Oracle Security Audit Service

PeteFinnigan.com Limited's Oracle database IT security health check service has been designed by Pete Finnigan, a principal consultant with years of real-world experience in auditing, securing, designing and hardening customers' Oracle databases. Pete is also well known for writing and presenting extensively on Oracle security.

This service is generally offered at a fixed price. Because every database is different in terms of features, functions, configuration, administration and, of course, the applications using it, an audit cannot simply be a process of running the same set of scripts or commands against each database to find a fixed set of security issues. Securing an Oracle database is made harder by the myriad options that Oracle provides and by the many requirements imposed by the applications and processes used to access and manage the database.

An Oracle database security audit can be like the job of a detective: each clue leads to further clues, which in turn lead to security vulnerabilities and possible solutions to those issues. The Oracle security audit service provided by PeteFinnigan.com Limited brings structure, repeatability and process to the job of analysing an Oracle database for security issues, because a company-designed methodology is used to drive the work. This audit service is one of the most comprehensive Oracle database security audits available. Its real value lies in its custom nature and its manually driven process, built on years of experience in this one area. This is the strength of PeteFinnigan.com Limited. The Oracle database security audit service is defined below:

Schedule of work

This database security health check covers the Oracle database, the operating system on which the database is running (in the areas that directly relate to the Oracle installation), the database listener and Oracle networking. Some of the wider areas of process, architecture and application are also included where appropriate and where they relate directly to the Oracle database being audited. The review consists of a number of phases, which can be described as follows:

  • Information gathering via interview / questionnaire
  • Data gathering through technical means - this is done using custom PeteFinnigan.com Ltd scripts and tools and manual means
  • Detailed analysis of the data gathered
  • Production of a detailed management summary
  • Production of a detailed summary of every issue located

Access and Scope

The Oracle security health check is completely non-intrusive: no data is created, deleted or altered during the health check process. Before the engagement commences the following requirements must be met:

  • An operating system account must be made available with read access to the Oracle software installation, its configuration and log files, and the database files.
  • An Oracle database account must be made available with read-only access to the database parameters, data dictionary and application data.
  • Two views must be created
  • Two synonyms must be created

All of the health check is conducted from the PeteFinnigan.com Limited consultant's laptop, so network access must be provided that allows a direct connection to the client network and an ssh or telnet session between the consultant's laptop and the relevant servers (ssh is recommended, since telnet sends the login credentials in clear text). A direct Oracle SQL*Net (TNS) connection must also be available between the consultant's laptop and the relevant databases so that scripts can be run and queries issued.

All scripts and commands are run through SQL*Plus or through the ssh/telnet terminal session.

All accounts needed by the PeteFinnigan.com Limited consultant are read-only and must be removed immediately after the Oracle security health check.

Note:- Exact details of the required accounts, views and synonyms will be made available prior to the assignment commencing. Scripts can be supplied to create these accounts and objects in the database.
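The following is an added illustration of what a read-only audit account of the kind described above can look like. It is not the script PeteFinnigan.com Limited supplies, whose exact contents (including the two views and two synonyms) are only provided before the engagement, so those objects are deliberately not guessed at here. The account name AUDIT_RO, the profile name, the placeholder password and the tablespace names are assumptions made for this example; it assumes Oracle 11g or later and is run as a DBA, either in a non-multitenant database or inside the relevant pluggable database.

```sql
-- Added example of a read-only audit account; not the consultant's supplied script.
-- Assumptions: Oracle 11g or later, run as SYS or another DBA, non-CDB or inside the PDB.
-- AUDIT_RO, AUDIT_RO_PROFILE, the password and the tablespace names are invented here.

-- A profile that locks the account after repeated failed logins and expires the
-- password quickly, so a forgotten account does not outlive the engagement.
CREATE PROFILE audit_ro_profile LIMIT
    FAILED_LOGIN_ATTEMPTS 5
    PASSWORD_LIFE_TIME    7
    PASSWORD_LOCK_TIME    UNLIMITED;

CREATE USER audit_ro IDENTIFIED BY "Replace-With-A-Long-Random-Value"
    PROFILE audit_ro_profile
    DEFAULT TABLESPACE users
    TEMPORARY TABLESPACE temp
    QUOTA 0 ON users;        -- no tablespace quota: the account owns no storage

-- Connect, and read the data dictionary, the V$ views and the initialisation parameters.
GRANT CREATE SESSION        TO audit_ro;
GRANT SELECT ANY DICTIONARY TO audit_ro;

-- Read application data (the health check reviews the security of key data).
-- SELECT ANY TABLE is read-only but broad; grant SELECT on named schemas or
-- tables instead if the client prefers a tighter scope.
GRANT SELECT ANY TABLE      TO audit_ro;

-- Verify that the account holds nothing beyond the three privileges above and
-- no roles at all; any other row returned here is a mistake to correct.
SELECT 'PRIV' AS kind, privilege AS name FROM dba_sys_privs  WHERE grantee = 'AUDIT_RO'
UNION ALL
SELECT 'ROLE', granted_role                FROM dba_role_privs WHERE grantee = 'AUDIT_RO'
UNION ALL
SELECT 'OBJ ', owner || '.' || table_name  FROM dba_tab_privs  WHERE grantee = 'AUDIT_RO';

-- Removal immediately after the health check, as required above:
-- DROP USER audit_ro CASCADE;
-- DROP PROFILE audit_ro_profile;
```

The final query is the check a client DBA can run before handing the credentials over: the only rows expected are the three system privileges, so an inherited role or an accidental object grant shows up immediately.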

The IT health check process

It is important that the audit process is understood in advance of commencement. The IT health check process consists of the following broad steps:

  • Onsite data gathering in the following ways (note: if the client is overseas it can be more cost effective to perform the audit remotely; please ask for details):
    • The key personnel are interviewed to assess the management processes used and the design, architecture and implementation decisions made. Some checks are made by interview where it is not practical or appropriate to review them technically, so it is important that the client provides access to the right staff.
    • SQL and PL/SQL scripts are run to assess the fitness and configuration of the database.
    • Shell scripts and operating system commands are used to assess the contents of Oracle installed configurations, log files and to assess the file permissions and settings directly related to the database installation.
    • Manual checks are made in the database or on the operating system where it is not practical to run predefined scripts.
  • Off-site analysis of the gathered data, producing a detailed report that isolates every issue found. The report describes all of the issues located and includes a management summary that highlights the critical issues that should be fixed quickly and explains why they are an issue.

PeteFinnigan.com Limited uses a methodical approach to performing an IT health check. Whilst it is not possible to audit a database simply by running a pre-defined set of commands, because every database is different, it is possible to follow a methodical approach, and this gives the IT health check consistency and structure. The areas of checks performed can be summarised as follows. These checks are a minimum and are listed here to indicate the types of checks performed:
  • Database
    • The database audit includes detailed investigations into the following broad areas:
      • Review of existing database security processes
      • Review of existing backup processes in relation to security and recoverability
      • Versions and patch management review
      • Detailed review of users and password management and role based access
      • Detailed review of configuration parameters
      • Access controls
      • System privileges
      • Object privileges
      • Review of built-in roles and their use
      • Operating system access
      • Access to standard packages and public privileges
      • Review of PL/SQL and Java used
      • Review of audit trail and settings
      • Review of database links
      • Many more
  • Operating system
    • The operating system audit is limited to the areas that interact with the Oracle installation. A complete audit of the operating system is out of scope. The operating system audit will include investigations in the following broad areas:
      • File permissions and ownership
      • Configuration files and key file permissions
      • Password and username leakage
      • Audit and logging
      • Group and suid privileges
      • Examples and demos
      • More
  • Oracle listener
    • The listener audit includes detailed investigations into the following areas:
      • Configuration and password protection
      • Logging
      • Network settings for security
      • More
  • General Health
    • Database and application set-up
    • Parameters
    • Design and data usage
    • Patches and revisions
    • Backup and recovery
    • Security of key data
    • Systems usage (i.e. what other apps, databases etc)
    • More
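As an added illustration of the dictionary queries behind several of the database checks listed above (versions and patches, users and password management, system and object privileges, PUBLIC access to standard packages, configuration and audit parameters, and database links), the following SQL is an example written for this page and is not PeteFinnigan.com Limited's own script. It assumes SQL*Plus, Oracle 11g or later (the DBA_USERS_WITH_DEFPWD view first appeared in 11g) and a read-only account holding SELECT ANY DICTIONARY. The privilege, package and parameter names it filters on are a starting set chosen for this example, not a complete check list.

```sql
-- Added example of read-only dictionary checks; not the consultant's scripts.
-- Assumes SQL*Plus, Oracle 11g+, and an account with SELECT ANY DICTIONARY.
-- The lists of privileges, packages and parameters below are a starting set only.
SET LINESIZE 200 PAGESIZE 100

-- 1. Version: the starting point for the patch management review.
SELECT banner FROM v$version;

-- 2. Open accounts that still carry a known default password.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN'
 ORDER BY 1;

-- 3. Password management: profiles that never expire passwords, never lock
--    after failed logins, or enforce no complexity function.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS',
                         'PASSWORD_VERIFY_FUNCTION')
   AND limit IN ('UNLIMITED', 'NULL', 'DEFAULT')
 ORDER BY 1, 2;

-- 4. Direct holders of the DBA role.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY 1;

-- 5. High-impact system privileges held outside SYS, SYSTEM and the DBA role.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('ALTER SYSTEM', 'CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE',
                     'SELECT ANY TABLE', 'GRANT ANY PRIVILEGE', 'BECOME USER',
                     'ALTER USER', 'CREATE ANY DIRECTORY')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY 1, 2;

-- 6. PUBLIC execute on SYS packages that reach the file system, network or scheduler.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'UTL_INADDR',
                      'DBMS_SCHEDULER', 'DBMS_JOB', 'DBMS_JAVA', 'DBMS_LOB')
 ORDER BY 1;

-- 7. Security-relevant initialisation parameters, including the audit settings.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'o7_dictionary_accessibility',
                'remote_os_authent', 'remote_login_passwordfile', 'sql92_security')
 ORDER BY 1;

-- 8. Database links: a fixed-user link stores a credential for the remote database.
SELECT owner, db_link, username, host
  FROM dba_db_links
 ORDER BY 1, 2;
```

Every row these queries return is a clue rather than a finding: a fixed-user database link, for example, is legitimate in many applications, but the privileges of the remote account it connects as need to be reviewed, which is exactly the detective work described earlier.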

Out of scope

The scope of the IT health check is limited to the Oracle database and the immediate infrastructure necessary for its correct operation. Applications are reviewed only where they directly relate to the Oracle database installation.

The IT health check does not include web architecture, web application review, detailed application review, web servers, application and database servers, penetration testing or other unrelated infrastructure.

The scope of the assignment is defined above. Any additional consultancy to help the client or its associates review the health check report (beyond the on-site presentation), to assess correction strategies or to assist with the corrections is out of scope. If such assistance is required from PeteFinnigan.com Limited it can be agreed in advance of the assignment, or after completion of the health check as an addition to the original audit.

Next Steps

Please email info@petefinnigan.com to book this service, to discuss your individual requirements, to get more details or to discuss partnering with PeteFinnigan.com Limited. We will be pleased to hear from you.