Oracle FAQ Your Portal to the Oracle Knowledge Grid
Newsgroup: c.d.o.server

Re: Project lockdown - opinion solicitation

From: DA Morgan <damorgan_at_psoug.org>
Date: Tue, 04 Sep 2007 11:34:46 -0700
Message-ID: <1188930879.984720@bubbleator.drizzle.com>


EdStevens wrote:

> On Aug 27, 5:04 pm, hpuxrac <johnbhur..._at_sbcglobal.net> wrote:

>> On Aug 27, 8:41 am, EdStevens <quetico_..._at_yahoo.com> wrote:
>>
>>> On Aug 26, 1:01 pm, hpuxrac <johnbhur..._at_sbcglobal.net> wrote:
>>>> On Aug 24, 1:31 pm, EdStevens <quetico_..._at_yahoo.com> wrote:
>>>>> On advice last week, I have downloaded the "Project Lockdown" document
>>>>> and begun reviewing it. I get a very uneasy feeling about his
>>>>> suggestion to remove the SUID bit from the Oracle executables.
>>>>> Searching through this ng I find a lot of issues stemming from not
>>>>> leaving the file permissions just as they are created when following
>>>>> installation instructions to the letter.
>>>>> It seems to me this could cause a lot of nagging problems. It also
>>>>> seems that if your ORACLE_HOME is on a box where issuance of os user
>>>>> accounts is limited to DBAs and SAs the ability to exploit the SUID
>>>>> would be extremely limited.
>>>>> Am I missing something?
>>>> Never heard of project lockdown.
>>>> The SUID bit really mostly comes into play for oracle client type
>>>> installs.
>>>> It's not a bad idea at all to have multiple oracle installs on a given
>>>> server and have the oracle server software not to be used at all by
>>>> people needing client functionality.
>>>> Talk to your auditors and request an audit of the oracle environment.
>>>> Let them give some guidance and flavor those recommendations with your
>>>> oracle expertise.
>>>> Rinse and repeat.
>>> This document (from Oracle , BTW) goes far beyond our written security
>>> requirements. I really don't have access to our auditors (they are
>>> very much higher in the organization and only come for a site visit
>>> every few years. I've never met an auditor in any organization who
>>> understood the first thing about Oracle. They all 'manage by magazine
>>> article.'
>> Any attempts that are made to work on improving the database security
>> area without the involvement of IT management and the auditors are
>> questionable to me. If you work at a public company and the auditors
>> aren't involved with the database area that seems very strange.
>>
>> I took a brief look at the "Project Lockdown" day 1 activities. Very
>> quickly you see this item ...
>>
>> The content provided here is for instructional purposes only and is
>> not validated by Oracle; use it at your own risk! Under no
>> circumstances should you consider it to be part of a consulting or
>> services offering.
>>
>> So it's not an oracle project by any means.
>>
>> There are certainly some good and valid points but anything in this
>> area must be approached carefully.
>>
>> What is the impact for example on the throughput of batch jobs if they
>> can't make bequeath connections? Wonder if Cary Millsap ever had
>> anything written up in this area ( kidding of course look at his first
>> case study in Chapter 12 ). Are there other potential problems?
>> Hmmm. Should all the batch jobs be owned by oracle or the dba or
>> oinstall groups? Does that cause other issues like the ability to
>> change data files being used for batch processing that are going in
>> and back to oracle? Hmmm.
>>
>> That's just some of my thoughts on the question regarding the SUID bit
>> recommendations. Arup did a credible job writing up what he did but
>> there are other things that fall out from any set of recommendations.
>>
>> Whatever anyone does with a strategy in this area make sure it is
>> carefully and completely exercised on low impact test systems.
>>
>> Perhaps one thing that everything should at least consider is asking
>> your management if "we" could bring in oracle consulting for security
>> related work.
> 
> Thanks for your comments.
> 
> "Arup did a credible job writing up what he did but there are other
> things that fall out from any set of recommendations."
> 
> Exactly why I was soliciting further input.  I want to proceed VERY
> carefully.
> 
> As for working with the auditors, I'm not even sure we have "auditors"
> in the classical corporate sense.  I do know it is explicitly part of
> my job description to advise management on database security issues.

I have worked with auditors, both internal and external, and the one thing I can say with confidence is that the vast majority of them are totally ignorant of databases. Many, if not most, work off cheat sheets that tell them what to do.

One recent, and poignant, example was an auditor who marked off a company for not having any batch processes. It isn't easy to breathe when you are laughing that hard inside and trying not to embarrass the poor guy.

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org
Received on Tue Sep 04 2007 - 13:34:46 CDT
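The thread debates whether to follow Project Lockdown's advice and strip the SUID bit from the Oracle executables. Before touching anything, a practitioner would want an inventory of which files under the ORACLE_HOME actually carry setuid or setgid, who owns them, and what a strip would change; the setuid bit on bin/oracle is what lets an OS user other than oracle make a bequeath (listener-less) connection, which is the batch-throughput question raised above. The script below is an added example, not code from the thread or from Project Lockdown. It builds a constructed stand-in for $ORACLE_HOME/bin in a temp directory; the 6751 mode on bin/oracle reflects what the Oracle installer normally sets, but treat that and the sample file names as assumptions and compare against your own install.

```shell
#!/bin/sh
# Added example (not from the thread): inventory setuid/setgid files under an
# ORACLE_HOME, then show what removing those bits would change.
# The sample tree is constructed here; modes and names are assumptions.

# List every regular file under $1 carrying setuid (4000) or setgid (2000).
# Output: "mode owner group path", one line per file, sorted by path.
find_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort -k4
}

# Number of such files as a plain integer (avoids wc's leading blanks).
count_special_bits() {
    find_special_bits "$1" | awk 'END { print NR }'
}

# Remove setuid and setgid from every file find_special_bits reports.
# Exercise this on a low-impact test system first: once bin/oracle loses
# setuid, OS users outside the oracle account lose bequeath connections.
strip_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} \;
}

# Constructed stand-in for $ORACLE_HOME/bin; prints the temp directory path.
build_sample_home() {
    home=$(mktemp -d)
    mkdir -p "$home/bin"
    for f in oracle sqlplus helper; do
        printf '#!/bin/sh\nexit 0\n' > "$home/bin/$f"
    done
    chmod 6751 "$home/bin/oracle"    # rwsr-s--x: installer default (assumed)
    chmod 0751 "$home/bin/sqlplus"   # ordinary client binary, no special bits
    chmod 4750 "$home/bin/helper"    # setuid only; constructed for illustration
    echo "$home"
}

# Stand-alone run: `sh this.sh --demo` prints the inventory before and after.
if [ "${1:-}" = "--demo" ]; then
    demo_home=$(build_sample_home)
    echo "before:"; find_special_bits "$demo_home"
    strip_special_bits "$demo_home"
    echo "after: $(count_special_bits "$demo_home") file(s) with setuid/setgid"
    rm -rf "$demo_home"
fi
```

Run find_special_bits against a real ORACLE_HOME first and keep the output; it is the record an auditor or Oracle consultant will ask for, and it is what you diff against after any change to confirm that only the intended files lost their bits.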
