Re: Has Anyone implemented the ISACA-Recommended privileges on $ORACLE_HOME (revoke world-read)

From: onedbguru <onedbguru_at_yahoo.com>
Date: Wed, 16 Mar 2011 17:39:48 -0700 (PDT)
Message-ID: <d21f9664-1853-4850-b678-600381880fbf_at_v16g2000vbq.googlegroups.com>
On Mar 16, 7:13 pm, Mladen Gogala <n..._at_email.here.invalid> wrote:
> On Wed, 16 Mar 2011 11:12:30 -0700, byrocat wrote:
> > Our database security standard specifies the privileges that are
> > supposed to be in place (750 or less on all files and subdirectories
> > under $ORACLE_HOME except for $ORACLE_HOME/bin and its sub-directories and
> > files, which have 755 or less).
>
> > Turns out that no one installed a new copy of Oracle until just recently
> > and then found that the tools installed (SQLPlus) don't work.
>
> > I've found an ISACA book called "Oracle Database Security, Audit and
> > Control Features" which recommended that the world-read privilege be
> > revoked for everything under $ORACLE_HOME. Chart 7.2 lays out the files
> > and directories and the specific privileges for each. This chart is used
> > in a lot of documents, here's one:
> > http://www.isacanashville.org/files/presentations/Oracle-Database-Security-Update.pdf
> > Slide 25 is the one with the chart.
>
> > Has anyone followed this recommendation and what has happened to your
> > server and databases?
>
> Those recommendations are pretty much default. There is nothing unusual
> there. Some recommendations are just plain silly, for instance the
> recommendation for $ORACLE_HOME/rdbms/log. As of the version 10g, the
> only real thing happening there is expdp/impdp. The DBA that would allow
> users to start export into the $ORACLE_HOME directory tree would deserve
> to be executed in public by being forced to watch movies with Nicholas
> Cage or the "Twilight Saga".
>
> -- http://mgogala.byethost5.com

I certainly hope that the company that commissioned this report didn't pay a lot - most of the stuff is out of date by many years. (The copyright on it is 2009.)

Received on Wed Mar 16 2011 - 19:39:48 CDT
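As an added example (not code from the thread or from ISACA), here is a read-only shell audit of an ORACLE_HOME tree against the limits byrocat quotes: at most 750 everywhere except $ORACLE_HOME/bin, where at most 755 applies. It assumes GNU find's `-perm /MODE` syntax, skips symlinks, and only reports; it changes no modes, since the thread itself notes that tightening blindly broke SQL*Plus.

```shell
#!/bin/sh
# Constructed audit helper (assumption: GNU find, which accepts -perm /MODE).
# Reports every regular file or directory whose mode exceeds the standard:
#   outside bin : any world bit or group-write set  (octal mask 027) exceeds 750
#   under bin   : group-write or world-write set    (octal mask 022) exceeds 755
# Symlinks are skipped because lstat reports them as 777 and the target is
# checked on its own. Output: "<limit>: <path>" per offender; returns 1 if any,
# 0 if the tree is clean, 2 on usage error. Nothing is modified.
audit_oracle_home() {
    home=${1%/}                      # drop a trailing slash so -path matches
    if [ -z "$home" ] || [ ! -d "$home" ]; then
        echo "usage: audit_oracle_home /path/to/ORACLE_HOME" >&2
        return 2
    fi
    violations=$(
        # prune bin here so it is judged against its own, looser limit below
        find "$home" \( -path "$home/bin" -prune \) -o ! -type l -perm /027 -print \
            | sed 's|^|750-limit: |'
        if [ -d "$home/bin" ]; then
            find "$home/bin" ! -type l -perm /022 -print | sed 's|^|755-limit: |'
        fi
    )
    if [ -z "$violations" ]; then
        return 0
    fi
    printf '%s\n' "$violations"
    return 1
}

# Run directly as: sh audit.sh "$ORACLE_HOME"
if [ $# -gt 0 ]; then
    audit_oracle_home "$1"
fi
```

Run it before and after any chmod sweep to see exactly which paths fall outside the 750/755 limits; the list is what you compare against the ISACA chart rather than applying it wholesale.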
