Oracle 11g: Secure Configuration Guide checklist
I will follow the secure configuration guide checklist below. You can skip steps that do not apply to your environment or are not a concern for your organization.
1. Install only what is required
2. Lock and expire default user accounts
3. Change default user passwords
4. Enforce password management
a. Complex password function
b. Use of Oracle Advanced Security such as Kerberos
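Steps 2 through 4 can be carried out together from a SYSDBA session. The SQL below is an added example for this checklist, not text from the original guide; it assumes that utlpwdmg.sql (shipped with 11g under $ORACLE_HOME/rdbms/admin) has been run so that VERIFY_FUNCTION_11G exists, and the profile name, limits and user names are placeholders to adapt.

```sql
-- Added example (not from the original checklist): lock and expire the
-- accounts that still carry an Oracle-shipped default password, then enforce
-- password management through a profile. Requires SYSDBA privileges.

-- Steps 2/3: which accounts still use a default password?
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- Lock and expire every such account except the ones you keep using.
-- (SYS, SYSTEM and DBSNMP are skipped here; change their passwords instead.)
BEGIN
  FOR r IN (SELECT username
              FROM dba_users_with_defpwd
             WHERE username NOT IN ('SYS', 'SYSTEM', 'DBSNMP')) LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username ||
                      '" PASSWORD EXPIRE ACCOUNT LOCK';
  END LOOP;
END;
/

-- Change the password of each account you keep (placeholder value).
ALTER USER system IDENTIFIED BY "<new strong password>";

-- Step 4a: password management through a profile. The limits are examples;
-- VERIFY_FUNCTION_11G is the complexity function created by utlpwdmg.sql.
CREATE PROFILE hardened_users LIMIT
  PASSWORD_VERIFY_FUNCTION verify_function_11g
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1      -- days the account stays locked
  PASSWORD_LIFE_TIME       90     -- days before the password expires
  PASSWORD_GRACE_TIME      7      -- days of warning before expiry is enforced
  PASSWORD_REUSE_TIME      365    -- days before a password may be reused
  PASSWORD_REUSE_MAX       10;    -- distinct passwords before reuse

-- Assign the profile to application users (SCOTT is a placeholder).
ALTER USER scott PROFILE hardened_users;

-- Verify: which users are on which profile, and in what state?
SELECT username, profile, account_status
  FROM dba_users
 ORDER BY profile, username;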
5. Enable data dictionary protection
O7_DICTIONARY_ACCESSIBILITY=FALSE
(The first character is the letter O, as in Oracle7, not a zero.) If this is not set to FALSE, any user with the DROP ANY TABLE privilege will be able to maliciously drop a dictionary table.
6. Grant necessary privileges only
7. Revoke unnecessary privileges from PUBLIC
PUBLIC acts as a default role granted to every user in an Oracle database, so any user can exercise privileges that are granted to PUBLIC. Check the EXECUTE privileges on packages. The more powerful packages that may potentially be misused include:
UTL_TCP
UTL_SMTP
UTL_HTTP
UTL_FILE
DBMS_RANDOM
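The following SQL covers steps 6 and 7 together: it lists who holds broad system privileges, shows which of the packages above PUBLIC can still execute, checks which code depends on them before the revoke, and then grants them back only to the schemas that need them. This is an added example, not text from the original guide; APP_OWNER is a placeholder schema name and the session is assumed to have SYSDBA privileges.

```sql
-- Added example (not from the original checklist): audit powerful grants
-- and take the dangerous packages away from PUBLIC. Requires SYSDBA.

-- Step 6: who holds "ANY" system privileges or the DBA role?
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA';

-- Step 7: which of the listed packages are still executable by PUBLIC?
SELECT table_name AS package_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('UTL_TCP', 'UTL_SMTP', 'UTL_HTTP', 'UTL_FILE', 'DBMS_RANDOM');

-- Before revoking, find out which stored code depends on these packages:
-- those objects go invalid after the revoke unless they get a direct grant.
SELECT owner, name, type, referenced_name
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name IN ('UTL_TCP', 'UTL_SMTP', 'UTL_HTTP', 'UTL_FILE', 'DBMS_RANDOM')
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, name;

-- Revoke the execute privilege from PUBLIC ...
REVOKE EXECUTE ON sys.utl_tcp     FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_smtp    FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http    FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_file    FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_random FROM PUBLIC;

-- ... and grant it directly to the schemas that showed up in the dependency
-- check (APP_OWNER is a placeholder), so only they regain the package.
GRANT EXECUTE ON sys.utl_http TO app_owner;

-- Re-run the PUBLIC query above: it should return no rows.
```

Oracle-supplied schemas other than SYS and SYSTEM (for example XDB or CTXSYS) may appear in the dependency output and need their grant restored as well. Independently of the grants, 11g also controls outbound network access from UTL_TCP, UTL_SMTP and UTL_HTTP through network ACLs managed with DBMS_NETWORK_ACL_ADMIN, so a schema that keeps EXECUTE on those packages still reaches only the hosts an ACL allows.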
8. Grant users a role only if they need the role's privileges
9. Restrict permissions on run-time facilities: (Be more specific)
Do not grant a blanket permission:
call dbms_java.grant_permission('SCOTT','SYS:java.io.FilePermission','<<ALL FILES>>','read');
Do grant only the directory that is actually needed:
call dbms_java.grant_permission('SCOTT','SYS:java.io.FilePermission','c:\mydirectory\*','read');
(The angle brackets are only meaningful in the special <<ALL FILES>> token; a real path is given literally, and a trailing \* covers the files in that directory.)
10. Authenticate clients properly
In the pfile or spfile, set the following initialization parameter:
REMOTE_OS_AUTHENT=FALSE
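Steps 5 and 10 both set an initialization parameter, and both parameters are static, so they can only be changed in the spfile (or the text pfile) and take effect at the next instance restart. The SQL below is an added example for checking and setting them, not text from the original guide; it assumes a SYSDBA session on an instance started from an spfile.

```sql
-- Added example (not from the original checklist): check and set the two
-- initialization parameters from steps 5 and 10. Requires SYSDBA.

-- Current values, and whether each was set explicitly or is a default.
SELECT name, value, isdefault, ismodified
  FROM v$parameter
 WHERE UPPER(name) IN ('O7_DICTIONARY_ACCESSIBILITY', 'REMOTE_OS_AUTHENT');

-- Both are static parameters: SCOPE=SPFILE is the only scope accepted, and
-- the new values apply after the instance is restarted.
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;

-- If the instance runs from a text pfile instead, put these lines in it:
--   O7_DICTIONARY_ACCESSIBILITY=FALSE
--   REMOTE_OS_AUTHENT=FALSE

-- With O7_DICTIONARY_ACCESSIBILITY=FALSE the "ANY" privileges no longer
-- reach SYS-owned dictionary objects; only SELECT ANY DICTIONARY still
-- grants read access to them, so review who holds it after the restart.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY DICTIONARY';
```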
11. Limit the number of operating system users
12. Utilize a firewall if you have to
13. Never poke a hole through a firewall
For example, do not open the Oracle Listener's port 1521 to the Internet, or vice versa.
14. Prevent unauthorized administration of the Oracle Listener
In listener.ora, set the following security parameter, where listener_name is the name of your listener:
ADMIN_RESTRICTIONS_listener_name=ON
15. Check network IP addresses
In protocol.ora, set the following Oracle Net parameters (xxx.xxx.xxx.xxx stands for the IP addresses you exclude or invite):
tcp.validnode_checking=YES
tcp.excluded_nodes=(xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx)
tcp.invited_nodes=(xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx)
16. Encrypt network traffic
Use Oracle Advanced Security to encrypt traffic, configured through sqlnet.ora parameters.
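Setting the parameters is only half of step 16; the other half is confirming that sessions really negotiate encryption. The SQL below is an added example for that check, not text from the original guide. It assumes the server's sqlnet.ora requests native encryption and integrity with SQLNET.ENCRYPTION_SERVER=REQUIRED, SQLNET.ENCRYPTION_TYPES_SERVER=(AES256), SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1), and that the session has access to the V$ views.

```sql
-- Added example (not from the original checklist): verify from inside the
-- database that connections are encrypted and integrity protected.
-- Assumes sqlnet.ora on the server contains:
--   SQLNET.ENCRYPTION_SERVER=REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER=(AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1)

-- The banner of the current session lists the encryption and checksum
-- adapters that were negotiated; a session without Advanced Security shows
-- only the protocol adapter and "Authentication service" lines.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');

-- The same check over every connected user session, so a client that got in
-- without encryption shows up with encrypted = 'no'.
SELECT s.sid, s.username, s.machine,
       MAX(CASE WHEN ci.network_service_banner LIKE '%encryption service%'
                THEN 'yes' ELSE 'no' END) AS encrypted,
       MAX(CASE WHEN ci.network_service_banner LIKE '%crypto-checksumming service%'
                THEN 'yes' ELSE 'no' END) AS integrity_checked
  FROM v$session s
  JOIN v$session_connect_info ci ON ci.sid = s.sid
 WHERE s.type = 'USER'
 GROUP BY s.sid, s.username, s.machine
 ORDER BY s.sid;
```

With the server side set to REQUIRED, a client that cannot negotiate encryption is refused at connect time, so the second query should show 'yes' in both columns for every user session; a 'no' there means the parameter was set to REQUESTED or ACCEPTED rather than REQUIRED, or the instance has not yet picked up the changed sqlnet.ora.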
17. Harden the operating system
Disable unneeded services such as FTP, TFTP, TELNET, etc. Be sure to close both the UDP and TCP ports for each service that is being disabled; disabling one type of port and not the other does not make the operating system more secure.
18. Apply all security patches and workarounds
Good Luck!