Oracle FAQ Your Portal to the Oracle Knowledge Grid
Newsgroup: c.d.o.server

Re: Project lockdown - opinion solicitation

From: EdStevens <quetico_man_at_yahoo.com>
Date: Mon, 27 Aug 2007 17:48:03 -0700
Message-ID: <1188262083.116073.270150@r34g2000hsd.googlegroups.com>


On Aug 27, 5:04 pm, hpuxrac <johnbhur..._at_sbcglobal.net> wrote:
> On Aug 27, 8:41 am, EdStevens <quetico_..._at_yahoo.com> wrote:
>
> > On Aug 26, 1:01 pm, hpuxrac <johnbhur..._at_sbcglobal.net> wrote:
>
> > > On Aug 24, 1:31 pm, EdStevens <quetico_..._at_yahoo.com> wrote:
>
> > > > On advice last week, I have downloaded the "Project Lockdown" document
> > > > and begun reviewing it. I get a very uneasy feeling about his
> > > > suggestion to remove the SUID bit from the Oracle executables.
> > > > Searching through this ng I find a lot of issues stemming from not
> > > > leaving the file permissions just as they are created when following
> > > > installation instructions to the letter.
>
> > > > It seems to me this could cause a lot of nagging problems. It also
> > > > seems that if your ORACLE_HOME is on a box where issuance of os user
> > > > accounts is limited to DBAs and SAs the ability to exploit the SUID
> > > > would be extremely limited.
>
> > > > Am I missing something?
>
> > > Never heard of project lockdown.
>
> > > The SUID bit really mostly comes into play for oracle client type
> > > installs.
>
> > > It's not a bad idea at all to have multiple oracle installs on a given
> > > server and have the oracle server software not be used at all by
> > > people needing client functionality.
>
> > > Talk to your auditors and request an audit of the oracle environment.
> > > Let them give some guidance and flavor those recommendations with your
> > > oracle expertise.
>
> > > Rinse and repeat.
>
> > This document (from Oracle, BTW) goes far beyond our written security
> > requirements. I really don't have access to our auditors (they are
> > very much higher in the organization and only come for a site visit
> > every few years). I've never met an auditor in any organization who
> > understood the first thing about Oracle. They all 'manage by magazine
> > article.'
>
> Any attempts that are made to work on improving the database security
> area without the involvement of IT management and the auditors are
> questionable to me. If you work at a public company and the auditors
> aren't involved with the database area that seems very strange.
>
> I took a brief look at the "Project Lockdown" day 1 activities. Very
> quickly you see this item ...
>
> The content provided here is for instructional purposes only and is
> not validated by Oracle; use it at your own risk! Under no
> circumstances should you consider it to be part of a consulting or
> services offering.
>
> So it's not an oracle project by any means.
>
> There are certainly some good and valid points but anything in this
> area must be approached carefully.
>
> What is the impact for example on the throughput of batch jobs if they
> can't make bequeath connections? Wonder if Cary Millsap ever had
> anything written up in this area (kidding of course; look at his first
> case study in Chapter 12). Are there other potential problems?
> Hmmm. Should all the batch jobs be owned by oracle or the dba or
> oinstall groups? Does that cause other issues like the ability to
> change data files being used for batch processing that are going in
> and back to oracle? Hmmm.
>
> That's just some of my thoughts on the question regarding the SUID bit
> recommendations. Arup did a credible job writing up what he did but
> there are other things that fall out from any set of recommendations.
>
> Whatever anyone does with a strategy in this area make sure it is
> carefully and completely exercised on low impact test systems.
>
> Perhaps one thing that everyone should at least consider is asking
> your management if "we" could bring in oracle consulting for
> security-related work.

Thanks for your comments.

"Arup did a credible job writing up what he did but there are other things that fall out from any set of recommendations."

Exactly why I was soliciting further input. I want to proceed VERY carefully.

As for working with the auditors, I'm not even sure we have "auditors" in the classical corporate sense. I do know it is explicitly part of my job description to advise management on database security issues.

Received on Mon Aug 27 2007 - 19:48:03 CDT
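The recommendation the whole thread turns on is a single permission change on $ORACLE_HOME/bin/oracle, so it helps to see exactly what it touches. The script below is an added example, not code from the thread or from Project Lockdown: it inventories every set-id file under an ORACLE_HOME, converts ls's symbolic mode to octal so a before/after can be checked on any Unix, and applies the "remove the SUID bit" step to the oracle binary. It runs on a constructed directory tree, so no Oracle installation is needed; the file names it creates and the usual 6751 install mode of the oracle binary are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Project Lockdown: inventory the
# set-id files under an ORACLE_HOME and show what "remove the SUID bit from
# the oracle executable" actually changes. Everything below works on a
# constructed directory tree, so no Oracle installation is needed; the file
# names and the 6751 install mode of $ORACLE_HOME/bin/oracle are assumptions.

# make_fake_home DIR: build a minimal ORACLE_HOME/bin with the modes an
# out-of-the-box install is assumed to have. Files are owned by whoever runs
# this, not by "oracle", so ownership in the listing is illustrative only.
make_fake_home() {
    mkdir -p "$1/bin"
    for f in oracle sqlplus tnslsnr oradism; do
        printf '#!/bin/sh\nexit 0\n' > "$1/bin/$f"
    done
    chmod 6751 "$1/bin/oracle"   # -rwsr-s--x: setuid+setgid, as installed (assumed)
    chmod 0751 "$1/bin/sqlplus"  # client tools: no set-id bits
    chmod 0751 "$1/bin/tnslsnr"
    chmod 4750 "$1/bin/oradism"  # second set-id file so the inventory has more than one hit (constructed)
}

# mode_of FILE: permission bits as four octal digits (e.g. 6751), computed from
# the symbolic mode column of ls -l so it works on GNU and BSD userlands alike
# (stat's flags differ between the two).
mode_of() {
    ls -ld "$1" | awk '{
        m = $1; perm = 0; special = 0
        for (i = 2; i <= 10; i++) {
            c = substr(m, i, 1)
            # lowercase s/t: the special bit AND the execute bit are set;
            # uppercase S/T: the special bit is set without execute
            if (c == "r" || c == "w" || c == "x" || c == "s" || c == "t")
                perm += 2 ^ (10 - i)
            if (i == 4 && (c == "s" || c == "S")) special += 4   # setuid
            if (i == 7 && (c == "s" || c == "S")) special += 2   # setgid
            if (i == 10 && (c == "t" || c == "T")) special += 1  # sticky
        }
        printf "%d%03o\n", special, perm
    }'
}

# list_setid DIR: "<symbolic mode> <owner> <group> <path>" for every regular
# file under DIR with setuid or setgid set, sorted by path. Run this against a
# real home before changing anything; it is the list the recommendation touches.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; \
        | awk '{ print $1, $3, $4, $NF }' | sort -k4
}

# count_setid DIR: number of set-id files under DIR.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# drop_setid FILE: the Project Lockdown step itself. Only the set-id bits go;
# rwx for owner/group/other stay as they were (6751 becomes 0751). With the
# bits gone, a local process running as any OS user other than the software
# owner no longer gets an oracle-owned server process on a bequeath connect
# and has to go through the listener instead, which is the batch-job concern
# raised in the thread.
drop_setid() {
    chmod u-s,g-s "$1"
}

# Stand-alone demo on the constructed tree.
demo_home=$(mktemp -d)
make_fake_home "$demo_home"
echo "before:"; list_setid "$demo_home"
drop_setid "$demo_home/bin/oracle"
echo "after:";  list_setid "$demo_home"
echo "oracle binary is now mode $(mode_of "$demo_home/bin/oracle")"
rm -rf "$demo_home"
```

Against a real installation, `list_setid "$ORACLE_HOME"` is the inventory to take first: it shows every binary the recommendation would change, not just oracle. The point made in the thread still holds; with the oracle binary at 0751 the only local OS user that can still bequeath-connect is the software owner, so exercise the change on a low-impact system, with the batch jobs, before going anywhere near production.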
