Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "The SANS S.C.O.R.E. Oracle security checklist has been updated"] [Next entry: "eweek article: Oracle Users Take Aim at High Costs, Security Silence"]

KK Mookhey writes about auditing Oracle security

KK Mookhey who is based in India and is CTO of Network Intelligence India Pvt. Ltd has written an excellent paper about auditing an Oracle database, this was published sometime ago but is still generating interest and quite a lot of people have not seen or read it yet so I thought I would talk about it here. The paper is called "Auditing Oracle Security" and is available here.

This paper is very well written and covers a good degree of the ground to get anyone started on trying to secure a database. It covers the installation, parameters, users and profiles, default accounts, how to use auditing, even defunct accounts, password management, roles and privileges and of course the listener. KK also talks about controls within the database such as the product user profile functionality for controlling access through SQL*Plus. He covers Virtual Private Databases (VPD) and encryption. KK also gives good advice on how to focus any audit of an Oracle database.

This is a good overall discussion on Oracle security and anyone starting to think about auditing an Oracle database should read it before delving into more detailed discussions and tools.