
Oracle 11g and RAC Database Security 1


tekpr00 (IS-IT--Management), Jan 22, 2008, CA
Hello all,

I am being asked to come up with best practices for Database Security.
Our environment is Oracle Database 11g on AIX.
We also have a RAC environment.
Lastly we have a MS SQL Server on windows NT.

1) I suggested we take an audit of default passwords (scott as an example) and make sure the accounts are locked or the default passwords are changed. Question: does anyone know a script or process that can extract all other default accounts in the database?

2) Also, would anyone have an Oracle security user group that I can join for up-to-date methods/measures in the database world?

3) Has anyone heard of this group - Data Management Institute (please advise if I should join their security sub group)?

Thanks for your input as always.
 
Hi,

11g -- Check which users have a default password set. Suggest changing accordingly.
SQL> select * from dba_users_with_defpwd;

SECURITY
Ensure remote OS authentication is disabled
Setting the REMOTE_OS_AUTHENT parameter to True forces Oracle to accept a client operating system user name received over a non-secure connection and use it for account access.

• Set REMOTE_OS_AUTHENT to FALSE

Ensure data dictionary protection is enabled
Setting O7_DICTIONARY_ACCESSIBILITY to TRUE allows users with ANY system privileges to access the data dictionary. As a result, these user accounts can be exploited to gain unauthorized access to data. Instead the data dictionary should be protected such that only those authorized users making DBA-privileged connections can use the ANY system privilege to access the data dictionary.

• Set O7_DICTIONARY_ACCESSIBILITY to FALSE. If a user needs view access to the data dictionary, then it is permissible to grant that user the SELECT ANY DICTIONARY system privilege.

Ensure database trace files are not readable
The _TRACE_FILES_PUBLIC parameter indicates whether or not debugging trace files generated by Oracle in the directory specified by the USER_DUMP_DEST parameter are readable to everyone. Access to these debugging trace files should be restricted in order to prevent exposing sensitive information regarding the database as well as the applications running on it.

• Set _TRACE_FILES_PUBLIC to FALSE.

Ensure remote OS roles are disabled
The REMOTE_OS_ROLES parameter specifies whether operating system roles are allowed for remote clients. If users connect to the database over Oracle Net, and their roles are not authenticated by Oracle, the remote user could impersonate another operating system user over a network connection. Allowing users to remotely authenticate is a bad security practice in itself. Adding the ability to assume operating system roles for these accounts makes the situation even more insecure.

• Set REMOTE_OS_ROLES to FALSE

Ensure sessions for users who connect as SYS are fully audited
The AUDIT_SYS_OPERATIONS parameter enables or disables the auditing of operations issued by user SYS, and users connecting with SYSDBA or SYSOPER privileges. Since these are highly privileged users, auditing can be especially important.

• Set AUDIT_SYS_OPERATIONS to TRUE



Sy UK
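As an added example (not code from the thread, from Sy UK, or from Oracle), here is one SQL*Plus script that turns the reply's checklist into a single audit run: it lists accounts that still carry a default password together with their lock status (which also answers the original poster's question 1), and compares the named initialization parameters against the values the reply recommends. It assumes the connecting user can read the DBA_* views and V$PARAMETER; the last query assumes a SYS connection, because _TRACE_FILES_PUBLIC is a hidden parameter that V$PARAMETER does not show.

```sql
-- Added example, not from the thread. Run as a DBA in SQL*Plus on 11g.
SET LINESIZE 200 PAGESIZE 100
COLUMN username       FORMAT A30
COLUMN account_status FORMAT A20
COLUMN name           FORMAT A32
COLUMN value          FORMAT A12
COLUMN finding        FORMAT A45

-- 1. Accounts still on their default password, with their lock status.
--    An OPEN account in this list should be locked or given a new password.
SELECT d.username,
       u.account_status,
       CASE WHEN u.account_status LIKE 'OPEN%'
            THEN 'DEFAULT PASSWORD, ACCOUNT OPEN'
            ELSE 'default password, account not open' END AS finding
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
ORDER  BY u.account_status, d.username;

-- 2. Initialization parameters from the reply, compared with the expected
--    value. Anything reported NON-COMPLIANT needs
--    ALTER SYSTEM SET <name> = <value> SCOPE = SPFILE and a restart,
--    since none of these parameters is dynamic.
WITH expected AS (
  SELECT 'remote_os_authent'           AS name, 'FALSE' AS expected_value FROM dual UNION ALL
  SELECT 'remote_os_roles'             AS name, 'FALSE' AS expected_value FROM dual UNION ALL
  SELECT 'O7_DICTIONARY_ACCESSIBILITY' AS name, 'FALSE' AS expected_value FROM dual UNION ALL
  SELECT 'audit_sys_operations'        AS name, 'TRUE'  AS expected_value FROM dual
)
SELECT e.name,
       NVL(p.value, '(not set)') AS value,
       CASE WHEN UPPER(p.value) = e.expected_value THEN 'ok'
            ELSE 'NON-COMPLIANT: expected ' || e.expected_value END AS finding
FROM   expected e
       LEFT JOIN v$parameter p ON LOWER(p.name) = LOWER(e.name)
ORDER  BY e.name;

-- 3. _TRACE_FILES_PUBLIC is a hidden (underscore) parameter and is absent
--    from V$PARAMETER; as SYS it can be read from the X$ fixed tables.
--    The value should be FALSE.
SELECT i.ksppinm  AS name,
       v.ksppstvl AS value
FROM   x$ksppi  i
       JOIN x$ksppcv v ON v.indx = i.indx
WHERE  i.ksppinm = '_trace_files_public';
```

The parameter names are compared case-insensitively because O7_DICTIONARY_ACCESSIBILITY is stored in upper case in V$PARAMETER while the others are lower case. On a RAC system run the parameter checks against GV$PARAMETER (adding INST_ID to the output) so that an instance with a divergent local setting is not missed.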