Oracle Security Audit Service

PeteFinnigan.com Limited's Oracle database IT security health check service has been designed by Pete Finnigan, a principal consultant with years of real world experience in auditing and securing, designing and hardening customers Oracle databases. Pete is also well known for writing and presenting extensively in the area of Oracle security.

This service is generally offered at a fixed price. Whilst every database is different in terms of features, functions, configuration, administration and of course the applications using it an audit cannot simply be a process of running the same set of scripts or commands against each database to find a set of security issues. The process of securing an Oracle database is made harder because of the myriad of options that Oracle provides and also because of the myriads of requirements set by the applications and processes used to access and manage the database.

"The very detailed hands-on Oracle database security audit decribed here in this page is site based. The PeteFinnigan.com consultant comes to your site and performs the detailed interview, data gathering and manual checks necessary to assess the true security of the database. As described below this is akin to being a detective and the quality of this cannot be replicated simply by running canned scripts or commercial tools offered by some other vendors. The on-site nature of the data gathering phase is the best approach to security auditing an Oracle database and also affords the customer the rare oppertunity to sit alongside world class experts in this field and learn from them.

Whilst this is the ideal it is recognised that some clients want to have an Oracle database security audit performed remotely often for cost and operational reasons. PeteFinnigan.com Limited can also support these types of Oracle database security audit. See below for more details."

An Oracle database security audit can be like the job of a detective, each clue leads to further clues which in turn lead to security vulnerabilities and possible solutions to those issues. The Oracle security audit service provided by PeteFinnigan.com Limited provides structure, repeatability and process to the job of analysing an Oracle database for security issues. This is because a company designed methodology is used to drive the process. This audit service is one of the most comprehensive Oracle database security audits available. The real value is in its custom nature and manual process drive and built on years of experience just in this area. This is the strength of PeteFinnigan.com Limited. The Oracle security database audit service is defined below:

Schedule of work

This database security health check will include the Oracle database, the operating system on which the database is running in the areas that directly relate to the Oracle installation and also the database listener and Oracle networking. In addition some of the wider areas of the processes and architecture and application will be included where appropriate and where they relate directly to the Oracle database being audited. The review consists of a number of phases; these can be described as follows:

• Information gathering via interview / questionnaire
• Data gathering through technical means - this is done using custom PeteFinnigan.com Ltd scripts and tools and manual means
• Detailed analysis of the data gathered
• Production of a detailed management summary
• Production of a detailed summary of every issue located

Access and Scope

The Oracle Security health check is completely non-intrusive. No data is created, deleted or altered during the database security health check process. To complete the health check the following requirements must be met before commencement of the engagement:

• An Operating system account must be made available that has access to all of the Oracle database software, data and installation of the database.
• An Oracle database account must be made available with read-only access to the database parameters, dictionary and data.
• Two views must be created
• Two synonyms must be created

All of the health check is conducted from the PeteFinnigan.com Limited consultants laptop and as such network access must be made available to allow a direct connection to the client networks that allow a ssh / telnet session (ssh is recommended) to be established between the consultants laptop and the relevant servers. A direct Oracle SQL*Net (TNS) connection must also be available between the consultants laptop and the relevant databases to allow scripts to be run and query access to be made available.

All scripts or commands are run through the SQL*Plus tool or via a telnet/ssh terminal.

All accounts needed by the PeteFinnigan.com Limited consultant are read-only and must be removed immediately after the Oracle security health check.

Note:- Exact details of the required accounts, views and synonyms will be made available prior to the assignment commencing. Scripts can be supplied to create these accounts and objects in the database.

The IT health check process

It is important that the audit process is understand in advance of commencement. The IT health check process consists of the following broad steps:

• Onsite data gathering in one of the following ways (Note: In some cases if the client is overseas it can be more cost effective to perform the audit remotely - please ask for details):
  • The key personnel are interviewed to assess the management processes used and the design decisions, architecture and implementation decisions made. In general some checks are made by interview where it is not practical or appropriate to review technically. For this reason it is important that the client provide access to the right staff.
  • SQL and PL/SQL scripts are run to assess the fitness and configuration of the database.
  • Shell scripts and operating system commands are used to assess the contents of Oracle installed configurations, log files and to assess the file permissions and settings directly related to the database installation.
  • Manual checks are made in the database or on the operating system where it is not practical to run predefined scripts.
• Off site analysis is made of the data gathered and a detailed report is produced to isolate all of the issues found. The report details all of the issues located and includes a detailed management summary that highlights the critical issues that should be fixed quickly and the reasons why they are an issue.

• Database
  • The database audit includes detailed investigations into the following broad areas:
    • Review of existing database security processes
    • Review of existing backup processes in relation to security and recoverability
    • Versions and patch management review
    • Detailed review of users and password management and role based access
    • Detailed review of configuration parameters
    • Assessment of authorisation flaws
    • Detailed review of account management
    • Access controls
    • System privileges
    • Object privileges
    • Detection of Oracle Rootkits
    • Detection of Oracle backdoors and trojans
    • Review of built-in roles and their use
    • Operating system access
    • Access to standard packages and public privileges
    • Review of PL/SQL and Java used
    • Review of audit trail configuration and settings
    • Review of database links
    • Many more
• Operating system
  • The operating system audit is limited to the areas that interact with the Oracle installation. A complete audit of the operating system is out of scope. The operating system audit will include investigations in the following broad areas:
    • File permissions and ownership Configuration files and key file permissions
    • Password and username leakage
    • Audit and logging
    • Group and suid privileges
    • Examples and demos
    • more
• Oracle listener
  • The listener audit includes detailed investigations into the following areas:
    • Configuration and password protection
    • Logging
    • Network settings for security
    • More
• General Health
  • Database and application set-up
  • Parameters
  • Design and data usage
  • Version, patches and revision status
  • Backup and recovery
  • Security of key data
  • Systems usage (i.e. what other apps, databases etc)
  • More

Out of scope

The scope of the IT health check is limited to the Oracle database and its immediate infrastructure necessary for the correct operation of the Oracle database. Applications will be reviewed where and only they directly relate to the Oracle database installation.

The IT Health check does not include web architecture, web application review, detailed application review, web servers, application and database servers, penetration testing or other non associated infrastructure.

The scope of the assignment is defined above and any additional consultancy to assist the client or its associates to review the health check report (above the on-site presentation), to assess correction strategies or to assist with the correction are out of scope. If assistance is required from PeteFinnigan.com Limited this can be agreed in advance of the assignment or after completion of the health check in addition to the original audit.

Oracle Database Versions Supported

This detailed Oracle database security audit service is available for all supported versions of Oracle including Oracle 9i, Oracle 10g and Oracle 11g. All platforms are also supported including Windows, Solaris, HP-UX, Aix, Linux and more.

Un-supported versions of Oracle can also be security audited. There is still value in doing this if a customer is forced to use a non-supported version of Oracle perhaps where an application vendor dictates this. Note: Security patches are not available for these un-supported versions but it is still viable to perform all other types of hardening and the non-application of patches may be mitigatable.

Non-Site based audits

This Oracle database security audit service as described above is offered as an on-site visit to perform the interview stage and also the detailed data gathering. This is the ideal method of performing security audit work as the consultant doing the audit is inside your own organisation and there is no additional exposure.

In some rare cases clients cannot allow an on-site visit perhaps due to expense costs, logistics, operational issues or other reasons. PeteFinnigan.com Limited can still accomodate these cases and perform the audit reomotely if necessary. In this case there are reduced overheads and hence reduced costs but slightly increased risks. Direct access to the server and the database is still necessary to allow the technical aspects of the audit to take place. This is usually done with IPSec or VPN and ssh connections. Details would be supplied in advance of an audit.

A further option is also available to clients. This involves not visting the site and also not making external connections to the servers and databases. This method involves the client collecting certain raw data for the PeteFinnigan.com consultant (exact details of how this is done can be obtained by emailing info@petefinnigan.com for more details) to analyse off site. The customer collects the raw data and encrypts it with pgp and sends it to PeteFinnigan.com Limited for analysis. This raw data does not include any customer data as it is all meta-data from the Oracle data layer or server. The downside with this method is that whilst it is not totally deterministic it is not hands-on so lacks the absolute depth of an on-site audit. But this type of audit can still have value if an on-site full audit is not possible.

Next Steps