A new Oracle CIS benchmark has been released recently for Oracle 11g. The Oracle benchmark for 11g is an update of the previous 8i (version 1) and the subsequent 9i/10g (version 2) Oracle benchmarks. As you will see a simple registration is required and all three versions of the benchmark are available. There is still only an 8i scoring tool as one was not produced for the 9i/10g benchmark and there is not one available for the 11g guide either.

You can of course get the scoring tool (available for Windows, Linux and Solaris platforms) and still run it on 11g or 9i/10g. The checks were never complete anyway as quite a lot were in the form of questions, but a lot of the checks still work for the later versions of the database. The 11g guide does not seem a massive change in terms of checks over the 9i/10g. The 9i/10g benchmark really added a lot of Advanced Security Option checks that in my experience most sites are not using anyway (the Oracle ASO add-on, that is). The 11g guide's style seems better than the previous ones. The lineage / history is still strongly there though. The original benchmark (8i) was based on the book I wrote for SANS, the Oracle Security Step-by-Step guide, that is no longer available. For instance, compare the SANS SCORE document with the CIS benchmark. The 11g benchmark includes a few 11g specifics such as case-sensitive passwords and other 11g settings; as I said, the style is better than the earlier versions, I like it. I think that it's great that there is an update to this important checklist as there are not many available checklists anyway for the Oracle database. There is the SANS Step-by-Step, the SANS SCORE (written by me and updated by Paul) that is essentially the checklist from the SANS Step-by-Step and obviously very similar to the CIS benchmark as they have the same starting points. There is the DoD STIG, some NSA document, the great little IT Governance Institute book, and there is Oracle's own checklist that gets updated from time to time but is not as detailed as the SANS SCORE or the CIS benchmark. So it's great that a resource like this exists as, as I said, there are not many checklists for Oracle databases. I want to make two comments about checklists: they are good and bad at the same time. They are good because when we audit an Oracle database we need to have something to work to, some standards, some list of things to check.

This is important: I obviously use my own checklists that are much, much more detailed than any of the above lists; I check for some ten times more settings / parameters / privileges / configurations and more than these lists. My lists are internal and will stay that way; I update them probably on average on a daily basis. I have tens of thousands of lines of code implementing checks. If you want to perform an audit for yourself then you need a place to start, and the lists like the CIS / SANS SCORE / SANS Step-by-Step are good starting points BUT (the bad bit) what we don't want to do is create the same issue as compulsive tuning disorder for security, i.e. we don't want to simply try things from a list (tip?) and see if it works, then move on to the next good thing to try. What we need is a methodology; in fact I have one, this is what I have done for years as part of my security audit service for an Oracle database. I have a methodology that allows due diligence and repeatability but is not based on working through a set of checks. I am not going to go into great detail; suffice to say that the methodology is based around understanding the data, understanding the data flow (into and out of the database), the business use of the data, and then correlating that with what is actually going on with the data, how it's managed and accessed, and what the privilege models are for all classes of users. Of course I also look at all the other peripheral issues such as OS access. My methodology allows repeatability whilst actually being different checks for each database, well, because each database is different. So whilst I use checklists, in terms of having written extensive tools over the years, I do not work through a checklist as such, as each system has different requirements and security issues; each "check" can have a different risk level based on what else is going on.
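As an added illustration (not code from the post, nor the wording of any CIS, SANS or STIG check), here is what the 11g case-sensitive password check mentioned above looks like when written as SQL, and why the raw setting on its own is not enough to call the item passed or failed. It assumes an Oracle 11g database and a session with SELECT access to V$PARAMETER and DBA_USERS (DBA or SELECT_CATALOG_ROLE); the column and parameter names are the real 11g ones, the classification text in the CASE expression is my own.

```sql
-- Added example, not from the original post or from the CIS benchmark text.
-- Oracle 11g introduced case-sensitive passwords, switched by the
-- SEC_CASE_SENSITIVE_LOGON instance parameter (default TRUE on 11g).
-- A checklist item typically reads "verify SEC_CASE_SENSITIVE_LOGON = TRUE":
SELECT name, value
FROM   v$parameter
WHERE  name = 'sec_case_sensitive_logon';

-- The parameter alone does not tell you which accounts actually benefit.
-- An account whose password hash was generated before the upgrade to 11g
-- carries only the old '10G' verifier until its password is reset, and
-- until then it still authenticates case-insensitively regardless of the
-- parameter. DBA_USERS.PASSWORD_VERSIONS (new in 11g) lists the verifiers
-- each account has, e.g. '10G', '11G' or '10G 11G'.
SELECT username,
       account_status,
       password_versions,
       CASE
         WHEN password_versions NOT LIKE '%11G%'
           THEN 'only 10G verifier: still case-insensitive, reset password'
         WHEN password_versions LIKE '%10G%'
           THEN '11G verifier present but 10G kept for older clients'
         ELSE 'ok'
       END AS finding                     -- classification text is mine
FROM   dba_users
WHERE  account_status NOT LIKE '%LOCKED%'  -- locked accounts cannot log in
ORDER  BY finding, username;
```

The second query is the part a list-driven audit tends to skip: the same "setting = TRUE" result is a pass on a freshly created 11g database and a weak pass on an upgraded one where most application accounts have never had their passwords reset, which is exactly the "different risk level based on what else is going on" point made above. Which accounts, and whether the leftover 10G verifiers matter, depends on what those accounts own and who connects as them, so the finding feeds the privilege-model review rather than ending with the query.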