LCZ-ORACLE-SS 1.2 16 May 2009 This document specifies technical security policy for implementations of Oracle and applies to Oracle implementations 8.0 and above. 1.2 16 May 2009 FOD Revised for re-release 1.1 01 June 2004 LCZ Corrected Control Errors 1.0 12 March 2003 LCZ Initial Version for public release 2001200220032009 Frank O'Dwyer To specify a baseline configuration for implementations of <trademark>Oracle</trademark> RDBMS To provide guidance to administators, developers and security personnel in securely implementing <trademark>Oracle</trademark> Database Management System. Controls specified in this document apply to Oracle implementations 8.0 and above. All of the organisation's Oracle implementations will be subject to the policies specified within this security standard. The policies will be applied to new and existing installations. Compliance with this standard will not provide in depth security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from your Information Security team consultancy function. This is a specific standard for Oracle RDBMS 8.0 and above. Other Oracle products are sujbected to separate standards. Compliance with this standard does not negate the need for an overall security review of a proposed application. Contact the Information Security team if you are in doubt. An Information Asset equates to any computerised information system or component thereof and thus includes an application, off the shelf software, hardware, media, data item, data item repository and associated communications networks. The specification of the Information Asset in question will usually be given so that this document is unambiguous. User profile names on the database should be consistent with their other login names Are user profile names on the database consistent with their other login names? Define security administration procedures that result in consistent usernaming Inconsistent user profile names may result in user ids not being removed when a user transfers or leaves These unauthorised accounts may be used to compromised the system Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Accounts belonging to personnel who have a fixed period of employment should be set up with expiration dates Are accounts belonging to personnel who have fixed periods of employments set up with account expiration dates? During the account request process obtain account expiration information. Set up the account with an expiration date Redundant accounts are often targeted for compromise Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Scripted modificatons to users should use up to date commands Do scripted modificatons to users, use up to date commands? Identify scripts that modify database users Ensure that "alter user" is used instead of older commands Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Database administrators should perform periodic user account audits to ensure access granted is still required. Do database administrators perform periodic user account audits to ensure access granted is still required? Produce a list of user profiles who have access to the DBMS Check that the level of access these accounts have with the application owner Remove any accounts no longer required Modify any account access that is no longer appropriate Redundant accounts can be targeted to gain unauthorised access Redundant access rights can be used to perform unauthorised actions Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The default password for the demo account should be changed Has the default password for the demo account been changed? Change the default password for the demo account following installation Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The default password for the dbsnmp account should be changed Has the default password for the dbsnmp account been changed? Change the default password for the dbsnmp account following installation Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The default password for the scott account should be changed Has the default password for the scott account been changed? Change the default password for the scott account following installation Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The default password for the p08 account should be changed Has the default password for the p08 account been changed? Change the default password for the p08 account following installation Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The default password for the sys account should be changed Has the default password for the system account been changed? Change the default password for the system account following installation Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The default password for the sys account should be changed Has the default password for the sys account been changed? Change the default password for the sys account following installation Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The scott account should be deleted if possible Has the scott account been deleted? If possible delete the scott following installation. Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Users with a requirement for a single role should be denied the ability to execute the set role command Are users with a requirement for a single role denied the ability to execute the set role command? Deny users access to the DBMS command prompt Access to the CLI can be used to subvert the application security controls Access to the CLI can be used to subvert the database security controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Access to the operating system command line interface should be denied from users where possible. Is access to the operating system command line interface denied from users where possible? Use the product_profile table to block the host command Access to the CLI can be used to subvert the application security controls Access to the CLI can be used to subvert the database security controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Password protected roles should be implemented. Are password protected roles implemented? Password protect roles on the database Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Views should be used to enforce access restrictions to tables. Are views used to enforce access restrictions to tables? Define the data access requirement each role needs to have for the database Define views according to these role access requirements Inconsistent access control allows application restrictions to be bypassed Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Users must not be assigned any default Oracle roles Are users assigned any default Oracle roles? Remove any default roles from the Oracle users Assign the users appropriate created roles Ensure the created roles only have CREATE SESSION privilege Default roles may provide unintended access to the database Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. For live database apps do not use the connect or resource roles For live database apps are the connect or resource roles used? Do not assign the connect or resource roles to any users Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Applications should be developed with password protected roles without hard-coding the role password or disclosing the role password to the users Are applications developed with password protected roles, without hard-coding the role password or disclosing the role password to the users? Password protect roles on the database Do not hard code the password into the application Do not disclose the role password to the users Make the role a default role for the user Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Database views should be defined that map to database roles Have database views been defined that map to database roles? Use the management interface to define roles Use the privilege management interface to define database views that map to the roles Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The CREATE privilege should not be granted to any application. Has the CREATE privilege been granted to any application? Ensure that applications are not granted the CREATE privilege. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The DROP privilege should not be granted to any application. Has the DROP privilege been granted to any application? Ensure that applications are not granted the DROP privilege. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The DBA role must be granted to Database Administrators alone Has the DBA role been granted to Database Administrators alone? Ensure that the only holders of the DBA role are Database Administrators Unauthorised unrestricted privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The UNLIMITED TABLESPACE privilege should not be granted to any application. Has the UNLIMITED TABLESPACE privilege been granted to any application? Ensure that applications are not granted the UNLIMITED TABLESPACE privilege. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The EXECUTE ANY PROCEDURE privilege should not be granted to any application. Has the EXECUTE ANY PROCEDURE privilege been granted to any application? Ensure that applications are not granted the EXECUTE ANY PROCEDURE privilege. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. If the scott account exists, it should have the CONNECT privilege only If the scott account exists, does it have the CONNECT privilege only? If the scott account exists, remove all privileges except CONNECT Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Privileges should be assigned to roles and not directly to users Have all privileges been assigned to roles and not directly to users? Use the privilege management interface to define roles Use the privilege management interface to assign users to roles Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The ALTER privilege should not be granted to any application. Has the ALTER privilege been granted to any application? Ensure that applications are not granted the ALTER privilege. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The BECOME USER privilege should not be granted to any application. Has the BECOME USER privilege been granted to any application? Ensure that applications are not granted the BECOME USER privilege. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The GRANT ANY PRIVILEGE/ROLE privilege should not be granted to any application. Has the GRANT ANY PRIVILEGE/ROLE privilege been granted to any application? Ensure that applications are not granted the GRANT ANY PRIVILEGE/ROLE privilege. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The p08 account should have the DBA role revoked Does the p08 account have the DBA role revoked? If the p08 exists, remove the DBA role. Unauthorised privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The number of concurrent sessions per user should be restricted to 1 s the sessions per user value set to 1? The system resource profile settings should be configured such that the sessions per user value is restricted to 1 Reduces the risk of account sharing Reduces the risk of compromised accounts going unnoticed Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The Password resuse max value should be set to 12 passwords to prevent the reuse of the previous 12 passwords used by an account holder s the Password reuse max value set to 12 passwords? The system resource profile settings should be configured such that the password reuse max value is set to 12 passwords. Reuse of passwords extends the effective password lifetime The greater the password lifetime the greater the risk of compromise The greater the password lifetime the greater the period within which a compromised password can be used Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Password lifetime should be set to 30 days Is the password lifetime set to 30 days? The system resource profile settings should be configured such that the password lifetime is set to 30 days. Long password lifetimes increases the opportunity for password exposure Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Account logins should timeout and disconnect after 30 minutes of inactivity Do account logins timeout and disconnect after 30 minutes of inactivity? The system resource profile settings should be configured to to timeout and disconnect account logins after 30 minutes of user inactivity Accounts logged in but inactive may be subject to unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Password grace time should be set to 0 days Is the password grace time set to 0 days? The system resource profile settings should be configured such that the password grace time is set to 0 days The password lifetime exists to enforce password change to limit the period of exposure that may exist should a password be compromised Password grace time extends the effective password lifetime and thus the period of time for potential exposure Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Password lock time should be set to maximum possible time s the Password lock time set to the maximum possible value? The system resource profile settings should be configured such that the password lock time is set to the maximum possible value. Allowing potentially successful attempts to log in to an account after the login failure limit has been reached increases the likelihood of the account becoming compromised. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. User accounts must not be set such that the user cannot change their password Are user accounts set such that the user can change their password? Select change password at next logon for the account in question Account passwords may be compromised Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. User account passwords must contain at least one numeric character Do accounts have a password minimum length of 6 characters? The password management system must be enabled The password complexity function must be set to ensure a minimum of 1 numeric character in the password Increasing password complexity makes passwords harder to guess Easily guessed passwords may result in compromise of accounts Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Accounts must have a password minimum length of 6 characters Do accounts have a password minimum length of 6 characters? The password management system must be enabled The minimum length for passwords must be set to 6 characters Short passwords are easier to guess Easily guessed passwords may result in compromise of accounts Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The listener.ora file should be readable only by the administrators Is the listener.ora file only readable by the administrators? Ensure the file ownership is not changed from installation time Ensure that the file permissions do not permit read access other than for the administrators Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Use Advanced Networking Option to provide encrypted data transfer Is Advanced Networking Option used to provide encrypted data transfer? Install the ANO Configure ANO to encrypt data transmission from clients to servers for sensitive applications Data transmitted in clear text is subject to disclosure Data transmitted in clear text is subject to modification Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced networking option should be implemented so as to protect Oracle passwords in transmission across the network. Has the advanced networking option been implemented so as to protect Oracle passwords in transmission across the network? Install the ANO Configure ANO to encrypt passwords in transmission from clients to servers Passwords transmitted in clear text are subject to disclosure Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Network listeners for SQL*NET clients should be password protected Are network listeners for SQL*NET clients password protected? Implement passwords on the SQL*NET listeners Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The passwords for the listeners for SQL*NET clients should be changed from the default value Have the default passwords of the SQL*NET listeners been changed from the default value? Change the passwords on the SQL*NET listeners Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The config.ora file should be afforded the same control as the init.ora object Is the config.ora file afforded the same control as the init.ora object? Ensure that the ownership of config.ora is the same as that for init.ora Ensure that the file permissions of config.ora are the same as that for init.ora Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The object CATALOG.BSQ must not be modified Is the object CATALOG.BSQ protected against modification? Ensure that the CATALOG.BSQ file permissions are set to prevent unauthorised modification Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The object SQL.BSQ must not be modified Is the object SQL.BSQ protected against modification? Ensure that the SQL.BSQ file permissions are set to prevent unauthorised modification Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. All Oracle database control files should have consistent permission masks Do all Oracle database control files have consistent permission masks? Do not alter the file ownership or the permissions of the database control file Ensure that the database control files are consistently protected Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The owner of the database files should be Oracle Is the owner of the database files set to be Oracle? Set ownership of the database files to Oracle Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Oracle users must not have greater access to the database files than that set by the Oracle installation Do Oracle users have greater access to the database files than that set at installation time? Do not grant greater than default file access to the Oracle database files to users Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The database control file must be owned by Oracle Is the database control file owned by Oracle? Do not alter the file ownership or the permissions of the database control file Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. When assigning user rights to an object never use Grant All Is Grant All used when assigning object access rights to a user? Ensure that users are assigned only the specific rights they require Unauthorised access may given to a user Unintended access may be given to a user Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Database files should be protected from unauthorised access Are database files protected from unauthorised access? Set file access permissions on the database files to the least permissions required for satisfactory functioning. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The Oracle database initialisation file should be available to the Oracle system account alone Is the Oracle database initialisation file available only to the Oracle system account? Ensure that the file permissions on the database initialisation files do not permit user access The information held in the initialisation files can be used to subvert the database security Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The Oracle database initialisation file must not be user readable Are the Oracle database initialisation files user readable? Ensure that the file permissions on the database initialisation files do not permit user access The information held in the initialisation files can be used to subvert the database security Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The use of quotas should be considered to limit potentially harmful or unexpected growth in the database size Are quotas used? Size the maximum extent of the projected database Implement a quota to limit the growth of the database to the maximum size expected Business information and applications may be unavailable. Maintain version control and change comments in the Oracle initialisation file Are changes to the Oracle initialisation file commented and logged? The file must include comments as to the change made The file must include initialisation values before and after the change The file must include who made the change and the date of the change Unauthorised changes to the Oracle administration file may subvert the security of the database implementation. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Following an Oracle upgrade, check that users privileges have not changed due to changes to role privileges. Are users privileges checked following an upgrade? Note the users privilege levels Verify that post upgrade, users effective privilege levels have not increased Unauthorised privileged access may be obtained Unintended privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. If using Oracle Enterprise Manager ensure the workstations/consoles on which it is run are protected from attack. If using Oracle Enterprise Manager ensure the workstations/consoles on which it is run are protected from attack. Implement password protected screensavers Implement an idle timeout facility to lock workstations Unauthorised privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. In accordance with the required backup schedule take periodic online image backups. Are online image backups taken periodically? Schedule periodic online image backups Business information and applications may be unavailable. In accordance with the required backup schedule take periodic online incremental backups. Are online incremental backups taken periodically? Schedule periodic online incremental backups Business information and applications may be unavailable. The system resource profile settings for password lock time should be set to forever Is the system resource profile settings for password lock time set to forever? Define in the system resource profile settings password lock time to be forever. Setting password lock time to anything other than forever allows password guessing attempts to be resumed against the account after the lockout period expires Given enough time and enough attempts account passwords will be guessed Accounts may be compromised Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. User accounts should be locked out after 3 consecutive login failures Are user accounts locked out after 3 consecutive login failures? Define the system resource profile settings to lock out accounts after 3 failures Given enough attempts any account password may be guessed Unauthorised access may result from allowing a liberal number of logon attempts Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Auditing should be enabled for the following events; - Create Table - Create Index - Drop Index - Alter Index - Drop Table - Audit Object - Noaudit Object - Create Database - Alter Database - Create Tablespace - Alter Tablespace - Drop Tablespace - Alter Session - Alter User - Alter System - Create User - Create Role - Drop User - Drop Role - Set Role - Create Schema - Create Control File - Create Trigger - Alter Trigger - Drop Trigger - Create Profile - Drop Profile - Alter Profile - Drop Procedure - Alter Role - Logon - Logoff - Logoff by Cleanup - System Audit - System Noaudit - Audit default - Noaudit default - System Grant - System Revoke - Grant Role - Revoke Role - Enable Trigger - Disable Trigger - Enable all Triggers - Disable all Triggers Is auditing enabled for the list of recommended events? Enable auditing for the following events; - Create Table - Create Index - Drop Index - Alter Index - Drop Table - Audit Object - Noaudit Object - Create Database - Alter Database - Create Tablespace - Alter Tablespace - Drop Tablespace - Alter Session - Alter User - Alter System - Create User - Create Role - Drop User - Drop Role - Set Role - Create Schema - Create Control File - Create Trigger - Alter Trigger - Drop Trigger - Create Profile - Drop Profile - Alter Profile - Drop Procedure - Alter Role - Logon - Logoff - Logoff by Cleanup - System Audit - System Noaudit - Audit default - Noaudit default - System Grant - System Revoke - Grant Role - Revoke Role - Enable Trigger - Disable Trigger - Enable all Triggers - Disable all Triggers Loss of accountability Legal or regulatory non-compliance Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The init.ora file must be modified for data dictionary auditing to be enabled. Has the init.ora file been modified to enable data dictionary auditing? Edit the init.ora file and include the commands to enable data dictionary auditing Loss of accountability Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Use triggers to capture audit information where it is not captured in table information Are triggers used to capture audit information where it is not captured in table information? Before an insert, update or delete is executed use a trigger to write the audit information to a table. Loss of accountability Legal or regulatory non-compliance Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. A trigger should be written to log modifications to the DBA_USERs table to identify user password substitution can be logged. Has a trigger been written to log modifications to the DBA_USERs table to identify user password substitution? Write a trigger that logs modifications to the DBA_USERs table. Loss of accountability Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Tables should be designed to include extra fields for auditing actions taken Are the tables designed to include extra fields for auditing actions taken? When designing the tables include columns to capture information relating to changes to the data held in the row. Loss of accountability Legal or regulatory non-compliance Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. When an object is deleted from the database, delete all related synonyms Is it ensured that when an object is deleted from the database, all related synonyms are also deleted? When an object is to be deleted from the database ensure that all synonyms are identified and also deleted. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.