Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Looking for Security book

From: Pete Finnigan <pete_at_peterfinnigan.demon.co.uk>
Date: Thu, 13 Feb 2003 23:11:17 +0000
Message-ID: <WgRNLjBVYCT+Ew4+@peterfinnigan.demon.co.uk>


Hi Paul

Some comments inline.

>Pete,
>
>it is impossible to secure the filesystem.

Yes, I agree wholeheartedly. I meant to say Unix is easier to secure than NT, not that either file system can be secured completely for Oracle. The sentence implied wrongly though.. :-(

>once a user gains local administrator, or an account in the local
>administrator's group, they can take ownership or grant filesystem
>permissions on files to which they previously did not have access
>rights. All that one can hope to do is to generate alerts (not in the
>local event logs) that would be tracked in the event of such
>filesystem (or local user group, e.g. ORA_DBA) permissions being
>granted.

Yes I talk about logging and syslog in action 1.9.2 in the book and also the use of tools like swatch and logcheck.

>
>If local administrator can be gained, the battle is certainly lost.
>At least if the box does not participate in a domain, that limits the
>number of members of the Domain Admins group that can cause damage,
>such as the deletion of online redo log group members. (it happened
>today).
>
>Testing backups is important, though.
>

The first point I make in the backups section!

>
>here's a couple of additions/corrections:
>
>a user logging in as a member of the local group users should also
>have access to (as read/execute)
>
>%ORACLE_HOME%\
> network\
> admin*
> mesg*
> oracore\mesg
> ocommon\nls\mesg
> rdbms\mesg*
> sqlplus\mesg
> sysman\mesg
>
>
>* mandatory.
>the others seemed like a good idea, based upon other error messages.
>
>now, the easy way to accomplish this is to just assign
>read/browse/execute at the level of %ORACLE_BIN%\ (and all
>subfolders).
>This exposes read/exec on \rdbms\admin. Based upon the tone of the
>rest of the book, I would expect that you would find this as not being
>a good idea.

You are correct, I suggest that \rdbms\admin is protected properly in action 1.2.3, but in some instances this would be over the top. The book tries to cater for differing levels of security, from good common sense for all production systems to securing for top secret and nailing down as much as possible. It's horses for courses.
>
>not wanting to cause anyone that followed this thread to give up,
>based upon an error message or 2 ...
>
>Paul

Thanks for the update to your info, Paul.

kind regards

Pete

-- 
Pete Finnigan

Email : pete_at_peterfinnigan.demon.co.uk
Email : pete_at_petefinnigan.com

Web site: http://www.petefinnigan.com

Independent consultant specialising in Oracle security. Pete Finnigan is the author of the recently published book about Oracle security from the SANS Institute "Oracle security Step-by-step (A survival guide for Oracle security)" - see http://store.sans.org for details.

Some recently published articles include:

http://online.securityfocus.com/infocus/1644 - "SQL injection and Oracle - part one"

http://online.securityfocus.com/infocus/1646 - "SQL injection and Oracle - part two"
Received on Thu Feb 13 2003 - 17:11:17 CST
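The permission layout Paul describes above, as an added audit script that is not part of the thread or of Pete's book: it checks that the local Users group has Read & Execute on the ORACLE_HOME subfolders Paul lists, and flags rdbms\admin if a blanket grant at the root has left it readable. Assumptions: ORACLE_HOME is set in the environment, the principal is BUILTIN\Users, and Paul's indented list is read as network\admin and network\mesg under the network folder.

```powershell
# Added example, not code from the thread or the book. Audits NTFS ACLs on the
# ORACLE_HOME subfolders Paul lists as needing Read & Execute for local Users,
# and flags rdbms\admin if a blanket grant at the root has made it readable.
param(
    [string]$OracleHome = $env:ORACLE_HOME,   # assumption: ORACLE_HOME is set
    [string]$Principal  = 'BUILTIN\Users'     # assumption: the local Users group
)

# Paul's list; the layout is read here as network\admin and network\mesg
# under the network folder (assumption).
$RequireReadExec = @(
    'network\admin', 'network\mesg', 'oracore\mesg', 'ocommon\nls\mesg',
    'rdbms\mesg', 'sqlplus\mesg', 'sysman\mesg'
)
# Folder that read/exec granted at the ORACLE_HOME root would expose
$MustNotExpose = @('rdbms\admin')

function Test-PrincipalReadExec {
    # True if the Allow ACEs naming $Principal on $Path add up to ReadAndExecute.
    # Deny ACEs, Everyone/Authenticated Users and generic rights are not resolved,
    # so this is a first-pass check, not an effective-access calculation.
    param([string]$Path)
    $needed  = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $granted = 0
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $Principal -and
            $ace.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$ace.FileSystemRights
        }
    }
    return (($granted -band $needed) -eq $needed)
}

foreach ($rel in $RequireReadExec) {
    $p = Join-Path $OracleHome $rel
    if (-not (Test-Path $p)) { Write-Output ("MISSING  {0}" -f $p); continue }
    $status = if (Test-PrincipalReadExec -Path $p) { 'OK' } else { 'NOREAD' }
    Write-Output ("{0,-8} {1}" -f $status, $p)
}
foreach ($rel in $MustNotExpose) {
    $p = Join-Path $OracleHome $rel
    if (Test-Path $p) {
        $status = if (Test-PrincipalReadExec -Path $p) { 'EXPOSED' } else { 'OK' }
        Write-Output ("{0,-8} {1}" -f $status, $p)
    }
}
```

A NOREAD line means the Oracle error-message lookups Paul mentions may fail for ordinary users; an EXPOSED line means rdbms\admin inherits the broad grant and needs its own ACL as in action 1.2.3.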

