Re: Has Anyone implemented the ISACA-Recommended privileges on $ORACLE_HOME (revoke world-read)

From: Mladen Gogala <no_at_email.here.invalid>
Date: Wed, 16 Mar 2011 23:13:17 +0000 (UTC)
Message-ID: <pan.2011.03.16.23.13.17_at_email.here.invalid>



On Wed, 16 Mar 2011 11:12:30 -0700, byrocat wrote:

> Our database security standard specifies the privileges that are
> supposed to be in place (750 or less on all files and subdirectories
> under $ORACLE_HOME except for $ORACLE_HOME/bin and sub-directories and
> files which have 755 or less).
>
> Turns out that no one installed a new copy of Oracle until just recently
> and then found that the tools installed (SQLPlus) don't work.
>
> I've found an ISACA book called "Oracle Database Security, Audit and
> Control Features" which recommended that the world-read privilege be
> revoked for everything under $ORACLE_HOME. Chart 7.2 lays out the files
> and directories and the specific privileges for each. This chart is used
> in a lot of documents, here's one:
> http://www.isacanashville.org/files/presentations/Oracle-Database-Security-Update.pdf
> Slide 25 is the one with the chart.
>
> Has anyone followed this recommendation and what has happened to your
> server and databases?

Those recommendations are pretty much default. There is nothing unusual there. Some recommendations are just plain silly, for instance the recommendation for $ORACLE_HOME/rdbms/log. As of version 10g, the only real thing happening there is expdp/impdp. The DBA that would allow users to start export into the $ORACLE_HOME directory tree would deserve to be executed in public by being forced to watch movies with Nicolas Cage or the "Twilight Saga".

-- 
http://mgogala.byethost5.com
Received on Wed Mar 16 2011 - 18:13:17 CDT
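
An added example, not part of the original messages or the ISACA chart: a read-only shell audit of the rule quoted in the question (750 or less under $ORACLE_HOME, 755 or less under bin), so the current state can be listed before any chmod is attempted. It assumes "or less" means no rwx bit outside the limit and skips symlinks and setuid/setgid/sticky bits; `audit_oracle_home` and `make_sample_home` are hypothetical names and the sample tree is constructed.

```shell
#!/bin/sh
# Read-only audit of the permission rule quoted in the thread:
#   $ORACLE_HOME/bin and everything below it: 755 or less
#   everything else under $ORACLE_HOME:       750 or less
# Assumption: "or less" = no rwx bit set outside the limit. Nothing is changed.

audit_oracle_home() {
    home=${1:?usage: audit_oracle_home DIR}
    home=${home%/}
    [ -d "$home" ] || { echo "not a directory: $home" >&2; return 2; }
    findings=$(
        # Outside bin: bits beyond 0750 are group-write or any "other" bit.
        find "$home" -path "$home/bin" -prune -o \
            ! -path "$home" ! -type l \
            \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -print | sed 's/^/over-750 /'
        # bin subtree: bits beyond 0755 are group-write or other-write.
        if [ -d "$home/bin" ]; then
            find "$home/bin" ! -type l \( -perm -020 -o -perm -002 \) \
                -print | sed 's/^/over-755 /'
        fi
    )
    [ -z "$findings" ] && return 0      # tree complies with the rule
    printf '%s\n' "$findings"           # one line per offending path
    return 1
}

# Constructed sample tree for trying the audit; not a real Oracle install.
make_sample_home() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/rdbms/log" "$d/network/admin"
    : > "$d/bin/sqlplus"; : > "$d/bin/helper"
    : > "$d/network/admin/tnsnames.ora"; : > "$d/rdbms/log/x.log"
    chmod 750 "$d" "$d/rdbms" "$d/rdbms/log" "$d/network" "$d/network/admin"
    chmod 755 "$d/bin" "$d/bin/sqlplus"
    chmod 775 "$d/bin/helper"                  # group-write: over 755
    chmod 644 "$d/network/admin/tnsnames.ora"  # world-read: over 750
    chmod 640 "$d/rdbms/log/x.log"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh "$ORACLE_HOME"   (exit status 1 means findings were listed)
if [ $# -gt 0 ]; then audit_oracle_home "$1"; fi
```
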
