Re: Question re security

From: mohammed bhatti <mohammed.bhatti1_at_gmail.com>
Date: Thu, 16 Jan 2014 12:11:16 -0500
Message-ID: <CAPio1USkc+cwDE0G-CNGFOk5kwH-u0QO_McVxxCfVO=_iv+C=Q_at_mail.gmail.com>



I'm fairly certain that these guidelines are taken from the DISA STIG. I haven't seen a commercial version of the database STIG, but I do recall in the pre-11g DISA STIG the listener required a password to be set. Also, the listener pre-11g had to be started under its own dedicated account and not the account that owns the Oracle software. None of these is now required in the 11g STIG.

I believe the old faces, for the most part, took these guidelines from the DISA STIG and the new faces just followed what the old faces did.

What someone mentioned about having the longest list seems to hold true.

Oh yeah, don't get me started on the auditing requirements. Basically audit EVERYTHING (select/update/insert/delete, ddl, etc).

--
mohammed
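The listener settings argued over in this thread (password or no password, default or non-default port), as an added example that is not part of the original posts and not Oracle's own tooling: a small Python checker that parses a listener.ora and reports the settings a reviewer would actually look at. The file contents, host names and password hash below are constructed; the parameter names PASSWORDS_<listener>, ADMIN_RESTRICTIONS_<listener> and LOCAL_OS_AUTHENTICATION_<listener> are real listener.ora parameters. A PASSWORDS_ entry is reported as a finding rather than a control: local OS authentication (default ON) restricts lsnrctl administration to the OS account that started the listener, which is why, as noted above, the 11g STIG no longer asks for the password, and ADMIN_RESTRICTIONS_ = ON is what stops runtime reconfiguration through lsnrctl SET. The port is reported as information only, since which port the listener binds to says nothing about whether it is secured.

```python
"""Review listener.ora for the settings debated in the thread.

Added example; the sample file below is constructed, not from any real site.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: one weakly configured listener and one hardened one.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1522))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1522))
    )
  )

# Weak: deprecated listener password, runtime SET allowed, OS auth disabled.
PASSWORDS_LISTENER = 5D7A3E1F8B2C4A90
ADMIN_RESTRICTIONS_LISTENER = OFF
LOCAL_OS_AUTHENTICATION_LISTENER = OFF

LISTENER_HR =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
  )

# Hardened: no password (OS authentication stays ON by default), no runtime SET.
ADMIN_RESTRICTIONS_LISTENER_HR = ON
"""

_KEY_RE = re.compile(r"\s*([A-Za-z0-9_.]+)\s*=\s*")


def parse_listener_ora(text):
    """Return {PARAMETER_NAME: raw_value} for every top-level assignment.

    A value is either a balanced parenthesised block or the rest of the line.
    """
    text = re.sub(r"#.*", "", text)  # strip comments
    params = {}
    pos, n = 0, len(text)
    while pos < n:
        m = _KEY_RE.match(text, pos)
        if not m:
            break
        name = m.group(1).upper()
        pos = m.end()
        if pos < n and text[pos] == "(":
            start, depth = pos, 0
            while pos < n:
                if text[pos] == "(":
                    depth += 1
                elif text[pos] == ")":
                    depth -= 1
                    if depth == 0:
                        pos += 1
                        break
                pos += 1
            params[name] = text[start:pos]
        else:
            eol = text.find("\n", pos)
            eol = n if eol == -1 else eol
            params[name] = text[pos:eol].strip()
            pos = eol
    return params


@dataclass
class ListenerReport:
    name: str
    ports: list = field(default_factory=list)     # informational only
    findings: list = field(default_factory=list)  # hardening problems


def assess(params):
    """Produce one ListenerReport per listener definition found in params."""
    reports = []
    for name, value in params.items():
        # A listener definition is a parenthesised block with a PROTOCOL address.
        if not (value.startswith("(") and re.search(r"\(\s*PROTOCOL\s*=", value)):
            continue
        rep = ListenerReport(name)
        rep.ports = [int(p) for p in re.findall(r"\(\s*PORT\s*=\s*(\d+)\s*\)", value)]
        if f"PASSWORDS_{name}" in params:
            rep.findings.append(
                f"PASSWORDS_{name} is set: deprecated password authentication in use")
        if params.get(f"ADMIN_RESTRICTIONS_{name}", "OFF").upper() != "ON":
            rep.findings.append(
                f"ADMIN_RESTRICTIONS_{name} is not ON: lsnrctl SET can change config at runtime")
        if params.get(f"LOCAL_OS_AUTHENTICATION_{name}", "ON").upper() == "OFF":
            rep.findings.append(
                f"LOCAL_OS_AUTHENTICATION_{name} is OFF: administration not tied to the OS owner")
        reports.append(rep)
    return reports


if __name__ == "__main__":
    for rep in assess(parse_listener_ora(SAMPLE_LISTENER_ORA)):
        print(f"{rep.name}: ports={rep.ports}")
        for f in rep.findings:
            print(f"  FINDING: {f}")
```

Run against a real file with `parse_listener_ora(open(path).read())`; the hardened LISTENER_HR block above produces no findings, while LISTENER produces three.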


On Thu, Jan 16, 2014 at 11:35 AM, Patterson, Joel <jpatterson_at_entint.com> wrote:


> Not sure about this year, but the last few years, it was insisted to use
> a password with the listener.
>
>
>
> No amount of docs or logic prevailed.
>
>
>
> I never know what to expect. Indeed the old faces are out and are
> replaced with new faces. The new faces are now younger than the old faces…
> :)
>
>
>
> Joel Patterson
>
> Database Administrator
>
> 904 928-2790
>
>
>
> *From:* oracle-l-bounce_at_freelists.org [mailto:
> oracle-l-bounce_at_freelists.org] *On Behalf Of *bill thater
> *Sent:* Thursday, January 16, 2014 10:51 AM
> *To:* Nuno Souto
> *Cc:* Oracle L
> *Subject:* RE: Question re security
>
>
>
> I still get questions why I need privs to install Oracle software. My
> answer is "if you want it installed without privs talk to Oracle, until
> then, that's what I need". I'm not well liked ;-)
>
> sent from my Windows Phone
> Bill "shrek" thater Oracle DBA
> Shrekdba_at_Gmail.com
> "one ping to rule them all
> One ping to find them
> One ping to bring them all
> And in the mutex bind them!"
> ------------------------------
>
> *From: *Nuno Souto
> *Sent: *1/16/2014 2:42 AM
> *Cc: *Oracle L
> *Subject: *Re: Question re security
>
> On 16/01/2014 5:49 PM, david_at_databasesecurity.com wrote:
>
>
> Thanks! Good to see my opinion is shared by someone.
> The problem is when kids with no experience whatsoever of running IT sites
> are given free hand in coming up with security strategies and such.
> I mean, when a network "expert" claims a database is not secure because
> the listener is not using the usual 1521 port and does not ask for a
> password upfront, the only comment I can possibly offer is:
> "go take an Oracle 101 and a network 101 course and AFTER that, let's see
> if you still think that way".
>
>
> --
>
> Cheers
>
> Nuno Souto
>
> dbvision_at_iinet.net.au
>
>
>
>
> >Who here has database servers, app servers, admin and dev workstations,
>
> >each in its own subnet (4 subnets),
> >with firewalls between each subnet,
> >all inside the company's intranet?
>
> >I'd just like to know why and what security expectations, imperatives,
> >constraints/conditions are being addressed/resolved by such a setup?
>
> It depends on what you’re trying to protect. If it’s nuclear launch codes
> then yes – defence in depth – which this config is a typical example of –
> is the way to go. If the data is a list of recipes for cupcakes though this
> would indeed be overkill
>
> :)
>
> Cheers,
>
> David
>
>
>
>
>
> --
> *Joel Patterson*
> *Sr. Database Administrator** |* Enterprise Integration
> Phone: 904-928-2790 | Fax: 904-733-4916
> www.entint.com
>
>
> This message (and any associated files) is intended only for the use
> of the addressee and may contain information that is confidential,
> subject to copyright or constitutes a trade secret. If you are not the
> intended recipient, you are hereby notified that any dissemination,
> copying or distribution of this message, or files associated with this
> message, is strictly prohibited. If you have received this message in
> error, please notify us immediately by replying to the message and
> deleting it from your computer. Messages sent to and from us may be
> monitored. Any views or opinions presented are solely those of the
> author and do not necessarily represent those of the company. [v.1.1]
>
-- http://www.freelists.org/webpage/oracle-l
Received on Thu Jan 16 2014 - 18:11:16 CET