
Re: Looking for Security book

From: Pete Finnigan <pete_at_peterfinnigan.demon.co.uk>
Date: Sun, 16 Feb 2003 22:09:32 +0000
Message-ID: <2yUlfCBcwAU+Ewln@peterfinnigan.demon.co.uk>


Hi Paul,

Sorry for the delay in replying to this thread. Some comments in-line.

In article <1ac7c7b3.0302132240.18129d37_at_posting.google.com>, Paul Drake <drak0nian_at_yahoo.com> writes
>Pete Finnigan <pete_at_peterfinnigan.demon.co.uk> wrote in message
>news:<WgRNLjBVYCT+Ew4+@peterfinnigan.demon.co.uk>...
>
>Pete,
>
>I'd be interested in if you tested some of the recommendations
>supplied by the SANS text "securing windows 2000". The notion of
>developing a single "security template" for deploying across numerous
>w2k servers (running oracle in particular) seems like quite a good
>idea.

The other SANS step-by-step guides are recommended in the Oracle step-by-step. These guides have been tested by a lot of people as part of the consensus process for each guide and are the summation of many many people's security experience.

>It reminds me of the 'Bastille Linux project', whereby after
>installing RH Linux (6.2 was the last time I used it) one could harden
>the operating system very effectively by running a single script.
>The release of a good sample security template in an open source
>fashion might help to secure a large number of servers, relative to the
>circulation of either SANS text, the Oracle Security step-by-step or
>securing windows 2000 servers. Calling attention to it certainly
>wouldn't hurt.
>

This has already been done by the Centre For Internet Security (CIS); see www.cisecurity.org. They have provided benchmark documents for a few O/S's and applications (the Oracle benchmark is in development now). Windows 2k is available in level 1 and 2. You can download these "benchmark" documents that detail a defined security standard for the particular system being secured. Each also has a benchmark tool available that, when run, "scores" the installation against the benchmark standard, i.e. it finds non-compliances. CIS has as one of its founder members the SANS Institute. CIS is mentioned on the back cover of the Oracle security step-by-step book.

>If one actually purchases the W2K Server Resource kit, a tool like
>TripWire wouldn't even be required, as files and filesystems can be
>examined by a single command. These are things that were put in place
>long before security being a supposed top priority for MS. It's just a
>matter of raising awareness of security tools that are relatively easy
>to use and available on the Server CDROM. They just don't get used in
>a default installation.
>
>Paul

Thanks again for the reply.

kind regards

Pete

-- 
Pete Finnigan

Email : pete_at_peterfinnigan.demon.co.uk
Email : pete_at_petefinnigan.com

Web site: http://www.petefinnigan.com

Independent consultant specialising in Oracle security. Pete Finnigan is the 
author of the recently published book about Oracle security from the SANS 
Institute "Oracle security Step-by-step (A survival guide for Oracle security)" 
- see http://store.sans.org for details.

Some recently published articles include:

http://online.securityfocus.com/infocus/1644 - "SQL injection and Oracle - part 
one"

http://online.securityfocus.com/infocus/1646 - "SQL injection and Oracle - part 
two"
Received on Sun Feb 16 2003 - 16:09:32 CST
