Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


Re: Security audit of Oracle databases

From: Don Granaman <granaman_at_cox.net>
Date: Thu, 14 Apr 2005 04:48:38 -0700
Message-ID: <005201c540e7$e6000070$6401a8c0@dilbert>


Disclaimer: Any statements below are entirely my own personal opinion, not the opinion or policy of CIS or any other entity.

I was heavily involved in the development of the initial 8i/9i benchmark - and, as a core member of the CIS Oracle team, have been following and occasionally advising on the development of the just released 9i/10g benchmark. I have not been nearly as active in the latter (too little experience with 10g and too little time). The decision was made early on that the 8i material would be relegated to an 8i-specific document and that the new document and tool would cover only 9i and 10g (since 8i is now "desupported"). The currently available scoring tool is based on the 8i/9i document, but will soon be replaced (supplemented?) with a 9i/10g scoring tool.

There are some things about the CIS benchmark and scoring tool that might not be trivially obvious. Be sure to read the "fine print". For example, it scores on a scale of 0-10. However, the checked items are not weighted by severity in the scoring tool. It simply assigns an equal value to everything it checks. Some things are crucial and some things are near-trivial. Local policy exceptions may exist, but are not accounted for in the score (other than by disclaimer). Thus a "high" absolute score is not really the goal. A "low" score may be perfectly acceptable in your environment. The real goal is to identify potential issues. Anything that the tool finds should be addressed - either by knowing why it really isn't an issue for you, by knowing why the security trade-off was made, by exceptions for local policy or by "fixing" the weakness.

Anyone who goes through the benchmark document (or scoring tool output) in detail will certainly have some level of disagreement with at least a few of the items (I did). Feedback is not just welcome, but strongly encouraged - as stated on the CIS site.

It was indeed "put together by NSA and military types" along with myself, some other governmental organizations, an Oracle technical representative (largely to research and clarify issues that could not be easily resolved or thoroughly tested otherwise - it is not "marketing-driven") and a few others. DOE (the Department of Energy) was one of the main driving forces. However, it is intended to be generally applicable. The most security-conscious organizations (e.g. NSA) have their own addendum that is specific to the organization (and usually not available to the public).

Note also that both the benchmark and the scoring tool are designed for "inside-out" auditing, not for "outside-in" penetration testing. For example, some mention is given to SQL injection in the benchmark, but no potentially disruptive or destructive tests are performed. The tool looks at the system from a DBA's perspective (so requires privileged access to the database server) and generates report output, but changes nothing. The benchmark document is largely generic, with noted platform-specific inclusions for a few platforms. The 8i/9i scoring tool has Windows, Linux and Sparc Solaris versions.

PS: The auditors WILL find some things "wrong". Be prepared to address them...

-Don Granaman (OraSaurus)

>
> The center for internet security produced a security benchmark with a
> scoring tool for 8i. They have not finished the 9i and 10g software,
> however. This is put together by NSA and military types, among other
> volunteers. I did a little of the early 8i work, but was quickly left
> in the dust.
>
> http://www.cisecurity.org/bench_oracle.html
>
>
>
>
> On Mon, Apr 11, 2005 at 08:49:08AM -0400, Paula_Stankus_at_doh.state.fl.us wrote:
> > Guys,
> >
> > I have a friend who is going to go through a security audit from an
> > outside 3rd party. He would like to verify his security before they
> > come. Does anyone know of any security opensource software for checking
> > integrity of Oracle databases or scripts?
> >
> > Thanks,
> > Paula
> > --
> > http://www.freelists.org/webpage/oracle-l
>
> --
> ============================================================
> Ray Stell stellr_at_vt.edu (540) 231-4109 Tempus fugit 28^D
> --
> http://www.freelists.org/webpage/oracle-l
>

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Apr 14 2005 - 05:51:09 CDT
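A small model of the scoring behaviour Don describes in the message above (0-10 scale, every check weighted equally, local-policy exceptions not reflected in the score), as an added example that is not part of the original post or of the CIS benchmark or scoring tool. The check names, severities, results and dispositions below are constructed; the severity-weighted figure is a contrast added here, not something the CIS tool computes.

```python
# Added example, not part of the mailing-list post or of the CIS scoring tool.
# It models only the scoring behaviour described in the post: a 0-10 scale,
# every check counted equally, and documented exceptions not changing the score.
# All check names, severities, results and dispositions are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str             # illustrative name, not a CIS benchmark item
    passed: bool
    severity: int          # 1 = near-trivial ... 3 = crucial; ignored by the CIS-style score
    disposition: str = ""  # "not an issue here" / accepted trade-off / local-policy
                           # exception / fix planned; "" means nobody has looked at it


def cis_style_score(findings):
    """Equal-weight 0-10 score as described: passed checks / all checks * 10.
    A recorded disposition does not raise the score (exceptions appear only as a disclaimer)."""
    if not findings:
        raise ValueError("no findings to score")
    passed = sum(1 for f in findings if f.passed)
    return round(10 * passed / len(findings), 1)


def severity_weighted_score(findings):
    """Contrast only (not how the CIS tool scores): weight each check by severity
    and treat a failed check with a documented disposition as addressed."""
    total = sum(f.severity for f in findings)
    addressed = sum(f.severity for f in findings if f.passed or f.disposition)
    return round(10 * addressed / total, 1)


def unaddressed(findings):
    """Failed checks with no recorded disposition, most severe first.
    This list, not the score, is what should be empty before the auditors arrive."""
    open_items = [f for f in findings if not f.passed and not f.disposition]
    return [f.check for f in sorted(open_items, key=lambda f: -f.severity)]


def summarize(findings):
    return {
        "cis_style_score": cis_style_score(findings),
        "severity_weighted_score": severity_weighted_score(findings),
        "unaddressed": unaddressed(findings),
    }


# Constructed run A: nine near-trivial passes and one crucial failure nobody has reviewed.
# Scores 9.0 on the equal-weight scale, yet the crucial item is still open.
RUN_A = [Finding(f"trivial_{i}", True, 1) for i in range(9)] + [
    Finding("crucial_unreviewed", False, 3),
]

# Constructed run B: four failures, each with a recorded reason.
# Scores only 6.0 on the equal-weight scale, but nothing is left unaddressed.
RUN_B = [Finding(f"check_{i}", True, 2) for i in range(6)] + [
    Finding("minor_a", False, 1, "local-policy exception, documented in change ticket"),
    Finding("minor_b", False, 1, "not applicable: feature not installed"),
    Finding("mid_c", False, 2, "accepted trade-off: legacy app, compensating control in place"),
    Finding("mid_d", False, 2, "fix scheduled, owner assigned"),
]


if __name__ == "__main__":
    for name, run in (("run A", RUN_A), ("run B", RUN_B)):
        print(name, summarize(run))
```

Run A is the case the post warns about: a "high" absolute score that hides a crucial open item. Run B is the "low" score that is perfectly acceptable because every finding has a disposition. The unaddressed list is the output worth acting on; the score is only a headline.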

