c.d.o.server: Re: Looking for Security book
Hi Paul,
Sorry for the delay in replying to this thread. Some comments in-line.
In article <1ac7c7b3.0302132240.18129d37_at_posting.google.com>, Paul Drake
<drak0nian_at_yahoo.com> writes
>Pete Finnigan <pete_at_peterfinnigan.demon.co.uk> wrote in message
>news:<WgRNLjBVYCT+Ew4+@peterfinnigan.demon.co.uk>...
>
>Pete,
>
>I'd be interested in whether you tested some of the recommendations
>supplied by the SANS text "Securing Windows 2000". The notion of
>developing a single "security template" for deploying across numerous
>W2K servers (running Oracle in particular) seems like quite a good
>idea.
The other SANS step-by-step guides are recommended in the Oracle step-by-step. These guides have been tested by a lot of people as part of the consensus process for each guide and are the summation of many, many people's security experience.
>It reminds me of the 'Bastille Linux project', whereby after
>installing RH Linux (6.2 was the last time I used it) one could harden
>the operating system very effectively by running a single script.
>The release of a good sample security template in an open source
>fashion might help to secure a large number of servers, relative to the
>circulation of either SANS text, the Oracle Security step-by-step or
>Securing Windows 2000 Servers. Calling attention to it certainly
>wouldn't hurt.
>
This has already been done by the Center for Internet Security (CIS), see www.cisecurity.org. They have provided benchmark documents for a few O/S's and applications (the Oracle benchmark is in development now); Windows 2000 is available at levels 1 and 2. You can download these "benchmark" documents, which detail a defined security standard for the particular system being secured. Each also has a benchmark tool available that, when run, "scores" the installation against the benchmark standard, i.e. it finds non-compliances. CIS has as one of its founder members the SANS Institute. CIS is mentioned on the back cover of the Oracle security step-by-step book.
>If one actually purchases the W2K Server Resource Kit, a tool like
>TripWire wouldn't even be required, as files and filesystems can be
>examined by a single command. These are things that were put in place
>long before security was supposedly a top priority for MS. It's just a
>matter of raising awareness of security tools that are relatively easy
>to use and available on the Server CD-ROM. They just don't get used in
>a default installation.
>
>Paul
Thanks again for the reply.
Kind regards
Pete
--
Pete Finnigan
Email : pete_at_peterfinnigan.demon.co.uk
Email : pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com
Independent consultant specialising in Oracle security.
Pete Finnigan is the author of the recently published book about Oracle security from the SANS Institute, "Oracle Security Step-by-step (A survival guide for Oracle security)" - see http://store.sans.org for details.
Some recently published articles include:
http://online.securityfocus.com/infocus/1644 - "SQL injection and Oracle - part one"
http://online.securityfocus.com/infocus/1646 - "SQL injection and Oracle - part two"
Received on Sun Feb 16 2003 - 16:09:32 CST
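As an added illustration (not the CIS tool and not code from either poster), here is a minimal scorer of the kind Pete describes: a list of levelled checks is run against a snapshot of host settings and the result is a compliance percentage plus the list of non-compliances. The check names and thresholds are constructed to look like Windows 2000 template settings; they are not the real benchmark values.

```python
"""Minimal CIS-style benchmark scorer (constructed example, not the CIS tool)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Check:
    id: str
    level: int                        # 1 = prudent baseline, 2 = stricter settings
    setting: str                      # key looked up in the host snapshot
    compliant: Callable[[Any], bool]  # predicate on the observed value
    remediation: str


# Constructed sample checks; names mimic security-template settings but the
# thresholds are illustrative only and do not come from any real benchmark.
CHECKS: List[Check] = [
    Check("1.1", 1, "MinimumPasswordLength", lambda v: v >= 8, "set to 8 or more"),
    Check("1.2", 1, "GuestAccountEnabled", lambda v: v is False, "disable Guest"),
    Check("1.3", 1, "LmCompatibilityLevel", lambda v: v >= 2, "refuse LM responses"),
    Check("2.1", 2, "AuditLogonEvents", lambda v: v == "SuccessFailure", "audit both"),
    Check("2.2", 2, "RestrictAnonymous", lambda v: v >= 1, "restrict anonymous enum"),
]


def score(snapshot: Dict[str, Any], checks: List[Check] = CHECKS,
          max_level: int = 2) -> Tuple[float, List[Tuple[str, int, str, Any, str]]]:
    """Score a host snapshot against every check at or below max_level.

    A missing setting, or one whose value makes the predicate fail (or raise),
    is recorded as a non-compliance. Returns (percent_passed, findings).
    """
    applicable = [c for c in checks if c.level <= max_level]
    findings = []
    for c in applicable:
        value = snapshot.get(c.setting)
        try:
            ok = value is not None and bool(c.compliant(value))
        except (TypeError, ValueError):
            ok = False                # unexpected type counts as non-compliant
        if not ok:
            findings.append((c.id, c.level, c.setting, value, c.remediation))
    passed = len(applicable) - len(findings)
    pct = round(100.0 * passed / len(applicable), 1) if applicable else 100.0
    return pct, findings


# Constructed snapshot of one host; RestrictAnonymous is deliberately absent.
SAMPLE_HOST = {"MinimumPasswordLength": 6, "GuestAccountEnabled": False,
               "LmCompatibilityLevel": 2, "AuditLogonEvents": "Success"}

if __name__ == "__main__":
    for level in (1, 2):
        pct, findings = score(SAMPLE_HOST, max_level=level)
        print(f"level {level}: {pct}% compliant")
        for f in findings:
            print("  FAIL", *f)
```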