Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: " has a news item about CPU 2"] [Next entry: "CPU 12 April researchers advisories"]

CIS Oracle benchmark has been updated

The Center for Internet Security produced a benchmark document for Oracle some time back that covered 8i and 9i. This was based closely on the SANS Oracle Security Step-by-step guide. The benchmark also inlcuded a scoring tool for Windows, Linux and Solaris.

The CIS Oracle benchmark has just been updated quite a lot. The 8i stuff has been relegated to the original document and this has now been updated to version 1.2. The benchmark scoring tool has also been updated to the same level. CIS has also produced a new document for 9i and 10g - this is versioned at 2.0. The introduction of the 9i/10g document states that it is based on research conducted as part of the 10g program, OTN and various books - it would have been nice to see a list of references - Quite a lot of items are still clearly still derived from the earlier document for instance. The 8i document can confuse though as some stuff in there is still also in the 9i/10g document, that is do not assume that just because an issue is in the 8i paper to ignore it, it can still be relevant in 9i/10g. The 10g scoring tool is due in June 2005 according to the website. The Oracle security benchmarks can be downloaded from the CIS site.

These are both good documents though. I have not had time to read them yet to see what changes have been made since version 1.1. I will read through them both and make further comments here.