Security hardening of a database is an elaborate task requiring a detailed review of the environment. Some of the items which need to be investigated fall under the realm of the DBA, some under the System Admin’s and some to be addressed by the Developers. For all these, the effort starts with first becoming familiar with the known vulnerabilities, deviation from the best practices and the finally action required to eliminate or reduce the threat from the known weak links.
The majority of the items which need to be re-mediated normally are items inside the database and are handled by the DBA team. To help ensure that we have a good baseline covering common known areas which should be secured, a list has been provided below. Be aware that this list is a good baseline but cannot be considered complete and as it is dependent on the OS, Database version and features used. However still this list has a comprehensive list if items identified that one must not ignore. As always please make sure to test in a test environment before deploying to production.
Oracle Database Server Security Checklist
Lock Users not Required
In a default installation a number of users are created and some of them listed below may not be used. It would help secure if these unwanted users are locked.
|DIP||Directory Integration Platform|
|ANONOMOUS||Lock users if not being used|
|XDB||Lock users if not being used|
|ORACLE_OCM||Oracle Configuration Manager|
|APPQOSSYS||Oracle Quality of Service|
Remove Database Components & Binary Options
Here again the default install creates a number of components not all of them may be required. Oracle provides Metalink documents to remove these items. Perform this in a test environment first before deploying to production.
|OCM Desintall||Metalink Note 761313.1|
|Spatial Removal||Metalink Note 179472.1|
|Oracle Text 11gR2 Removal||Metalink Note 970473.1|
|Workspace Manager Removal||Metalink Note 731576.1|
|XML Database Deinstall||Metalink Note 1292089.1|
A new utility CHOPT is used to disable/remove binary options from the default installation.
|Automated Storage Management||Metalink Note 948061.1|
|Context Management Text||Metalink Note 948061.1|
|Oracle Data Mining||Metalink Note 948061.1|
|Database Vault||Metalink Note 948061.1|
|Oracle OLAP||Metalink Note 948061.1|
|Oracle Label Security||Metalink Note 948061.1|
|Oracle Partitioning||Metalink Note 948061.1|
|Real Application Cluster||Metalink Note 948061.1|
|Real Application Testing||Metalink Note 948061.1|
A number of powerful PROCEDURES have been opened up for use to the PUBLIC role. This is extremely dangerous and have been exploited in the past. It is best to revoke all these and if required by a specific user assigned directly to them.
|DBMS_ADVISOR||Revoke EXECUTE from PUBLIC|
|DBMS_BACKUP_RESTORE||Revoke EXECUTE from PUBLIC|
|DBMS_DEBUG||Revoke EXECUTE from PUBLIC|
|DBMS_JOB||Revoke EXECUTE from PUBLIC|
|DBMS_LOB||Revoke EXECUTE from PUBLIC|
|DBMS_METADATA||Revoke EXECUTE from PUBLIC|
|DBMS_OBFUSCATION_TOOLKIT||Revoke EXECUTE from PUBLIC|
|DBMS_RANDOM||Revoke EXECUTE from PUBLIC|
|DBMS_SCHEDULER||Revoke EXECUTE from PUBLIC|
|DBMS_SQL||Revoke EXECUTE from PUBLIC|
|DBMS_SYS_SQL||Revoke EXECUTE from PUBLIC|
|UTL_FILE||Revoke EXECUTE from PUBLIC|
|UTL_HTTP||Revoke EXECUTE from PUBLIC|
|UTL_SMTP||Revoke EXECUTE from PUBLIC|
|UTL_TCP||Revoke EXECUTE from PUBLIC|
Set User Profiles
Set a USER PROFILE for ALL users. First create a profile as a DEFAULT profile and then create one for the Application Users, DBA’s, Application Support/Deployment, etc.. Ensure hat all Profiles have a FAILED_LOGIN_ATTEMPTS, PASSWORD_LIFE_TIME and PASSWORD_VERIFY_FUNCTION resource limit.
To be able to identify any abnormal activity or a breach it is important to know with surety what unauthorized action was actually done. For this STANDARD and ADVANCED auditing should be implemented. Here are some minimum settings to be able to collect information on unauthorized access of data so that action can be taken.
|AUDIT_TRAIL||Set to either DB or XML wIth EXTENDED|
|AUDIT_FILE_DEST|| Use mount$hostname/
|AUDIT_SYS_OPERATIONS||Set to TRUE|
Ensure that the host OS, Grid Home and the RDBMS software are all on latest version with the appropriate up to date patches applied.
|Grid||Metalink Note 854428.1|
|RDBMS||Metalink Note 1454618.1|
|GoldenGate||Metalink Note 811293.1|
During the Software installation phase, node addition or removal you need to be able to execute certain Oracle files as root. Instead of giving direct access as a root user, the DBA should be given SUDO privileges for these commands. Further, the SUDO privileges should only be given when it is actually required and the SUDO remove after the use.
|$GRID_HOME/root.sh||Sudo for GRID Software install|
|$GRID_HOME/rootupgrade.sh||Sudo for GRID Software install|
|$GRID_HOME/install/utl/rootinstall.sh||Sudo for GRID Software install|
|$GRID_HOME/crs/install/rootcrs.pl||Sudo for GRID Software install|
|$GRID_HOME/crs/utl/rootdelete.sh||Sudo for GRID Software install|
|$GRID_HOME/crs/utl/rootdeinstall.sh||Sudo for GRID Software install|
|$GRID_HOME/crs/utl/rootdeletenode.sh||Sudo for GRID Software install|
|$GRID_HOME/crs/utl/rootaddnode.sh||Sudo for GRID Software install|
|$GRID_HOME/bin/crsctl||Sudo for GRID Software install|
|$GRID_HOME/bin/ocrconfig||Sudo for GRID Software install|
|$GRID_HOME/bin/ocrcheck||Sudo for GRID Software install|
|$GRID_HOME/bin/ocrdump||Sudo for GRID Software install|
|$GRID_HOME/bin/srvctl||Sudo for GRID Software install|
|$GRID_HOME/bin/vipca||Sudo for GRID Software install|
|$GRID_HOME/bin/netca||Sudo for GRID Software install|
|$ORACLE_HOME/root.sh||Sudo for RDBMS software install|
|$ORACLE_HOME/install/utl/rootinstall.sh||Sudo for RDBMS software install|
|$ORACLE_HOME/bin/srvctl||Sudo for GRID Software install|