rd party tools that can help (Like: Imperva, IPLocks etc...)
- Bad and good experiences with database security...
Some basic tips to build a more secure database:
- Only install what you need
- Delete any demos or administration documentation from your production servers
- Turn on audits and run reports at least weekly on bad passwords, bad usernames, and multiple usernames from the same IP address
- Store your audits in the DB, not the OS
- Wrap or encrypt any plain text code, usernames, passwords, or other sensitive data
- Install patches in a timely manner, for both the OS and and DB
- Use a firewall
- Turn on Valid_Node_Checking
- Do hot backups daily (a dump file if nothing else)
- Do full cold backups weekly if possible and monthly at a minimum
- Keep a VM of your DB for emergency recoveries
Links to Security Documents:
Hackproofing Oracle Application Server
http://www.ngssoftware.com/papers/hpoas.pdf
Securing Oracle9iAS 1.0.2.x
http://www.oracle.com/technology/deploy/security/oracle9iAS/pdf/securingias.pdf
CIS Oracle Benchmark Security Configuration for Oracle 8i
https://www.infosec.uga.edu/policymanagement/documents/Center_for_Internet_Security_Tools/CIS_Oracle_Benchmark_v1.2.pdf
CIS Oracle Benchmark Security Configuration for Oracle 9i/10g
https://www.infosec.uga.edu/policymanagement/documents/Center_for_Internet_Security_Tools/CIS_Oracle_Benchmark_v2.0.pdf
Securing Oracle Network Traffic
http://www.dbspecialists.com/presentations/net8_security.html
Conducting a Security Audit of an Oracle Database
http://www.giac.org/certified_professionals/practicals/gsec/1730.php
Oracle Database Audit Program
http://64.233.169.104/search?q=cache:2f7dOxeWvLEJ:www.auditnet.org/docs/Oracle%2520Database%2520Audit%2520Program.doc+Oracle+Database+Audit+Program.doc&hl=en&ct=clnk&cd=1&gl=us&lr=lang_en
http://64.233.169.104/search?q=cache:2f7dOxeWvLEJ:www.auditnet.org/docs/Oracle%2520Database%2520Audit%2520Program.doc+Oracle+Database+Audit+Program.doc&hl=en&ct=clnk&cd=1&gl=us&lr=lang_en
Security Readiness Review Evaluation Scripts:
See Critical Patch Updates | Subscribe
Ruudboy |
Latest page update: made by Ruudboy
, Nov 22 2007, 7:41 AM EST
(about this update
About This Update
Removed a line which had nothing to do with security
- Ruudboy
5 words deleted view changes - complete history) |
|
More Info: links to this page
|
| Started By | Thread Subject | Replies | Last Post | ||
|---|---|---|---|---|---|
| normanjd | Links to Oracle Security Docs | 0 | Nov 19 2007, 3:14 PM EST by normanjd | ||
|
Thread started: Nov 19 2007, 3:14 PM EST
Watch
In looking around for information on locking down Oracle products, I have the these two documents of great help on the Oracle 9i and Oracle 9iAS platforms:
Hackproofing Oracle Application Server http://www.ngssoftware.com/papers/hpoas.pdf Securing Oracle9iAS 1.0.2.x http://www.oracle.com/technology/deploy/security/oracle9iAS/pdf/securingias.pdf What documents (and their links) have other found useful? I personally am looking for any information on Oracle 8i and above.. |
||||
| wgblack3 | Oracle 0-day to get SYSDBA access | 0 | Nov 13 2007, 1:13 PM EST by wgblack3 | ||
|
Thread started: Nov 13 2007, 1:13 PM EST
Watch
Will Oracle release a patch for this?
Tanel Poder has found a way to get SYSDBA access to the Oracle database by utilising a user who has the BECOME USER system privilege, execute privileges on KUPP$PROC.CHANGE_USER and CREATE SESSION. he shows how a user with these privileges can become SYS (but not SYSDBA) and then use an immediate debug event to cause a debugger to flip the SYSDBA bit in the PGA to set a dedicated server session to an SYSDBA one, from there the user can do anything else. The user needs to have these privileges so its not an open and shut case but serious in that a privilege escalation is still possible. Tanels post is here http://blog.tanelpoder.com/2007/11/10/oracle-security-all-your-dbas-are-sysdbas-and-can-have-full-os-access/ and my blog entry / analysis is here - http://www.petefinnigan.com/weblog/archives/00001126.htm
4
out of
6 found this valuable.
Do you?
Keyword tags:
authentication
Hardening
Security
SYSDBA
|
||||
Showing 2 of 2 threads for this page
