Oracle Database Management System Security Standard

Oracle Database Management System Security Standard LCZ-ORACLE-SS 1.2 16 May 2009 This document specifies technical security policy for implementations of Oracle and applies to Oracle implementations 8.0 and above. This standard contains 67 baseline controls, and 2 above baseline controls, for a total of 69 controls. 1.2 16 May 2009 FOD Revised for re-release 1.1 01 June 2004 LCZ Corrected Control Errors 1.0 12 March 2003 LCZ Initial Version for public release 2001200220032009 Frank O'Dwyer All of these Security Standards and Security Policies are copyrighted. THEY ARE NOT IN THE PUBLIC DOMAIN. They are however distributed under a liberal open-source license, see Publishing these Security Standards and Policies.Frank O'Dwyer Introduction

ObjectivesThe objectives of this document are: To specify a baseline configuration for implementations of <trademark>Oracle</trademark> RDBMS To provide guidance to administators, developers and security personnel in securely implementing <trademark>Oracle</trademark> Database Management System.

Scope Controls specified in this document apply to Oracle implementations 8.0 and above. All of the organisation's Oracle implementations will be subject to the policies specified within this security standard. The policies will be applied to new and existing installations.

Not In Scope Compliance with this standard will not provide in depth security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from your Information Security team consultancy function. This is a specific standard for Oracle RDBMS 8.0 and above. Other Oracle products are sujbected to separate standards. Compliance with this standard does not negate the need for an overall security review of a proposed application. Contact the Information Security team if you are in doubt.

Giving FeedbackYour feedback to improve this document is welcome. Please let me know of your experiences in applying the controls and guidance in this standard. Are the controls effective, easy to implement, too onerous, clear, unclear, something missing? Does an exceptional case need to be covered? Let me know. Please send your comments to frankodwyer AT netscape.net. Your comments will be used to produce better free security standards for the IT community.I also request that you give feedback where you think the controls and guidance is correct. This will let us gauge whether or not specific controls are controversial or broadly acceptable to the community, and will help us to resolve cases where we have conflicting feedback on particular content.

Publishing these Security Standards and PoliciesThis document may be reproduced and distributed in whole or in part, free of charge, subject to the following conditions:All copyright and trademark notices, and this permission notice must be preserved complete on all complete or partial copies.Any translation or derivative work of this document must be approved by Frank O'Dwyer in writing before distribution.If you distribute this guide in part, instructions for obtaining the complete version of this manual must be included, and a means for obtaining a complete version provided.Small portions may be reproduced as illustrations for reviews or quotes in other works without this permission notice if proper citation is given.Neither Frank O'Dwyer's name nor the names of any contributors may be used to endorse or promote products derived from this document without specific prior written permission.THIS DOCUMENT IS PROVIDED BY FRANK O'DWYER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FRANK O'DWYER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I would like to be informed of any plans to publish or distribute these documents, just so I know how they're being used and where they are becoming available. If you are publishing or distributing or planning to publish or distribute any of these documents, please send mail to frankodwyer AT netscape.net

Related DocumentsThis document should be read and applied in conjunction with the technology specific security standards that are available from the frankodwyer.com web site. Please note that some of the documents below are currently under development and as such may not as yet be available. Check back frequently for updates to this document and those documents listed below.

Generic Security StandardsGeneric Security Standardshttp://www.frankodwyer.com/standards/index.html#genericData Protection European Union Security Standardhttp://www.frankodwyer.com/standards/index.html#genericApplication Service Provider Security Standardshttp://www.frankodwyer.com/standards/index.html#generic

Operating System Security StandardsGeneric Unix Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Generic Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Workstation Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Server Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Domain Security Standardshttp://www.frankodwyer.com/standards/index.html#os

Database Security StandardsOracle Security Standardshttp://www.frankodwyer.com/standards/index.html#db

Definitions An Information Asset equates to any computerised information system or component thereof and thus includes an application, off the shelf software, hardware, media, data item, data item repository and associated communications networks. The specification of the Information Asset in question will usually be given so that this document is unambiguous.

User Configuration

User Administration

User profile names on the database should be consistent with their other login namesIDVersionLevelEnforcementORAC-UA-11.0baselinerecommended

StandardUser profile names on the database should be consistent with their other login names

Detailed Steps Define security administration procedures that result in consistent usernaming

Risks AddressedWhere this control is not applied, the following residual risks exist: Inconsistent user profile names may result in user ids not being removed when a user transfers or leaves These unauthorised accounts may be used to compromised the system Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Accounts belonging to personnel who have fixed periods of employments should be set up with expiration datesIDVersionLevelEnforcementORAC-UA-41.0baselinerecommended

StandardAccounts belonging to personnel who have a fixed period of employment should be set up with expiration dates

Detailed Steps During the account request process obtain account expiration information. Set up the account with an expiration date

Risks AddressedWhere this control is not applied, the following residual risks exist: Redundant accounts are often targeted for compromise Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Scripted modificatons to users should use up to date commandsIDVersionLevelEnforcementORAC-ADMIN-101.0baselinerecommended

StandardScripted modificatons to users should use up to date commands

Detailed Steps Identify scripts that modify database users Ensure that "alter user" is used instead of older commands

Risks AddressedWhere this control is not applied, the following residual risks exist: Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Database administrators should perform periodic user account auditsIDVersionLevelEnforcementORAC-UA-21.0baselinerecommended

StandardDatabase administrators should perform periodic user account audits to ensure access granted is still required.

Detailed Steps Produce a list of user profiles who have access to the DBMS Check that the level of access these accounts have with the application owner Remove any accounts no longer required Modify any account access that is no longer appropriate

Risks AddressedWhere this control is not applied, the following residual risks exist: Redundant accounts can be targeted to gain unauthorised access Redundant access rights can be used to perform unauthorised actions Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Default Accounts

The default password for the demo account should be changedIDVersionLevelEnforcementORAC-DA-51.0baselinerecommended

StandardThe default password for the demo account should be changed

Detailed Steps Change the default password for the demo account following installation

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The default password for the dbsnmp account should be changedIDVersionLevelEnforcementORAC-DA-31.0baselinerecommended

StandardThe default password for the dbsnmp account should be changed

Detailed Steps Change the default password for the dbsnmp account following installation

The default password for the scott account should be changedIDVersionLevelEnforcementORAC-DA-41.0baselinerecommended

StandardThe default password for the scott account should be changed

Detailed Steps Change the default password for the scott account following installation

The default password for the p08 account should be changedIDVersionLevelEnforcementORAC-DA-61.0baselinerecommended

StandardThe default password for the p08 account should be changed

Detailed Steps Change the default password for the p08 account following installation

The default password for the system account should be changedIDVersionLevelEnforcementORAC-DA-21.0baselinerecommended

StandardThe default password for the sys account should be changed

Detailed Steps Change the default password for the system account following installation

The default password for the sys account should be changedIDVersionLevelEnforcementORAC-DA-11.0baselinerecommended

StandardThe default password for the sys account should be changed

Detailed Steps Change the default password for the sys account following installation

The scott account should be deleted if possibleIDVersionLevelEnforcementORAC-DA-71.0baselinerecommended

StandardThe scott account should be deleted if possible

Detailed Steps If possible delete the scott following installation.

Roles, Views, and Access Control

Users with a requirement for a single role should be denied the ability to execute the set role commandIDVersionLevelEnforcementORAC-ACC-81.0baselinerecommended

StandardUsers with a requirement for a single role should be denied the ability to execute the set role command

Detailed Steps Deny users access to the DBMS command prompt

Risks AddressedWhere this control is not applied, the following residual risks exist: Access to the CLI can be used to subvert the application security controls Access to the CLI can be used to subvert the database security controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Access to the operating system command line interface should be denied from users where possible.IDVersionLevelEnforcementORAC-ACC-71.0baselinerecommended

StandardAccess to the operating system command line interface should be denied from users where possible.

Detailed Steps Use the product_profile table to block the host command

Password protected roles should be implemented.IDVersionLevelEnforcementORAC-ACC-41.0baselinerecommended

StandardPassword protected roles should be implemented.

Detailed Steps Password protect roles on the database

Views should be used to enforce access restrictions to tables.IDVersionLevelEnforcementORAC-ACC-11.0baselinerecommended

StandardViews should be used to enforce access restrictions to tables.

Detailed Steps Define the data access requirement each role needs to have for the database Define views according to these role access requirements

Risks AddressedWhere this control is not applied, the following residual risks exist: Inconsistent access control allows application restrictions to be bypassed Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Users must not be assigned any default Oracle rolesIDVersionLevelEnforcementORAC-ACC-31.0baselinemandatory

StandardUsers must not be assigned any default Oracle roles

Detailed Steps Remove any default roles from the Oracle users Assign the users appropriate created roles Ensure the created roles only have CREATE SESSION privilege

Risks AddressedWhere this control is not applied, the following residual risks exist: Default roles may provide unintended access to the database Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

For live database apps do not use the connect or resource rolesIDVersionLevelEnforcementORAC-ACC-61.0baselinerecommended

StandardFor live database apps do not use the connect or resource roles

Detailed Steps Do not assign the connect or resource roles to any users

Applications should be developed with password protected roles without hard-coding the role password or disclosing the role password to the usersIDVersionLevelEnforcementORAC-ACC-51.0baselinerecommended

StandardApplications should be developed with password protected roles without hard-coding the role password or disclosing the role password to the users

Detailed Steps Password protect roles on the database Do not hard code the password into the application Do not disclose the role password to the users Make the role a default role for the user

Database views should be defined that map to database rolesIDVersionLevelEnforcementORAC-ACC-21.0baselinerecommended

StandardDatabase views should be defined that map to database roles

Detailed Steps Use the management interface to define roles Use the privilege management interface to define database views that map to the roles

Privileges

The CREATE privilege should not be granted to any application.IDVersionLevelEnforcementORAC-PRIV-61.0baselinerecommended

StandardThe CREATE privilege should not be granted to any application.

Detailed Steps Ensure that applications are not granted the CREATE privilege.

The DROP privilege should not be granted to any application.IDVersionLevelEnforcementORAC-PRIV-51.0baselinerecommended

StandardThe DROP privilege should not be granted to any application.

Detailed Steps Ensure that applications are not granted the DROP privilege.

The DBA role must be granted to Database Administrators aloneIDVersionLevelEnforcementORAC-PRIV-41.0baselinemandatory

StandardThe DBA role must be granted to Database Administrators alone

Detailed Steps Ensure that the only holders of the DBA role are Database Administrators

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised unrestricted privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The UNLIMITED TABLESPACE privilege should not be granted to any application.IDVersionLevelEnforcementORAC-PRIV-111.0baselinerecommended

StandardThe UNLIMITED TABLESPACE privilege should not be granted to any application.

Detailed Steps Ensure that applications are not granted the UNLIMITED TABLESPACE privilege.

The EXECUTE ANY PROCEDURE privilege should not be granted to any application.IDVersionLevelEnforcementORAC-PRIV-101.0baselinerecommended

StandardThe EXECUTE ANY PROCEDURE privilege should not be granted to any application.

Detailed Steps Ensure that applications are not granted the EXECUTE ANY PROCEDURE privilege.

If the scott account exists, it should have the CONNECT privilege onlyIDVersionLevelEnforcementORAC-PRIV-11.0baselinerecommended

StandardIf the scott account exists, it should have the CONNECT privilege only

Detailed Steps If the scott account exists, remove all privileges except CONNECT

Privileges should be assigned to roles and not directly to usersIDVersionLevelEnforcementORAC-PRIV-121.0baselinerecommended

StandardPrivileges should be assigned to roles and not directly to users

Detailed Steps Use the privilege management interface to define roles Use the privilege management interface to assign users to roles

The ALTER privilege should not be granted to any application.IDVersionLevelEnforcementORAC-PRIV-71.0baselinerecommended

StandardThe ALTER privilege should not be granted to any application.

Detailed Steps Ensure that applications are not granted the ALTER privilege.

The BECOME USER privilege should not be granted to any application.IDVersionLevelEnforcementORAC-PRIV-81.0baselinerecommended

StandardThe BECOME USER privilege should not be granted to any application.

Detailed Steps Ensure that applications are not granted the BECOME USER privilege.

The GRANT ANY PRIVILEGE/ROLE privilege should not be granted to any application.IDVersionLevelEnforcementORAC-PRIV-91.0baselinerecommended

StandardThe GRANT ANY PRIVILEGE/ROLE privilege should not be granted to any application.

Detailed Steps Ensure that applications are not granted the GRANT ANY PRIVILEGE/ROLE privilege.

The p08 account should have the DBA role revokedIDVersionLevelEnforcementORAC-PRIV-21.0baselinerecommended

StandardThe p08 account should have the DBA role revoked

Detailed Steps If the p08 exists, remove the DBA role.

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Authentication/Password Configuration

Sessions per user should be restricted to 1IDVersionLevelEnforcementORAC-AUTH-81.0baselinerecommended

StandardThe number of concurrent sessions per user should be restricted to 1

Detailed Steps The system resource profile settings should be configured such that the sessions per user value is restricted to 1

Risks AddressedWhere this control is not applied, the following residual risks exist: Reduces the risk of account sharing Reduces the risk of compromised accounts going unnoticed Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Password reuse max should be set to 12 passwordsIDVersionLevelEnforcementORAC-AUTH-71.0baselinerecommended

StandardThe Password resuse max value should be set to 12 passwords to prevent the reuse of the previous 12 passwords used by an account holder

Detailed Steps The system resource profile settings should be configured such that the password reuse max value is set to 12 passwords.

Risks AddressedWhere this control is not applied, the following residual risks exist: Reuse of passwords extends the effective password lifetime The greater the password lifetime the greater the risk of compromise The greater the password lifetime the greater the period within which a compromised password can be used Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Password lifetime should be set to 30 daysIDVersionLevelEnforcementORAC-AUTH-51.0baselinerecommended

StandardPassword lifetime should be set to 30 days

Detailed Steps The system resource profile settings should be configured such that the password lifetime is set to 30 days.

Risks AddressedWhere this control is not applied, the following residual risks exist: Long password lifetimes increases the opportunity for password exposure Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Account logins should timeout and disconnect after 30 minutes of inactivityIDVersionLevelEnforcementORAC-AUTH-31.0baselinerecommended

StandardAccount logins should timeout and disconnect after 30 minutes of inactivity

Detailed Steps The system resource profile settings should be configured to to timeout and disconnect account logins after 30 minutes of user inactivity

Risks AddressedWhere this control is not applied, the following residual risks exist: Accounts logged in but inactive may be subject to unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Password grace time should be set to 0 daysIDVersionLevelEnforcementORAC-AUTH-41.0baselinerecommended

StandardPassword grace time should be set to 0 days

Detailed Steps The system resource profile settings should be configured such that the password grace time is set to 0 days

Risks AddressedWhere this control is not applied, the following residual risks exist: The password lifetime exists to enforce password change to limit the period of exposure that may exist should a password be compromised Password grace time extends the effective password lifetime and thus the period of time for potential exposure Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Password lock time should be set to maximum possible timeIDVersionLevelEnforcementORAC-AUTH-61.0baselinerecommended

StandardPassword lock time should be set to maximum possible time

Detailed Steps The system resource profile settings should be configured such that the password lock time is set to the maximum possible value.

Risks AddressedWhere this control is not applied, the following residual risks exist: Allowing potentially successful attempts to log in to an account after the login failure limit has been reached increases the likelihood of the account becoming compromised. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

User accounts must not be set such that the user cannot change their passwordIDVersionLevelEnforcementORAC-UA-31.0baselinemandatory

StandardUser accounts must not be set such that the user cannot change their password

Detailed Steps Select change password at next logon for the account in question

Risks AddressedWhere this control is not applied, the following residual risks exist: Account passwords may be compromised Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

User account passwords must contain at least one numeric characterIDVersionLevelEnforcementORAC-AUTH-21.0baselinemandatory

StandardUser account passwords must contain at least one numeric character

Detailed Steps The password management system must be enabled The password complexity function must be set to ensure a minimum of 1 numeric character in the password

Risks AddressedWhere this control is not applied, the following residual risks exist: Increasing password complexity makes passwords harder to guess Easily guessed passwords may result in compromise of accounts Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Accounts must have a password minimum length of 6 charactersIDVersionLevelEnforcementORAC-AUTH-11.0baselinemandatory

StandardAccounts must have a password minimum length of 6 characters

Detailed Steps The password management system must be enabled The minimum length for passwords must be set to 6 characters

Risks AddressedWhere this control is not applied, the following residual risks exist: Short passwords are easier to guess Easily guessed passwords may result in compromise of accounts Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Network Security Configuration

Network Interface Considerations

The listener.ora file should be readable only by the administratorsIDVersionLevelEnforcementORAC-NET-51.0baselinerecommended

StandardThe listener.ora file should be readable only by the administrators

Detailed Steps Ensure the file ownership is not changed from installation time Ensure that the file permissions do not permit read access other than for the administrators

Use Advanced Networking Option to provide encrypted data transferIDVersionLevelEnforcementORAC-NET-11.0above baselinerecommended

StandardUse Advanced Networking Option to provide encrypted data transfer

Detailed Steps Install the ANO Configure ANO to encrypt data transmission from clients to servers for sensitive applications

Risks AddressedWhere this control is not applied, the following residual risks exist: Data transmitted in clear text is subject to disclosure Data transmitted in clear text is subject to modification Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Oracle passwords should be protected from traversing the network in clear text. IDVersionLevelEnforcementORAC-NET-21.0above baselinerecommended

StandardThe advanced networking option should be implemented so as to protect Oracle passwords in transmission across the network.

Detailed Steps Install the ANO Configure ANO to encrypt passwords in transmission from clients to servers

Risks AddressedWhere this control is not applied, the following residual risks exist: Passwords transmitted in clear text are subject to disclosure Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Network listeners for SQL*NET clients should be password protectedIDVersionLevelEnforcementORAC-NET-31.0baselinerecommended

StandardNetwork listeners for SQL*NET clients should be password protected

Detailed Steps Implement passwords on the SQL*NET listeners

The passwords for the listeners for SQL*NET clients should be changed from the default valueIDVersionLevelEnforcementORAC-NET-41.0baselinerecommended

StandardThe passwords for the listeners for SQL*NET clients should be changed from the default value

Detailed Steps Change the passwords on the SQL*NET listeners

Configuration

Files and File Permissions

The config.ora file should be afforded the same control as the init.ora objectIDVersionLevelEnforcementORAC-FP-81.0baselinerecommended

StandardThe config.ora file should be afforded the same control as the init.ora object

Detailed Steps Ensure that the ownership of config.ora is the same as that for init.ora Ensure that the file permissions of config.ora are the same as that for init.ora

The object CATALOG.BSQ must not be modifiedIDVersionLevelEnforcementORAC-FP-101.0baselinemandatory

StandardThe object CATALOG.BSQ must not be modified

Detailed Steps Ensure that the CATALOG.BSQ file permissions are set to prevent unauthorised modification

The object SQL.BSQ must not be modifiedIDVersionLevelEnforcementORAC-FP-91.0baselinemandatory

StandardThe object SQL.BSQ must not be modified

Detailed Steps Ensure that the SQL.BSQ file permissions are set to prevent unauthorised modification

All Oracle database control files should have consistent permission masksIDVersionLevelEnforcementORAC-FP-51.0baselinerecommended

StandardAll Oracle database control files should have consistent permission masks

Detailed Steps Do not alter the file ownership or the permissions of the database control file Ensure that the database control files are consistently protected

The owner of the database files should be OracleIDVersionLevelEnforcementORAC-FP-21.0baselinerecommended

StandardThe owner of the database files should be Oracle

Detailed Steps Set ownership of the database files to Oracle

Oracle users must not have greater access to the database files than that set by the Oracle installationIDVersionLevelEnforcementORAC-FP-31.0baselinerecommended

StandardOracle users must not have greater access to the database files than that set by the Oracle installation

Detailed Steps Do not grant greater than default file access to the Oracle database files to users

The database control file must be owned by OracleIDVersionLevelEnforcementORAC-FP-41.0baselinemandatory

StandardThe database control file must be owned by Oracle

Detailed Steps Do not alter the file ownership or the permissions of the database control file

When assigning user rights to an object never use Grant AllIDVersionLevelEnforcementORAC-FP-111.0baselinemandatory

StandardWhen assigning user rights to an object never use Grant All

Detailed Steps Ensure that users are assigned only the specific rights they require

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised access may given to a user Unintended access may be given to a user Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Database files should be protected from unauthorised access IDVersionLevelEnforcementORAC-FP-11.0baselinerecommended

StandardDatabase files should be protected from unauthorised access

Detailed Steps Set file access permissions on the database files to the least permissions required for satisfactory functioning.

The Oracle database initialisation file should be available to the Oracle system account aloneIDVersionLevelEnforcementORAC-FP-71.0baselinerecommended

StandardThe Oracle database initialisation file should be available to the Oracle system account alone

Detailed Steps Ensure that the file permissions on the database initialisation files do not permit user access

Risks AddressedWhere this control is not applied, the following residual risks exist: The information held in the initialisation files can be used to subvert the database security Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The Oracle database initialisation file must not be user readableIDVersionLevelEnforcementORAC-FP-61.0baselinemandatory

StandardThe Oracle database initialisation file must not be user readable

Detailed Steps Ensure that the file permissions on the database initialisation files do not permit user access

Administration

The use of quotas should be consideredIDVersionLevelEnforcementORAC-ADMIN-21.0baselinerecommended

StandardThe use of quotas should be considered to limit potentially harmful or unexpected growth in the database size

Detailed Steps Size the maximum extent of the projected database Implement a quota to limit the growth of the database to the maximum size expected

Risks AddressedWhere this control is not applied, the following residual risks exist: Business information and applications may be unavailable.

Maintain version control and change comments in the Oracle initialisation fileIDVersionLevelEnforcementORAC-ADMIN-11.0baselinemandatory

StandardMaintain version control and change comments in the Oracle initialisation file

Detailed Steps The file must include comments as to the change made The file must include initialisation values before and after the change The file must include who made the change and the date of the change

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised changes to the Oracle administration file may subvert the security of the database implementation. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Check users privileges following an upgradeIDVersionLevelEnforcementORAC-ADMIN-31.0baselinemandatory

StandardFollowing an Oracle upgrade, check that users privileges have not changed due to changes to role privileges.

Detailed Steps Note the users privilege levels Verify that post upgrade, users effective privilege levels have not increased

Risks AddressedWhere this control is not applied, the following residual risks exist: Unauthorised privileged access may be obtained Unintended privileged access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

If using Oracle Enterprise Manager ensure the workstations/consoles on which it is run are protected from attack.IDVersionLevelEnforcementORAC-ADMIN-41.0baselinemandatory

StandardIf using Oracle Enterprise Manager ensure the workstations/consoles on which it is run are protected from attack.

Detailed Steps Implement password protected screensavers Implement an idle timeout facility to lock workstations

Backups

Online image backups should be takenIDVersionLevelEnforcementORAC-BACKUP-11.0baselinerecommended

StandardIn accordance with the required backup schedule take periodic online image backups.

Detailed Steps Schedule periodic online image backups

Risks AddressedWhere this control is not applied, the following residual risks exist: Business information and applications may be unavailable.

Online incremental backups should be takenIDVersionLevelEnforcementORAC-BACKUP-21.0baselinerecommended

StandardIn accordance with the required backup schedule take periodic online incremental backups.

Detailed Steps Schedule periodic online incremental backups

Risks AddressedWhere this control is not applied, the following residual risks exist: Business information and applications may be unavailable.

Auditing and Monitoring

Events to be alerted in real-time

The system resource profile settings for password lock time should be set to foreverIDVersionLevelEnforcementORAC-AUDI-11.0baselinerecommended

StandardThe system resource profile settings for password lock time should be set to forever

Detailed Steps Define in the system resource profile settings password lock time to be forever.

Risks AddressedWhere this control is not applied, the following residual risks exist: Setting password lock time to anything other than forever allows password guessing attempts to be resumed against the account after the lockout period expires Given enough time and enough attempts account passwords will be guessed Accounts may be compromised Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

User accounts should be locked out after 3 consecutive login failuresIDVersionLevelEnforcementORAC-AUDIT-11.0baselinerecommended

StandardUser accounts should be locked out after 3 consecutive login failures

Detailed Steps Define the system resource profile settings to lock out accounts after 3 failures

Risks AddressedWhere this control is not applied, the following residual risks exist: Given enough attempts any account password may be guessed Unauthorised access may result from allowing a liberal number of logon attempts Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Events to be audited

Enable auditingIDVersionLevelEnforcementORAC-AUDIT-31.0baselinerecommended

StandardAuditing should be enabled for the following events; - Create Table - Create Index - Drop Index - Alter Index - Drop Table - Audit Object - Noaudit Object - Create Database - Alter Database - Create Tablespace - Alter Tablespace - Drop Tablespace - Alter Session - Alter User - Alter System - Create User - Create Role - Drop User - Drop Role - Set Role - Create Schema - Create Control File - Create Trigger - Alter Trigger - Drop Trigger - Create Profile - Drop Profile - Alter Profile - Drop Procedure - Alter Role - Logon - Logoff - Logoff by Cleanup - System Audit - System Noaudit - Audit default - Noaudit default - System Grant - System Revoke - Grant Role - Revoke Role - Enable Trigger - Disable Trigger - Enable all Triggers - Disable all Triggers

Detailed Steps Enable auditing for the following events; - Create Table - Create Index - Drop Index - Alter Index - Drop Table - Audit Object - Noaudit Object - Create Database - Alter Database - Create Tablespace - Alter Tablespace - Drop Tablespace - Alter Session - Alter User - Alter System - Create User - Create Role - Drop User - Drop Role - Set Role - Create Schema - Create Control File - Create Trigger - Alter Trigger - Drop Trigger - Create Profile - Drop Profile - Alter Profile - Drop Procedure - Alter Role - Logon - Logoff - Logoff by Cleanup - System Audit - System Noaudit - Audit default - Noaudit default - System Grant - System Revoke - Grant Role - Revoke Role - Enable Trigger - Disable Trigger - Enable all Triggers - Disable all Triggers

Risks AddressedWhere this control is not applied, the following residual risks exist: Loss of accountability Legal or regulatory non-compliance Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

The init.ora file must be modified for data dictionary auditing to be enabled.IDVersionLevelEnforcementORAC-AUDIT-61.0baselinerecommended

StandardThe init.ora file must be modified for data dictionary auditing to be enabled.

Detailed Steps Edit the init.ora file and include the commands to enable data dictionary auditing

Risks AddressedWhere this control is not applied, the following residual risks exist: Loss of accountability Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

Use triggers to capture audit information where it is not captured in table informationIDVersionLevelEnforcementORAC-AUDIT-41.0baselinerecommended

StandardUse triggers to capture audit information where it is not captured in table information

Detailed Steps Before an insert, update or delete is executed use a trigger to write the audit information to a table.

Use triggers to log modifications to the DBA_USERs tableIDVersionLevelEnforcementORAC-AUDIT-51.0baselinerecommended

StandardA trigger should be written to log modifications to the DBA_USERs table to identify user password substitution can be logged.

Detailed Steps Write a trigger that logs modifications to the DBA_USERs table.

Tables should be designed to include extra fields for auditing actions takenIDVersionLevelEnforcementORAC-AUDIT-21.0baselinerecommended

StandardTables should be designed to include extra fields for auditing actions taken

Detailed Steps When designing the tables include columns to capture information relating to changes to the data held in the row.

Other

When an object is deleted from the database, delete all related synonymsIDVersionLevelEnforcementORAC-OTHER-11.0baselinemandatory

StandardWhen an object is deleted from the database, delete all related synonyms

Detailed Steps When an object is to be deleted from the database ensure that all synonyms are identified and also deleted.

ChecklistUser ConfigurationUser AdministrationControl IDChecklist QuestionYour AnswerORAC-UA-1Are user profile names on the database consistent with their other login names?ORAC-UA-4Are accounts belonging to personnel who have fixed periods of employments set up with account expiration dates?ORAC-ADMIN-10Do scripted modificatons to users, use up to date commands?ORAC-UA-2Do database administrators perform periodic user account audits to ensure access granted is still required?Default AccountsControl IDChecklist QuestionYour AnswerORAC-DA-5Has the default password for the demo account been changed?ORAC-DA-3Has the default password for the dbsnmp account been changed?ORAC-DA-4Has the default password for the scott account been changed?ORAC-DA-6Has the default password for the p08 account been changed?ORAC-DA-2Has the default password for the system account been changed?ORAC-DA-1Has the default password for the sys account been changed?ORAC-DA-7Has the scott account been deleted?Roles, Views, and Access ControlControl IDChecklist QuestionYour AnswerORAC-ACC-8Are users with a requirement for a single role denied the ability to execute the set role command?ORAC-ACC-7Is access to the operating system command line interface denied from users where possible?ORAC-ACC-4Are password protected roles implemented?ORAC-ACC-1Are views used to enforce access restrictions to tables?ORAC-ACC-3Are users assigned any default Oracle roles?ORAC-ACC-6For live database apps are the connect or resource roles used?ORAC-ACC-5Are applications developed with password protected roles, without hard-coding the role password or disclosing the role password to the users?ORAC-ACC-2Have database views been defined that map to database roles?PrivilegesControl IDChecklist QuestionYour AnswerORAC-PRIV-6Has the CREATE privilege been granted to any application?ORAC-PRIV-5Has the DROP privilege been granted to any application?ORAC-PRIV-4Has the DBA role been granted to Database Administrators alone?ORAC-PRIV-11Has the UNLIMITED TABLESPACE privilege been granted to any application?ORAC-PRIV-10Has the EXECUTE ANY PROCEDURE privilege been granted to any application?ORAC-PRIV-1If the scott account exists, does it have the CONNECT privilege only?ORAC-PRIV-12Have all privileges been assigned to roles and not directly to users?ORAC-PRIV-7Has the ALTER privilege been granted to any application?ORAC-PRIV-8Has the BECOME USER privilege been granted to any application?ORAC-PRIV-9Has the GRANT ANY PRIVILEGE/ROLE privilege been granted to any application?ORAC-PRIV-2Does the p08 account have the DBA role revoked?Authentication/Password ConfigurationControl IDChecklist QuestionYour AnswerORAC-AUTH-8s the sessions per user value set to 1?ORAC-AUTH-7s the Password reuse max value set to 12 passwords?ORAC-AUTH-5Is the password lifetime set to 30 days?ORAC-AUTH-3Do account logins timeout and disconnect after 30 minutes of inactivity?ORAC-AUTH-4Is the password grace time set to 0 days?ORAC-AUTH-6s the Password lock time set to the maximum possible value?ORAC-UA-3Are user accounts set such that the user can change their password?ORAC-AUTH-2Do accounts have a password minimum length of 6 characters?ORAC-AUTH-1Do accounts have a password minimum length of 6 characters?Network Security ConfigurationNetwork Interface ConsiderationsControl IDChecklist QuestionYour AnswerORAC-NET-5Is the listener.ora file only readable by the administrators?ORAC-NET-1Is Advanced Networking Option used to provide encrypted data transfer?ORAC-NET-2Has the advanced networking option been implemented so as to protect Oracle passwords in transmission across the network?ORAC-NET-3Are network listeners for SQL*NET clients password protected?ORAC-NET-4Have the default passwords of the SQL*NET listeners been changed from the default value?ConfigurationFiles and File PermissionsControl IDChecklist QuestionYour AnswerORAC-FP-8Is the config.ora file afforded the same control as the init.ora object?ORAC-FP-10Is the object CATALOG.BSQ protected against modification?ORAC-FP-9Is the object SQL.BSQ protected against modification?ORAC-FP-5Do all Oracle database control files have consistent permission masks?ORAC-FP-2Is the owner of the database files set to be Oracle?ORAC-FP-3Do Oracle users have greater access to the database files than that set at installation time?ORAC-FP-4Is the database control file owned by Oracle?ORAC-FP-11Is Grant All used when assigning object access rights to a user?ORAC-FP-1Are database files protected from unauthorised access?ORAC-FP-7Is the Oracle database initialisation file available only to the Oracle system account?ORAC-FP-6Are the Oracle database initialisation files user readable?AdministrationControl IDChecklist QuestionYour AnswerORAC-ADMIN-2Are quotas used?ORAC-ADMIN-1Are changes to the Oracle initialisation file commented and logged?ORAC-ADMIN-3Are users privileges checked following an upgrade?ORAC-ADMIN-4If using Oracle Enterprise Manager ensure the workstations/consoles on which it is run are protected from attack.BackupsControl IDChecklist QuestionYour AnswerORAC-BACKUP-1Are online image backups taken periodically?ORAC-BACKUP-2Are online incremental backups taken periodically?Auditing and MonitoringEvents to be alerted in real-timeControl IDChecklist QuestionYour AnswerORAC-AUDI-1Is the system resource profile settings for password lock time set to forever?ORAC-AUDIT-1Are user accounts locked out after 3 consecutive login failures?Events to be auditedControl IDChecklist QuestionYour AnswerORAC-AUDIT-3Is auditing enabled for the list of recommended events?ORAC-AUDIT-6Has the init.ora file been modified to enable data dictionary auditing?ORAC-AUDIT-4Are triggers used to capture audit information where it is not captured in table information?ORAC-AUDIT-5Has a trigger been written to log modifications to the DBA_USERs table to identify user password substitution?ORAC-AUDIT-2Are the tables designed to include extra fields for auditing actions taken?OtherControl IDChecklist QuestionYour AnswerORAC-OTHER-1Is it ensured that when an object is deleted from the database, all related synonyms are also deleted?