Re: Has Anyone implemented the ISACA-Recommended privileges on $ORACLE_HOME (revoke world-read)
Date: Wed, 16 Mar 2011 17:24:26 -0700 (PDT)
On Mar 16, 7:13 pm, Mladen Gogala <n..._at_email.here.invalid> wrote:
> On Wed, 16 Mar 2011 11:12:30 -0700, byrocat wrote:
> > Our database security standard specifies the privileges that are
> > supposed to be in place (750 or less on all files and subdirectories
> > under $ORACLE_HOME except for $ORACLE_HOME/bin and sub-directories and
> > files which has 755 or less).
> > Turns out that no one installed a new copy or Oracle until just recently
> > and then found that the tools installed (SQLPlus) don't work).
> > I've found an ISACA book called "Oracle Database Security, Audit and
> > Control Features" which recommended that the world-read privilege be
> > revoked for everything under $ORACLE_HOME). Char 7.2 lays out the files
> > and directories and the specific privileges for each. This chart is used
> > in a lot of documents, here's one:
> > Slide 25 is the one with the cahrt.
> > Has anyone followed this recommendation and what has happened to your
> > server and databases?
> Those recommendations are pretty much default. There is nothing unusual
> there. Some recommendations are just plain silly, for instance the
> recommendation for $ORACLE_HOME/rdbms/log. As of the version 10g, the
> only real thing happening there is expdp/impdp. The DBA that would allow
> users to start export into the $ORACLE_HOME directory tree would deserve
> to be executed in public by being forced to watch movies with Nicholas
> Cage or the "Twilight Saga".
Most of those security sites recommend things that just do not make any sense. (mostly they recommend Security through obscurity). Like using a non-default port for the listener. Why? a descent portscanner will find it in about a millisecond anyway. Take care of your security within your databases. Use strong passwords Remember, however, that prior to 11gR2, passwords were not case-sensitive. You could enter them case-sensitive but, it really didn't use it casesensitive. This will freak out most security folks.
SQL> create user me identified by "Letmein" account unlock;
SQL> grant connect to me;
SQL> connect me/letmein
SQL> connect me/"Letmein"
SQL> connect me/"LETMEIN"
SQL> connect me/"LETmeIN"
IMO, Things like expdp/impdp should be left to the DBA staff. There are too many ways a user could really mess things up with this access. Don't give users login access to the database servers. Ensure the application(s) handle the things necessary to maintain security. If necessary use OLS (Oracle Label Services) to keep people from seeing too much. etc, etc, etc...
One... CISSP. Received on Wed Mar 16 2011 - 19:24:26 CDT