Pete Finnigan's Oracle Security Weblog

I also saw another interesting thread on the Oracle-L list titled "Security audit of Oracle databases". The poster asks if anyone can give advice for her friend who was having their Oracle database audited by a third party company. She wanted advice on open source software for checking an Oracle database.

The thread has some good discussions and points being made. I penned a few paragraphs to answer the thread and found that i couldn't post to the list. I have been a member for a long time but recently had email troubles so had to re-subscribe. I now see that to post to the list you need to ask Steve the list owner to grant you posting privileges. Anyway the answer I posted there is a bit late now so here it is again:

"Hi Paula,

There are a number of good checklists out there. The first is the CIS
Oracle benchmark that was closely based on the SANS Oracle security
step-by-step guide book. The CIS benchmark and the scoring tool are
free. There is also a good checklist on the SANS website called the
S.C.O.R.E. document. This is also closely based on the SANS Oracle
security SBS. It is in-fact an edited version of the appendix of the
book. There are also a couple of Oracle 9i checklists written by Oracle.

Tools wise there is the CIS benchmark mentioned above, Patrik Karlsons
tools SIDS, OScanner and OAT, the Integrigy listener check tool,
metacortex, nessus, my audit scripts, Geof Ingrams perl script, Tim
Gormans scripts and a few others.

For the checklists you can find links on my Oracle security white papers
page /orasec.htm - see the checklists section
- and for links to the free tools see my Oracle security tools page -
/tools.htm - Also you might want to run the
default password check scripts that are available on my site. These
include passwords for about 600 default users -
/default/default_password_checker.htm"