Monday, March 18, 2013

Security, Checklists, Recommendations - Part 4

Dear Readers,

My name is Franz Devantier, creator of this blog.  I am an Oracle Certified Professional (OCP DBA 11g) Security DBA.  I will be sharing with you the basic duties of an Oracle DBA, and also some of the undocumented, and not so well known tasks. 

Security, Checklists, Recommendations  -  Part 4
Secure Installation and Configuration Checklist
Security and protection of corporate data and assets is of critical importance, to every business or government institution.  Establishing a secure configuration for a database is definitely a very good defence against attempted security breaches.   The Industry has a set of best security practices for database deployments.  Here is a brief overview of these security best practices for implementing an Oracle Database.

·         Install only those components of the oracle database server that you need:  You can achieve this by running a custom installation, in which you can select the products and options that you would like to install.  Don’t install anything that you don’t need.  If a typical installation was run, then you can remove those products and options that you don’t require afterwards.
·         Lock and expire default user accounts:  The Oracle database typically installs with a whole list of default database server user accounts.  Most of these accounts are automatically locked and expired.  It will be a good exercise to do an audit on this afterwards, to see if there are any additional accounts that you can lock and expire.  Make sure that the SYS and SYSTEM passwords are not “change_on_install”, and “manager”.  DBCA, and Universal installer will prompt you for passwords for the power users, and will not permit these passwords.

You can also lock the SYS and SYSTEM users, and log in using the “AS SYSDBA” for administrator credentials.  You should specify administrative passwords individually.  “AS SYSDBA” tracks the operating system user name, and so accountability can be maintained in this way.  If you only need access to startup and shutdown the database, then you can use SYSOPER, because SYSOPER has fewer administrative privileges than SYSDBA, but still has enough to do a startup, shutdown, mount, backup, archive, and recover.

During a manual installation in which database configuration assistant (DBCA) is not used, all the default database users remain unlocked.  This will allow them to gain access to the data and disrupt database operations.  After a manual installation you should lock and expire all the default database users, except for SYS, SYSTEM, and DBSNMP.  A database administrator can unlock an account and activate it with a new password if required.
·         Change default user passwords:  The easiest way to breach security is to logon with a default user, that still has the default password assigned to it.  To fix this:
o   Change the default passwords of administrative users immediately after installing the database server.  Assign stroing secure passwords to the SYS and SYSTeM user accounts.  Also remember to change the password for SYSMAN and DBSNMP
o   Change the default passwords of all users immediately after installation.  Lock and expire all default accounts after installation.  If any default account is later activated, then change its default password to a new secure password.
o   Enforce password management.  You can apply basic password management rules like password length, history, and complexity to all user passwords.  You can also oblige users to change their passwords on a regular basis, for example every four or eight weeks.  You can implement these requirements in the default profile.  If you are using network authentication services such as Kerberos, token cards, smart cards, or X.509 certificates; then these services provide a strong user authentication and enable better protection from unauthorized access.
·         Enable data dictionary protection: Users with the “ANY” system privilege must be prevented from using it on the data dictionary.  By default the initialization parameter “07_DICTIONARY_ACCESSIBILITY” is set to FALSE.  This setting prevents using the “ANY” privilege on the data dictionary.  Privileged administrative or DBA users will of course still have the “ANY” privileges on the data dictionary.
·         Practice the principal of least privilege:
o   Only grant the needed privileges, to perform the necessary jobs efficiently
o   Restrict the number of system and object privileges granted to database users
o   Restrict the number of SYS-privileged connections to the database.  Minimal amount of “ANY” privileges granted
o   Revoke unnecessary privileges and roles from PUBLIC.  Careful of this one, because a user with minimal privileges can still make use of whatever is granted to PUBLIC
o   Restrict permissions on run-time facilities.  Make sure that only the permissions for the root paths for such facilities are granted.  You need to tighten up the “UTIL-FILE_DIR” initialization parameter
·         Enforce access controls effectively: Keep the initialization parameter at its default setting which is:  REMOTE_OS_AUTHENTICATION=FALSE.  When it is set to true, it is easier for the administrator to manage the database, but it opens up the database to all the users who want to connect.
·         Restrict Operating System Access: 
o   Limit the number of operating system users
o   Limit the privileges of the operating system accounts to the least powerful privileges required for each user
o   Don’t allow the default permissions to be altered on the Oracle Database Home directory, even by powerful administrators, including the “Oracle” user.
o   Restrict the use of symbolic links.  Make sure that all parts of the directory that it links to, are owned by the DBA, or a trusted account such as root.
·         Restrict Network Access
·         Apply all security patches and workarounds:  Plug all the security holes, as soon as they have been identified.  Apply the latest security patches for the OS and the database.  On a regular basis check the Oracle Technology Network for details on security alerts, that have been released by Oracle Corporation: http://www.oracle.com/technetwork/topics/security/alerts-086861.html   Also check on https://support.oracle.com for details of available and upcoming security-related patches.
·         Oracle Security products:  If you believe that you have found a security vulnerability in the Oracle Database Server, then you can either submit an “iTAR”, or email them a complete description of the problem or security hole.  The description should include:  Product version, the platform, exploit scripts that you have developed, and examples etc.  You can send this information to: secalert_us@oracle.com

Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com

Income stabilizer (win-win opportunity)
Join the carefully selected and tested cash-flow generating program below to potentially create a long-term residual or annuity type income enhancer for yourself.

Traffic Wave - Free Report:  The report will give you all the information you need to start making a nice long-term residual income stream for yourself.


Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)