A. General Security Controls within Oracle

Objective:
To ensure general security controls are adequate and are functioning as intended within the operating system and the RDBMS.

Risk:
Unsecured information assets may result in the fraud, corruption or misuse of corporate information assets.

NOTE: THE SCOPE OF THIS REVIEW DOES NOT INCLUDE A REVIEW OF APPLICATION LEVEL ORACLE SECURITY.

Each item below gives the Standard Control followed by the Testwork to Verify Control. The review form also carries two columns for the reviewer to complete, "Control Present" and "Description if Applicable"; they are blank in this template.

Password Controls

1. Every account must have a password.
   Testwork: Obtain the Data Dictionary for the database and verify all accounts have a password and they are encrypted.

2. Passwords must always be encrypted. (A shadow password file should be used if the system supports it, or a third party application should be utilized.)
   Testwork: Same as control 1: obtain the Data Dictionary for the database and verify all accounts have a password and they are encrypted.

3. Passwords should be a minimum of 6 characters for end-users and 8 characters for system administration accounts.

4. Passwords should contain at least one alphabetic and one non-alphabetic character.

5. The maximum password life should be set at 90 days for users and 60 days for system administration accounts.

6. Passwords must not be reused.

7. A unique initial password must be assigned to all new accounts, and all users must change their passwords immediately when using a new account for the first time.

8. All vendor supplied default passwords must be changed or deactivated immediately upon installation.
   Testwork: Observe the DBA attempting to sign in with the vendor default passwords (user Oracle with password Oracle, Sys with password Change_On_Install, and System with password MANAGER). Verify the sign-ins are denied.

9. A password checker program such as "crack" must be run periodically, at least weekly.
   Testwork: Discuss the controls over passwords with the DBA.
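Data Dictionary queries that carry out the testwork for password controls 1, 2, 3 to 6 and 8, added here as an example and not part of the original audit program. They assume Oracle 11g or later (password limits live in profiles, DBA_USERS carries AUTHENTICATION_TYPE, and DBA_USERS_WITH_DEFPWD compares stored hashes with the vendor defaults) and a DBA-privileged SQL*Plus session.

```sql
-- Added example, not from the original audit program.  Assumes Oracle 11g+.

-- Controls 1 and 2: every account must have a password stored as a hash.
-- Accounts that are not password-authenticated (EXTERNAL, GLOBAL, NONE)
-- need an explicit justification from the DBA.
SELECT username, account_status, authentication_type, profile
FROM   dba_users
WHERE  authentication_type <> 'PASSWORD'
ORDER  BY username;

-- Control 8: accounts still on a vendor default password, judged from the
-- stored hashes so nobody has to try the default logins.  Expect no rows.
SELECT username
FROM   dba_users_with_defpwd
ORDER  BY username;

-- Control 5: password life per profile.  The CASE keeps TO_NUMBER away from
-- the non-numeric values UNLIMITED and DEFAULT.  Judge administrative
-- profiles against 60 days and user profiles against 90.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_name = 'PASSWORD_LIFE_TIME'
AND    CASE WHEN limit IN ('UNLIMITED', 'DEFAULT') THEN 1
            WHEN TO_NUMBER(limit) > 90            THEN 1
            ELSE 0 END = 1;

-- Control 6: reuse is unrestricted when both reuse limits are UNLIMITED.
SELECT p.profile
FROM   dba_profiles p
WHERE  p.resource_name = 'PASSWORD_REUSE_MAX' AND p.limit = 'UNLIMITED'
AND    EXISTS (SELECT 1 FROM dba_profiles q
               WHERE  q.profile = p.profile
               AND    q.resource_name = 'PASSWORD_REUSE_TIME'
               AND    q.limit = 'UNLIMITED');

-- Controls 3 and 4: minimum length and character mix are enforced by the
-- profile's PASSWORD_VERIFY_FUNCTION, not by a numeric limit, so list the
-- function each profile uses ('NULL' means none) and read its source.
SELECT profile, limit AS verify_function
FROM   dba_profiles
WHERE  resource_name = 'PASSWORD_VERIFY_FUNCTION';

SELECT s.name, s.line, s.text
FROM   dba_source s
WHERE  s.owner = 'SYS'
AND    s.name IN (SELECT limit FROM dba_profiles
                  WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION'
                  AND   limit NOT IN ('NULL', 'DEFAULT'))
ORDER  BY s.name, s.line;
```

Profiles whose limit shows DEFAULT inherit the value from the DEFAULT profile, so check that profile's row before recording a finding.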
General Controls in the RDBMS

1. The responsibilities of the Database Administrator should include the following: installing and maintaining the Oracle software, problem solving for Oracle users, liaison with Oracle Corporation, monitoring and tuning database performance, guaranteeing data integrity and consistency, reducing unnecessary or redundant storage, facilitating sharing of data among users, administering database security, performing regular database back-ups, performing data recovery when necessary, creating database structures and objects, and assisting in the design of efficient applications.
   Testwork: Obtain a copy of the DBA's job description and verify the appropriate tasks are included.

2. Oracle environments should have a separation of responsibilities between systems administrators, network administrators, DBAs, security officers, operators, developers and other users.
   Testwork: Through discussions with the DBA, verify the responsibilities are separated between those functions. Note: It is acceptable for the application administrator to act as the system administrator if the database is used by only one application.

3. The auditing function in the database should be turned on upon installation.
   Testwork: Review the INIT.ORA to determine if AUDIT_TRAIL has been set to TRUE.

4. System auditing should be used to audit some of the following: connect, resource, DBA, and not exists.
   Testwork: Obtain the DBA_SYS_AUDIT_OPTS Data Dictionary view from the DBA and determine if the level of auditing that is turned on is appropriate.

5. Object auditing should be used to audit tables and views. Specific functions which should be audited include alter, insert, audit, lock, comment, rename, delete, select, grant, update, index, and all.
   Testwork: Obtain the DBA_TAB_AUDIT_OPS Data Dictionary view from the DBA and determine if the level of auditing that is turned on is adequate.

6. The audit trail should be reviewed on a regular basis.
   Testwork: Discuss with the DBA the process for reviewing the audit trail (DBA_AUDIT_TRAIL) and determine the adequacy of the events being logged.

7. The audit trail table in the Data Dictionary (SYS.AUD$) should be purged on a regular basis.
   Testwork: Discuss with the DBA the schedule for purging the audit trail table and determine its adequacy.
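The audit-configuration checks for controls 3 to 7, added here as an example rather than taken from the audit program. They assume Oracle 9i or later with traditional (non-unified) auditing, where the system options the checklist calls DBA_SYS_AUDIT_OPTS are held in DBA_STMT_AUDIT_OPTS and DBA_PRIV_AUDIT_OPTS, object options in DBA_OBJ_AUDIT_OPTS, and the running AUDIT_TRAIL value is visible in V$PARAMETER.

```sql
-- Added example, not from the original audit program.  Assumes Oracle 9i+
-- with traditional auditing; run as a DBA-privileged user.

-- Control 3: the running value of the INIT.ORA AUDIT_TRAIL parameter.
-- NONE/FALSE means nothing is recorded; TRUE, DB, DB,EXTENDED, OS or XML
-- (depending on release) means the trail is being written.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_sys_operations');

-- Control 4: statement and privilege audit options in force.  SUCCESS and
-- FAILURE hold BY ACCESS, BY SESSION or NOT SET; a null USER_NAME means
-- the option applies to every user.
SELECT 'STATEMENT' AS kind, user_name, audit_option AS option_name, success, failure
FROM   dba_stmt_audit_opts
UNION ALL
SELECT 'PRIVILEGE', user_name, privilege, success, failure
FROM   dba_priv_audit_opts
ORDER  BY kind, user_name, option_name;

-- Control 5: application tables and views with no auditing at all on the
-- core DML operations.  Each option column holds success/failure settings
-- as A/A (by access), S/S (by session) or -/- (not audited).
SELECT owner, object_name, object_type, alt, del, gra, ins, sel, upd
FROM   dba_obj_audit_opts
WHERE  object_type IN ('TABLE', 'VIEW')
AND    owner NOT IN ('SYS', 'SYSTEM')
AND    sel = '-/-' AND ins = '-/-' AND upd = '-/-' AND del = '-/-'
ORDER  BY owner, object_name;

-- Controls 6 and 7: what the trail holds and how far back it reaches.  An
-- oldest entry far older than the agreed purge interval means SYS.AUD$ is
-- not being purged on schedule.
SELECT COUNT(*)       AS rows_held,
       MIN(timestamp) AS oldest_entry,
       MAX(timestamp) AS newest_entry
FROM   dba_audit_trail;

-- Event mix for the review discussion: which actions are logged and how
-- many of them failed (returncode <> 0).
SELECT action_name,
       CASE WHEN returncode = 0 THEN 'SUCCESS' ELSE 'FAILURE' END AS outcome,
       COUNT(*) AS events
FROM   dba_audit_trail
GROUP  BY action_name, CASE WHEN returncode = 0 THEN 'SUCCESS' ELSE 'FAILURE' END
ORDER  BY events DESC;
```

Compare the control 4 output against the connect, resource, DBA and not-exists options named in the checklist, and the control 5 output against the list of operations it expects to be audited.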
Change Control in RDBMS

8. Appropriate change controls should exist over the database and objects, including approval, unit/user acceptance testing, a separate test environment, and adequate parameters set in the INIT.ORA file.
   Testwork: Discuss with the DBA the change control process and verify adequate controls are present, including approval, testing, and appropriate version control.

Controls within Oracle Tools

9. PRODUCT_USER_PROFILE should be owned by the DBA (it is owned by the DBA username SYSTEM), and all other Oracle users should be limited to SELECT access.
   Testwork: Obtain/review PRODUCT_USER_PROFILE and verify that it is owned by the DBA. Verify that all other Oracle user access is limited to SELECT.
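Control 9 checked from the Data Dictionary, as an added example that is not part of the audit program. It assumes a DBA-privileged session and that PRODUCT_USER_PROFILE was created under SYSTEM by Oracle's standard pupbld.sql script; in later releases that script makes PRODUCT_USER_PROFILE a view over the table SYSTEM.SQLPLUS_PRODUCT_PROFILE, so both names are checked.

```sql
-- Added example, not from the original audit program.  Run as a
-- DBA-privileged user; assumes the objects were built by pupbld.sql.

-- Who owns the profile objects and what they are.  Expected: owner SYSTEM.
-- A PUBLIC synonym row is normal; a second table or view of the same name
-- in another schema is a finding.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  object_name IN ('PRODUCT_USER_PROFILE', 'SQLPLUS_PRODUCT_PROFILE')
ORDER  BY owner, object_name;

-- Grants other than SELECT on the profile objects, i.e. anyone besides
-- the owner who could change the restrictions it imposes.  Expect no rows.
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYSTEM'
AND    table_name IN ('PRODUCT_USER_PROFILE', 'SQLPLUS_PRODUCT_PROFILE')
AND    privilege <> 'SELECT'
ORDER  BY grantee, privilege;

-- System privileges that bypass object grants altogether.  Any holder
-- other than the DBA role or DBA accounts can rewrite the table no matter
-- what the object grants say.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('INSERT ANY TABLE', 'UPDATE ANY TABLE',
                     'DELETE ANY TABLE', 'ALTER ANY TABLE')
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;
```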
10. The use of the SQL*DBA Tool should be limited to only authorized DBAs.
    Testwork: Obtain a file access listing from the DBA for the Unix Operating System and verify access to the SQL*DBA Tool is limited to the DBA.

11. The authorized operating system user profiles that have access to the Oracle SQL tool or Oracle Application files should be limited and used only for installation or upgrades.
    Testwork: Review the list of user profiles and verify that they are for staff in the Oracle support group.

12. SQL*FORMS has a default column security setting of "off". This should be turned to "on" upon installation.
    Testwork: Review the parameter settings for SQL*Forms. Verify that column security is set to "on".