Oracle Audit Checklist


1. Consider host identification and authentication mechanisms
2. Consider host resource access control to protect the Oracle programs and databases
3. Consider use of operating system audit trail mechanisms
4. Identify the Oracle products and versions in use.
5. Identify the major applications which are using the Oracle Database Server.
6. Obtain Oracle initialization file (init.ora) and review security options
7. Obtain listing of v$parameter and ensure consistent with init.ora
8. Obtain the following Data Dictionary Views:
DBA_USERS (database users),
DBA_ROLES (database roles that have been defined),
DBA_ROLE_PRIVS (relationship of users to roles),
ROLE_ROLE_PRIVS (relationship of roles to roles),
DBA_SYS_PRIVS (system privileges associated with roles & users),
DBA_PROFILES (Resource Limits and Password Controls)
9. Review DBA_USERS and ensure that all users are valid.
10. Consider default and generic user-ids.
11. Ensure default passwords for DBA users (sys and system) have been changed.
12. Review init.ora and determine use of OPS$ accounts and the OS_AUTHENT_PREFIX parameter
13. Determine use of REMOTE_OS_AUTHENT
14. Determine whether the system privileges granted to each user are appropriate.
15. Determine mechanisms available within client applications for password quality as well as password changes and frequency.
16. Identify database objects (tables and views) from DBA_OBJECTS, and determine system and application tables which should be reviewed.
17. For database objects subject to audit, review the level of access granted to the object and ensure that object privileges are appropriate.
18. Consider the appropriateness of granting access to object privileges with the ADMIN OPTION (review DBA_TAB_PRIVS).
19. Review INIT.ORA to determine if auditing has been turned on (the AUDIT_TRAIL parameter is set to NONE, DB or OS).
20. Determine the level of system auditing (DBA_STMT_AUDIT_OPTS)
21. Determine the level of object auditing (DBA_OBJ_AUDIT_OPTS)
22. Determine the level of privilege auditing (DBA_PRIV_AUDIT_OPTS)
23. Determine if the audit trail (e.g. DBA_AUDIT_OBJECT) is reviewed on a regular basis.
24. Ensure that the database is being operated in ARCHIVELOG mode.
25. Determine that full operating system backups are being performed
26. Determine whether redo logs are being regularly archived to an off-line media.
27. Determine the availability of SQL*PLUS to users.
28. Determine the version of SQL*NET / NET8 which is used and whether the Secure Network Services product is being used.
29. Identify all database links created to other databases (DBA_DB_LINKS).
30. Determine the nature of each link (PUBLIC or PRIVATE).
31. Determine the USERNAME and PASSWORD for each link. (Each database link should attach a user to a remote database using the user's own username and password, rather than a username and password embedded in the database link.)
32. Review dba_profiles for password complexity and strength settings
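The evidence for items 7, 9-14, 17-22, 24 and 29-32 can be pulled from the data dictionary in one SQL*Plus session. The script below is an added example, not part of the original checklist; it assumes a session holding SELECT_CATALOG_ROLE (or SELECT ANY DICTIONARY) and uses only the views and parameters the checklist names.

```sql
-- Oracle audit evidence collection (added example; run as a user with SELECT_CATALOG_ROLE)
SET PAGESIZE 200 LINESIZE 160

-- Items 7, 12, 13, 19: security-relevant parameters as the running instance sees them
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'remote_os_authent', 'os_authent_prefix')
 ORDER BY name;

-- Items 9-11: account inventory; compare against known default and generic user-ids
SELECT username, account_status, profile, created
  FROM dba_users
 ORDER BY account_status, username;

-- Item 14: system privileges held directly by users rather than through roles
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee IN (SELECT username FROM dba_users)
 ORDER BY grantee, privilege;

-- Items 17-18: object privileges that are re-grantable or granted to PUBLIC
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantable = 'YES' OR grantee = 'PUBLIC'
 ORDER BY owner, table_name, grantee;

-- Items 20-22: statement, privilege and object auditing currently enabled
SELECT user_name, audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT user_name, privilege, success, failure FROM dba_priv_audit_opts;
SELECT owner, object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE sel <> '-/-' OR ins <> '-/-' OR upd <> '-/-' OR del <> '-/-';

-- Item 24: ARCHIVELOG mode
SELECT log_mode FROM v$database;

-- Items 29-31: database links; owner PUBLIC marks a public link, and a populated
-- USERNAME means the link carries its own credentials instead of the caller's
SELECT owner, db_link, username, host
  FROM dba_db_links
 ORDER BY owner, db_link;

-- Item 32: password controls defined per profile
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
 ORDER BY profile, resource_name;
```

Spool the output to a file so the listings can be compared against init.ora and retained as audit workpapers.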
