Daily, weekly, monthly checklists
Creating a checklist is the first step on the road to creating policies or procedures for maintaining and monitoring Oracle. This is one of the first actions that should be taken in a security-conscious organisation. If you do not plan what to look for, monitor, check and act on, how can you possibly know what to check for and when, and more importantly how would you know when there is a problem? This is planning 101.
Creating a checklist is useful in general, as Haris points out, for administration, but it can also be very useful for security. For instance, you should audit user accounts for weak passwords regularly and also check for default accounts that still have default passwords set. In conjunction with this check, the checklist should also cover the rules for managing passwords in the database, for instance minimum times between password changes, rules for password complexity, etc.
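As an added worked example (not code from the original post), the two checks just described, default passwords and password rules, expressed as SQL to run from a DBA account. It assumes Oracle 11g or later, where the DBA_USERS_WITH_DEFPWD view and the verify_function_11g function shipped by utlpwdmg.sql exist; the profile name app_users and the limit values are constructed placeholders.

```sql
-- Check 1: open accounts that still carry an Oracle-supplied default password.
-- DBA_USERS_WITH_DEFPWD exists from Oracle 11g onwards.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE '%LOCKED%'
 ORDER BY d.username;

-- Check 2: the password rules each profile enforces. A limit of UNLIMITED
-- (or the string 'NULL' for the verify function) means the rule is not
-- enforced; a limit of DEFAULT inherits from the DEFAULT profile, which
-- therefore has to be reviewed as well.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME',
                         'PASSWORD_REUSE_TIME', 'PASSWORD_REUSE_MAX',
                         'PASSWORD_LOCK_TIME', 'PASSWORD_GRACE_TIME',
                         'PASSWORD_VERIFY_FUNCTION')
 ORDER BY profile, resource_name;

-- Check 3: open accounts whose profile sets no complexity function, so a
-- weak password is never rejected at change time.
SELECT u.username, u.profile
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE u.account_status = 'OPEN'
   AND p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
   AND p.limit IN ('NULL', 'UNLIMITED')
 ORDER BY u.username;

-- Remediation for a profile that fails the checks above. The numbers are
-- constructed starting points; site policy decides the real values.
-- (app_users is a placeholder profile name.)
ALTER PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LIFE_TIME       90
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_LOCK_TIME       1
  PASSWORD_GRACE_TIME      7
  PASSWORD_VERIFY_FUNCTION verify_function_11g;
```

Any account listed by check 1 should have its password changed or the account locked, and the first two queries are worth keeping as the recurring items on the checklist so that drift in profile settings is caught at the next review.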
Write down the key items that need to be monitored. There are two very good Oracle security checklists in existence. The first is the SANS S.C.O.R.E. document, which is based on the book I wrote for SANS, Oracle Security Step-by-Step: A Survival Guide for Oracle Security. The second is the CIS checklist, which is again developed in part from the same book. Links to both of these lists can be found on my Oracle security white papers page. There are also a few other, smaller checklists for Oracle security in existence. The Oracle 9i and 9iR2 lists are basic but not bad; again, links to these are on my Oracle security papers page. There is also a tool available with the CIS paper.
Remember also that checklists are very much site-specific, as are policies and procedures. There are so many variables that a standard list that suits everyone is hard to define.
Automate as much as possible; the CIS checklist comes with a tool. There are also other free tools available, such as Patrik Karlsson's tools and metacortex, as well as a few commercial tools. Links can be found on my Oracle security tools page.
Also be aware that checklists and policies are a moving target. That is, they need to be reviewed regularly and updated as necessary to take in new knowledge and techniques that have become available since the last review.
I like the idea in Haris's blog entry of reviewing the sites of major suppliers regularly and reading DBA manuals for one hour a day. I think this is excessive, but reading the manuals is important and should be done regularly to keep current with the technology. On the same subject, subscribe to the relevant security mailing lists such as Bugtraq and vuln-dev; see the SecurityFocus site for details.