Database security checklist updated for 9i,10g,11g R2 version.This documentation is prepared from Sans Institute security checklist 2003, Pete Finnigan web site and Oracle.com Oracle security documentation .
1. Check
database version
• SQL>Select * from v$version;
2. Check
operating system release and patch information
·
$ cat /etc/*release*
3. Check
database features
·
SQL>SET SERVEROUTPUT ON
SQL>DECLARE
SQL>paramVARCHAR2(4000):='';
SQL>BEGIN
SQL>FOR C IN(select PARAMETER from v$option where value='TRUE' order by SQL>parameter asc) LOOP
SQL>param:=param || c.parameter || ',';
SQL>ENDLOOP;
SQL>DBMS_OUTPUT.PUT_LINE(param);
SQL>END;
SQL>/
4. Check
Oracle Database software files owner and
permission information.Software owner must be oracle .
·
# ls –ltr $ORACLE_HOME/bin
5. Check
Orace software owner accounts password same as username or not
·
#login su – oracle (password :oracle)
6. Check
umask value.( default value for umask 0022)
·
$umask
7. Check
datafile permissons at database files
directory
·
SQL>select name from v$datafile;
8. Check
the username and passwords which are seen at process list. They could be
tirggered from crontab or open source database’s stop/ start scripts.
·
# Ps –ef |grep more
9. Contact
system admin team and check the ps command restrictions. ps command would be limited or No limited.
10. Check
shell history , bash_history for
username and passwords. Delete password and username entries from bash_history
if they are exists.
·
#history | more
11. Check
the username and password at crontab
·
#crontab
–l
12. Check
control file permissons
·
SQL>select name fromv$controlfile;
·
# cd /name
·
Ls –ltr *.ctl
13. Check
the users who has ALTER SESSION and ALTER SYSTEM privileges
·
SQL>SELECT grantee, admin_option
FROM dba_sys_privs
WHERE privilege IN('ALTER SYSTEM','ALTER SESSION');
14. Check
log_archive_dest1 and destn directory privilges
who can read archive logs except for ORACLE software owner.
·
SQL>SELECT VALUE
FROM gv$parameter
WHERE name LIKE'%log_archive_dest%';
15. Check
the database has any external table, check directory_name ,owner and
table_name.
·
SQL>SELECT * FROM
DBA_EXTERNAL_TABLES;
16. Check
the listener service password , if its exist read the documents and disable
password authentication.
17. Check
the database users which are
authenticate from proxy account.
·
SQL>select * from dba_users where authentication_type<>'PASSWORD';
18. Check
the SYS and SYSTEM accounts password are same or NOT ?
19. Check
the remote login password file value. (NONE,SHARED,EXCLUSIVE)
·
SQL>select * from gv$parameter where name='remote_login_passwordfile' ;
20. Check
the database users default passwords and If SYSTEM tablespace exists set the
tablespace to DATA or User defined tablespace.
·
SQL> select username from dba_users where default_tablespace='SYSTEM';
21. Check
the Utl_file_dir parameter value for Oracle lower versions from 11g and directory permission for Oracle
11g databases. Utl_file_dir is
deprecated at Oracle 11g database.
·
select value from gv$parameter where name='utl_file_dir';
·
select * from dba_directories;
·
cd $directory_path
22. Check
the package privileges;
·
SQL>select * from dba_tab_privs where table_name='dbms_backup_restore';
23. Check
the who has ALL_USERS view SELECT
privileges.
·
SQL>select GRANTEE,PRIVILEGE,GRANTABLE from dba_tab_privs where table_name='ALL_USERS';
24. Check
the all ‘%ALL%’ views privileges count.
·
select * from dba_tab_privs where table_name like 'ALL%'
25. Check
the os authenticate users
·
SQL>select value from gv$parameter where name='os_authent_prefix';
26. Check
the remote listener parameter
·
SQL>select * from gv$parameter where name like '%remote_listener%';
